Privacy Policy

This is an English courtesy translation. The German version is the legally binding document under the GDPR and German data protection law. In case of discrepancies, the German text prevails.

We are pleased that you are interested in our organisation. Protecting your personal data is especially important to our management. You can use our websites without disclosing personal data to us. However, should you wish to make use of our specific services via our websites, applications or social media pages, we may need to process your personal data. Where we wish to process data about you and cannot rely on another legal basis, we will always ask for your consent first (e.g. via a cookie banner).

We always comply with applicable data protection laws when handling your personal data (such as name, address, email or telephone number). With this privacy policy, we inform you about which data we process. You will also find information about your rights as a data subject.

We have implemented various technical and organisational measures to protect your data on our websites to the best of our ability. Nevertheless, there are always risks on the internet, and complete protection is not possible. You may therefore also submit your personal data to us by other means, such as by telephone, if you prefer.

This privacy policy serves to fulfil the obligations arising from the GDPR and to comply with the laws of the Member States of the European Union (EU) and the European Economic Area (EEA). It is also intended to support compliance with legal provisions such as the UK GDPR, the Swiss Federal Act on Data Protection and the Swiss Data Protection Ordinance (DSG, DSV), the California Consumer Privacy Act (CCPA/CPRA), and other global data protection regulations, and shall be interpreted accordingly.

1. Definitions

In this privacy policy we use specific terms from various data protection laws. We want our statements to be easy to understand and therefore explain these terms in advance.

a) Personal data – Any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) Data subject – Any identified or identifiable natural person whose personal data is processed by the controller, a processor, an international organisation or another data recipient.

c) Processing – Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d) Restriction of processing – The marking of stored personal data with the aim of limiting their processing in the future.

e) Profiling – Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

f) Pseudonymisation – The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

g) Controller – The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

h) Processor – A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

i) Recipient – A natural or legal person, public authority, agency or other body, to whom personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry are not regarded as recipients.

j) Third party – A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

k) Consent – Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Name and address of the controller

Controller within the meaning of the GDPR, other data protection laws applicable in the Member States of the European Union and the European Economic Area, UK data protection law, Swiss data protection law (DSG, DSV), California data protection law (CCPA/CPRA), Chinese data protection law (PIPL), and other international laws and provisions of a data protection nature is:

orgaloom GmbH

Marktplatz 4

85567 Grafing bei München, Germany

Phone: +49 8092 2621950

Email: muc@ai-transformation-camp.de

Website: muc.ai-transformation-camp.com

3. Collection of general data and information

Our websites record a series of general data and information every time they are accessed by a data subject or an automated system. This general data and information is stored in the server’s log files. What may be recorded includes: (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our websites (so-called referrer), (4) the sub-websites accessed via an accessing system on our websites, (5) the date and time of access, (6) an Internet Protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) other similar data and information used to avert dangers in the event of attacks on our IT systems.

When using this general data and information, we do not draw any conclusions about the data subject. This information is rather needed to (1) deliver the content of our websites correctly, (2) optimise the content of our websites and the advertising for them, (3) ensure the long-term operability of our IT systems and the technology of our websites, and (4) provide law enforcement authorities with the information necessary for prosecution in the event of a cyberattack. Data from the server log files is stored separately from any personal data provided by a data subject.

The purpose of processing is to avert danger and ensure IT security, as well as the aforementioned purposes. The legal basis is Art. 6 (1) (f) GDPR. Our legitimate interest is, in particular, the protection of our IT systems. Log files are deleted once the stated purposes have been achieved.

4. Contact options via the website and other data transmissions, and your consent

Our websites contain information that enables quick electronic contact with our organisation as well as direct communication with us, which also includes a general email address and, where applicable, a telephone number. If a data subject contacts us by email, via a contact form, via an input form or otherwise, the personal data transmitted by the data subject is automatically stored. Such personal data transmitted to us voluntarily by a data subject is processed for purposes of handling or contacting the data subject.

For the transmission, storage and processing of your contact data and enquiries and for contacting you, we obtain your consent pursuant to Art. 6 (1) (a) GDPR and Art. 49 (1) (1) (a) GDPR as follows:

By submitting your personal data, you voluntarily consent to the processing of the personal data you have entered or transmitted for the purposes of handling the enquiry and making contact. By transmitting your data to us, you also voluntarily give explicit consent pursuant to Art. 49 (1) (1) (a) GDPR to data transfers to third countries to and by the companies mentioned in this privacy policy and for the purposes stated, in particular to transfers to third countries for which there is or is not an adequacy decision of the EU/EEA, and to companies or other bodies that do not fall under an existing adequacy decision due to self-certification or other accession criteria, and in which or for which significant risks and no appropriate safeguards for the protection of your personal data exist (e.g. due to § 702 FISA, Executive Order EO12333 and the CloudAct in the USA). At the time of giving your voluntary and explicit consent, you were aware that third countries may not provide an adequate level of data protection and that your rights as a data subject may not be enforceable. You can withdraw your consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal. With a single action (entering and transmitting), you give several consents. These are consents under EU/EEA data protection law as well as under the CCPA/CPRA, ePrivacy and telemedia law, and other international regulations, which, among other things, are required as a legal basis for further planned processing of your personal data. By your action, you also confirm that you have read and acknowledged this privacy policy.

5. Routine erasure and restriction of personal data

We process and store personal data for the period necessary to achieve the purpose of processing, or as provided for by European directives or other legislators in laws or regulations to which we are subject, or for as long as a legal basis for processing exists.

If the purpose of processing ceases to apply, if a storage period required by European directives or another competent legislator expires, or if the legal basis for processing ceases to apply, the personal data will be routinely restricted or erased in accordance with statutory provisions.

6. Rights of the data subject under the GDPR

a) Right of confirmation – Every data subject has the right to obtain confirmation from the controller as to whether personal data concerning him or her is being processed. To exercise this right, you may contact us at any time.

b) Right of access – Every data subject has the right to obtain, free of charge, information about the personal data stored about him or her and a copy of this data. The data subject is also entitled to information about the purposes of processing, categories of personal data processed, recipients, storage duration, right to rectification or erasure, right to lodge a complaint, origin of data, and the existence of automated decision-making.

c) Right to rectification – Every data subject has the right to request the immediate rectification of inaccurate personal data concerning him or her.

d) Right to erasure (right to be forgotten) – Every data subject has the right to have the personal data concerning him or her erased without delay, provided that the processing is no longer necessary, consent has been withdrawn, the data subject objects, the data has been processed unlawfully, or erasure is required to comply with a legal obligation.

e) Right to restriction of processing – Every data subject has the right to request the restriction of processing if the accuracy of the data is contested, the processing is unlawful, the data is no longer needed but required by the data subject to assert legal claims, or an objection has been lodged.

f) Right to data portability – Every data subject has the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format, and to transmit that data to another controller.

g) Right to object – Every data subject has the right, on grounds relating to his or her particular situation, to object at any time to the processing of personal data based on Art. 6 (1) (e) or (f) GDPR. This also applies to profiling based on these provisions. In particular, you have the right to object at any time to the processing of your personal data for direct marketing purposes.

h) Automated individual decision-making, including profiling – Every data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision is necessary for the conclusion or performance of a contract, is authorised by Union or Member State law, or is based on the data subject’s explicit consent.

i) Right to withdraw consent – Every data subject has the right to withdraw consent to the processing of personal data at any time.

To exercise any of these rights, please contact us at any time using the details in section 2.

7. General purpose of processing, categories of data processed and categories of recipients

The general purpose of processing personal data is the handling of all transactions affecting the controller, customers, prospects, business partners, or other contractual or pre-contractual relationships between the named groups (in the broadest sense), or legal obligations of the controller. This general purpose applies where no more specific purposes are stated for a concrete processing operation.

The categories of personal data we process are customer data, prospect data, employee data (including applicant data) and supplier data. The categories of recipients of personal data are public bodies, external bodies, internal processing, intra-group processing and other bodies.

A list of our processors and data recipients in third countries as well as, where applicable, international organisations is either published on our website or can be requested free of charge from us.

8. Legal bases for processing

Art. 6 (1) (a) GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If processing is necessary for the performance of a contract to which the data subject is party, processing is based on Art. 6 (1) (b) GDPR. The same applies to processing necessary for pre-contractual measures. If we are subject to a legal obligation requiring the processing of personal data, such as tax obligations, processing is based on Art. 6 (1) (c) GDPR.

In rare cases, processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be based on Art. 6 (1) (d) GDPR.

Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, the legal basis is Art. 6 (1) (e) GDPR.

Finally, processing may be based on Art. 6 (1) (f) GDPR. Processing operations that are not covered by any of the aforementioned legal bases are based on this legal basis if processing is necessary for the legitimate interests of our organisation or a third party, provided that the interests, fundamental rights and fundamental freedoms of the data subject do not override those interests.

9. Legitimate interests pursued by the controller or a third party, and direct marketing

Where processing of personal data is based on Art. 6 (1) (f) GDPR and no more specific legitimate interests are stated, our legitimate interest is the conduct of our business for the benefit of our staff and shareholders.

We may send you direct marketing about our own goods or services that are similar to the goods or services you have requested, ordered or purchased. You may object to direct marketing at any time (e.g. by email) at no additional cost beyond transmission costs at basic rates.

10. Duration for which personal data is stored

The criterion for the duration of storage of personal data is the respective statutory retention period. If no statutory retention period exists, the criterion is the contractual or internal retention period. After expiry of the period, the corresponding data is routinely erased, provided it is no longer required for contract performance or initiation.

11. Legal or contractual provisions to provide personal data; necessity for contract conclusion; obligation of the data subject to provide personal data; possible consequences of failure to provide such data

We inform you that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual provisions (e.g. information about the contractual partner). Sometimes it may be necessary for a contract to be concluded that a data subject provides us with personal data that must subsequently be processed by us. Failure to provide the personal data would mean that a contract with the data subject could not be concluded.

12. Existence of automated decision-making

As a responsible organisation, we generally do not use automatic decision-making or profiling. If we do so in exceptional cases, we will inform the data subject either separately or via a sub-section in our privacy policy.

13. Recipients in third countries and appropriate or adequate safeguards

Pursuant to Art. 46 (1) GDPR, the controller or processor may only transfer personal data to a third country if appropriate safeguards are in place and data subjects have enforceable rights and effective legal remedies available. Appropriate safeguards may be provided by standard data protection clauses without the need for specific authorisation from a supervisory authority (Art. 46 (2) (c) GDPR).

With all recipients from third countries, EU standard data protection clauses or other appropriate safeguards are agreed before the first transfer of personal data, or transfers are based on adequacy decisions. Every data subject may request a copy of the standard data protection clauses or adequacy decisions from us.

Art. 45 (3) GDPR authorises the European Commission to determine, by way of an implementing act, that a non-EU country provides an adequate level of protection. In all cases where the European Commission or a government has decided that a third country provides an adequate level of protection or that a valid framework exists (e.g. EU-U.S. Data Privacy Framework), transfers from us to members of such frameworks are based exclusively on the membership of the respective entity in the framework or on the respective adequacy decisions.

14. Right to lodge a complaint with a supervisory authority

As controller, we are obliged to inform data subjects of the existence of a right to lodge a complaint with a supervisory authority. Pursuant to Art. 77 (1) GDPR, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if he or she considers that the processing of personal data concerning him or her infringes the GDPR.

15. Registration or completing input masks on our website and your consent

You have the possibility to register on our websites by providing personal data and/or to complete input masks. The personal data transmitted to us is apparent from the respective input mask used for registration or input. The personal data entered by you is processed exclusively for internal use by us and for our own purposes. However, we may pass your personal data on to one or more processors, who also use your personal data exclusively for purposes attributable to us as controller. The legal basis is then Art. 6 (1) (b) GDPR.

Through registration or input on our website, the IP address assigned by your Internet service provider (ISP), the date and time of registration or input may also be stored. The storage of this data is to prevent misuse of our services and, if necessary, to enable the investigation of criminal offences. The legal basis is Art. 6 (1) (f) GDPR. Our legitimate interest is in particular the protection of our IT systems and the investigation of criminal offences.

By entering and transmitting your data, you voluntarily consent to the processing of the personal data you have entered. By entering and transmitting your data to us, you also voluntarily give explicit consent pursuant to Art. 49 (1) (1) (a) GDPR to data transfers to third countries to and by the companies mentioned in this privacy policy and for the purposes stated. You can withdraw your consent at any time with effect for the future.

16. No cookies, no tracking technologies

We do not set any cookies of our own for tracking or advertising purposes on our websites. We use no advertising IDs and no analytics tools (such as Google Analytics, Matomo or similar). A cookie banner is therefore not required.

External connections to third parties are only established insofar as you use an embedded map, make a ticket purchase or actively click an outgoing link. The third-party services used are documented in the following sections.

17. Use of IONOS

IONOS provides web hosting and domain services. As a provider in this field, IONOS provides not only the technical infrastructure for our online presence but also related services such as email hosting, SSL certificates and data backup. Through the use of IONOS, various types of data are processed, in particular data generated during domain registration such as the name of the domain holder, contact details and technical information about the domain.

In addition, IONOS records data about website traffic to ensure IT security and to defend against attacks such as DDoS attacks. This information can include IP addresses, timestamps and pages accessed.

The operator and thus the recipient of personal data is: IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany. The representative under UK law is: IONOS Cloud Limited, 2 Cathedral Walk, The Forum, Gloucester, GL1 1AU, United Kingdom.

Purposes for which the personal data is processed, as well as the legal basis: The purpose of processing is the use of web hosting services and related services. Processing is based on Art. 6 (1) (f) GDPR. The legitimate interest is the reliable and secure provision of our website and related services.

Further information and the applicable data protection provisions of IONOS SE can be found at https://www.ionos.de.

18. Use of OpenStreetMap

To display the event location, we embed a map from OpenStreetMap. When the map is loaded, your IP address is transmitted to the servers of the OpenStreetMap Foundation so that the map tiles can be delivered. No cookies are set and no tracking technologies are used.

The operator and thus the recipient of personal data is: OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom.

Purposes for which the personal data is processed, as well as the legal basis: The purpose of processing is to show how to reach the event. Processing is based on Art. 6 (1) (f) GDPR, with the legitimate interest being a privacy-friendly map display without cookies and tracking.

The operator is located in the United Kingdom. An adequacy decision of the European Commission of 28 June 2021 applies to the United Kingdom, so that the data transfer corresponds to the level of protection of the EU.

Further information and the applicable data protection provisions of OpenStreetMap can be found at https://osmfoundation.org/wiki/Privacy_Policy.

19. Use of Pretix

Within our event offering, functions and content of the pretix service are integrated. This includes the ticket shop, which is embedded via a JavaScript widget. When you buy a ticket, pretix uses a technically necessary cookie to enable the ordering process and to remember which shopping cart belongs to you. The cookie is set as soon as you interact with the widget. pretix does not store IP addresses, browser information or other unnecessary metadata beyond the duration of your request. When purchasing a ticket, personal data such as name, email address, billing address, participant data and payment information are transmitted to pretix and processed there. pretix also provides us with invoices and order data for our internal accounting.

The operator and thus the recipient of personal data is: pretix GmbH, Berthold-Mogel-Straße 1, 69126 Heidelberg, Germany.

Purposes for which the personal data is processed, as well as the legal basis: The purpose of processing is the handling of ticket sales, the issuance of legally compliant invoices and communication around the event. Processing is based on Art. 6 (1) (b) GDPR (performance of a contract) and Art. 6 (1) (c) GDPR (compliance with legal obligations such as commercial and tax retention obligations).

The operator is located in Germany. This is not a transfer to a third country.

The criteria for determining the duration for which personal data is processed are statutory retention periods (in particular under the German Commercial Code and the Fiscal Code) and the contractual relationship between us and the operator. The provision of personal data is necessary for the conclusion of the contract. If the data is not provided, no ticket can be issued.

Further information and the applicable data protection provisions of pretix can be found at https://pretix.eu/about/en/privacy.

20. Use of Stripe

Stripe is a technology company that offers powerful and flexible tools for e-commerce, including payment processing, billing and financial management solutions. Stripe enables businesses of all sizes to accept and process online payments, manage subscriptions and carry out fraud prevention.

When using Stripe services, personal data such as names, addresses, email addresses, phone numbers, bank and payment information as well as transaction data are processed. This information is necessary to provide the payment services, prevent fraud, offer customer support and comply with legal requirements.

The operator and thus the recipient of personal data is: Stripe, Inc., 354 Oyster Point Boulevard, San Francisco, CA 94080, USA. For data subjects in the EU and EEA, Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland acts as contact and representative within the meaning of Art. 27 GDPR. The representative under national UK law is: Stripe Payments UK Ltd., 9th Floor, 107 Cheapside, London, EC2V 6DN, United Kingdom.

Purposes for which the personal data is processed, as well as the legal basis: The purpose of processing is the use of payment processing via Stripe. Processing is based on the performance of a contract pursuant to Art. 6 (1) (b) GDPR and on legitimate interests pursuant to Art. 6 (1) (f) GDPR, such as the improvement of our services, fraud prevention and compliance with legal requirements.

The operator is located in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other appropriate safeguards referred to in Art. 46 (2) GDPR. The operator may have concluded one of the EU standard contracts with us. A copy of the appropriate or adequate safeguards can be requested from us.

Further information and the applicable data protection provisions of Stripe can be found at https://stripe.com.

21. Use of Meetup

We link from our website to our Meetup group. Meetup is a platform for organising and participating in local events. Data is only transmitted to Meetup when you actively click the Meetup link and visit the platform or create an account. On our website itself, no Meetup content is embedded and no Meetup cookies are set.

The operator and thus the recipient of personal data after a click is: Meetup, Inc., 632 Broadway, 10th Floor, New York, NY 10012, USA.

Purposes for which the personal data is processed, as well as the legal basis: The purpose of processing is sending event invitations, managing our Meetup group and exchanging with members. Processing is based on Art. 6 (1) (f) GDPR (legitimate interest in community communication) and on the user’s consent by actively clicking the link (Art. 6 (1) (a) GDPR).

The operator is located in a third country, namely the USA. Transfers to third countries may be based on standard contractual clauses or other appropriate safeguards under Art. 46 (2) GDPR.

Further information and the applicable data protection provisions of Meetup can be found at https://www.meetup.com/.

22. Use of Zoom

For our online meetups (see section 21) we use the video conferencing platform Zoom. In these meetups we use the Zoom features AI Companion (AI-supported meeting summaries and action items), automatic transcription and recording.

When joining a Zoom meeting, you will be explicitly informed about the use of these features. You may leave the meeting at any time if you do not agree. Transcripts and AI-generated summaries are used exclusively internally for follow-up and documentation of the meetups. Recordings are not publicly distributed; any sharing only takes place with the express consent of the actively involved participants.

When using Zoom, personal data such as names, email addresses, profile pictures and device information is processed. During meetings, content data is added: video and audio streams, chat logs, shared content, transcripts and AI-generated summaries.

The operator and thus the recipient of personal data is: Zoom Video Communications, Inc., 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA. For data subjects in the EU and EEA, Lionheart Squared (Europe) Limited, 2 Pembroke House, Upper Pembroke Street 28-32, Dublin, DO2 EK84, Ireland acts as representative within the meaning of Art. 27 GDPR.

Purposes of processing are the execution, follow-up and documentation of our online meetups. Legal bases are Art. 6 (1) (a) GDPR (explicit consent of participants when joining the meeting for AI Companion, transcription and recording), Art. 6 (1) (b) GDPR (performance of contract with Zoom) and Art. 6 (1) (f) GDPR (legitimate interest in efficient meeting infrastructure and follow-up).

The operator is located in a third country, namely the USA. Transfers to third countries may be based on standard contractual clauses or other appropriate safeguards pursuant to Art. 46 (2) GDPR. The operator may be a certified member of one or more of the Data Privacy Frameworks. For more details see https://www.dataprivacyframework.gov/list.

Recordings, transcripts and AI summaries are stored only for as long as necessary for the follow-up of the meetup, as a rule no longer than 12 months. Provision of personal data is required for participation in the meetup; without provision, participation is not possible.

Further information and the applicable data protection provisions of Zoom can be found at https://zoom.us/en/trust/privacy.

23. Use of PayJoe

For the automated transfer of Stripe payment data (ticket sales) into our accounting software, we use the payment reconciliation service PayJoe. PayJoe reads transactions from our Stripe account via a read-only API and transfers them into our accounting environment. No processing takes place on devices of website visitors or ticket buyers; PayJoe is integrated exclusively on the server/backend side.

In the course of this processing, personal data such as name, email address, transaction amount, currency, transaction ID and payment status are processed.

The operator and thus the recipient of personal data is: NetConnections GmbH (product “PayJoe”), Jesinger Straße 52, 73230 Kirchheim, Germany.

Purposes for which the personal data is processed, as well as the legal basis: The purpose of processing is the automated transfer of payment data to our accounting. Processing is based on Art. 6 (1) (b) GDPR (performance of a contract), Art. 6 (1) (c) GDPR (statutory retention obligations under German commercial and tax law) and Art. 6 (1) (f) GDPR (legitimate interest in efficient accounting). A data processing agreement pursuant to Art. 28 GDPR is in place with the provider.

The operator is located in Germany. This is not a transfer to a third country.

The criteria for determining the duration for which personal data is processed are statutory retention periods (in particular under the German Commercial Code and the Fiscal Code) and the contractual relationship between us and the operator.

Further information and the applicable data protection provisions of PayJoe/NetConnections can be found at https://payjoe.de/datenschutz.html.

24. Use of Lexware Office

For accounting and invoice management we use the cloud-based accounting software Lexware Office (formerly lexoffice). Outgoing invoices to ticket buyers are archived in this system and matched to incoming payments.

In particular, the following personal data of ticket buyers are processed: name, address, email address, invoice number, invoice amount, VAT ID where applicable, and payment data.

The operator and thus the recipient of personal data is: Haufe-Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg, Germany.

Purposes for which the personal data is processed, as well as the legal basis: The purpose of processing is the proper conduct of accounting, the creation and archiving of invoices, and compliance with statutory retention obligations. Processing is based on Art. 6 (1) (b) GDPR (performance of a contract) and Art. 6 (1) (c) GDPR (statutory obligations under the German Commercial Code, Fiscal Code, and VAT Act). A data processing agreement pursuant to Art. 28 GDPR is in place with the provider.

The operator is located in Germany. This is not a transfer to a third country.

The criteria for determining the duration for which personal data is processed are statutory retention periods (in particular 10 years for invoices pursuant to § 147 AO).

Further information and the applicable data protection provisions of Lexware Office can be found at https://www.lexware.de/datenschutz/.

This privacy policy was created with the help of a specialised generator developed by data protection legal advisors, certified data protection coordinators and an accredited certification body, to ensure a legally sound formulation.