Data Security

I) Name and contact data of the controller responsible for processing, as well as the company data protection officer

This data security information applies to data processing by:

Controller:                  
Xolvis GmbH (“Xolvis”)
Im Thal 2
82377 Penzberg, Germany

represented by the CEO Martin Jacker,

email:  [email protected]
tel: + 49 89 413 2945 0
fax: + 49 89 413 2945 99

The companies’ data protection officer can be reached under:
email: [email protected]

II) Data processing on our website www.xolvis.com

1. When visiting the website

When accessing our website the browser used on your end device automatically sends information to our website’s server. This information is stored temporarily in a so-called log file. The following information is collected and stored without any action on your part, until its automatic erasure:

- IP address of the accessing computer
- Date and time of the access
- Name and URL of the retrieved file
- Website from which access was made
- Browser used and, where applicable, the operating system of your computer

and the name of your access provider.

The aforementioned data will be processed by us for the following purposes:

- Guaranteeing the smooth connection setup of the website
- Guaranteeing the comfortable use of our website
- Evaluating system security and stability, and
- Other administrative purposes

The legal basis for the data processing is Art. 6 (1) lit. f GDPR. Our legitimate interest is derived from the purposes listed above for data collection. Under no circumstances shall we use the data collected for the purpose of making any inferences to your person.

In addition, we also use cookies and analytical services for visits to our website. More information on this can be found in this data protection declaration.

2. When using our contact form

For queries of all kinds we offer you the possibility to contact us by means of a form provided on the website. This requires the input of a valid e-mail address, so that we know from whom the request has come, and in order to reply. Additional information can be provided voluntarily. We process data for the purpose of making contact in accordance with Art. 6 (1) lit. a GDPR on the basis of your voluntary consent. The personal data collected by us for the use of the contact form will be erased automatically once your query has been dealt with.

3. Sign up to our newsletter

If you have expressly consented in accordance with Art. 6 (1) lit. a GDPR, we will use your e-mail address to send you our newsletter on a regular basis. To receive the newsletter, it is sufficient to provide an e-mail address; further information can be provided voluntarily.

You can unsubscribe at any time, for example via a link at the end of each newsletter. Alternatively, you are welcome to send your unsubscribe request by e-mail to "[email protected] " at any time.

4. Forwarding Data

Your personal data will not be transferred to any third party for any purpose other than those listed below.

We shall forward your personal data to third parties only

- if you have given your explicit consent, in accordance with Art. 6 (1) lit. a GDPR
- if under Art. 6 (1) lit. f GDPR the transfer is necessary for the establishment, exercise or defence of legal claims, and there is no reason to assume that you have an overriding interest, which must be protected, in the non-forwarding of your data
- in the event that there is a legal obligation to forward the data under Art. 6 (1) lit. c GDPR and
- if this is legally permissible and necessary under Art. 6 (1) lit. b GDPR for the processing of contractual relationships with you.

5. Cookies

This website uses Borlabs Cookie, which sets a technically necessary cookie (borlabs-cookie) to store your cookie consents. Borlabs cookie does not process any personal data. The borlabs-cookie stores the consent you gave when you entered the website. If you wish to revoke these consents, simply delete the cookie in your browser. When you re-enter/reload the website, you will be asked again for your cookie consent.

6. Social Media

On the basis of Art. 6 (1) lit. f GDPR, we use social media plug-ins of the social networks Facebook, Instagram, Youtube Xing and LinkedIn on our Website.

No personal data will be transmitted to the providers of these plug-ins without you clicking on the button of a plug-in.

If you press the button of a plug-in personal data will be automatically transmitted to the provider of the plug-in and can be stored and used by that provider. Please note that this may be carried out overseas, i.e. in particular in the United States of America.

We do have no full knowledge of the type and scope of the data collection and their use and processing and cannot exert any influence on such processes either.

If you activate a plug-in, the plug-in provider will receive the information that you have activated this on the respective website of our Website or the corresponding subpage of the respective website from our Website. In addition, the log files, as stated in clause I. 2 of this privacy statement will be transmitted to the plug-in provider.

The data collection and transmission is carried out irrespective of whether you have a user account at the respective plug-in provider or not. If you have a user account at the respective plug-in provider and you are logged into this user account at the time, at which you click on the respective plug-in the data transmitted to the respective plug-in provider will be directly allocated to your user account. If you confirm the activated plug-in and e.g. link the page, the plug-in provider will also store this information in your user account and can also notify your contacts to the public. In order to prevent the allocation to your user account at the respective plug-in provider you should log-out from your user account at the respective plug-in provider before clicking the plug-in on Website.

The respective plug-in provider stores the data transmitted to it, irrespective of whether you are also logged-in to your user account at the respective plug-in provider as a rule as user profiles, which are used for the following purposes:

- Advertising suitable for the needs
- Market research
- Optimization of the websites of the plug-in provider suitable for the needs.

You are entitled to object to the formation of user profiles with the data collected about you. For this purpose, please contact the respective plug-in provider. We have no influence on the compliance with your objection and are not responsible for this either.

You can find further relevant information and regarding your rights in this respect in the privacy statements of the plug-in providers as the responsible bodies, which you can call as follows:

Facebook: Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
https://www.facebook.com/help/568137493302217

Xing: New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany
https://privacy.xing.com/en

Instagram: Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
https://help.instagram.com/519522125107875

YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland
https://policies.google.com/privacy?hl=de

LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv

7. Sub-processors

a) Active Campaign

Our newsletter is sent using "ActiveCampaign", a newsletter sending platform located at 1 N Dearborn, 5th Floor, Chicago, IL 60601, United States.

The email addresses of our newsletter recipients, as well as their other data described in this notice, are stored on ActiveCampaign's servers in the USA. ActiveCampaign uses this information to send and evaluate the newsletter on our behalf. Furthermore, according to its own information, ActiveCampaign may use this data to optimise or improve its own services, e.g. for the technical optimisation of the dispatch and presentation of the newsletter or for economic purposes in order to determine from which countries the recipients come. However, ActiveCampaign does not use the data of our newsletter recipients to write to them itself or pass the data on to third parties.

ActiveCampaign undertakes to comply with the EU data protection regulations within the scope of standard data protection clauses. Furthermore, we have concluded a "Data Processing Agreement" with ActiveCampaign. According to this ActiveCampaign undertakes to protect the data of our users, to process it on our behalf in accordance with its data protection provisions and, in particular, not to pass it on to third parties.

For more information see:
https://www.activecampaign.com/legal/privacy-policy

b) Google Fonts

We use "Google Web Fonts" on our website, a service provided by Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland (hereinafter referred to as "Google"). Google Web Fonts enables us to use external fonts, so-called Google Fonts. For this purpose, the required Google Font is loaded into the browser cache by your web browser when you call up our website. This is necessary so that your browser can display a visually improved representation of our texts. If your browser does not support this function, a standard font will be used by your computer for display. The integration of these web fonts takes place via a server call, usually at a Google server in the USA. This transmits to the server which of our Internet pages you have visited. The IP address of your browser is also stored by Google. We have no influence on the scope and further use of the data collected and processed by Google through the use of Google Web Fonts.

We use Google Web Fonts for optimisation purposes, in particular to improve the use of our website for you and to make its design more user-friendly. This is also our legitimate interest in the processing of the above data by the third-party provider. The legal basis is Art. 6 (1) lit. f) GDPR.

Further information on Google Web Fonts can be found at https://fonts.google.com/, https://developers.google.com/fonts/faq?hl=de-DE&csw=1                                                            
and https://www.google.com/fonts#AboutPlace:about.

c) Google Analytics

We use Google Analytics, a web analytics service provided by Google LLC ("Google"), on the basis of consent granted within the meaning of Art. 6 para. 1 lit. a. GDPR) Google Analytics, a web analytics service provided by Google LLC ("Google"). Google uses cookies. The information generated by the cookie about the use of the online offer by the users is usually transmitted to a Google server in the USA and stored there.

Google uses the so-called standard data protection clauses of the European Commission and thereby offers a guarantee of compliance with European data protection law.

Google will use this information on our behalf for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. In doing so, pseudonymous user profiles can be created from the processed data.

We only use Google Analytics with IP anonymisation activated. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

The IP address transmitted by the user's browser will not be merged with other data from Google. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent the collection of the data generated by the cookie and related to their use of the online offer to Google as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

For more information on Google's use of data, settings and objection options, please refer to Google's privacy policy (https://policies.google.com/technologies/ads) and the settings for the display of advertising by Google (https://adssettings.google.com/authenticated).

The users' personal data is deleted or anonymised after 14 months.

d) Borlabs

In order to obtain your consent to the storage of certain cookies on your terminal device and to document this in accordance with data protection law, we use the Cookie Consent Manager "Borlabs Cookie" from the provider Borlabs, Benjamin A. Bornschein, Georg-Wilhelm-Str. 17, 21107 Hamburg, Germany, as part of our legal obligation pursuant to Art. 6 (1) lit. c GDPR and thus also our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Only technically necessary cookies (borlabs-cookie) are set by the Borlabs cookie. If our website is accessed, the following data is transmitted to Borlabs Cookie:

- Your consent or revocation of your consent to the setting of cookies, a cookie set by Borlabs Cookie in your browser,
- the cookie runtime and version,
- domain and path of the WordPress website and the UID.

The UID is a randomly generated ID and not personal information. Borlab's cookie does not process any personal data. If you wish to revoke your consent to the setting of certain cookies, simply delete the cookie in your browser. When you re-enter/reload the website, you will be asked again for your cookie consent. For detailed information on the Borlabs cookie privacy policy, please visit: https://de.borlabs.io/datenschutz/

e) WPML

We use WPML from OnTheGoSystems Limited, 22/F 3 Lockhart Road, Wanchai, Hong Kong. WPML is a multi-language plugin for WordPress. We use WPML to display our website in different languages. When you visit our website, WPML stores a cookie on your terminal device to save the language setting you have selected. Personal data can be stored and evaluated, especially the activity of the user (in particular which pages have been visited and which elements have been clicked on) as well as device and browser information (in particular the IP address and the operating system).

Further information on the collection and storage of data by WPML can be found here:
https://wpml.org/documentation/privacy-policy-and-gdpr-compliance

The use of WPML serves to be able to present our website in multiple languages.

Legal basis for the processing of personal dataThe legal basis for data processing is Art. 6 (1) lit. f GDPR. Our legitimate interest lies in addressing visitors to our website in their native language.

WPML stores cookies on your terminal device. Information on the storage period of the cookies can be found at: https://wpml.org/documentation/privacy-policy-and-gdpr-compliance.

You can prevent the collection and processing of your personal data by WPML by preventing third-party cookies from being stored on your computer, by using the "Do Not Track" function of a supporting browser, by deactivating the execution of script code in your browser or by installing a script blocker such as NoScript (www.noscript.net) or Ghostery (www.ghostery.com) in your browser.

For more information on objection and removal options vis-à-vis WPML, please visit:
https://wpml.org/documentation/privacy-policy-and-gdpr-compliance

III) Data processing in our Online Payment Tool

1. Collection and storage of personal data and the purpose of their use

Xolvis provides an Online Payment Tool to its customers, which allows them to optimize payment processes. Xolvis, therefore, acts as a processor of personal data on behalf of its customers. The present statement depicts the processing of personal data in connection with the Xolvis Online Payment Tool.

a) Personal data of our customers

For the purpose of performing the mutual contractual obligations we process required personal data of our customers and their employees as follows:

- contact data; e.g. names, addresses phone numbers, e-mail addresses
- correspondence

The legal basis for the data processing is Art. 6 (1) lit. b GDPR.

The personal data processed for this purpose are erased after the cease of contract, unless Union or Member State law requires storage of the personal data.

b) Personal data processed by Xolvis on behalf of our customers

For the purpose of providing the Xolvis Online Payment Tool, we process the following personal data on behalf of our customers:

- contact data, e.g. names, addresses, e-mail addresses etc.
- license plates
- invoices

The legal basis for the data processing is Art. 6 (1) lit. b, 28 GDPR.

The personal data processed on behalf is stored until erased by the customer, unless Union or Member State law requires storage of the personal data

2. Forwarding data

a) Sub-processors

The legal basis for the using sub-processors for data processing is Art. 6 (1) lit. b), 28 GDPR. The processing is necessary for the performance of mutual contractual obligations. We want to provide our customers with the technical infrastructure that enables us to offer our services.

i) Amazon Web Services (AWS)

Xolvis uses Amazon Web Services, EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxemburg, as hosting service. All data processed by Xolvis is processed on hosting platforms operated by AWS. This also includes personal data processed by Xolvis on behalf of its customers. The processing of personal data only takes place on servers located in the European Union. No personal data is transferred to third countries. 

ii) Microsoft Office 365

Xolvis uses Microsoft Office 365, provided by Microsoft Corporation (“Microsoft”), One Microsoft Way, Redmond, WA 98052-6399, USA as e-mail hosting service. For technical reasons, personal data may be processed on Microsoft infrastructure in the United States. Xolvis does not process any personal data processed on behalf of its customers on Microsoft infrastructure or services. Microsoft has invested in the operational processes necessary to meet the exacting requirements of the European Union Model Clauses for the transfer of personal data to processors. Microsoft has submitted itself to Model Clauses, referred to as Standard Contractual Clauses, that make specific guarantees around transfers of personal data for in-scope Microsoft services.

iii) Franz Martin IT Consultant

Xolvis cooperates with Franz Martin, Benedikt-Erhard-Straße 6, 83646 Bad Toelz, Germany as freelancing IT Consultant. For technical reasons, this includes the processing of all personal data processed by Xolvis. The processing of personal data by Franz Martin only takes place on Xolvis infrastructure.

b) Third parties

Your personal data will not be transferred to any third party for any purpose other than those listed below.

We shall forward your personal data to third parties only

- if you have given your explicit consent, in accordance with Art. 6 (1) lit. a) GDPR
- if under Art. 6 (1) lit. f) GDPR the transfer is necessary for the establishment, exercise or defence of legal claims, and there is no reason to assume that you have an overriding interest, which must be protected, in the non-forwarding of your data
- if there is a legal obligation to forward the data under Art. 6 (1) lit. c) GDPR and if this is legally permissible and necessary under Art. 6 (1) lit. b) GDPR for the processing of contractual relationships with you.

IV) Data subject rights

You have the right:

- pursuant to Art. 15 GDPR, to demand information about your personal data that we have processed. In particular, you can obtain information about the purposes of the processing, The categories of personal data concerned, the recipients or category of recipients to whom you data have been or will be disclosed, the envisaged period for which the data will be stored, the existence of the right to request rectification, erasure, or restriction of the processing, or to object to it, the right to lodge a complaint with a supervisory authority, the source of your data, if these have not been collected by us, and on the existence of automated decision-making, including profiling, and any other meaningful information about their details or the logic involved;
- pursuant to Art. 16 GDPR, to demand the immediate rectification or completion of inaccurate personal data stored by us;
- pursuant to Art. 17 GDPR, to demand the erasure of personal data stored by us, unless their processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims;
- pursuant to Art. 18 GDPR, to demand the restriction of the processing of your personal data in cases where you contest the accuracy of the data, where the processing is unlawful yet you oppose the erasure of the personal data, where we no longer need the data but you still require them to establish, exercise or defend legal claims, or where you have objected to the processing of the data pursuant to Art. 21 GDPR;
- pursuant to Art. 20 GDPR, to obtain your personal data that you have provided to us in a structured, commonly used and machine-readable format and to demand the transfer of these data to another controller;
- pursuant to Art. 7 (3) GDPR, to withdraw your consent at any time, which will mean that in future we may no longer carry out the data processing that was contingent upon this consent and
- pursuant to Art. 77 GDPR, to lodge a complaint with a supervisory authority. In general, you can contact the supervisory authority of your usual residence or place of employment, or that of our company headquarters for this purpose.

Insofar as your personal data is processed on the basis of legitimate interests in accordance with Art. 6 (1) lit. f) GDPR, you have the right, under Art. 21 GDPR, to object to the processing of your personal data, provided there are reasons relating to your particular situation or if the objection relates to direct marketing. In the latter case, you have a general right to object, which shall be implemented by us without any reference to a particular situation.

If you wish to avail of your right to withdraw or object, an e-mail to [email protected] will suffice.