Data Protection Statement

Controller

turingpoint GmbH
Neuer Wall 80
20354 Hamburg
Email: [email protected]
Managing Directors: Jan Kahmen, Till Oberbeckmann
Imprint: turingpoint.de/en/company/legal-disclosure/

Overview of Data Processing

What Data We Process

We only process personal data to the extent necessary for providing our website and services. This includes:

• Master and contact data (e.g. name, address, email, phone number)
• Usage data (e.g. pages visited, access times)
• Content data (e.g. form entries)
• Technical data (e.g. IP address, browser type, operating system)
• Contract data (e.g. subject matter, term, customer category)
• Payment data (e.g. bank details, invoices)

Data Subjects

Visitors to our website, customers, business partners, applicants, and interested parties.

Purposes

• Provision and operation of our website
• Processing inquiries and communication
• Provision of contractual services
• Security and abuse prevention
• Analysis and optimization of our offering
• Compliance with legal obligations

Legal Bases

Our data processing is based on the following legal bases under the GDPR:

• Consent (Art. 6(1)(a)): When you have given your explicit consent, e.g. for analytics tools.
• Contract performance (Art. 6(1)(b)): Where processing is necessary for the performance of a contract or pre-contractual measures.
• Legal obligation (Art. 6(1)(c)): Where legal obligations require processing, e.g. tax retention requirements.
• Legitimate interests (Art. 6(1)(f)): Where processing is necessary for our legitimate interests, e.g. the secure operation of our website.

Processing of special categories of data (Art. 9(1) GDPR) only takes place under the conditions of Art. 9(2) GDPR.

Your Rights

As a data subject, you have the following rights:

• Access (Art. 15 GDPR): You may request information about your data stored with us.
• Rectification (Art. 16 GDPR): You may request correction of inaccurate data.
• Erasure (Art. 17 GDPR): You may request deletion of your data, provided no statutory retention obligations apply.
• Restriction (Art. 18 GDPR): You may request restriction of processing.
• Data portability (Art. 20 GDPR): You may receive your data in a commonly used, machine-readable format.
• Objection (Art. 21 GDPR): You may object to the processing of your data based on Art. 6(1)(e) or (f) GDPR at any time. This also applies to profiling based on these provisions. If your data is processed for direct marketing, you may object at any time.
• Withdrawal: You may withdraw any consent given at any time with effect for the future.
• Complaint: You have the right to lodge a complaint with a data protection supervisory authority.

Data Security

We employ technical and organizational measures to adequately protect your data. These include encryption of data transmission, access controls, and regular review of our security measures. We take data protection into account from the design stage of our systems (Privacy by Design).

Processors and Third Parties

Where we engage service providers as processors, this is done on the basis of appropriate contracts pursuant to Art. 28 GDPR. Within our group of companies, data may be shared for administrative purposes as a legitimate interest. Details on individual services can be found in the following sections.

Data Transfers to Third Countries

Some of our service providers are based outside the EU/EEA, particularly in the USA. Transfers are made on the basis of adequacy decisions, EU Standard Contractual Clauses (SCCs), or certifications under the EU-US Data Privacy Framework (DPF). Further details can be found under the respective services.

Cookies

This website does not set any cookies of its own. Embedded third-party services (e.g. Google Analytics) may set cookies if you have consented. You can manage or delete cookies at any time in your browser settings.

Hosting and Infrastructure

Cloudflare Pages

Our website is hosted via Cloudflare Pages. The provider is Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. As a Content Delivery Network (CDN), Cloudflare ensures the delivery of our website and processes technical access data (e.g. IP address, browser type) in the process. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure and performant website). Cloudflare is certified under the EU-US DPF and additionally employs SCCs. Privacy policy: https://www.cloudflare.com/security-policy

Amazon CloudFront

For fast and secure content delivery, we additionally use Amazon CloudFront, a CDN by Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg. Personal data may be processed in server log files. We also store anonymized log files to ensure the stability and security of our website. Legal basis: Art. 6(1)(f) GDPR. You have the right to object to this processing. The functionality of the website is not guaranteed without this processing. Privacy notice: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf. Data transfer information: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

Communication and Contact

Contact Form and Email

When you contact us via the contact form or email, we process your information to handle your inquiry. Legal basis: Art. 6(1)(b) GDPR (pre-contractual/contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in processing inquiries). Your data may be stored in a CRM system. Inquiries are deleted once they are no longer needed. Necessity is reviewed every two years.

Email Dispatch via Resend

For sending emails from our contact form, we use Resend (Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA). When you use our contact form, your entries (name, email, message) are transmitted to us via Resend. Resend acts as a processor pursuant to Art. 28 GDPR. Legal basis: Art. 6(1)(b) or (f) GDPR. Data transfer to the USA is based on SCCs. Privacy policy: https://resend.com/legal/privacy-policy

Appointment Booking via Cal.com

You can book appointments via our website (https://cal.turingpoint.de). For this, we use Cal.com (Cal.com, Inc., San Francisco, CA, USA). When booking, your data (e.g. name, email, preferred appointment) is transmitted to Cal.com. Legal basis: Art. 6(1)(b) or (f) GDPR. Data transfer to the USA is based on SCCs. Privacy policy: https://cal.com/privacy

Analytics and Marketing

Google Tag Manager

We use Google Tag Manager to manage website tags. The Tag Manager itself does not process any personal data of users. For the services integrated through it, please refer to the respective sections. Usage policy: https://www.google.com/intl/de/tagmanager/use-policy.html

Google Analytics

We use Google Analytics, a web analytics service by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies, provided you have consented (legal basis: Art. 6(1)(a) GDPR). Without your consent, no analysis takes place. We use Google Analytics exclusively with IP anonymization enabled, so your IP address is truncated within the EU/EEA. Personal data is deleted or anonymized after 14 months. Google is certified under the EU-US DPF and employs SCCs. You can prevent data collection by installing the browser add-on: https://tools.google.com/dlpage/gaoptout?hl=de. Privacy policy: https://policies.google.com/privacy. Ad settings: https://adssettings.google.com/authenticated

Google Cloud Services

We use Google Workspace and other Google Cloud services for internal purposes such as document management, communication, and collaboration. Personal data may be processed insofar as it forms part of the content or communication processes involved. For publicly available documents, Google may set cookies for analytics or settings purposes. Legal basis: Art. 6(1)(f) GDPR. Processing is carried out on the basis of a data processing agreement: https://cloud.google.com/terms/data-processing-terms. Google Cloud services are provided by Google Ireland Limited. For transfers to the USA, we refer to Google USA's DPF certification and the agreed SCCs. Privacy policy: https://www.google.com/policies/privacy. Security information: https://cloud.google.com/security/privacy/

Embedded Third-Party Content

When embedding external content (e.g. videos, fonts), the transmission of your IP address to the respective provider is technically necessary. We endeavor to only use services that process your data in compliance with data protection law. Third-party providers may also use tracking technologies (e.g. pixel tags) for statistical purposes. Legal basis: Art. 6(1)(f) GDPR.

YouTube

We embed videos from YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). When playing a video, data may be transmitted to Google. Privacy policy: https://www.google.com/policies/privacy/. Opt-out: https://adssettings.google.com/authenticated

Social Media

We maintain company profiles on social networks to communicate with customers and interested parties. User data may also be processed outside the EU. Platform operators may create usage profiles and use cookies. Legal basis: Art. 6(1)(f) GDPR. Data subject rights can be exercised most effectively directly with the respective provider.

• LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) - Privacy policy: https://www.linkedin.com/legal/privacy-policy, Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

Job Applications

Applications can be submitted by email to [email protected] or by postal mail. Please note that emails on the internet are generally not encrypted end-to-end.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual relationship). For special categories of data (Art. 9(1) GDPR), Art. 9(2)(b), (c), and (h) GDPR apply. In Germany, §§ 22, 26 BDSG additionally apply.

Applicant data is deleted no later than six months after an unsuccessful application, unless legitimate reasons for longer retention exist. Invoices for travel expense reimbursement are archived in accordance with tax law requirements.

Business Data Processing

In the course of our business activities, we process contract, payment, and contact data of our customers and business partners. Purposes: contract performance, customer care, accounting, office organization, and compliance with legal obligations. Legal bases: Art. 6(1)(b), (c), and (f) GDPR. Data is shared with tax advisors, auditors, and payment service providers as required. Business partner data is generally stored permanently based on our legitimate interests.

For business optimization, we analyze business data. Personal evaluations are deleted or anonymized upon contract termination, at the latest after two years. Overall business analyses are prepared anonymously wherever possible.

Data Deletion

We delete personal data once the processing purpose ceases to apply and no statutory retention obligations (e.g. under commercial or tax law) prevent deletion. Where such obligations exist, processing is restricted to retention only.

Currency of This Privacy Policy

We update this privacy policy as needed when changes to our data processing require it. If changes require your participation (e.g. renewed consent), we will inform you separately.