Privacy Policy

Information about the processing of personal data on our website and in the related functions.

1. Controller

The controller responsible for data processing is:

Condien UG (haftungsbeschraenkt)
Zur Einigkeit 3
27374 Visselhoevede
Germany
Commercial register: HRB 210982
Register court: Amtsgericht Walsrode
Represented by: Mateusz Carstens
Phone: +49 4262 / 9185873
Mobile: +49 151 / 28522321
Email: info@condien.de

2. General information on data processing

We process personal data only where a legal basis exists. Depending on the processing activity, we rely in particular on:

  • Art. 6(1)(a) GDPR where you have given consent,
  • Art. 6(1)(b) GDPR where processing is necessary for the performance of a contract or pre-contractual measures,
  • Art. 6(1)(c) GDPR where we are legally obliged to process data,
  • Art. 6(1)(f) GDPR where processing is necessary to safeguard legitimate interests and your interests, fundamental rights and freedoms do not override them.

This privacy notice follows the information obligations under Art. 13 GDPR. These include, among other things, naming the controller, purposes, legal bases, recipients, third-country transfers, storage periods and data subject rights. Where cookies or similar technologies store information on your device or access information from it, we also observe Section 25 TDDDG. Under this rule, access to information in terminal equipment generally requires consent unless a statutory exception applies.

3. Provision of the website and server log data

When you access our website, technically necessary data is processed so that the website can be displayed, operated reliably and protected. This may include in particular:

  • IP address,
  • date and time of access,
  • requested URL,
  • referrer URL,
  • browser type and browser version,
  • operating system,
  • HTTP status code,
  • amount of data transferred,
  • technical request and security information.

The purposes of processing are the technical provision of the website, stability, error analysis, abuse detection, attack detection and IT security. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable and performant operation of our website. Server and security logs are stored only for as long as required for operation, error analysis, security and abuse investigation. In the event of security-relevant incidents, longer storage may take place where necessary for investigation and defense.

4. Hosting via Vercel

Our website is provided via Vercel. The provider is Vercel Inc. We use the Vercel Pro Plan. Vercel provides a Data Processing Addendum for Enterprise and Pro customers that governs the processing of personal data as a processor. During hosting, technical data generated when the website is accessed may be processed. This includes, for example, IP addresses, request data, browser and device information, technical log data and information on delivery and performance of the website. The purposes of processing are hosting, deployment, delivery of the website, scaling, performance, security and error analysis. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure and efficient provision of our website. Where data is transferred to the USA, this is done on the basis of appropriate safeguards. Vercel is listed under the EU-U.S. Data Privacy Framework; the European Commission has issued an adequacy decision for certified organizations under the EU-U.S. Data Privacy Framework.

5. Supabase: database, authentication and storage

We use Supabase for database functions, authentication, session management and file storage. The Supabase project is hosted in a European region. Supabase is used in particular for the following functions:

  • job postings and career content,
  • private storage of job PDFs,
  • authentication for the back office,
  • session management,
  • admin and editor profiles,
  • roles and active status,
  • activity and security logs,
  • MFA/2FA-related information in the back office.

In the protected back office, in particular email address, display name, role, active status, login and logout events, failed login attempts, password change events, MFA status, encrypted MFA secrets, hashed recovery codes and activity logs may be processed. The purposes of processing are operation of the website, management of job postings, provision of the back office, user and rights management, IT security, logging of security-relevant actions and protection against unauthorized access. The legal bases are Art. 6(1)(b) GDPR where user accounts or processes are required for pre-contractual or contractual measures, and Art. 6(1)(f) GDPR for security, role management, abuse prevention and auditing. Supabase provides a Data Processing Addendum; according to Supabase, it must be completed through Supabase's signature process in order to become binding. Storage period:

  • Back-office user profiles are stored as long as the access is required.
  • Job PDFs are stored as long as the relevant position is active or legitimate documentation purposes exist.
  • Activity and security logs are stored only for as long as required for security, traceability, abuse investigation and operation.
  • MFA data is deleted or reset when the factor is disabled, the access is deleted or deletion becomes necessary.

6. Cookies, session technologies and localStorage

Our website uses cookies and similar technologies where they are technically necessary or where you have given consent. Technically necessary cookies and comparable technologies serve in particular:

  • provision of the website,
  • session management,
  • login to the back office,
  • security checks,
  • storage of your consent decision,
  • protection against abuse.

Authentication and session cookies are used in the back office. They serve to recognize authorized admins and editors and to provide protected functions. MFA-related cookies may be used to confirm a successful two-factor check for a limited time. As currently implemented, the website application does not use localStorage for its own persistence. Non-essential cookies and comparable technologies, especially for analytics or marketing, are used only after your consent. In particular, the following cookies or comparable storage may currently be used:

  • condien_site_gate: technically necessary preview and access-protection cookie for the temporary site-gate function; storage period up to 14 days.
  • sb-<project-ref>-auth-token and comparable Supabase cookies: technically necessary authentication and session cookies for the protected back office; storage period depends on the Supabase session.
  • condien_mfa: technically necessary MFA cookie confirming a successful two-factor check in the back office; storage period up to 12 hours.
  • cd_ann_dismissed_<ID>: preference cookie to remember that a banner or popup was dismissed; storage period depends on the respective banner or popup configuration.
  • condien_admin_flash: short-lived back-office cookie for showing one-time status messages; storage period approx. 60 seconds.
  • Usercentrics cookies or comparable storage: technically necessary storage of your consent decision; the concrete name and storage period will be shown in the consent banner after the Usercentrics scan has been completed.

In addition, providers such as Supabase, Cloudflare or Usercentrics may set technically necessary cookies or comparable technologies as part of the functions described in this privacy policy. Analytics or marketing services such as Google Analytics are activated only after your consent.

7. Usercentrics consent management

We use Usercentrics as a consent management solution. Usercentrics helps us activate services that require consent only after your consent and document your decision. In this context, the following data in particular may be processed:

  • consent ID,
  • consent status,
  • time of the decision,
  • browser and device information,
  • user agent,
  • website URL,
  • selected cookie and service categories.

Usercentrics states that, to prove consent, a consent ID and consent status, among other data, are processed and stored. The purposes of processing are obtaining, managing and proving consent and controlling services that require consent. The legal bases are Art. 6(1)(c) GDPR where we must prove consent in a legally compliant manner, and Art. 6(1)(f) GDPR for the technical management of privacy preferences. For technically necessary consent cookies, we rely on Section 25(2) TDDDG. You can change or withdraw your consent at any time via the cookie settings on our website. Implementation note: before publication, a Usercentrics scan should be carried out so that the concrete cookie and service list is shown completely and correctly in the banner.

8. Google Tag Manager and Google Analytics

We use Google Analytics via Google Tag Manager to analyze use of our website and improve our content, page structure and user guidance. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google LLC in the USA may also be involved in the processing. Google Tag Manager is a tag management system. It is used to technically manage services such as Google Analytics and to trigger them according to your consent decision. Google states that Google Tag Manager may process aggregated data on tag firing to monitor stability, performance and installation quality; according to Google, this diagnostic data does not contain IP addresses or user-specific identifiers. Google Analytics may process in particular the following data:

  • page views,
  • interactions with the website,
  • referrer information,
  • browser and device information,
  • approximate location information,
  • usage times,
  • technical identifiers,
  • consent signals.

Google states that Google Analytics does not log or store IP addresses of users from the EU and discards IP addresses via EU domains and servers before logging. We use Google Analytics and Google Tag Manager for analytics purposes only on the basis of your consent. The legal bases are Art. 6(1)(a) GDPR and Section 25(1) TDDDG. For EEA users, Google points out that consent must be obtained for the use of personal data where tags send data to Google and that consent signals must be transmitted to Google. Google Consent Mode may be used to control the behavior of Google tags depending on your consent decision. Google describes Consent Mode as a mechanism that controls data collection depending on user consent for analytics and advertising purposes. The storage period for user and event data stored in Google Analytics depends on the data retention setting configured in Google Analytics. For standard properties, Google Analytics offers retention periods of 2 months or 14 months for user- and event-related data. Where data is transferred to the USA, this is done on the basis of appropriate safeguards. Google LLC is listed under the EU-U.S. Data Privacy Framework.

9. Cloudflare protection for admin and editor login

We use Cloudflare in connection with protection of the back-office login. This concerns admins and editors, for example for managing job postings. According to the current state, this protection function is not used for normal visitors of the public website unless they access an admin/editor login page. Depending on the technical configuration, Cloudflare Turnstile or a comparable Cloudflare security check may be used. Turnstile is used to detect automated access, bots and abusive login attempts. Cloudflare describes Turnstile as a security check where a JavaScript widget generates a token in the browser and the server then validates this token with Cloudflare. According to Cloudflare, Cloudflare Turnstile processes, among other things, client-side signals such as IP address, TLS fingerprint, user agent header, sitekey and associated origin. The purposes of processing are protection of the back-office login, bot defense, abuse prevention, security and prevention of unauthorized access. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in protecting administrative access and the security of our systems. Where the security check technically requires access to information on the device, we rely on Section 25(2) TDDDG because the security check is necessary for the protected login area. Where data is transferred to the USA, this is done on the basis of appropriate safeguards. Cloudflare refers in its privacy policy to compliance with the EU-U.S. Data Privacy Framework.

10. Contact form

If you contact us via the contact form, we process the data you enter. This may include in particular:

  • name,
  • email address,
  • company,
  • phone number, if provided,
  • subject,
  • message,
  • time of the request,
  • technical security data,
  • origin or referrer header,
  • IP address or rate-limit values derived from it.

The contact form uses protection mechanisms against spam and abuse. These include in particular a honeypot field, timing check, origin/referrer check, rate limiting, server-side validation and sanitization of inputs. The purposes of processing are handling your request, communicating with you, preparing or carrying out a business relationship, spam prevention and IT security. The legal basis is Art. 6(1)(b) GDPR where your request relates to a contract or pre-contractual measures. In all other cases, Art. 6(1)(f) GDPR applies. Our legitimate interest lies in handling incoming requests and protecting our website against abuse. Contact requests are deleted after final handling of the request unless statutory retention obligations or legitimate documentation interests prevent deletion. Business communication may be subject to statutory retention obligations depending on its content, in particular where it concerns commercial or business letters. Section 257 HGB regulates retention obligations, among other things, for received and sent commercial letters and accounting documents.
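The protection mechanisms listed above, worked through as an added example that is not Condien's own code: a Python request check that applies the honeypot, timing, origin/referrer, rate-limit and server-side validation steps in order. The allowed origin, the field names (`website` as the honeypot, `rendered_at` as the render timestamp), the limits and the rate-limit key are assumptions for illustration. The rate limiter keys on a keyed hash of the client IP rather than on the address itself, which is one way to hold only "rate-limit values derived from it" as described above.

```python
import hashlib
import hmac
import re
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Constructed settings for this example; the real form's names and limits are not published here.
ALLOWED_ORIGIN = "https://www.example.com"        # assumed origin of the page that serves the form
HONEYPOT_FIELD = "website"                        # assumed hidden field a human never fills in
RENDERED_AT_FIELD = "rendered_at"                 # assumed field carrying the form's render time
MIN_FILL_SECONDS = 3.0                            # submissions faster than this look automated
RATE_LIMIT, RATE_WINDOW_SECONDS = 5, 600          # max submissions per client per sliding window
RATE_LIMIT_KEY = b"server-side-secret-rotate-me"  # assumed secret for deriving the rate-limit key
MAX_LENGTHS = {"name": 100, "email": 254, "company": 100,
               "phone": 40, "subject": 150, "message": 5000}
REQUIRED = ("name", "email", "subject", "message")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def rate_limit_key(ip: str) -> str:
    """Keyed hash of the client IP, so the limiter never stores the raw address."""
    return hmac.new(RATE_LIMIT_KEY, ip.encode(), hashlib.sha256).hexdigest()


class RateLimiter:
    """Sliding-window counter per derived key."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and now - hits[0] > self.window:
            hits.popleft()                 # drop hits that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def same_origin(url: str) -> bool:
    """Exact scheme+host comparison; a prefix check would accept www.example.com.evil.test."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN


def sanitize(value: str, limit: int) -> str:
    """Strip control characters and enforce the field's maximum length."""
    return CONTROL_CHARS.sub("", value).strip()[:limit]


def check_submission(form: dict, headers: dict, client_ip: str, now: float, limiter: RateLimiter):
    """Return (accepted, reason, cleaned_fields) for one contact-form POST."""
    # 1. Honeypot: the hidden field must stay empty; bots that fill every input trip it.
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot", None
    # 2. Timing: reject forms submitted implausibly soon after they were rendered.
    try:
        rendered_at = float(form.get(RENDERED_AT_FIELD, ""))
    except ValueError:
        return False, "timing", None
    if now - rendered_at < MIN_FILL_SECONDS:
        return False, "timing", None
    # 3. Origin/Referer: the POST must come from our own form page.
    if not same_origin(headers.get("Origin") or headers.get("Referer", "")):
        return False, "origin", None
    # 4. Rate limiting on the derived key (counted only for requests that passed the cheap checks).
    if not limiter.allow(rate_limit_key(client_ip), now):
        return False, "rate_limit", None
    # 5. Server-side validation and sanitization of the visible fields.
    cleaned = {k: sanitize(str(form.get(k, "")), n) for k, n in MAX_LENGTHS.items()}
    for field in REQUIRED:
        if not cleaned[field]:
            return False, f"missing_{field}", None
    if not EMAIL_RE.match(cleaned["email"]):
        return False, "invalid_email", None
    return True, "ok", cleaned
```

The rejection reason is meant for server-side logging only; the response to the client should not reveal which check failed, otherwise it becomes a guide for tuning the bot.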

11. Communication by email via Hetzner and Microsoft 365/O365

If you contact us by email or we communicate with you by email, we process your email address, content data of your message, communication metadata and, where applicable, attachments and further contact data. We use Hetzner and Microsoft 365/O365 for Condien mailboxes. The purposes of processing are communication, handling requests, project initiation, contract performance, documentation and statutory retention. The legal bases are Art. 6(1)(b) GDPR where the communication relates to a contract or pre-contractual measures, Art. 6(1)(f) GDPR for general business communication and Art. 6(1)(c) GDPR for statutory retention obligations. Hetzner provides a data processing agreement that specifies the data protection obligations of the parties in the context of processing on behalf of the controller. Microsoft states that, for products under the Microsoft Product Terms, the data processing and security terms are governed by the Microsoft Products and Services Data Protection Addendum. We store emails with business or legal relevance in accordance with statutory retention obligations. Other emails are deleted once the purpose no longer applies and no legal or legitimate reasons for further storage exist.

12. Careers section and applications by email

Our website contains a careers section with job postings. Job postings are loaded from Supabase. Job PDFs are stored in a private Supabase Storage bucket and provided for active positions via signed URLs. Applications in this environment are submitted by email. An application upload via the website and a talent pool are not operated in this environment. If you apply to us, we process the application data you transmit by email. This may include in particular:

  • name,
  • contact details,
  • cover letter,
  • CV,
  • certificates,
  • qualifications,
  • professional background,
  • voluntary information,
  • communication data,
  • internal notes on the application process.

The purpose of processing is carrying out the application process and deciding whether to establish an employment or contractual relationship. The legal basis is Section 26 BDSG where processing is necessary for the decision on establishing an employment relationship, and Art. 6(1)(b) GDPR for pre-contractual measures. Section 26 BDSG regulates the processing of personal data for employment-related purposes. Application data is deleted after completion of the application process as soon as no legitimate interests or legal reasons for further storage exist. Longer storage takes place only where this is necessary to defend against possible claims, to fulfill legal obligations or with your consent. The Lower Saxony data protection supervisory authority provides information on retention and deletion periods for application documents. Admission to a talent pool does not take place in this website environment.

13. Protected back office

Our back office is accessible only to authorized admins and editors. It is used in particular to manage job postings, users, logs, ideas, security functions, CI views and internal documentation areas. In the back office, the following personal data in particular may be processed:

  • email address,
  • display name,
  • role,
  • active status,
  • login and logout events,
  • failed login attempts,
  • password change events,
  • MFA/2FA status,
  • encrypted MFA secrets,
  • hashed recovery codes,
  • security and activity logs,
  • actions on job postings, users, ideas and system modules.

The purposes are access control, rights management, protection of the system, traceability of administrative changes, abuse detection and IT security. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in protecting our systems and ensuring traceability of security-relevant processes. Where employees or comparable internal users are affected, Section 26 BDSG and Art. 6(1)(b) GDPR may additionally apply. Activity logs are stored only for as long as required for security, traceability, abuse investigation, legal claims or statutory obligations.

14. Two-factor authentication in the back office

For back-office accounts, two-factor authentication via TOTP can be configured. The following data in particular may be processed:

  • MFA status,
  • encrypted TOTP secrets,
  • hashed recovery codes,
  • times of successful or failed MFA checks,
  • MFA-related audit events,
  • a time-limited MFA cookie confirming a successful check.

The purposes of processing are protection of administrative accounts, prevention of unauthorized access and traceability of security-relevant events. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in securing the back office and the data processed there. MFA data is deleted or reset when the factor is disabled, the account is deleted or storage is no longer required.
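As an added illustration of the items listed above (example code, not the site's implementation): RFC 6238 TOTP verification with a small clock-skew window and protection against reuse of an already-accepted step, plus recovery codes that are stored only as salted PBKDF2 hashes and invalidated on first use. The parameters (SHA-1, 6 digits, 30-second step, the PBKDF2 iteration count, the code format) are assumptions. Encryption of the TOTP secret at rest is not shown here; the example assumes the secret is decrypted by a separate key-management layer before being passed in.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# RFC 6238 defaults as used by common authenticator apps (assumed parameters).
STEP = 30
DIGITS = 6
PBKDF2_ITERATIONS = 600_000  # assumed work factor for hashing recovery codes


def totp(secret: bytes, for_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238) = HOTP (RFC 4226) over the time-step counter, HMAC-SHA1, dynamic truncation."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1,
                last_counter: Optional[int] = None):
    """Accept the current step or +/-window steps; refuse any step at or before the last accepted one.
    Returns (ok, counter) so the caller can persist the newly accepted counter per account."""
    if not (code.isdigit() and len(code) == DIGITS):
        return False, last_counter
    for drift in range(-window, window + 1):
        t = now + drift * STEP
        counter = t // STEP
        if last_counter is not None and counter <= last_counter:
            continue  # a code from this step was already used: treat as replay
        if hmac.compare_digest(totp(secret, t), code):
            return True, counter
    return False, last_counter


def generate_recovery_codes(n: int = 8) -> list:
    """High-entropy, typeable codes; shown to the user once, only their hashes are stored."""
    return [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(n)]


def hash_recovery_code(code: str, salt: Optional[bytes] = None) -> str:
    """Store recovery codes like passwords: per-code random salt, slow PBKDF2-HMAC-SHA256."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_recovery_code(stored: str, candidate: str) -> bool:
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def consume_recovery_code(hashes: list, candidate: str) -> bool:
    """Recovery codes are single-use: on a match, remove the hash so the code cannot be replayed."""
    for i, stored in enumerate(hashes):
        if verify_recovery_code(stored, candidate):
            del hashes[i]
            return True
    return False
```

The `last_counter` check is what turns a valid-for-30-seconds code into a truly one-time code; without it an attacker who shoulder-surfs or intercepts a code can reuse it within the same step. The recovery-code list is mutated in place to mirror a row being deleted from the database after a successful check.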

15. Recipients and service providers

We disclose personal data only where this is necessary for the stated purposes, where a legal basis exists or where you have consented. We conclude data processing agreements under Art. 28 GDPR with service providers that process personal data on our behalf where required. The service providers used may include in particular:

Service provider      Purpose
Vercel                Hosting, deployment and delivery of the website
Supabase              Database, authentication, storage and back-office data
Usercentrics          Consent management
Google Tag Manager    Management of analytics tags after consent
Google Analytics      Analysis of website usage after consent
Cloudflare            Protection of the admin/editor login
Hetzner               Email services and mail infrastructure
Microsoft 365/O365    Email, communication and Office services

16. Third-country transfers

Some of the providers used have their registered office or technical infrastructure outside the European Union or the European Economic Area, in particular in the USA. Data transfers to third countries take place only where the requirements of Art. 44 et seq. GDPR are met. For the USA, the EU-U.S. Data Privacy Framework may be relevant in particular. On 10 July 2023, the European Commission issued an adequacy decision for the EU-U.S. Data Privacy Framework. Transfers to certified organizations may therefore be based on this adequacy decision. Where no adequacy decision or suitable certification exists, we use appropriate safeguards, in particular EU Standard Contractual Clauses, as well as supplementary technical and organizational measures where necessary.

17. Storage period and deletion

We store personal data only for as long as required for the respective purposes. We then delete the data unless statutory retention obligations, proof interests, security interests or legal claims prevent deletion. Statutory retention obligations may arise in particular from commercial and tax law provisions. Section 257 HGB contains retention obligations, among other things, for commercial letters and accounting documents. Specific criteria include in particular:

Data category                Storage period / deletion criterion
Server and hosting logs      only as long as required for operation, security and error analysis
Security logs                as long as required for abuse investigation, attack detection and system security
Contact form requests        after final handling of the request, unless retention obligations apply
Application data             after completion of the application process, unless legitimate interests or legal obligations prevent deletion
Back-office user profiles    as long as the access is required
Back-office activity logs    as long as required for security, traceability and abuse investigation
MFA data                     as long as the factor is active or required for security purposes
Consent data                 as long as required to prove consent
Business-relevant emails     in accordance with statutory retention obligations
Google Analytics data        according to the data retention period configured in Google Analytics

18. Provision of personal data

Providing personal data is generally voluntary. However, certain data is required so that we can provide the website, handle requests, review applications, initiate or perform contracts and provide protected back-office functions. If you do not provide required data, we may be unable to handle your request, review an application or provide certain functions.

19. Your rights

Subject to the GDPR, you have in particular the following rights:

  • right of access to the data processed about you,
  • right to rectification of inaccurate data,
  • right to erasure,
  • right to restriction of processing,
  • right to data portability,
  • right to object to processing based on legitimate interests,
  • right to withdraw consent with effect for the future,
  • right to lodge a complaint with a data protection supervisory authority.

To exercise your rights, you can contact us using the contact details stated above.

20. Objection to processing based on legitimate interests

Where we process personal data on the basis of Art. 6(1)(f) GDPR, you may object to this processing at any time on grounds relating to your particular situation. We will then no longer process the affected data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

21. Withdrawal of consent

You can withdraw consent you have given at any time with effect for the future. The lawfulness of processing carried out before withdrawal remains unaffected. You can change or withdraw cookie and analytics consent at any time via the cookie settings on our website.

22. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority. For Condien, the following supervisory authority is particularly responsible:

The State Commissioner for Data Protection of Lower Saxony
Prinzenstrasse 5
30159 Hanover
Phone: 0511 120-4500
Email: poststelle@lfd.niedersachsen.de

The contact details of the Lower Saxony data protection supervisory authority are also maintained by the BfDI in its overview of data protection supervisory authorities.

23. No automated decision-making

We do not use automated decision-making within the meaning of Art. 22 GDPR on this website.

24. Security

We use technical and organizational measures to protect personal data against loss, misuse, unauthorized access, alteration or disclosure. Depending on the system, these include in particular:

  • HTTPS/TLS,
  • access restrictions,
  • role and rights concepts,
  • HTTP-only cookies,
  • secure session management,
  • server-side validation,
  • spam and abuse protection,
  • logging of security-relevant events,
  • two-factor authentication in the back office,
  • encrypted storage of sensitive security information,
  • hashed recovery codes.

25. Changes to this privacy policy

We update this privacy policy when our website, services used, technical architecture or legal requirements change. The current version published on the website applies.