Data Privacy Statement

Last update: October 2021

1. Introduction

With the following data protection declaration, we would like to inform you of the types of your personal data we process, for what purposes and to what extent. The data protection declaration applies to all processing of personal data carried out by us, both as part of the provision of our service and on our websites, in mobile applications and within external online presences, such as our social media profile. The provisions of our data protection declaration listed here apply without restriction to all CI-HUB GmbH internet offers referenced here by word and internet link. 

2. Our full contact details in accordance with the European GDPR can be found at the end of this Privacy Statement. 

3. Processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects. 

Types of data processed according to consent and purpose of use 

  • Inventory data (e.g., names, addresses)
  • Content data (e.g., text input, photographs, videos)
  • Contact data (e.g., e-mail, telephone numbers)
  • Meta/communication data (e.g., device information, IP addresses)
  • Usage data (e.g., websites visited, interest in content, access times)
  • Contract data (e.g., subject matter of contract, term, customer category)
  • Payment data (e.g., bank details, invoices, payment history)

 Categories of data subjects

  • Employees (e.g., employees, applicants, former employees)
  • Business and contractual partners
  • Interested parties
  • Communication partners
  • Customers
  • Users (website visitors, users of our services) 

Purposes of processing

  • Evaluation of visits, events
  • Office and organizational procedures
  • Direct marketing
  • Interest-based and behavioral marketing
  • Contact requests and communication
  • Profiling (creation of user profiles)
  • Reach measurement (access statistics, recognition of returning visitors)
  • Security measures
  • Tracking (interest/behavior-based profiling, use of cookies you allow)
  • Contractual services, billing and services 
  • Administration and response to inquiries 


Applicable legal basis

In the following, we share the legal bases of the General Data Protection Regulation (GDPR) based on which we process personal data.

In addition to the regulations of the GDPR, the national data protection regulations in your or our country of residence and domicile apply. In the Federal Republic of Germany, this is the Federal Data Protection Act (BDSG). If, in addition, more specific legal bases are relevant in individual cases, we will inform you of these in the data protection declaration.

  • Consent (Art. 6 para. 1 p. 1 lit. a GDPR) – The data subject has given his/her consent to the processing of personal data relating to him/her for a specific purpose or purposes.
  • Performance of a contract and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b. GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures carried out at the data subject’s request.
  • Legal obligation (Art. 6 (1) p. 1 lit. c. GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR) – Processing is necessary to protect the legitimate interests of the controller or a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

4. Data security

In accordance with legal requirements, and considering the state of the art, implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, we secure our service with appropriate technical and organizational measures to ensure a level of protection for personal data appropriate to the risk.

During your visit to our website, we use the widespread SSL (Secure Sockets Layer) procedure in conjunction with the highest encryption level supported by your browser. As a rule, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is transmitted in encrypted form by the closed key or lock symbol displayed in the lower status bar of your browser.

We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments. 

5. Transfer and disclosure of personal data

During our processing of personal data, it may happen that the data is transferred to or disclosed to other bodies, companies, legally independent organizational units or persons. Recipients of this data may include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks or providers of additional services and content that are integrated into our service. In this case, we observe the legal requirements and conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data. 

Data transfer within the organization

Furthermore, we may transfer personal data to other companies within our organization or grant them access to this data. If this transfer is for administrative purposes, the transfer of the data is based on our legitimate business and operational interests or is done if it is necessary to fulfill our contract-related obligations or if there is a consent of the data subjects or a legal permission. 

6. Data processing in third countries

We try to avoid it, but insofar as we need to process data in a third country (outside the European Union, the European Economic Area) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies, or companies, this is only done in accordance with the legal requirements.

7. Cookie statement

Cookies are files that contain data from visited websites or domains and are stored by a browser on the user’s computer. A cookie is primarily used to store information about a user during or after his visit within an online offer. Stored information may include, for example, language settings on a website, login status, a shopping cart, or where a video was watched. We further include in the term cookies other technologies that perform the same functions as cookies, such as user IDs.

The following cookie types and functions are distinguished:

  • Temporary cookies (also: session cookies): temporary cookies are deleted at the latest after a user has left an online offer and closed his browser.
  • Permanent cookies: Permanent cookies remain stored even after the browser is closed. For example, the login status can be saved, or preferred content can be displayed directly when the user visits a website again. Likewise, the interests of users used for reach measurement or marketing purposes can be stored in such a cookie.
  • First-party cookies: First-party cookies are set by us.
  • Third-party cookies: Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
  • Necessary (also: essential or absolutely necessary) cookies: Cookies may be absolutely necessary for the operation of a website (e.g., to store logins or other user input or for security reasons).
  • Statistical, marketing and personalization cookies: Furthermore, cookies are generally also used in the context of reach measurement and when a user’s interests or behavior (e.g., viewing certain content, using functions, etc.) on individual websites are stored in a user profile. Such profiles are used, for example, to show users content that matches their potential interests. This process is also referred to as “tracking,” i.e., tracing the potential interests of users. To the extent that we use cookies or “tracking” technologies, we will inform you separately in our privacy policy or in the context of obtaining consent.

 

The legal basis on which we process your personal data using cookies depends on whether we ask you for consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is your declared consent (Art. 6 (1) p. 1 lit. a GDPR). Otherwise, the data processed with the help of cookies is processed based on our legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR) or if the use of cookies is necessary to fulfill our contractual obligations (Art. 6 para. 1 p. 1 lit. b GDPR).

Unless we provide you with explicit information about the storage period of permanent cookies, please assume that the storage period can be up to two years.

Depending on whether the processing is based on consent or legal permission, you have the option at any time to revoke any consent given or to object to the processing of your data by cookie technologies. You can initially declare your objection by means of your browser settings by deactivating the use of cookies. An objection to the use of cookies for online marketing purposes can also be declared by means of a variety of services, especially in the case of tracking.

Before we process or have processed data in the context of the use of cookies, we ask users for consent that can be revoked at any time. Until consent has been given, we use at most those cookies that are necessary for the operation of our online offer. Their use is based on our interest and the interest of users in the expected functionality of our online offer.

  • Types of data processed: Usage data (e.g., web pages visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR). 

8. Services

We process data of our contractual and business partners and interested parties in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractually to respond to inquiries). We process this data to fulfill our contractual obligations, to secure our rights and for the purposes of the administrative tasks associated with this information as well as for business organization. Within the framework of the applicable law, we only pass on the data of the contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or for the fulfillment of legal obligations or with the consent of the contractual partners (e.g. to participating telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). You will be informed about further forms of processing below in this declaration. We inform the contractual partners in each case which data is required for the aforementioned purposes before or as part of the data collection.

We delete the data after the expiry of legal warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal archiving reasons (e.g., for tax purposes generally 10 years). We delete data disclosed to us by the contractual partner as part of an order in accordance with the specifications of the order, generally after the end of the order.

If we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms shall apply in the relationship between the users and the providers. 

9. Customer account/User account

Contractual partners can create an account within our online offer upon request (e.g. customer or user account). Customer accounts are not public, are protected, and cannot be indexed by search engines. Within the scope of registration and subsequent logins and uses of the customer account, we store the IP addresses of the customers along with the access times in order to prove the registration and to prevent any misuse of the customer account. If customers have terminated their customer account, the data relating to the customer account will be deleted, subject to their retention being required for legal reasons. It is the responsibility of the customer to back up their data upon termination of the customer account.

10. Offering of software, platform, and services

We process the data of our users, registered users, and any demanders (users) to be able to provide our contractual services to them as well as on the basis of legitimate interests in order to ensure the security of our offer and to be able to develop it further. The required information is identified as such in the context of the order, purchase order or comparable contract conclusion and includes the information necessary for the provision of services and billing as well as contact information to be able to hold any consultations.

  • Types of data processed: inventory data (e.g., names, addresses, as well as via Okta Inc.), payment data (via Paddle.com), contact data (e.g., email, phone numbers), contract data (e.g., subject matter of contract, term, customer category, as well as via Okta Inc.), usage data (via Okta Inc.), meta/communication data (e.g., device information, IP addresses).
  • Data Subjects: Prospective customers, business and contractual partners, customers.
  • Purposes of processing: contractual performance and service, contact requests and communication, office and organizational procedures, administration and response to requests, security measures
  • Legal basis: contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), Legal obligation (Art. 6 para. 1 p. 1 lit. c. GDPR), Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR). 

11. Use of online platforms

We offer our services on online platforms operated by other service providers. In this context, the data protection notices of the respective platforms apply in addition to our data protection notices. This applies in particular regarding the reach measurement and interest-based marketing methods used on the platforms.

  • Types of data processed: inventory data (names, addresses), contact data, content data (text entries, photographs, videos), usage data, meta/communication data.
  • Data subjects: Customers
  • Purposes of processing: Contractual performance and service
  • Legal basis: contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR). 

12. Payment service providers

In the context of contractual and other legal relationships, due to legal obligations or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and use other payment service providers for this purpose in addition to banks and credit institutions.

The data processed by the payment service providers may include inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as the contract, total and recipient-related information. The information is required to carry out the transactions necessary for contractual fulfillment. However, the data entered is only processed by the payment service providers and stored with them. We only receive a confirmation or a negative notice of the payment, i.e., no personal information. Under certain circumstances, the data is transmitted by the payment service providers to credit agencies. This transmission is for the purpose of checking identity and creditworthiness. In this regard, we refer to the terms and conditions and data protection notices of the payment service providers.

For payment transactions, the terms and conditions and data protection notices of the respective payment service providers apply, which can be accessed within the respective websites or transaction applications. We also refer to these for the purpose of further information and assertion of revocation, information, and other data subject rights.

  • Types of data processed: inventory data (names, addresses), contact data, content data (text entries, photographs, videos), usage data, meta/communication data.
  • Data subjects: Customers, interested parties
  • Purposes of processing: Contractual performance and service
  • Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).


We currently use Paddle.com Market Limited, 15 Briery Close, Great Oakley, Corby, Northamptonshire, NN18 8JG, United Kingdom, exclusively as another payment service provider. Data protection information and general terms and conditions of Paddle Ltd. can be found at https://paddle.com/gdpr and https://paddle.com/privacy

13. Providing the service and web hosting

To provide our Service securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the Service can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services.

The data processed as part of the provision of the hosting service may include all information relating to the users of our service, which is generated during use and communication. This regularly includes the IP address, which is necessary to provide the content of our services, and all entries made within our services or from websites, as well as the metadata packages for the use of our services.

  • Types of data processed: inventory data (names, addresses), contact data, content data (text inputs, photographs, videos), usage data, meta/communication data.
  • Data subjects: Customers, employees (e.g., employees, applicants, former employees), prospective customers, communication partners.
  • Purposes of processing: office and organizational procedures
  • Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).


We use the following third-party providers for this purpose:

  • Microsoft Cloud Services: cloud storage services; service providers: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://microsoft.com/de-de; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security Notice: https://www.microsoft.com/de-de/trustcenter; Privacy Shield (ensuring level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000KzNaAAK&status=Active.
  • Amazon Web Services: Cloud service; service provider: Amazon Web Services Europe S.à.r.l., 38, avenue John F. Kennedy, L-1855 Luxembourg, and Amazon Web Services, 2021 Seventh Ave, Seattle, Washington 98121, USA, (collectively AWS), parent company: Amazon.com, Inc, 2021 Seventh Ave, Seattle, Washington 98121, USA; website: https://www.amazon.de; privacy policy: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice-GERMAN_2020-01-24.pdf ; Privacy Shield (guaranteeing the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4&status=Active.

14. Collection of access data and log files

We ourselves (or our web hosting provider) collect data on each access to the server (so-called server log files). The server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.

  • Types of data processed: inventory data (names, addresses), contact data, content data (text input, photographs, videos), usage data, meta/communication data.
  • Data subjects: Users (e.g., website visitors, users of our service).
  • Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR). 

15. Registration, login, user, and user account

Users can create a user account. As part of the registration process, users are informed of the required mandatory information, which is processed for the purpose of providing the user account on the basis of fulfilling contractual obligations. The processed data includes the login information (name, password as well as an e-mail address). The data entered during registration is used for the purposes of the user account and its intended use.

If users have terminated their user account, their data regarding the user account will be deleted, subject to any legal obligation to retain such data. It is the responsibility of users to back up their data upon termination prior to the end of the contract. We are entitled to irretrievably delete all user data stored during the term of the contract.

Within the scope of the use of our registration and login functions as well as the use of the user account, we or the third-party provider Okta Inc. store the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as those of the users in protection against misuse and other unauthorized use. As a matter of principle, this data is not passed on to other third parties unless it is necessary for the prosecution of our claims or there is a legal obligation to do so.

  • Types of data processed: inventory data (names, addresses), contact data, content data (text entries, photographs, videos), usage data, meta/communication data.
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: contractual performance and service, security measures, administration, and response to inquiries
  • Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).


We currently use Okta Inc., 301 Brannan Street, San Francisco, CA 94107, United States, for registration, login, and user account management. Privacy Notice and Terms and Conditions: https://trust.okta.com/security, as well as https://www.okta.com/privacy-policy/.

16. Contacting us

When contacting us (via contact form, email, telephone or via social media), the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures. The response to contact inquiries in the context of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to respond to (pre)contractual inquiries and otherwise on the basis of legitimate interests in responding to the inquiries.

  • Types of data processed: inventory data (names, addresses), contact data, content data (text input, photographs, videos), usage data, meta/communication data.
  • Data subjects: Communication partners
  • Purposes of processing: contact inquiries and communication, administration, and response to inquiries
  • Legal basis: contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), Legitimate Interests (Art. 6 para. 1 p. 1 lit. f. GDPR).


We currently additionally use the third-party service of HubSpot Inc., 25 First Street, Cambridge, MA 02141, USA for communication. The terms and conditions and data protection information of HubSpot Inc. can be found at https://www.hubspot.com/data-privacy/gdpr, https://legal.hubspot.com/privacy-policy and https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active.

17. Communication via Messenger

We use messengers for communication purposes and therefore ask you to observe the following information on the functionality of the messengers, on encryption, on the use of the metadata of the communication and on your objection options.

You can also contact us by alternative means, e.g. via telephone or e-mail. Please use the contact options provided to you or the contact options provided within our service.

However, we additionally point out to our communication partners that although the messenger providers cannot view the content, they can learn that and when communication partners communicate with us as well as process technical information about the device used by the communication partners and, depending on the settings of their device, also location information (metadata).

If we ask communication partners for permission before communicating with them via Messenger, the legal basis of our processing of their data is their consent. Otherwise, if we do not ask for consent and they contact us on their own initiative, for example, we use Messenger in relation to our contractual partners as well as in the context of contract initiation as a contractual measure and, in the case of other interested parties and communication partners, based on our legitimate interests in fast and efficient communication and meeting the needs of our communication partners in communicating via Messenger. Furthermore, we would like to point out that we do not transmit the contact data provided to us to the messengers for the first time without your consent.

You can revoke any consent given at any time and object to communication with us via Messenger at any time. In the case of communication via Messenger, we delete the messages in accordance with our general deletion guidelines (i.e., e.g., as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume to have answered any information provided by the communication partners, if no reference back to a previous conversation is to be expected and the deletion does not conflict with any legal retention obligations.

Finally, we would like to point out that for reasons of your security, we reserve the right not to answer inquiries via Messenger. This is the case if, for example, contractual internals require special confidentiality or an answer via Messenger does not meet the formal requirements. In such cases, we refer you to our other communication channels.

  • Types of data processed: contact data (e.g., e-mail, telephone numbers), usage data (e.g., websites visited, interest in content, access times), meta/communication data, content data (e.g., text input, photographs, videos).
  • Data subjects: Communication partner
  • Purposes of processing: contact requests and communication, direct marketing.
  • Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).


We currently use the service of HubSpot Inc., 25 First Street, Cambridge, MA 02141, USA for communication via Messenger. The General Terms and Conditions and data protection information of HubSpot Inc. can be found at https://www.hubspot.com/data-privacy/gdpr, https://legal.hubspot.com/privacy-policy and https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active.

18. Newsletters

We send newsletters, emails and other electronic notifications only with the consent of the recipients or a legal permission. If the contents of the newsletter are specifically described during a registration, they are decisive for the consent of the users. Apart from that, our newsletters contain information about our services and us. To subscribe to our newsletters, it is generally sufficient to provide your e-mail address. However, we may ask you to provide a name, for the purpose of personal address in the newsletter, or further information, if this is necessary for the purposes of the newsletter.

Double opt-in procedure: The registration for our newsletter is generally carried out in a so-called double opt-in process. In this context, you will receive an e-mail after registration in which you will be asked to confirm your registration. This confirmation is necessary so that no one can register with other e-mail addresses. The registrations for our newsletter are logged to be able to prove the registration process in accordance with the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Likewise, the changes to your data stored with the shipping service provider are logged. 

Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to be able to prove consent formerly given. The processing of this data will be limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the e-mail address in a blocking list for this purpose alone. The logging of the registration process takes place based on our legitimate interests for the purpose of proving its proper course. Insofar as we commission a service provider to send e-mails, this is done based on our legitimate interests in an efficient and secure dispatch system. Our newsletters are sent based on the recipients’ consent or, if consent is not required, based on our legitimate interests in direct marketing, if and insofar as this is permitted by law. If we commission a service provider to send e-mails, this is done based on our legitimate interests. The registration process is recorded based on our legitimate interests to prove that it has been carried out in accordance with the law.

The content of our newsletter is information about us, our services, promotions and offers. The newsletters contain a so-called “web beacon”, i.e., a pixel-sized file that is retrieved from the server of our dispatch service provider when the newsletter is opened. During this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of the retrieval, is initially collected. This information is used for the technical improvement of our newsletter based on the technical data or the target groups and their reading behavior based on their retrieval locations or access times. This analysis also includes determining whether the newsletters are opened, when they are opened, and which links are clicked. For technical reasons, this information can indeed be assigned to individual newsletter recipients. However, it is neither our intention nor that of the dispatch service provider to observe individual users. Rather, the evaluations serve us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The evaluation of the newsletter and the measurement of success are carried out, subject to the express consent of the users, based on our legitimate interests for the purpose of using a user-friendly as well as secure newsletter system, which serves both our business interests and meets the expectations of the users. Unfortunately, a separate revocation of the performance measurement is not possible; in that case, the entire newsletter subscription must be cancelled.

  • Types of data processed: inventory data (e.g., names, addresses), contact data (e.g., e-mail, phone numbers), meta/communication data (e.g., device information, IP addresses), usage data (e.g., web pages visited, interest in content, access times).
  • Data subjects: Communication partners.
  • Purposes of processing: direct marketing (e.g., by e-mail or postal mail).
  • Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a GDPR), Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
  • Opt-out: You can cancel the receipt of our newsletter at any time and thus revoke your consent or object to further receipt. You will find a link to cancel the newsletter either at the end of each newsletter or otherwise use one of the above contact options, preferably e-mail, for this purpose.


We use the newsletter service of HubSpot Inc., 25 First Street, Cambridge, MA 02141, USA for this purpose. The General Terms and Conditions and data protection information of HubSpot Inc. can be found at https://www.hubspot.com/data-privacy/gdpr, https://legal.hubspot.com/privacy-policy , api.hubspot.com , track.hubspot.com and https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active

19. Website analysis and optimization

Web analytics (also referred to as “reach analysis”) is used to evaluate the flow of visitors to our service offering and may include behavior, interests or demographic information about visitors as pseudonymous values. With the help of reach analysis, we can, for example, identify at what time our online service or its functions or content are most frequently used or invite re-use. Likewise, we can understand which areas need optimization. In addition to web analysis, we may also use test procedures, for example, to test and optimize different versions of our online offering or its components. For these purposes, so-called user profiles may be created and stored in a file (so-called “cookie”) or similar procedures with the same purpose may be used. This information may include, for example, content viewed, websites visited and elements used there, and technical information such as the browser used, the computer system used, and information on usage times. If users have consented to the collection of their location data, this may also be processed, depending on the provider.

The IP addresses of users are also stored. However, we use an IP masking procedure (pseudonymization by shortening the IP address) to protect users. Generally, in the context of web analysis, A/B testing and optimization, no clear data of the users (such as e-mail addresses or names) are stored, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

Notes on legal bases: If we ask users for their consent to use the third-party providers, the legal basis for processing data is consent. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this Privacy Policy.

  • Types of data processed: Usage data and usage times
  • Data subjects: Users (e.g., website visitors, users of our services).
  • Purposes of processing: reach measurement, tracking, visit action evaluation, profiling, interest-based and behavioral marketing.
  • Security Measures: IP masking
  • Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).


For this purpose, we use Google Analytics of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The general terms and conditions and data protection information for this service can be found at https://optimize.google.com; https://policies.google.com/privacy; https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active. The corresponding opt-out option for the opt-out plug-in can be found at https://tools.google.com/dlpage/gaoptout?hl=de and for the settings for the display of advertising content at https://adssettings.google.com/authenticated

20. Plug-Ins for Social Media

We maintain online presences within social networks and process user data in this context to communicate with users active there or to offer information about us. We point out that this may involve processing user data outside the area of the European Union. Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on the usage behavior and resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users’ computers, in which the usage behavior and interests of the users are stored. Furthermore, data may also be stored in the usage profiles regardless of the devices used by the users if the users are members of the respective platforms and log in to them with different devices. For a detailed presentation of the respective forms of processing and the options to object (opt-out), please refer to the data protection statements, and information provided by the operators of the respective networks.

  • Types of data processed: inventory data (e.g., names, addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g., text entries, photographs, videos), usage data (e.g., websites visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: contact requests and communication, tracking (e.g., interest/behavioral profiling, use of cookies), remarketing, reach measurement (e.g., access statistics, recognition of returning visitors).
  • Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).


We use the following third-party providers for this purpose:

  • Facebook: Social network; Service provider: Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Privacy Shield (guaranteeing the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active; Opt-out: Settings for advertisements: https://www.facebook.com/settings?tab=ads; Additional privacy notices: Agreement on joint processing of personal data on Facebook pages: https://www.facebook.com/legal/terms/page_controller_addendum, Privacy notices for Facebook pages: https://www.facebook.com/legal/terms/information_about_page_insights_data.
  • LinkedIn: social network; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; Privacy Shield (guaranteeing the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active; opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
  • Xing: Social network; service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; Website: https://www.xing.de; Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung

21. Design, organization, implementation and auxiliary tools

Based on our legitimate interests in the economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. GDPR, we use services, platforms, and software of others for purposes of organization, administration, planning as well as provision of our services. When selecting third-party providers and their services, we observe the legal requirements. In this context, personal data may be processed and stored on the servers of the third-party providers. This may involve various data that we process in accordance with this privacy policy. This data may include master data and contact data of users, data on transactions, contracts, other processes and their contents. If users are referred to the third-party providers or their software or platforms during communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization or marketing purposes. We therefore explicitly ask you to observe the data protection notices of the respective third-party providers.

If we ask users for their consent to use the third-party providers, the legal basis for processing data is consent. Furthermore, their use may be a component of our (pre)contractual services if the use of the third-party providers has been agreed within this framework. Otherwise, user data is processed based on our legitimate interests.

  • Types of data processed: inventory data (e.g., names, addresses), contact data, content data (text input, photographs, videos, etc.), meta/communication data.
  • Data subjects: Communication partners, users (e.g., website visitors, users of our services).
  • Purposes of processing: contact requests and communication
  • Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).


We use the following service providers for this purpose:

  • Microsoft Cloud Services: cloud storage services; service providers: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://microsoft.com/de-de; c.bing.com Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security Notice: https://www.microsoft.com/de-de/trustcenter
  • Privacy Shield (ensuring level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000KzNaAAK&status=Active.
  • Amazon Web Services: Cloud service; service provider: Amazon Web Services Europe S.à.r.l., 38, avenue John F. Kennedy, L-1855 Luxembourg, and Amazon Web Services, 2021 Seventh Ave, Seattle, Washington 98121, USA, (collectively AWS), parent company: Amazon.com, Inc, 2021 Seventh Ave, Seattle, Washington 98121, USA; website: https://www.amazon.de; privacy policy: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice-GERMAN_2020-01-24.pdf .
  • Okta Inc, 301 Brannan Street, San Francisco, CA 94107 United States. Privacy notice and terms and conditions available at https://www.okta.com/privacy-policy/ . 
  • HubSpot Inc, 25 First Street, Cambridge, MA 02141, United States. HubSpot Inc. terms and conditions and privacy information can be found at https://www.hubspot.com/data-privacy/gdpr , https://legal.hubspot.com/privacy-policy and https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active.
  • Paddle.com Market Limited, 15 Briery Close, Great Oakley, Corby, Northamptonshire, NN18 8JG, United Kingdom. Paddle Ltd. privacy notice and terms and conditions can be found at https://paddle.com/gdpr and https://paddle.com/privacy.

22. Erasure of personal data

The data processed by us will be deleted in accordance with the legal requirements as soon as the consents given for its processing are revoked or other permissions cease to apply (for example, the purpose of processing this data no longer applies or the need for it no longer exists). If the data is not deleted because it is required for other and legally permissible purposes, its processing is limited to these purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person. For more detailed information, please refer to the explanations in the respective sections of this privacy policy.

23. Rights of the data subject

You have the right: 

  • according to Art. 7 para. 3 GDPR, to revoke your consent once given to us at any time. This has the consequence that we may no longer continue the data processing, which was based on this consent, for the future;
  • in accordance with Art. 15 GDPR, to request information about your personal data processed by us;
  • pursuant to Art. 16 GDPR, to request without undue delay the rectification of inaccurate or incomplete personal data held by us;
  • pursuant to Art. 17 GDPR, to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims;
  • pursuant to Art. 18 GDPR, to request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defense of legal claims or you have objected to the processing pursuant to Art. 21 GDPR;
  • pursuant to Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common, and machine-readable format or to request the transfer to another controller; and
  • complain to a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our association headquarters for this purpose. The supervisory authority responsible for us is: The Brandenburg State Commissioner for Data Protection and for the Right to Inspect Files, Stahnsdorfer Damm 77, 14532 Kleinmachnow. 

Right to object

If your personal data is processed based on legitimate interests pursuant to Art. 6 (1) p. 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, for example, if there are grounds for doing so that arise from your situation. If you wish to exercise your right to object, an e-mail to info@ci-hub.com will suffice. The contact details of the controller are 

Name and address of the data controller: 

CI HUB GmbH 
Andreas Michalski 
Benkertstraße 4
14467 Potsdam
E-mail address: info@ci-hub.com  
Phone: + 49 172 6900970 
Domain: https://ci-hub.com/de/ 
Webhosting Provider: IONOS by 1&1 Internet SE located in 56410 Montabaur, Germany 

Contact data of the Data protection officer: 

Datenschutz Beinhold
Frank Beinhold 
Maximiliankorso 9
13465 Berlin
info@datenschutz-beinhold.de 

24. Topicality and change of this data protection statement

Due to the further development of our website and offers on it or due to changed legal or regulatory requirements, it may become necessary to change this privacy policy. We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification. You can access and print out the current data protection declaration on the website at any time.