Legal information

Data protection

Privacy at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you. Detailed information on the subject of data protection can be found in our privacy policy listed below this text.

Data Collection on this Website

Who Is Responsible for Data Collection on This Website?

Data processing on this website is carried out by the website operator. You can find the operator’s contact details in the section “Information on the Responsible Entity” in this privacy policy.

How do we collect your data?

On the one hand, your data is collected when you provide it to us. This may include, for example, data you enter into a contact form.
Other data is collected by our IT systems, automatically or with your consent, when you visit the website. This primarily includes technical data (e.g., internet browser, operating system, or time of page access). This data is collected automatically as soon as you enter this website.

What do we use your data for?

Some of the data is collected to ensure the error-free provision of the website. Other data may be used to analyze your user behavior. If contracts can be concluded or initiated via the website, the transmitted data will also be processed for contract offers, orders, or other service inquiries.

What rights do you have regarding your data?

You have the right at any time to obtain information, free of charge, about the origin, recipient, and purpose of your stored personal data. You also have the right to request the correction or deletion of this data. If you have given consent to data processing, you may revoke this consent at any time for the future. Furthermore, you have the right, under certain circumstances, to request the restriction of the processing of your personal data. You also have the right to lodge a complaint with the competent supervisory authority.
For this purpose, as well as for further questions on the subject of data protection, you may contact us at any time.

Analysis Tools and Third-Party Tools

When visiting this website, your browsing behavior may be statistically evaluated. This is primarily done using so-called analysis programs.
Detailed information about these analysis programs can be found in the following privacy policy.

Hosting

We host the content of our website with the following provider:

External Hosting

This website is hosted externally. The personal data collected on this website is stored on the servers of the hosting provider(s). This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website access data, and other data generated via a website.
External hosting is carried out for the purpose of fulfilling contracts with our prospective and existing customers (Art. 6(1)(b) GDPR) and in the interest of secure, fast, and efficient provision of our online services by a professional provider (Art. 6(1)(f) GDPR). If corresponding consent has been requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user’s device (e.g., device fingerprinting). Consent may be revoked at any time.

Our hosting provider(s) will process your data only to the extent necessary to fulfill their service obligations and will comply with our instructions regarding such data.

Hosting provider:
Dogado GmbH
Antonio-Segni-Strasse 11
44263 Dortmund
Germany

Data processing agreement

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a legally required contract that ensures the hosting provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

General information and mandatory disclosures

Data protection

The operators of this website take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.
When you use this website, various personal data is collected. Personal data is data that can be used to personally identify you. This privacy policy explains which data we collect and what we use it for. It also explains how and for what purpose this happens.
Please note that data transmission over the internet (e.g., communication by email) may have security vulnerabilities. Complete protection of data against access by third parties is not possible.

Information on the Responsible Entity

The responsible entity for data processing on this website is:
Heacon Service GmbH
Friedrichstraße 148
10117 Berlin
Germany
Phone: +49 (0) 30 27909 – 136
Email: info@heacon.de

The responsible entity is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data (e.g., names, email addresses, etc.).

Storage duration

Unless a more specific storage period is stated within this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you submit a legitimate request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial retention periods); in the latter case, deletion will occur after these reasons cease to apply.

Legal bases for data processing on this website

If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR if special categories of data pursuant to Art. 9(1) GDPR are processed. In the case of explicit consent to the transfer of personal data to third countries, processing is also based on Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or access to information on your device, processing is additionally based on Section 25(1) TDDDG. Consent may be revoked at any time. If your data is required for contract performance or pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, we process your data if required to fulfill a legal obligation on the basis of Art. 6(1)(c) GDPR. Data processing may also be based on our legitimate interest pursuant to Art. 6(1)(f) GDPR. The relevant legal bases are explained in the following sections of this privacy policy.

Data Protection Officer

We have appointed a data protection officer.
Heacon Service GmbH
Data Protection Officer
Friedrichstraße 148
10117 Berlin
Germany
Email: datenschutz@heacon.de

Recipients of personal data

During our business activities, we work with various external parties. In some cases, this requires the transfer of personal data to these external parties. We only pass on personal data if this is necessary for contract performance, if we are legally obligated to do so, if we have a legitimate interest pursuant to Art. 6(1)(f) GDPR, or if another legal basis permits the transfer. When using processors, we only pass on personal data on the basis of a valid data processing agreement. In the case of joint processing, a joint processing agreement is concluded.

Revocation of your consent to data processing

Many data processing operations are only possible with your explicit consent. You may revoke consent already given at any time. The legality of data processing carried out prior to revocation remains unaffected.

Right to object to data collection in special cases and to direct marketing (Art. 21 GDPR)

IF DATA PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE APPLICABLE LEGAL BASIS CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE, OR DEFENSE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21(1) GDPR).
IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR SUCH MARKETING; THIS ALSO APPLIES TO PROFILING RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL NO LONGER BE USED FOR DIRECT MARKETING PURPOSES (OBJECTION PURSUANT TO ART. 21(2) GDPR).

Right to lodge a complaint with the supervisory authority

In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement. This right exists without prejudice to any other administrative or judicial remedies.

Right to data portability

You have the right to receive data that we process automatically on the basis of your consent or in fulfillment of a contract, in a commonly used, machine-readable format, or to have it transmitted to a third party. If you request direct transfer to another controller, this will only be done if technically feasible.

Access, correction, and deletion

Within the scope of applicable legal provisions, you have the right at any time to obtain information, free of charge, about your stored personal data, its origin and recipients, and the purpose of data processing, and, if applicable, a right to correction or deletion of this data. You may contact us at any time regarding this or other questions related to personal data.

Right to restriction of processing

You have the right to request restriction of the processing of your personal data. You may contact us at any time. The right to restriction applies in the following cases:
• If you dispute the accuracy of your personal data, we usually need time to verify this. During verification, you have the right to request restriction of processing.
• If processing is unlawful, you may request restriction instead of deletion.
• If we no longer need your data, but you require it for the establishment, exercise, or defense of legal claims.
• If you have objected pursuant to Art. 21(1) GDPR and a balance of interests is pending.

If processing has been restricted, such data may only be processed—with the exception of storage—with your consent or for legal claims, protection of rights, or important public interest.

SSL or TLS encryption

For security reasons and to protect the transmission of confidential content, this website uses SSL or TLS encryption. You can recognize an encrypted connection by the change from “http://” to “https://” and the lock symbol in your browser.
If SSL or TLS encryption is enabled, data transmitted to us cannot be read by third parties.

Data Collection on this website

Cookies

Our website uses so-called “cookies.” Cookies are small data files and do not cause any harm to your device. They are either stored temporarily for the duration of a session (session cookies) or permanently on your device (persistent cookies). Session cookies are automatically deleted after you leave the site. Persistent cookies remain on your device until you delete them yourself or your browser automatically removes them.
Cookies can originate from us (first-party cookies) or from third-party companies (so-called third-party cookies). Third-party cookies allow the integration of specific services from third-party providers on websites (e.g., cookies for processing payment services).
Cookies serve different functions. Many cookies are technically necessary because certain website features would not function without them (e.g., shopping cart functionality or video playback). Other cookies may be used to analyze user behavior or for advertising purposes.

Cookies that are required to carry out electronic communication, provide specific features you request (e.g., shopping cart functionality), or optimize the website (e.g., cookies for measuring web traffic) (“necessary cookies”) are stored based on Art. 6(1)(f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing necessary cookies to ensure the technically flawless and optimized provision of its services. If consent to store cookies and similar recognition technologies has been obtained, processing occurs exclusively based on that consent (Art. 6(1)(a) GDPR); consent can be revoked at any time.
You can configure your browser to notify you about cookie settings, allow cookies on a case-by-case basis, block cookies entirely or for specific cases, and automatically delete cookies when the browser is closed. Disabling cookies may limit the functionality of this website.
Which cookies and services are used on this website can be found in this privacy policy.

Consent with Borlabs Cookie

Our website uses the consent technology from Borlabs Cookie to obtain your consent for storing certain cookies in your browser or using certain technologies and to document this in compliance with data protection regulations. The provider of this technology is Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany (hereinafter “Borlabs”).
When you visit our website, a Borlabs cookie is stored in your browser, recording the consent you have given or withdrawn. This data is not shared with Borlabs Cookie.
The data collected is stored until you request its deletion, delete the Borlabs cookie, or the purpose of storage no longer applies. Mandatory statutory retention periods remain unaffected. Detailed information on Borlabs Cookie data processing is available at https://de.borlabs.io/kb/welche-daten-speichert-borlabs-cookie/
The use of Borlabs cookie consent technology is intended to obtain legally required consents for using cookies. The legal basis is Art. 6(1)(c) GDPR.

Contact form

If you send us inquiries via the contact form, your information, including contact details provided in the form, will be stored for processing the request and in case of follow-up questions. These data will not be shared without your consent.
Processing is based on Art. 6(1)(b) GDPR if your inquiry is related to the performance of a contract or necessary for pre-contractual measures. In all other cases, processing is based on our legitimate interest in efficiently handling inquiries (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if requested; consent can be revoked at any time.
The data you submit via the contact form remain with us until you request deletion, withdraw consent, or the purpose of storage no longer applies (e.g., after your inquiry has been processed). Mandatory statutory provisions, especially retention periods, remain unaffected.

Requests via email, phone, or fax

If you contact us by email, phone, or fax, your request, including any personal data it contains (e.g., name, inquiry), is stored and processed for the purpose of handling your concern. These data are not shared without your consent.
Processing is based on Art. 6(1)(b) GDPR if the request relates to a contract or pre-contractual measures. Otherwise, processing is based on our legitimate interest in efficiently handling inquiries (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if requested; consent can be revoked at any time.
Your data sent via these contact methods remain with us until deletion is requested, consent is withdrawn, or the purpose of storage expires. Mandatory legal retention periods remain unaffected.

Analytics Tools and Advertising

Google Tag Manager

We use Google Tag Manager provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Tag Manager is a tool that allows us to integrate tracking, analytics, and other technologies into our website. Google Tag Manager itself does not create user profiles, store cookies, or perform independent analyses. It only manages and delivers the tools integrated through it. However, it does capture your IP address, which may also be transmitted to Google’s parent company in the United States.
The use of Google Tag Manager is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in quickly and efficiently managing various tools on the website. If consent has been obtained, processing is based solely on Art. 6(1)(a) GDPR. Consent can be revoked at any time.

The company is certified under the EU-US Data Privacy Framework (DPF), ensuring compliance with European data protection standards when processing data in the U.S. Details are available here: https://www.dataprivacyframework.gov/participant/5780

Newsletter

Newsletter data

If you want to subscribe to the newsletter offered on this website, we require your email address and verification information to ensure you are the owner of the email address and consent to receiving the newsletter. No additional data is collected unless voluntarily provided. We use newsletter service providers as described below.

Brevo

This website uses Brevo for newsletter distribution. The provider is Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany.
Brevo organizes and analyzes newsletter distribution. Data you provide for the newsletter is stored on Sendinblue servers in Germany.

Data Analysis with Brevo

Brevo allows us to analyze newsletter campaigns, e.g., tracking whether emails are opened and which links are clicked. It can also determine whether certain actions occurred after opening or clicking (conversion rate) and allows clustering recipients by categories such as age, gender, or location for better targeting.
If you do not want analysis by Brevo, you must unsubscribe from the newsletter. Each newsletter contains an unsubscribe link.
More details on Brevo functions are available here: https://www.brevo.com/de/newsletter-software/

Legal basis

Data processing is based on your consent (Art. 6(1)(a) GDPR), which can be revoked at any time. The lawfulness of processing carried out before withdrawal remains unaffected.

Retention period

The data you have provided for the purpose of subscribing to our newsletter will be stored by us until you unsubscribe from the newsletter, either with us or with the newsletter service provider, and will be deleted from the distribution list after the newsletter is canceled. Data that has been stored for other purposes will remain unaffected.

After you unsubscribe from the newsletter distribution list, your email address may be stored in a blacklist either by us or the newsletter service provider, if necessary to prevent future mailings. The data in the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with legal requirements when sending newsletters (legitimate interest pursuant to Art. 6(1)(f) GDPR). The storage in the blacklist is not time-limited. You can object to the storage if your interests outweigh our legitimate interest.
For more information, please refer to Brevo’s privacy policy at: https://www.brevo.com/de/datenschutz-uebersicht/ and https://www.brevo.com/de/legal/privacypolicy/.

Data processing agreement

We have entered into a Data Processing Agreement (DPA) for the use of the aforementioned service. This is a legally required contract that ensures that the service provider processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR.

Newsletter Distribution to Existing Customers

If you order goods or services from us and provide your email address, we may use this email address for the distribution of newsletters, provided that we inform you in advance. In such a case, the newsletter will only contain direct marketing for similar goods or services of our own. You can unsubscribe from this newsletter at any time. There will be a corresponding link in every newsletter for this purpose. The legal basis for sending the newsletter is, in this case, Art. 6(1)(f) GDPR in connection with § 7(3) UWG.
After unsubscribing from the newsletter distribution list, your email address may be stored in a blacklist to prevent future mailings. The data in the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with legal requirements when sending newsletters (legitimate interest pursuant to Art. 6(1)(f) GDPR). The storage in the blacklist is not time-limited. You can object to the storage if your interests outweigh our legitimate interest.

Plugins and tools

Google Fonts (Local Hosting)

This website uses Google Fonts to display fonts uniformly. These Google Fonts are locally installed, so no connection is made to Google’s servers.
For more information on Google Fonts, visit https://developers.google.com/fonts/faq and see Google’s Privacy Policy at https://policies.google.com/privacy?hl=de.

Audio and video conferences

Data processing

To communicate with our customers, we use online conference tools. The specific tools we use are listed below. If you communicate with us via video or audio conference over the internet, your personal data will be collected and processed by us and the provider of the respective conference tool.
The conference tools collect all the data that you provide to use the tools (email address and/or phone number). They also process the duration of the conference, the start and end times of participation, the number of participants, and other “contextual information” related to the communication process (metadata).
In addition, the tool provider processes all technical data necessary for the execution of the online communication, including IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or speaker, and connection type.
If content is exchanged, uploaded, or otherwise provided within the tool, this content will also be stored on the servers of the tool providers. Such content includes, in particular, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards, and other information shared during the use of the service.
Please note that we do not have full control over the data processing activities of the tools used. Our influence is largely determined by the policies of the respective providers. Further information on data processing by the conference tools can be found in the privacy statements of the tools listed below.

Purpose and legal basis

The conference tools are used to communicate with potential or existing contractual partners or to offer certain services to our customers (Art. 6(1)(b) GDPR). Additionally, using these tools simplifies and speeds up communication with us and our company (legitimate interest under Art. 6(1)(f) GDPR). If consent has been requested, the use of the respective tools is based on that consent, which can be revoked at any time with effect for the future.

Retention Period

The data directly collected by us through the video and conference tools will be deleted from our systems once you request its deletion, revoke your consent for storage, or the purpose for the data storage no longer applies. Stored cookies will remain on your device until you delete them. Mandatory legal retention periods remain unaffected.
We do not have control over the retention period of data stored by the conference tool operators for their own purposes. For details, please refer directly to the privacy policies of the conference tool providers.

Conference tools used

We use the following conference tools:

Microsoft Teams

We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. You can find details about data processing in the Microsoft Teams Privacy Statement: https://privacy.microsoft.com/de-de/privacystatement.
The company has been certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the United States, ensuring that European data protection standards are upheld when data is processed in the U.S. Any company certified under the DPF commits to adhering to these privacy standards. For more information, visit the provider’s link: https://www.dataprivacyframework.gov/participant/6474.

Data processing agreement

We have entered into a Data Processing Agreement (DPA) for the use of the above-mentioned service. This contract ensures that the service provider processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR.

Handling applicant data

We offer you the opportunity to apply for a job with us (e.g., via email, mail, or online application form). Below, we inform you about the scope, purpose, and use of the personal data we collect during the application process. We assure you that the collection, processing, and use of your data complies with applicable data protection laws and all other legal provisions, and that your data will be treated as strictly confidential.

Scope and purpose of data collection

If you send us an application, we process the personal data associated with it (e.g., contact and communication data, application documents, notes from interviews, etc.), as far as necessary to decide on the establishment of an employment relationship. The legal basis for this is § 26 BDSG (German Data Protection Act) (initiation of an employment relationship), Art. 6(1)(b) GDPR (general contract initiation), and, if you have given consent, Art. 6(1)(a) GDPR. Consent can be revoked at any time. Your personal data will only be shared within our company with persons involved in processing your application.
If the application is successful, the data you submitted will be stored in our data processing systems for the purpose of executing the employment relationship based on § 26 BDSG and Art. 6(1)(b) GDPR.

Retention period of data

If we are unable to make a job offer, if you reject a job offer, or if you withdraw your application, we reserve the right to retain the data you submitted for up to 6 months after the conclusion of the application process (rejection or withdrawal) based on our legitimate interests (Art. 6(1)(f) GDPR). Afterward, the data will be deleted, and physical application documents will be destroyed. The retention is mainly for documentation purposes in case of a legal dispute. If it becomes clear that the data will be required after the 6-month period (e.g., due to a potential or ongoing legal dispute), deletion will occur once the purpose for further retention no longer applies.
Further retention may occur if you have given specific consent (Art. 6(1)(a) GDPR) or if legal retention obligations prevent deletion.

Inclusion in the applicant pool

If we do not make you a job offer, there may still be an opportunity to include you in our applicant pool. If included, all documents and information from the application will be transferred to the applicant pool to contact you in case of suitable vacancies.
Inclusion in the applicant pool occurs solely based on your express consent (Art. 6(1)(a) GDPR). The submission of consent is voluntary and unrelated to the current application process. You can withdraw your consent at any time. In such a case, the data in the applicant pool will be permanently deleted unless there are legal retention reasons.

Data in the applicant pool will be permanently deleted no later than two years after consent is given.

Social Media

LinkedIn

This website uses elements from the LinkedIn network. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
Each time a page on this website that contains LinkedIn elements is accessed, a connection to LinkedIn’s servers is established. LinkedIn is informed that you have visited this website with your IP address. If you click the “Recommend” button on LinkedIn and are logged into your LinkedIn account, LinkedIn can associate your visit to this website with you and your user account. We would like to point out that as the website provider, we have no knowledge of the content of the data transmitted or how it is used by LinkedIn.
The use of this service is based on your consent according to Art. 6(1)(a) GDPR and § 25(1) TDDDG. You can withdraw your consent at any time.
Data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://www.linkedin.com/legal/privacy-policy.

For more information, please refer to LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.

The company is certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the United States that aims to ensure compliance with European data protection standards when processing data in the U.S. Any company certified under the DPF is committed to adhering to these data protection standards. For more information, please visit the provider’s link: https://www.dataprivacyframework.gov/participant/5448.