Privacy

1. Introduction

In the following, we provide information about the collection of personal data when using:

  • our website fuxam.com
  • our profiles on social media.

Personal data is any data that can be related to a specific natural person, such as their name or IP address.

1.1 Contact details

The controller within the meaning of Art. 4 para. 7 of the EU General Data Protection Regulation (GDPR) is Fuxam GmbH, Französische Straße 20, Berlin, Germany, email: info@fuxam.de. We are legally represented by Julian Schröder, Oliver Grübnau, and Leo van den Brandt.

Our data protection officer can be reached via heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, email: datenschutz@heydata.eu.

1.2 Scope of data processing, processing purposes, and legal bases

Below we detail the scope of data processing, processing purposes, and legal bases. In principle, the following serve as the legal basis for data processing:

  • Art. 6 para. 1 s. 1 lit. a GDPR is our legal basis for processing operations for which we obtain consent.
  • Art. 6 para. 1 s. 1 lit. b GDPR is the legal basis if the processing of personal data is necessary for the performance of a contract, for example, if a site visitor purchases a product from us or we perform a service for them. This also applies to processing necessary for pre-contractual measures, such as inquiries about our products or services.
  • Art. 6 para. 1 s. 1 lit. c GDPR applies if we fulfill a legal obligation by processing personal data, as may be the case, for example, in tax law.
  • Art. 6 para. 1 s. 1 lit. f GDPR serves as the legal basis when we rely on legitimate interests to process personal data, e.g., for cookies necessary for the technical operation of our website.

1.3 Data processing outside the EEA

If we transfer data to service providers or other third parties outside the EEA, the security of the data during the transfer is ensured by adequacy decisions of the EU Commission, where such exist (e.g., for Great Britain, Canada, and Israel) (Art. 45 para. 3 GDPR).

In the case of data transfer to service providers in the USA, the legal basis is an adequacy decision of the EU Commission if the service provider has certified itself under the EU-US Data Privacy Framework.

In other cases (e.g., if no adequacy decision exists), the legal basis for the data transfer is, unless we indicate otherwise, standard contractual clauses. These are a set of rules adopted by the EU Commission and are part of the contract with the third party. According to Art. 46 para. 2 lit. b GDPR, they ensure the security of data transfer. Many providers have given contractual guarantees that go beyond these standard clauses for further data protection.

These include guarantees regarding the encryption of data or an obligation for the third party to notify data subjects if law enforcement agencies wish to access the respective data.

1.4 Storage duration

Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and no legal retention obligations prevent deletion. If the data is not deleted because it is required for other, legally permissible purposes, its processing will be restricted, i.e., the data will be blocked and not processed for other purposes. This applies, for example, to data required for commercial or tax law reasons.

1.5 Rights of data subjects

Data subjects have the following rights regarding their personal data:

  • Right of access,
  • Right to correction or deletion,
  • Right to restrict processing,
  • Right to object to processing,
  • Right to data portability,
  • Right to revoke consent at any time.

Data subjects also have the right to lodge a complaint with a data protection supervisory authority about the processing of their personal data. Contact details of the supervisory authorities can be found at https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html.

1.6 Obligation to provide data

In the context of a business or other relationship, customers, prospective customers, or third parties must provide us with personal data necessary for the establishment, execution, and termination of such relationship or data we are legally required to collect. Without this data, we may generally have to refuse to conclude the contract, provide a service, or continue an existing relationship.

Mandatory data are marked as such.

1.7 No automated decision-making in individual cases

As a matter of principle, we do not use any fully automated decision-making process according to Article 22 GDPR when establishing or implementing a business or other relationship. If we use such procedures in individual cases, we will inform you separately if required by law.

1.8 Making contact

When contacting us, e.g., by e-mail or telephone, the data provided to us (such as names and e-mail addresses) will be stored by us in order to respond to inquiries. The legal basis for the processing is our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR) in responding to such inquiries. We delete data arising in this context after storage is no longer required or restrict processing if there are legal retention obligations.

1.9 Customer surveys

From time to time, we conduct customer surveys to get to know our customers and their needs better. We collect the data requested in each case. Our legitimate interest is to understand our customers and their needs better; the legal basis for the associated data processing is Art. 6 para. 1 s. 1 lit. f GDPR. We delete the data when the results of the surveys have been evaluated.

2. Newsletter

We reserve the right to inform customers who have already used our services or purchased goods from us from time to time by e-mail or other means about our offers, unless they have objected. The legal basis for this data processing is Art. 6 para. 1 s. 1 lit. f GDPR. Our legitimate interest is direct advertising (recital 47 GDPR). Customers may object to the use of their e-mail address for advertising purposes at any time without incurring additional costs, e.g., via the link at the end of each e-mail or by sending an e-mail to the address above.

Interested parties may subscribe to a free newsletter. We process the data provided during registration exclusively for sending the newsletter. Subscription occurs by selecting the appropriate field on our website, ticking a box in a paper document, or another clear action, through which interested parties declare their consent to processing their data; the legal basis is Art. 6 para. 1 s. 1 lit. a GDPR. Consent may be revoked at any time, e.g., by clicking the link in the newsletter or notifying our above e-mail. Processing up to the point of revocation remains lawful.

Based on recipients' consent (Art. 6 para. 1 s. 1 lit. a GDPR), we also measure the opening and click rates of our newsletters to understand what is relevant for our audience.

We send newsletters using the following tools and providers:

3. Data processing on our website

3.1 Notice for website visitors from Germany

Our website stores information in the terminal equipment of website visitors (e.g., cookies) or accesses information already stored there (e.g., IP addresses). Details are provided in the following sections.

This storage and access are based on the following legal provisions:

  • If this storage or access is absolutely necessary for us to provide the service explicitly requested (e.g., chatbot use or to ensure IT security), it is based on Section 25 para. 2 no. 2 of the German Telecommunications Digital Services Data Protection Act ("TDDDG").
  • Otherwise, storage or access is based on the website visitor's consent (Section 25 para. 1 TDDDG).

Subsequent data processing takes place according to the next sections and is based on the provisions of the GDPR.

3.2 Informative use of our website

During purely informative use of the website (i.e., when visitors do not actively provide information), we collect personal data that the browser transmits to our server to ensure stability and security. This is our legitimate interest; the legal basis is Art. 6 para. 1 s. 1 lit. f GDPR.

This data includes:

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Website from which the request came
  • Browser
  • Operating system and its interface
  • Language and version of the browser software

This data is also stored in log files, which are deleted when their storage is no longer necessary, at the latest after 14 days.

3.3 Web hosting and provision of the website

Our website is hosted by:

For data transfers to the USA, these are secured by adequacy decisions where applicable, or standard contractual clauses.

We use Webflow’s content delivery network (CDN) to ensure optimal data throughput, even during peak loads; the legal basis is Art. 6 para. 1 s. 1 lit. f GDPR.

3.4 Contact form

When contacting us via the contact form on our website, we store the requested data and the content of the message. The legal basis is our legitimate interest under Art. 6 para. 1 s. 1 lit. f GDPR in responding to inquiries. We delete such data after storage is no longer required or restrict processing if legal retention duties exist.

3.5 Vacant positions

We advertise vacancies on our website, on linked pages, or on third-party sites. Data processed as part of the application is for handling the application process. Where necessary for decisions to establish an employment relationship, the legal basis is Art. 88 GDPR in conjunction with Sec. 26 para. 1 of the German Data Protection Act. Required application data is marked. Voluntary additional data is processed based on consent (Art. 6 para. 1 s. 1 lit. a GDPR).

Applicants should refrain from providing information on political opinions, religious beliefs, or similarly sensitive information. If such data is provided, processing is also on the basis of consent (Art. 9 para. 2 lit. a GDPR).

Applicants' data may be passed to HR staff, service providers in recruiting, and those otherwise involved in the application process. If employment is established, data is deleted after the employment ends. Otherwise, data is deleted no later than 6 months after rejection, or after one year with consent for further opportunities.

3.6 Booking of appointments

Site visitors may book appointments online. For this purpose, we process metadata or communication data in addition to the data entered. We have a legitimate interest in a user-friendly booking process; the legal basis is Art. 6 para. 1 s. 1 lit. f GDPR. If a third-party tool is used, see section "Third parties."

3.7 Customer account

Site visitors can open a customer account. We process required data for the contract concluded for the account; the legal basis is Art. 6 para. 1 s. 1 lit. b GDPR.

3.8 Payment Processors

Payment processing is handled by payment processors who are themselves data controllers under Art. 4 No. 7 GDPR. Data and payment details entered during the order process are used to fulfil the customer contract (Art. 6 para. 1 s. 1 lit. b GDPR). Processor: Stripe Payments Europe, Ltd., Ireland.

3.9 Technically necessary cookies

Our website sets cookies. These are text files stored in the browser on the visitor's device. Cookies help make the service more user-friendly and secure. As far as these are necessary for website operation ("Technically Necessary Cookies"), the legal basis is Art. 6 para. 1 s. 1 lit. f GDPR.

Specifically, we set technically necessary cookies for the following:

  • Saving login data
  • Remembering search terms
  • Applying language settings
  • Enabling the playback of media content (Flash cookies)

3.10 Third parties

3.10.1 HubSpot

HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin, is used for analytics, marketing automation, and lead generation (data in the EU). Legal basis: Art. 6 para. 1 s. 1 lit. f GDPR. Data is deleted when no longer needed. Privacy policy: https://legal.hubspot.com/de/privacy-policy.

3.10.2 Google Analytics

Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA; used for analytics. Processing is with consent (Art. 6 para. 1 s. 1 lit. a GDPR); revocable at any time. Data transfer to the USA is secured by adequacy decisions. Data is deleted when no longer needed. Privacy policy: https://business.safety.google/privacy/.

3.10.3 Google Tag Manager

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; used for analytics and advertising. Processing is with consent (Art. 6 para. 1 s. 1 lit. a GDPR); revocable at any time. Data transfer to the USA is secured by adequacy decisions. Data is deleted when no longer needed. Privacy policy: https://business.safety.google/privacy/.

3.10.4 heyData

A data protection seal is integrated from heyData GmbH, Schützenstraße 5, 10117 Berlin. The provider processes meta/communication data (e.g., IP addresses) in the EU. Legal basis: Art. 6 para. 1 s. 1 lit. f GDPR. Further information: https://heydata.eu/en/privacy-policy.

4. Data processing on social media platforms

We are present on social media networks to present our organization and services. The operators of these networks regularly process user data for advertising purposes, including creating user profiles from online behavior and storing cookies. Operators may be based outside the EU, leading to possible risks for users (e.g., more difficult enforcement of rights, government access to data).

If users contact us via our profiles, we process the provided data to respond to inquiries. Our legitimate interest is the legal basis—Art. 6 para. 1 s. 1 lit. f GDPR.

4.1 Facebook

Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Privacy policy: https://www.facebook.com/policy.php. Opt-out: https://www.facebook.com/settings?tab=ads. Joint controllers with Facebook under Art. 26 GDPR. Further info: https://www.facebook.com/legal/terms/information_about_page_insights_data.

4.2 Instagram

Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Privacy policy: https://help.instagram.com/519522125107875.

4.3 TikTok

TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. Privacy policy: https://www.tiktok.com/de/privacy-policy.

4.4 YouTube

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy policy: https://policies.google.com/privacy?hl=de.

4.5 LinkedIn

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Privacy policy: https://www.linkedin.com/legal/privacy-policy. Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

4.6 Xing

XING AG, Dammtorstraße 29-32, 20354 Hamburg. Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.

5. Changes to this Privacy Policy

We reserve the right to change this privacy policy with effect for the future. A current version is always available here.

6. Questions and comments

If you have any questions or comments regarding this privacy policy, please feel free to contact us using the contact information provided above.