Privacy Policy
1. Introduction
Below, we provide information about the collection of personal data when using
- our website www.r3.group
- our social media profiles.
Personal data refers to any data that can be linked to a specific natural person, such as a name or IP address.
1.1. Contact Information
The data controller within the meaning of Article 4(7) of the EU General Data Protection Regulation (GDPR) is R3 Solutions GmbH, Kurfürstendamm 194, 10707 Berlin, DE, email . Legally represented by Dr. Mathias Bohge and Florian Bonanati.
You can contact our Data Protection Officer at heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, email: datenschutz@heydata.eu.
1.2. Scope of Data Processing, Purposes of Processing, and Legal Bases
Below, we explain the scope of data processing, the purposes of processing, and the legal bases. In general, the following may serve as legal bases for data processing:
- Article 6(1), sentence 1, letter a of the GDPR serves as our legal basis for processing operations for which we obtain consent.
- Article 6(1), first sentence, letter b of the GDPR is the legal basis to the extent that the processing of personal data is necessary for the performance of a contract, e.g., when a website visitor purchases a product from us or we provide a service to them. This legal basis also applies to processing necessary for the implementation of pre-contractual measures, such as in the case of inquiries regarding our products or services.
- Article 6(1), sentence 1, letter c of the GDPR applies when we fulfill a legal obligation by processing personal data, as may be the case under tax law, for example.
- Article 6(1), first sentence, letter f of the GDPR serves as the legal basis when we can rely on legitimate interests for the processing of personal data, e.g., in the case of cookies that are necessary for the technical operation of our website.
1.3. Data Processing Outside the EEA
To the extent that we transfer data to service providers or other third parties outside the EEA, the security of the data during transmission is ensured by adequacy decisions of the European Commission, where such decisions exist (e.g., for the United Kingdom, Canada, and Israel) (Article 45(3) of the GDPR).
If no adequacy decision exists (e.g., for the United States), the legal basis for data transfers is generally—unless we specify otherwise— standard contractual clauses. These are a set of rules established by the European Commission and form part of the contract with the respective third party. Pursuant to Article 46(2)(b) of the GDPR, they ensure the security of the data transfer. Many of the providers have provided contractual guarantees that go beyond the standard contractual clauses to protect the data. These include, for example, guarantees regarding data encryption or regarding the third party’s obligation to notify data subjects if law enforcement authorities wish to access the relevant data.
1.4. Retention Period
Unless expressly stated in this Privacy Policy, the data we store will be deleted as soon as it is no longer necessary for its intended purpose and no statutory retention obligations prevent its deletion. If the data is not deleted because it is required for other, legally permissible purposes, its processing will be restricted, i.e., the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.
1.5. Rights of data subjects
Rights of data subjects:
- Right of access,
- Right to rectification or erasure,
- Right to restriction of processing,
- Right to object to processing,
- Right to data portability,
- Right to withdraw consent at any time.
Data subjects also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of their personal data. Contact information for the data protection supervisory authorities can be found at https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.l.
1.6. Obligation to Provide Data
Within the scope of a business or other relationship, customers, prospective customers, or third parties must provide us with personal data that is necessary for the establishment, performance, and termination of a business or other legal relationship, or that we are legally required to collect. Without this data, we will generally have to refuse to enter into a contract or provide a service, or we will no longer be able to fulfill an existing contract or other legal relationship.
Required information is marked as such.
1.7. No Automated Decision-Making in Individual Cases
As a general rule, we do not use fully automated decision-making processes pursuant to Art. 22 of the GDPR to establish and carry out a business or other legal relationship. Should we use such processes in individual cases, we will provide separate notice thereof if required by law.
1.8. Contacting Us
When you contact us, e.g., by email or phone, we store the data you provide (e.g., names and email addresses) in order to answer your questions. The legal basis for processing is our legitimate interest (Art. 6(1)(f) GDPR) in responding to inquiries directed to us. We delete the data collected in this context once storage is no longer necessary, or restrict processing if statutory retention obligations apply.
1.9. Customer Surveys
We occasionally conduct customer surveys to better understand our customers and their needs. In doing so, we collect the data requested in each instance. It is in our legitimate interest to better understand our customers and their needs; therefore, the legal basis for the associated data processing is Article 6(1)(f) of the GDPR. We delete the data once the survey results have been evaluated.
2. Newsletter
Prospective customers have the option to subscribe to a free newsletter. The data provided during registration is processed exclusively for the purpose of sending the newsletter. Registration is completed by checking the corresponding box on our website, by checking the corresponding box on a paper document, or by another clear action, by which the interested parties declare their consent to the processing of their data. Therefore, the legal basis is Article 6(1)(a) of the GDPR. Consent may be withdrawn at any time, e.g., by clicking the corresponding link in the newsletter or by sending a message to our email address listed above. The processing of the data up until the withdrawal remains lawful even in the event of withdrawal.
Based on the recipient’s consent (Article 6(1)(a) of the GDPR), we also track the open and click-through rates of our newsletters to understand what is relevant to our audience.
We send newsletters using the HubSpot tool provided by HubSpot, Inc., 25 1st Street, Cambridge, MA 02141, USA (Privacy Policy: https://legal.hubspot.com/privacy-policy). The provider processes content, usage, meta/communication data, and contact data within the EU.
3. Data Processing on Our Website
3.1. Notice for Website Visitors from Germany
Our website stores information on website visitors’ devices (e.g., cookies) or accesses information already stored on those devices (e.g., IP addresses). You can find details on what information this entails in the following sections.
This storage and access are based on the following provisions:
- To the extent that this storage or access is absolutely necessary to provide the service on our website that visitors have expressly requested (e.g., to operate a chatbot used by the visitor or to ensure the IT security of our website), it is carried out on the basis of Section 25(2)(2) of the German Telecommunications and Telemedia Data Protection Act (“TTDSG”).
- Otherwise, this storage or access is based on the website visitor’s consent (Section 25(1) TTDSG).
The subsequent data processing is carried out in accordance with the following sections and based on the provisions of the GDPR.
3.2. Informational Use of Our Website
When the website is used for informational purposes—i.e., when website visitors do not separately transmit any information to us—we collect the personal data that the browser transmits to our server in order to ensure the stability and security of our website. This constitutes our legitimate interest, so the legal basis is Article 6(1), sentence 1, letter f of the GDPR.
This data includes:
- IP address
- Date and time of the request
- Time difference from Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- Amount of data transferred
- Website from which the request originates
- Browser
- Operating system and its user interface
- Language and version of the browser software.
This data is also stored in log files. It is deleted when its storage is no longer necessary, but no later than 14 days after collection.
3.3. Web Hosting and Website Provision
Our website is hosted by HubSpot. The provider is HubSpot, Inc., 25 1st Street, Cambridge, MA 02141, USA. The provider processes the personal data transmitted via the website—such as content, usage, meta/communication data, or contact information—within the EU. For more information, please see the provider’s privacy policy at https://legal.hubspot.com/de/privacy-policy.
It is in our legitimate interest to provide a website; therefore, the legal basis for the data processing described is Article 6(1)(f) of the GDPR.
3.4. Contact Form
When you contact us via the contact form on our website, we store the data requested there and the content of the message. The legal basis for the processing is our legitimate interest in responding to inquiries directed at us. The legal basis for the processing is therefore Article 6(1), first sentence, letter f of the GDPR. The data will be deleted as soon as storage is no longer necessary, or we will restrict processing if statutory retention obligations apply.
3.5. Job Openings
We publish job openings at our company on our website, on pages linked to our website, or on third-party websites.
The data provided as part of the application process is processed for the purpose of conducting the application process. To the extent this is necessary for our decision regarding the establishment of an employment relationship, the legal basis is Article 88 of the GDPR in conjunction with Section 26(1) of the Federal Data Protection Act. We have marked or indicated the data required for the application process accordingly. If applicants do not provide this data, we cannot process the application. Additional data is voluntary and not required for an application. If applicants provide additional information, the legal basis is their consent (Article 6(1), sentence 1, letter a of the GDPR).
We ask applicants not to include information about political opinions, religious beliefs, or similarly sensitive data in their resumes and cover letters. This information is not required for an application. If applicants nevertheless provide such information, we cannot prevent its processing as part of the processing of the resume or cover letter. The processing of this information is then also based on the applicant’s consent (Art. 9(2)(a) GDPR).
Finally, we process applicants’ data for further recruitment processes if they have given us their consent to do so. In this case, the legal basis is Art. 6(1), sentence 1, lit. a GDPR.
We share applicants’ data with the relevant employees in the Human Resources department, with our data processors in the recruiting division, and with other employees involved in the application process.
If we enter into an employment relationship with the applicant following the application process, we will not delete the data until the employment relationship has ended. Otherwise, we will delete the data no later than six months after rejecting an application.
If applicants have given us their consent to use their data for future application processes, we will not delete their data until one year has passed since we received the application.
3.6. Technically Necessary Cookies
Our website uses cookies. Cookies are small text files stored in the web browser on a visitor’s device. Cookies help make our website more user-friendly, effective, and secure. To the extent that these cookies are necessary for the operation of our website or its functions (hereinafter “Technically Necessary Cookies”), the legal basis for the associated data processing is Article 6(1)(f) of the GDPR. We have a legitimate interest in providing customers and other website visitors with a fully functional website. In particular, we use technically necessary cookies for the following purposes:
- Cookies that save language settings
3.7. Third Parties
3.7.1. HubSpot
We use HubSpot for customer relationship management. The provider is HubSpot, Inc., 25 1st Street, Cambridge, MA 02141, USA. The provider processes usage data (e.g., visited web pages, interest in content, access times), content data (e.g., entries in online forms), and meta/communication data (e.g., device information, IP addresses) in the EU.
The legal basis for the processing is Art. 6(1)(f) of the GDPR. We have a legitimate interest in managing data in a simple and cost-effective manner.
The data will be deleted once the purpose for which it was collected no longer exists and there is no legal obligation to retain it. For more information, please see the provider’s privacy policy at https://legal.hubspot.com/de/privacy-policy.
3.7.2. Google Web Fonts
We use Google Web Fonts for fonts on the website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. However, processing takes place exclusively on our servers. We process meta/communication data (e.g., device information, IP addresses) within the EU.
The legal basis for the processing is Art. 6(1)(f) of the GDPR. We have a legitimate interest in using a font that is easy to use and cost-effective on our website.
For more information, please see the provider’s privacy policy at https://policies.google.com/privacy?hl=de.
3.7.3. YouTube Videos
We use YouTube videos on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g., webpages visited, content interests, access times) and meta/communication data (e.g., device information, IP addresses) in the United States.
The legal basis for the processing is Article 6(1)(a) of the GDPR. The processing is based on consent. Data subjects may withdraw their consent at any time by contacting us, for example, using the contact information provided in our Privacy Policy. The withdrawal does not affect the lawfulness of the processing prior to the withdrawal.
The legal basis for the transfer to a country outside the EEA is consent.
Further information can be found in the provider’s privacy policy at https://policies.google.com/privacy.
3.7.4. HubSpot
We use HubSpot for customer relationship management. The provider is HubSpot, Inc., 25 1st Street, Cambridge, MA 02141, USA. The provider processes usage data (e.g., websites visited, interest in content, access times), content data (e.g., entries in online forms), and meta/communication data (e.g., device information, IP addresses) in the United States.
The legal basis for the processing is Article 6(1)(f) of the GDPR. We have a legitimate interest in managing data in a simple and cost-effective manner.
The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of the transferred data is ensured by standard data protection clauses (Article 46(2)(c) of the GDPR) adopted by the European Commission, which we have agreed upon with the provider.
The data will be deleted once the purpose for which it was collected no longer applies and there is no legal obligation to retain it. Further information can be found in the provider’s privacy policy at https://legal.hubspot.com/de/privacy-policy.
3.7.5. Google Analytics
We use Google Analytics for analysis. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g., visited web pages, interest in content, access times) and meta/communication data (e.g., device information, IP addresses) in the United States.
The processing is based on consent pursuant to Art. 6(1)(a) of the GDPR. Data subjects may revoke their consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
Transfers to a country outside the EEA are based on standard contractual clauses. The security of the transferred data is ensured by standard data protection clauses adopted by the European Commission.
The data will be deleted once the purpose for which it was collected no longer applies. Further information can be found in the provider’s privacy policy at https://policies.google.com/privacy?hl=de.
3.7.6. Google reCAPTCHA
We use Google reCAPTCHA to manage authentication. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data and meta/communication data in the United States.
The processing is based on our legitimate interest in protecting our web offerings from misuse in accordance with Art. 6(1)(f) of the GDPR.
Further information can be found in the provider’s privacy policy at https://policies.google.com/privacy?hl=de.
4. Data Processing on Social Media Platforms
We maintain a presence on social media to showcase our organization and services. The operators of these networks regularly process user data for advertising purposes and create user profiles based on online behavior. These profiles are used for targeted advertising. The operators store information about user behavior in cookies. It is possible that this information may be combined with other data. Users can learn about their rights and object to this processing by reviewing the operators’ privacy policies. Processing in non-EU countries may entail risks.
When users contact us via social media, we process the data provided to respond to inquiries. This is based on our legitimate interest pursuant to Art. 6(1)(f) of the GDPR.
4.1. Facebook
We maintain a profile on Facebook. The operator is Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy is available here: https://www.facebook.com/policy.php. One way to object to data processing is through the ad settings: https://www.facebook.com/settings?tab=ads. We are joint controllers for the processing of data from visitors to our profile based on an agreement with Facebook pursuant to Article 26 of the GDPR. Facebook explains in detail which data is processed at https://www.facebook.com/legal/terms/information_about_page_insights_data. Data subjects may exercise their rights with both us and Facebook. However, under our agreement with Facebook, we are required to forward requests to Facebook. Data subjects will therefore receive a faster response if they contact Facebook directly.
4.2. YouTube
We are active on YouTube. The operator is Google Ireland Limited, Dublin, Ireland. The privacy policy can be found at https://policies.google.com/privacy?hl=de.
4.3. Twitter
We use Twitter. The operator is Twitter Inc., USA. The privacy policy is available at https://twitter.com/de/privacy. You can opt out via the ad settings: https://twitter.com/personalization.
4.4. LinkedIn
We have a profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, Dublin, Ireland. The privacy policy is available at https://www.linkedin.com/legal/privacy-policy?_l=de_DE. You can opt out via the advertising settings: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
5. Changes to This Privacy Policy
We reserve the right to change this Privacy Policy. An up-to-date version is always available on our website.
6. Questions and Comments
If you have any questions or comments regarding this Privacy Policy, please contact us using the contact information provided.