Privacy Policy

At Oxolo, we are very aware of the special importance of data protection. Therefore, Oxolo collects and processes your personal data exclusively within the framework of the statutory provisions, including the General Data Protection Regulation ("GDPR"), the German Telecommunications Digital Services Data Protection Act ("TDDDG") and the German Federal Data Protection Act ("BDSG").

With this privacy policy we inform you about the type, scope and purpose of the collection and processing of your personal data when you use our website, software or other services offered by us. In addition, we inform you, for example, about the use of cookies and your rights in connection with your personal data, such as rights of access and revocation.

Your trust is very important to us. We are therefore happy to answer any questions you may have regarding the handling of your personal data or other inquiries. You can contact us by post at Oxolo GmbH, Bohnenstrasse 2, 20457 Hamburg, by telephone on +49 40-228 529 48 or by e-mail at gdpr@oxolo.com.

  1. Area of application

    1. The privacy policy contains information about data processing when using our himala service, our website at himala.com ("Website"), and other services offered by Oxolo (collectively referred to as "Oxolo Services" in this privacy policy).

    2. Naturally, this privacy policy can only apply to the content of the Oxolo services and the server we use and does not include third-party content and websites to which our website merely links. This applies, for example, to links to social networks such as Facebook, LinkedIn, Instagram and YouTube. The processing of your personal data via these social networks is carried out by the respective operator of the network, without us having any influence on this processing. Information on the handling and protection of your personal data on these platforms can be found in the privacy policy of the respective platform. 

  2. Responsibility and data protection officer

    1. Oxolo is only responsible for data processing in connection with the Oxolo services insofar as the respective data processing is not carried out on behalf of the customer. You can contact Oxolo using the following contact details:

      If Oxolo carries out the respective data processing on behalf of a customer (e.g. your employer who set up the account for you), the respective customer is responsible for the data processing. 

    2. You can contact Oxolo's company data protection officer at:

      gdpr@oxolo.com

  3. Data collected when accessing the website

    1. When you visit our website, the web server we use automatically logs information that your browser transmits to us. This is the IP address of the computer or other device you are using, the date and time (including time zone) of the respective access to the website as well as the information as to which specific page or file has been requested or delivered (i.e. in particular whether the file has been delivered correctly), the amount of data transferred, the domain from which the respective request was made (so-called referrer URL), the operating system used and the browser used. The IP addresses are anonymized during storage. 

    2. We collect this data primarily to ensure the proper operation of our website, i.e. in particular for the purposes of system security and system administration, as well as to optimize our website, i.e. primarily for statistical purposes. The basis for this collection and processing is Art. 6 (1) lit. f) GDPR, whereby our legitimate interests are the security of our website and the improvement of our Internet offering.

    3. We do not pass this data on to third parties or link it to other data. In addition, this data is automatically deleted at regular intervals.

  4. User account and subscriptions

    1. A user account is required to use the himala software and to provide its functions. When the user account is registered, Oxolo collects and processes the data provided by the respective user. This includes in particular the user name, e-mail address and a password chosen by the user. Further data can be optionally provided by the user. The provision of this data is not required by law but is necessary for the conclusion of the himala user contract and the provision of software functions.

    2. For the registration of the user account, we use the so-called double opt-in procedure, i.e. the respective user receives an e-mail for the verification of the ownership of the e-mail address and the confirmation of the registration. If no such verification or confirmation is received, the data provided will be deleted after 30 days. The time of registration (including confirmation of the e-mail address provided) and the IP address collected in the process are stored by us until the user account is deleted.

    3. If you subscribe after creating a user account, the following data will also be collected and processed by Oxolo: First and last name, payment data, tax number if applicable, subscription option and IP address. 

    4. The above data stored in the user account is stored on servers within the European Union. We generally store the data until the user account is deleted. In addition, the data will be stored to the extent necessary for the duration of the contractual relationship with the user and thereafter for up to three years or the expiry of the respective statutory retention period. Due to commercial and tax law requirements, we are obliged to store address, payment and order data for a period of ten years. 

    5. To prevent unauthorized access to your personal data by third parties, the connection to Oxolo servers is encrypted using TLS technology.

    6. We process the aforementioned data to provide and manage the user account and the Oxolo services, i.e. to initiate, fulfill and bill the contract with the user. The legal basis for data processing is therefore Art. 6 (1) lit. b) GDPR (initiation and fulfillment of the user contract or subscription). Insofar as the data is also processed to fulfill a legal obligation to retain data, this is done on the basis of Art. 6 (1) lit. c) GDPR.

  5. Google Login

    1. You can also register and create a profile by entering the access data of your Google user account (so-called "Google Login") if you express your consent to this by clicking on the corresponding button to connect to Google. The Google Login function is offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The access data for your Google user account is sent directly to Google. We do not have access to your access data. After verification of the access data, Google only informs us of the following data from your Google user account: the name, your profile picture and the e-mail address. Oxolo receives and uses this aforementioned data to set up your user account for the himala software and to link it to your Google user account.

    2. By using the Google login function, Google receives the information that you have created a user account for himala and can link this information to your Google user account. The information may also be transmitted to Google's US company (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). In this respect, this data transfer takes place on the basis of Art. 45 GDPR, as Google LLC is certified in accordance with the EU-US Data Privacy Framework. Further information on how Google handles your personal data can be found in Google's privacy policy https://policies.google.com/privacy.

    3. The legal basis for data processing as part of the Google Login function is your consent (Art. 6 (1) lit. a) GDPR), which you give when you access the Google Login function and subsequently enter your access data for your Google user account. You can revoke your consent to the use of the Google Login function at any time with effect for the future.

  6. Processing of payments to Oxolo (Stripe)

    1. We use the payment service provider Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland ("Stripe") to process payments in connection with the Oxolo services, which are subject to a charge. 

    2. When you make a payment to Oxolo, the payment data you enter will be transmitted to Stripe for the purpose of processing your payment. Stripe processes this payment data on our behalf to carry out the respective payment transaction. In addition, Stripe may also process the transmitted data on its own responsibility for its own purposes and in accordance with its own privacy policy, for example to fulfill regulatory obligations from the financial sector or to ensure the security of the payment platform. In this respect, Oxolo has no influence on the data processing by Stripe. Further information on data processing by Stripe can be found in Stripe's privacy policy, available at https://stripe.com/de/privacy.

    3. We would like to point out that the payment data collected may also be transferred to third countries outside the European Union or the European Economic Area where there is no equivalent level of data protection, in particular the USA, as the Stripe Group also has companies in the USA and operates server locations there. Insofar as data is transferred to the US company of Stripe (Stripe, Inc., 354 Oyster Point Blvd South San Francisco, CA 94080, USA), this data transfer takes place on the basis of Art. 45 GDPR, as Stripe is certified according to the so-called EU-US Data Privacy Framework. In addition, the standard data protection clauses certified by the EU Commission are also concluded with Stripe; in this respect, data is transferred on the basis of Art. 46 (2) lit. c) GDPR.

    4. We process your payment data to process your payment as part of the user contract and subscription concluded with you. The legal basis for this is Art. 6 (1) lit. b) GDPR (fulfillment of the contract).

  7. Collection and processing of the data provided by the user in himala

    1. When using himala, the data provided by the User is transmitted to Oxolo servers, where it is converted into so-called vectors and stored in encrypted form. The transmission of the data to Oxolo servers is necessary so that himala can analyze and process the data in accordance with the user's requests. The information is stored on servers within the European Union and can be deleted by the user at any time. Otherwise, the data provided will be deleted at the latest when the user restricts Oxolo's access to the respective data source (see below) or deletes the corresponding user account.

    2. The selection of the data and data sources provided is made by you as the user of himala. Data can be entered manually, uploaded as a data set or provided via an interface (so-called "API") to other tools. An external data source must always be approved by the user before Oxolo is granted access to this data source or data from this data source is transmitted to Oxolo. A form is provided for this purpose. You can of course disconnect data sources from himala at any time once they have been released and thus prevent future data access by Oxolo.

    3. Please note that you are responsible for any provision of personal data and that Oxolo generally only processes this data in accordance with instructions and in accordance with the conditions of the order processing agreement. The provision of sensitive personal data, including information belonging to the special categories of data pursuant to Art. 9 GDPR, is prohibited in accordance with the Terms of Use.

    4. The information stored on the Oxolo servers (i.e. the vectors, see above) is processed for the operation of himala and the provision of the individual functions of himala on the basis of the user contract concluded with the user. In particular, the vectors are searched, evaluated or summarized at the request of the user, using methods and techniques from the field of artificial intelligence (including so-called "large language models"). In addition, the vectors and the content generated in himala (the so-called "output") can be used for a limited period of time for quality assurance and improvement of himala, for example to measure and further optimize the quality of the generated output. However, the above-mentioned information is not used for training (including development and improvement) of artificial intelligence (including large language models). We explicitly point out that we also do not use Google Workspace interfaces or Google Workspace APIs for the training, development or improvement of artificial intelligence (including large language models).

    5. To prevent unauthorized access to your personal data by third parties, the connection to Oxolo servers is encrypted using TLS technology.

    6. As a rule, the respective user (i.e. the customer and contractual partner of Oxolo) is responsible for the aforementioned processing of the data provided by the user. In this respect, only the respective user can provide information on the legal basis for the data processing. Insofar as Oxolo is responsible for the aforementioned data processing in individual cases, this is done on the basis of the user contract concluded with the user. The legal basis for this data processing is therefore Art. 6 (1) lit. b) GDPR (fulfillment of the user contract). 

  8. Support requests and other contact

    1. When you contact us by e-mail or via a contact form, for example as part of a support request, the data you provide (e.g. your e-mail address, your name and telephone number if applicable) will be stored by us in order to answer your questions. We delete the data arising in this context if the inquiry is assigned to a contract, after the contract period, otherwise after the storage is no longer required, or restrict the processing if there are statutory retention obligations.

    2. The legal basis for the storage and processing of personal data from your contact is Art. 6 (1) lit. b) GDPR, insofar as the request is in connection with the initiation or execution of a contract with us. Otherwise, this storage and processing takes place on the basis of Art. 6 (1) lit. f) GDPR, whereby our legitimate interest is the processing of your request. 

  9. Cookies

    1. The Oxolo services use cookies and similar technologies (collectively "cookies") in several places. These are small text files or data records that are sent from the web server to your browser, for example, and stored by it, i.e. stored on your end device for later access. Cookies cannot execute programs or transfer viruses to your computer. Cookies help us to make our website more user-friendly, effective and secure, e.g. by saving settings you have selected during your visit to our website and providing us with information on the use of our website and other statistical information.

    2. With regard to the storage period, the cookies used on the website can be differentiated as follows:

      1. Session cookies: These cookies are automatically deleted when the browser is closed. They contain a so-called session ID. This allows various requests from your browser to be assigned to the shared session and your computer can be recognized when you return to our website.

      2. Persistent cookies: These cookies remain stored on your end device and are automatically deleted after a certain period of time (depending on the specific cookie, from a few hours to two years) or at your request.

    3. With regard to the purpose of use, the cookies used on the website can be roughly differentiated as follows: 

      • Necessary cookies: These cookies are technically necessary to move around the website, use basic functions and ensure the security of the website; they do not collect information for marketing purposes or store which other websites you visit. The storage of cookies on your end device and access to these cookies are based on Section 25 (2) No. 2 TDDDG.

      • Optional cookies (preferences, statistics, marketing): Among other things, these cookies can record your interactions on the website and are used for analysis or marketing purposes. The use of these cookies (i.e. their storage on your end device and access to these cookies) takes place exclusively with your express, active and freely revocable consent in accordance with Section 25 (1) TDDDG. Your consent is obtained in our cookie banner and can also be revoked there. Further information on the functions of these cookies can be found in our cookie banner and in the following explanations of this privacy policy (in each case for the website function or service that uses the cookies). 

    4. You can usually delete cookies stored by your browser yourself via your browser settings and also set your browser so that it informs you accordingly before storing a cookie and asks for permission.

    5. Our website uses a so-called cookie consent tool (hereinafter "cookie banner") to obtain your consent and for the corresponding data protection-compliant documentation. The provider is OneTrust, LLC, Munich, Mühldorfstraße 8, 81671 Munich, Germany ("OneTrust"). We have concluded a data processing agreement with OneTrust in accordance with Art. 28 GDPR. OneTrust processes the personal data collected exclusively on our behalf and in accordance with our instructions. The legal basis for the processing of your personal data in connection with the legally required obtaining of consent for the use of cookies is Art. 6 (1) lit. c) GDPR in conjunction with Section 25 (2) No. 2 TDDDG.

    6. In connection with the aforementioned functions, OneTrust also processes the data outside the EU, in particular on the servers of OneTrust LLC 1200 Abernathy Rd, Suite 700, Atlanta, Georgia 30328, in the USA and in the United Kingdom. This results in the transfer of data to third countries. The EU Commission has adopted an adequacy decision for the USA in the form of the EU-U.S. Data Privacy Framework. Companies certified under the EU-U.S. Data Privacy Framework guarantee an adequate level of data protection within the meaning of the GDPR. OneTrust is certified under the EU-U.S. Data Privacy Framework and entered in the list maintained by the U.S. Department of Commerce (Data Privacy Framework List). When transferring data to OneTrust, a level of data protection in accordance with the GDPR is therefore guaranteed. The data transfer to the USA is based on Art. 45 (1) sentence 1 GDPR. For the data transfer to the United Kingdom, there is also an adequacy decision within the meaning of Art. 45 (1) sentence 1 GDPR (EU 2021/1772), so that an adequate level of data protection is also guaranteed in this respect.

  10. Customer support (Intercom)

    1. We use the services of Intercom R&D Unlimited Company, 124 St Stephen's Green, Dublin 2, DC02 C628, Ireland ("Intercom") on our website to provide contact options, in particular a support chat, for quick answers to questions and problems in connection with the use of Oxolo services. The information is also used to compile statistical reports on the use of our services offered on the platform.

    2. Intercom's live chat tool collects technical data about your end device (e.g. IP address, information about the browser type and operating system used, referrer URL) as well as the information entered in the chat. With the help of a cookie, which assigns a pseudonymous identification number (so-called ID) to the browser used, Intercom can also recognize the browser when the website is visited again at a later time. This enables cross-session customer support via the tool. 

    3. The data may also be transmitted to Intercom servers located in countries outside the EU (e.g. in the USA). Insofar as data is transferred to Intercom's US company (Intercom, Inc. based in the USA), this data transfer takes place on the basis of Art. 45 GDPR, as Intercom Inc. is certified in accordance with the EU-US Data Privacy Framework. Insofar as the data transfers are not based on an adequacy decision of the EU Commission, the standard data protection clauses of the EU Commission pursuant to Art. 46 (2) lit. c) GDPR have been agreed in each case. 

    4. We have concluded a data processing agreement with Intercom so that the data is only processed in accordance with our instructions and on our behalf. Intercom processes the data to provide the contact options and the support tool, for security purposes (e.g. investigation of security incidents) and to comply with legal regulations. Further information on data processing at Intercom can be found at: https://www.intercom.com/legal/privacy#how-and-why-we-use-your-personal-data.

    5. The legal basis for the storage and processing of personal data when using Intercom is Art. 6 (1) lit. b) GDPR, insofar as your request is in connection with the initiation or execution of a contract with us. Otherwise, this storage and processing takes place on the basis of Art. 6 (1) lit. f) GDPR, whereby our legitimate interest is the processing of your request. The legal basis for the use of cookies in connection with the use of Intercom is Section 25 (2) No. 2 TDDDG.

  11. PostHog analysis tool

    1. On this website, we use the PostHog analysis tool to analyze and check the use of our website. We can use the statistics obtained to improve our offer and make it more interesting for you as a user. The tool is offered by PostHog, Inc, 2261 Market Street #4008, San Francisco, CA 94114, USA ("PostHog").

    2. For these purposes, the service records, among other things, from which third-party website you have reached our site (so-called referrer URL), information on the access time and the location from which an access originated, your language settings as well as which parts of our website you access and how often and for how long you have viewed a particular part of our website. We collect this information primarily with the help of cookies set by PostHog. The cookies are stored for a maximum period of 2 years and then automatically deleted. In addition, your IP address is recorded to ensure the security of the service and to provide us as the website operator with information about the country, region or location from which the respective user originates.

    3. The information collected is transmitted to us via our (self-hosted) servers. We use PostHog as a so-called "on-premise" solution, so that all data collected is only transmitted to us, but not to PostHog. The data is not shared with third parties. We do not use the information transmitted by PostHog to identify you. We also cannot associate the information collected by PostHog with your user account, as it is only sent to a (self-hosted) server that is separate from the other Oxolo service servers on which the user accounts are hosted. We also do not store any IP addresses collected by PostHog.

    4. The data collected is used exclusively to compile statistical reports on the use of our website. The use of cookies and further data processing by PostHog is based on your consent in accordance with Section 25 (1) TDDDG and Art. 6 (1) lit. a) GDPR. Any consent given can be freely revoked at any time with effect for the future. Consent is obtained in our cookie banner and can also be revoked there.

  12. Analysis tool Google Analytics

    1. With your consent, Google Analytics 4, a web analysis service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google") is used for the purpose of designing the website to meet your needs, measuring its reach and analyzing the general usage behavior of users on the website.

    2. Google Analytics uses cookies (see above for details on cookies), which contain an individual ID of the user, to record user interactions on our website. In addition to user interactions on our website, Google Analytics also collects technical data, in particular the IP address of the end device, in order to ensure the security of the service and to provide us as the operator of the website with information about the country, region or location from which the website is used (so-called "IP location determination"). We have activated the IP anonymization offered by Google on this website. This means that your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area prior to use and further transmission. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The cookies are stored for a maximum period of 2 years and then automatically deleted.

    3. The information generated by the cookie (including your IP address) will be transmitted to and stored by Google on computers in third countries such as the USA. Insofar as data is transmitted to Google's US company (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, hereinafter "Google LLC"), this data transmission is based on Art. 45 GDPR, as Google LLC is certified under the EU-US Data Privacy Framework. 

    4. Google processes the information collected through the use of cookies on our behalf to evaluate your use of the website, to compile reports on website activity and to provide us with other services relating to website activity and internet usage. 

    5. Google also processes the aforementioned data collected via Google Analytics for its own purposes in accordance with its own privacy policy. The data may be stored by Google in user profiles and processed, for example, to improve products, to develop new products, to measure the effectiveness of certain advertising and market research and to personalize content and advertisements. If you are logged in to Google, your data will be assigned directly to your user account. If you do not wish to be associated with your Google user account, you must log out before activating Google Analytics. We have no influence on the further processing of your data by Google. You can find further information on the use of data by Google on the Google website: 

    6. The use of cookies and further data processing by Google Analytics is based on your consent in accordance with Section 25 (1) TDDDG and Art. 6 (1) lit. a) GDPR. Any consent given can be freely revoked at any time with effect for the future. Consent is obtained in our cookie banner and can also be revoked there.

  13. Marketing tool Google Ads

    1. We use the Google Ads service to display personalized advertisements in search engines and on the pages of Google and its partners ("Google advertising network"). Google Ads is offered by Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland ("Google").

    2. The advertising material is delivered by Google via so-called "ad servers". For this purpose, we and other websites use so-called ad server cookies, through which certain parameters for measuring success, such as the display of ads or clicks by users, can be measured. We can obtain information about the success of our advertising campaigns via the Google Ads cookies stored on our website. These cookies are not intended to identify you personally. As a rule, a (pseudonymous) cookie ID, information on the advertisements played (so-called impressions) and opt-out information (marking that a user no longer wishes to be addressed) are stored for this cookie. 

    3. Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We ourselves do not independently collect personal data in the aforementioned advertising measures, but only provide Google with the opportunity to collect the data. As part of this advertising service, Google independently selects which advertising is displayed to which user in the Google advertising network. We do not have any options for issuing instructions or any more precise influence on this selection. When ordering the advertisements, we can only make rough restrictions in advance as to where advertising may potentially be displayed by means of a few pre-setting options specified by Google. In this respect, we have no influence on Google's data processing. We only receive statistical evaluations from Google that provide information about which ads were clicked on how often and at what prices. We do not receive any further data from the use of advertising media; in particular, we cannot identify users on the basis of this information. Further information on data processing by Google can be found above in this privacy policy (section 12) and in Google's privacy policy at: https://policies.google.com/privacy.

    4. We use Google Ads with the additional application "Google Conversion Tracking". This is a procedure with which we can check the success of our advertising campaigns. When using Google Ads, each Ads customer (i.e. each website operator like us) receives a different "conversion cookie", which we can use to determine how a user interacts after clicking on the advertisements and whether one of our services is actually used. The information collected with the help of the cookie is used to create so-called conversion statistics for our website. This refers to an evaluation of previously defined actions that a user has carried out on the website. Google tells us the total number of users who clicked on an ad and were redirected to a page with a conversion tracking tag. However, we do not receive any information with which users can be personally identified. 

    5. We use Google Ads with the additional application "Google Remarketing". This process enables us to address you again with our advertising when you continue to use the Internet. For this purpose, Google Remarketing analyzes your user behavior on our website (e.g. click on certain products) in order to classify you into certain advertising target groups and then display suitable advertising messages to you when you visit other online offers. The advertising target groups created with Google Remarketing can also be linked to Google's cross-device functions. In this way, interest-based, personalized advertising messages that have been adapted to you depending on your previous usage and surfing behavior on one end device (e.g. cell phone) can also be displayed on another of your end devices (e.g. tablet or PC).

    6. We have also linked Google Ads with Google Analytics 4 so that the (aggregated) statistical data from Google Ads and Google Analytics can be imported into the other tool. In particular, this enables us to carry out extended conversion tracking. For this purpose, the events recorded in Google Analytics are linked to our advertising measures carried out via Google Ads and statistically evaluated as further conversions. From the statistical information obtained, we can draw (additional) conclusions about the success of our advertising measures, i.e. we can measure conversions even if the user has not (yet) been redirected to a page with a conversion tracking tag.

    7. We only use Google Ads and Google Conversion Tracking if you have given your consent to this. The legal basis for the use of cookies described above is therefore Section 25 (1) TDDDG and for the subsequent data processing in this context Art. 6 (1) lit. a) GDPR. You can revoke your consent at any time with effect for the future. Please make the appropriate settings via our cookie banner.

  14. Use of other marketing tools (Meta, LinkedIn, X, TikTok, Hyros)

    1. Purpose of data processing: We want to show our users advertising content that is as interest-based and relevant to them as possible. To do this, we need to understand what content offered on our website is of interest to individual users and how successful our previous advertising measures have been. To determine this, in addition to Google Ads (see section 13), we use other so-called "marketing" tools that make it possible:

      • to record visitor behavior on the website (e.g. clicks on certain links and offers; access to certain sub-websites) and, if necessary, to evaluate it in advertising profiles (so-called "tracking"), 

      • to display targeted personalized advertising (e.g. previously viewed content) to users on other websites or social media platforms (e.g. Facebook, LinkedIn) (so-called "retargeting"),

      • to track the user's interactions with our advertising measures (e.g. click on the advertisement) and thereby measure the success of the advertising measures (so-called "conversion tracking").

      The marketing tools are therefore used to display personalized advertising and measure the effectiveness of our advertising measures. The advertising is displayed in the LinkedIn and Facebook advertising networks.

    2. Meta Pixel

      The website uses the so-called Meta Pixel (formerly Facebook Pixel) from Meta Inc. (formerly Facebook), Hacker Way, Menlo Park, CA 94025, USA ("Meta"). By integrating the Meta Pixel on our website, we can display our advertising measures ("Facebook Ads") to users of our website and the Facebook social network and measure and evaluate their success. Among other things, marketing cookies are set on our website for this purpose, which are stored for a maximum of 180 days and then automatically deleted.

    3. LinkedIn Pixel

      The website uses the so-called LinkedIn Pixel (or LinkedIn Insight Tag) of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn"). The integration of this JavaScript tag enables us to display and measure personalized advertising as described above when users visit the LinkedIn social network or other websites that have also integrated the LinkedIn advertising network. Among other things, marketing cookies are set on our website for this purpose, which are stored for a maximum of 6 months and then automatically deleted. 

      The deactivation of the LinkedIn Insight tag and other advertising objections are possible in the settings for advertisements at www.linkedin.com/help/linkedin/answer/62931?trk=microsites-frontend_ and additionally at www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

    4. X Pixel

      The website uses the so-called X Pixel of Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland ("Twitter"). By integrating the X Pixel on our website, we can display our advertising measures to users of our website and the social network X and measure and evaluate their success. For this purpose, among other things, marketing cookies are set on our website, which are stored for a maximum of 2 years and then automatically deleted.

    5. TikTok Pixel

      The website uses the so-called TikTok Pixel of TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, EC1A 9HP, United Kingdom (together "TikTok"). Both companies are jointly responsible for data processing. By integrating the TikTok pixel on our website, we can display our advertising measures to users of our website and the TikTok social network and measure and evaluate their success. For this purpose, among other things, marketing cookies are set on our website, which are stored for a maximum of 6 months and then automatically deleted.

    6. Hyros Pixel

      The website uses the Hyros Pixel from Hyros Inc., 13359 N Highway 183 Ste 406 # 2008, Austin, TX 78750, USA. The purpose of integrating the Hyros Pixel on our website is to enable us to analyze your user interactions on websites and in apps and to use the statistics and reports obtained to improve our offer and make it more interesting for you as a user. Hyros is linked to our sponsored advertisements (e.g. Facebook ads). This enables us to display our advertising measures to users of our website and to measure and evaluate their success. For this purpose, among other things, marketing cookies are set on our website, which are stored for a maximum of 6 months and then automatically deleted.

    7. Data processing by the providers of the marketing tools

      By integrating the above marketing tools, your browser automatically establishes a direct connection with the server of the respective provider. The respective provider is solely responsible for processing the transmitted data for the purposes described. The providers therefore decide independently on the specific advertising displayed. In this respect, we can only make rough restrictions in advance as to which user categories our advertising can potentially be displayed to when ordering the advertising on the basis of some pre-settings defined by the provider of the marketing tool.

      We have no influence on the scope and further use of the data collected through the use of these marketing tools. We therefore inform you according to our level of knowledge: By integrating the respective tool on our website, the respective provider receives information about your activities on our website or in connection with our advertising (e.g. the information that you have called up the corresponding website of our Internet presence or clicked on an advertisement from us), your IP address, date and time of the activity and information about your end device. The data may be stored by the respective provider in user profiles, on the basis of which the providers or third-party providers display personalized advertising, for example on third-party sites. In addition, the providers may also process the data, for example, to improve products, develop new products, measure the effectiveness of certain advertising and conduct market research. If you are registered with one of the services (Facebook, LinkedIn, X or TikTok), the respective provider may be able to assign the transmitted information to your account. Even if you are not registered with the service or have not logged in, it is possible that the respective provider will find out your IP address, time window and other identifying features and link them to the actions assigned to you.

      Further information on data processing by the providers can be found under the links below.

    8. Data transfer to third countries (in particular the USA)

      The information collected is stored on servers of the respective provider in countries outside the European Economic Area, including in the USA. Insofar as data is transferred to US companies of the providers (Meta Platforms Inc., LinkedIn Corporation and Hyros Inc., each based in the USA), this data transfer takes place on the basis of Art. 45 GDPR, as Meta Platforms Inc., LinkedIn Corporation and Hyros Inc. are each certified under the EU-US Data Privacy Framework. Insofar as the data transfers are not based on an adequacy decision of the EU Commission, the standard data protection clauses of the EU Commission pursuant to Art. 46 (2) lit. c) GDPR have been agreed in each case. These standard data protection clauses are intended to ensure that an adequate level of data protection is maintained in the third country.

    9. Legal basis

      We only use the above marketing tools if you have given your consent. The legal basis for the use of cookies (including pixels) described above is therefore Section 25 (1) TDDDG and for the subsequent data processing in this context Art. 6 (1) lit. a) GDPR. You can revoke your consent at any time with effect for the future. Please make the appropriate settings via our cookie banner.

  15. Dispatch and evaluation of our newsletter

    1. If you have given us your consent to receive our newsletter with information about Oxolo services and similar Oxolo products by e-mail, Oxolo will process your e-mail address and your name in order to send you the newsletter. You can subscribe to our newsletter using the form on our website. You can find more information on the content of the respective newsletter in the declaration of consent or in the newsletter registration form.

    2. We use the so-called double opt-in procedure to subscribe to our newsletter. This means that after you have registered, we will send you an e-mail to the e-mail address provided, in which we ask you to confirm that you are the owner of the e-mail address provided and that you wish to receive the notifications. If you do not confirm your registration, your data will be automatically deleted after one month. In addition, we store the IP address of your device used at the time of registration and confirmation as well as the date and time of registration or confirmation in order to be able to prove your registration and, if necessary, to clarify any possible misuse of your e-mail address.

    3. We evaluate the use of the newsletter e-mails (e.g. opening rate, clicks) to improve the newsletter content with the help of so-called tracking pixels. Using the embedded tracking pixel, we can recognize whether and when a newsletter email was opened and which links in the email were clicked on. By analyzing this information, we can draw conclusions about the recipients' interest in our newsletter content and improve and develop the newsletter accordingly. 

    4. The legal basis for the processing of your data as described above in the context of sending the newsletter is your consent pursuant to Art. 6 (1) lit. a) GDPR. The use of tracking pixels to measure newsletter usage is also based on your consent in accordance with Section 25 (1) TDDDG. You can revoke your consent at any time freely and with effect for the future, for example by unsubscribing from the newsletter by clicking on the unsubscribe link at the end of each newsletter e-mail. We will only store your data for this purpose for as long as the newsletter subscription is active.

  16. Google Fonts

    1. We use so-called web fonts from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google") to display fonts. This enables us to optimize the textual design of the website and make it as user-friendly as possible. For this purpose, your browser loads the required web font into your browser cache when you access our website in order to be able to display our texts in a visually improved way. If your browser does not support this function, a standard font will be used by your computer for display.

    2. We host Google Fonts on our own local server within the European Economic Area, where the fonts integrated on our website are also stored. By integrating the service, no data is therefore transmitted from you to Google.

    3. The legal basis for the use of Google Fonts and the associated data processing by us is Art. 6 (1) lit. f) GDPR. In this respect, we have a legitimate interest in optimizing the website and creating the best possible user-friendliness.

  17. Google Tag Manager

    1. We use the "Google Tag Manager" on our website, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Tag Manager enables us to manage website tags via an interface. Google Tag Manager, which implements the tags, is a cookie-free domain and does not itself collect any personal data. Google Tag Manager triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If deactivation has been carried out at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager.

    2. Further information on data protection can be found on the following Google websites:

  18. Our presence on social networks

    1. We have appearances (so-called "fan pages") on the following social networks and providers:

    2. We use the technical platform and services of the providers to operate the respective fan page. We would like to point out that you use our fan pages on social networks and their functions on your own responsibility. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating). When you visit our fan pages, the social network providers collect certain technical data (including the IP address of your end device) and other information that is stored on your end device in the form of cookies. This information is used to provide us, as the operator of the fan pages, with statistical information about the interaction with our fan pages.

    3. We have no influence on and no precise knowledge of how the providers process the data from visits to our fan page and from interactions with our posts for their own purposes, how long this data is stored and whether the data is passed on to third parties. Data processing may differ depending on whether you are registered and logged in to the social network or whether you visit the page as a non-registered and/or non-logged-in user. When you access the fan page or a post, the IP address assigned to your end device is transmitted to the provider of the respective social network. If you are currently logged in to the social network, a cookie on your device can be used to track how you have moved around the network. Buttons integrated into websites enable the platforms to record your visits to these websites and assign them to your respective profile. This data can be used to tailor content or advertising to you. If you wish to avoid this, you should log out or deactivate the "stay logged in" function, delete the cookies on your device and restart your browser. Please also note that the data collected about you in this context may be transferred to countries outside the European Economic Area (EEA), in particular the USA, by the respective provider of the social network and processed there. 

    4. Further information on data processing by the providers of the social networks, including any data transfer to third countries, can be found in the data protection information of the respective provider linked above. There you will also find information about contact options and the settings options for advertisements.

    5. We operate our fan page in the respective social network in order to communicate with the users active there and to be able to provide the latest news. We process the data from your use of the fan page that you provide to us and that require interaction. For example, if you ask us a question via a fan page, we process your information in order to answer your query properly. When you visit our fan pages on Facebook and LinkedIn, the respective social network providers also process personal data in order to provide us with statistics and insights into the use of our fan pages. The statistics help us to adapt our fan pages according to user needs and thus to continuously optimize them, which can also be done for market research and advertising purposes. We only receive statistical reports that do not allow us to identify individual users of the social network or draw conclusions about them. The processing of data for statistical purposes is carried out by us and the providers of the social network under joint responsibility in accordance with Art. 26 GDPR. We have regulated the conditions and obligations as joint controllers with the providers in an agreement, which is available at https://de-de.facebook.com/legal/terms/page_controller_addendum (Facebook) or https://legal.linkedin.com/pages-joint-controller-addendum (LinkedIn). 

    6. The aforementioned data processing by us serves to safeguard our legitimate interests in the operation of a fan page on the respective social network, communication and interaction with the users of this social network and the evaluation of user interactions to improve the fan page. The data processing is therefore based in each case on Art. 6 (1) lit. f) GDPR. 

    7. To exercise your rights as a data subject, you can contact us or the provider of the respective social network. If one party is not responsible for responding or must receive the information from the other party, we or the provider will then forward your request to the respective partner. Please contact the respective provider of the social network directly if you have any questions about the profiling and processing of your data when using the fan page. If you have any questions about the processing of your interaction with us on our fan page, please write to the contact details provided by us above.

  19. Disclosure of personal data

    1. Your personal data will only be passed on to other third parties with your express consent. The only exceptions to this are transfers to our service providers listed above or technical service providers that we require to provide the offer or this website and have commissioned accordingly (e.g. technical service providers or hosting services). The service providers process this data exclusively on our behalf in accordance with our instructions and we have concluded corresponding agreements with these service providers for data processing in accordance with Art. 28 GDPR. Before passing on your personal data, we naturally ensure that the service providers have taken the necessary technical and organizational measures to ensure an appropriate level of protection. The scope of the data transfer is limited to the minimum necessary in each case.

    2. In individual cases, data may also be transmitted to the following recipients: 

      • To our partners or third parties, insofar as the transmission of the data is necessary for the initiation or execution of a contract to be concluded or concluded with you in accordance with Art. 6 (1) lit. b) GDPR.

      • To state institutions and authorities entitled to receive information, insofar as we are obliged to provide information within the scope of the statutory information obligations or by a court or official decision. In this case, the disclosure of your data is required by Art. 6 (1) lit. c) GDPR to fulfill a legal obligation to which we are subject.

      • To lawyers and/or external consultants, insofar as this is necessary for the assertion, exercise or defense of legal claims and there is no reason to assume that the data subject has an overriding interest worthy of protection in not disclosing their data. In this case, the data is passed on on the basis of Art. 6 (1) lit. f) GDPR to safeguard our legitimate interest, which consists in the assertion, exercise or defense of legal claims.

  20. Protection of your data and storage duration

    1. We have taken appropriate technical and organizational measures to protect your personal data from unauthorized access, use or disclosure and ensure that any personal data is kept in a controlled, secure environment in which unauthorized access is prevented as far as possible.

    2. We only process your personal data for as long as is necessary to achieve the purpose of the processing. As soon as the purpose of the processing no longer applies, we will delete your data immediately, unless there are legitimate reasons within the meaning of the applicable legal regulations (e.g. Art. 17 (3) GDPR), such as in particular legally prescribed retention periods, to prevent deletion. In this case, the data will be deleted immediately after the retention period has expired. 

    3. Data that we process on the basis of your consent will be deleted immediately after you withdraw your consent, unless statutory regulations prevent deletion.

  21. Your rights 

    1. As a person affected by data processing, you have the following rights - in each case under the legal requirements and to the extent permitted by law. You have the right

      • to obtain information about the processing of your personal data (Art. 15 GDPR);

      • to demand the immediate rectification of incorrect personal data concerning you and/or the completion of incomplete personal data (Art. 16 GDPR);

      • to demand the erasure of personal data concerning you without undue delay (Art. 17 GDPR);

      • to demand the restriction of data processing concerning you (Art. 18 GDPR);

      • to receive the personal data concerning you, which you have provided, in a structured, machine-readable format and to transmit those data to another controller (Art. 20 GDPR);

      • to object, on grounds relating to your particular situation, to the processing of personal data concerning you, provided that the processing is based on a legitimate interest; if your data is used for the purpose of direct marketing, you have the right to object at any time (Art. 21 GDPR);

      • to withdraw your consent to data processing at any time without affecting the lawfulness of data processing based on consent before its withdrawal (Art. 7 (3) GDPR);

      • to complain to a supervisory authority about the processing of your data (Art. 77 GDPR). 

    2. Please send your request to gdpr@oxolo.com or call us on + 49 40-228 529 48.

  22. Miscellaneous

    1. We do not use automated decision-making in accordance with Art. 22 (1) and (4) GDPR, i.e. we do not use web-based systems to create user profiles and make automated decisions based on them with legal effect or similar detriment to you.

    2. You are not contractually or legally obliged to provide personal data on the website or in connection with other Oxolo services. However, the Oxolo services cannot be used without the provision of certain data. For example, the website cannot be used without the provision of log data (see section 3.1), the himala software cannot be used without registering a user account (see section 4.1).

    3. If you have any further questions that have not been answered by this privacy policy or would like more detailed information on individual points, please feel free to contact us at any time using the contact details given at the beginning.

  23. Subject to change

    We reserve the right to change the measures and specifications described here - within the framework of the existing legal regulations - insofar as this is indicated, e.g. due to new technical developments or changes in jurisdiction or our business operations. We therefore ask you to always observe the current version of this privacy policy.