Privancy Notice

General Information for Website, Apps, Features, and Social Media Channels according to Art. 13, 14 GDPR

Privacy Notice for the Website www.exporto.de

Privacy Notice for Online Meetings

Privacy Notice for Use of the Platform app.exporto.de

Privacy Notice for Use of Our Social Media Channels

General Information for Website, Apps, Features and Social Media Channels pursuant to Art. 13, 14 GDPR

I. Responsible Entity

Responsible for data processing within the meaning of the GDPR is:

exporto GmbH
Bücklestraße 5
78467 Konstanz
Deutschland

Phone: +49 7531 127 949 10
Email: info@exporto.de

II. Data Protection Officer

Our company has appointed a Data Protection Officer pursuant to Art. 37 GDPR. You can reach him at the email: datenschutz@exporto.de

III. Types of Data Collection

We collect personal data exclusively within the framework of legal requirements and only when this is necessary to fulfill a specific purpose. Collection may occur through the following channels:

• Via our Websites (www.exporto.de / www.mag.exporto.de)
  e.g., through use of contact forms, newsletter registration, downloads, web analysis or through cookies.

• Via our Platform / App (app.exporto.de)
  e.g., during registration of company accounts, during transactions, in the context of communication or through uploaded documents.
• Via our Social Media Channels
  e.g., through comments, messages, interactions or participation in campaigns on platforms such as LinkedIn, Instagram or Facebook.
• In the Context of Events and Functions
  e.g., when registering for webinars, trade shows or information events – online or on-site.
• In the Context of an Employment Relationship or Application Process
  e.g., through applications, contract documents, employee administration or internal communication.
• Via Direct Contact by Email, Phone or Mail
  e.g., for support inquiries, business initiation or customer communication.
• Within the context of online meetings (e.g., Zoom, Microsoft Teams, Slack)
  e.g., when participating in video conferences in which content may also be processed by AI notetakers or recording functions (e.g., transcripts, summaries, video recordings).

The collected data vary depending on the purpose of processing and are used exclusively for the respective processing purpose.

IV. Your Rights 

As a data subject, you have the following rights in particular pursuant to Art. 15 ff. GDPR:

1. Access, Rectification and Erasure

‍You have the right at any time to receive information free of charge about your personal data stored with us, their origin, recipients and the purpose of data processing. In addition, you have the right to rectification of incorrect data or erasure, provided that no legal retention obligations exist.

2. Right to Restriction of Processing

You have the right to request restriction of the processing of your personal data if:

• You dispute the accuracy of the data (for the duration of verification),
• The processing is unlawful and you request restriction instead of erasure,
• We no longer need the data, but you need it for the establishment of legal claims,
• Or you have objected to processing and a balancing of interests is still pending.

In case of restriction, processing – apart from storage – occurs only with your consent or for the establishment of legal claims or for reasons of important public interest.

3. Withdrawal of Your Consent

Insofar as processing of your data is based on your consent (Art. 6(1)(a) GDPR or § 25(1) TDDDG ), you may withdraw this at any time with effect for the future. The lawfulness of processing until withdrawal remains unaffected.

4. Right to Object pursuant to Art. 21 GDPR

Objection for special reasons (Art. 21(1) GDPR):
If your data is processed on the basis of Art. 6(1)(e)(f) GDPR, you have the right to object to processing at any time for reasons arising from your particular situation.

Objection to Direct Marketing (Art. 21(2) GDPR):
If your personal data is processed for direct marketing purposes, you may object to such processing at any time. This also applies to profiling insofar as it is connected with direct marketing.

Following an objection, your personal data will no longer be processed for these purposes.

5. Right to Data Portability

You have the right to receive data that we process automatically based on your consent or for contract fulfillment in a structured, common and machine-readable format or – insofar as technically possible – to have it transmitted to another controller.

6. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority concerning the processing of your personal data. Generally responsible is the supervisory authority of your place of residence, workplace or the place of the alleged violation.

V. Handling of Applicant Data

1. Purpose and Legal Bases of Processing

When you apply to exporto, we process your personal data for the purpose of handling the application process. This concerns in particular contact data, application documents, correspondence, notes from interviews or comparable information.

Legal bases for this are:

• § 26(1) BDSG (initiation of an employment relationship)
• Art. 6(1)(b) GDPR (contract initiation)
• Art. 6(1)(a) GDPR (consent, e.g., inclusion in applicant pool)
• Art. 6(1)(f) GDPR (legitimate interest, e.g., for defense against claims)

The data is passed on exclusively to persons within our company entrusted with selection.

2. Retention Period

• In case of unsuccessful completion of the application process, we retain your documents for up to 6 months after completion of the process (Art. 6(1)(f) GDPR), e.g., for defense against possible claims.
• After expiration of this period, the data will be deleted or destroyed, unless there is a continuing legal reason for retention.
• Longer retention occurs only if you have expressly consented (Art. 6(1)(a) GDPR) or legal retention obligations exist.

3. Applicant Pool

If you are not hired immediately, you may be offered the option to include your application in our applicant pool. This occurs only on the basis of express consent (Art. 6(1)(a) GDPR). This consent is voluntary, may be withdrawn at any time and has no influence on the ongoing application process. Data stored in the applicant pool will be deleted after 2 years at the latest.

4. Transfer and Contract Processing

In the context of the application process, transfer may occur:

• to internal specialists, insofar as this is necessary for applicant selection (legal basis: Art. 6(1)(f) GDPR in conjunction with § 26 BDSG),
• to external service providers in the context of contract processing pursuant to Art. 28 GDPR, e.g., for IT infrastructure or applicant management systems.

For handling and administration of applications, we use the applicant management system Personio. Personio processes applicant data exclusively on behalf and on secure servers within the EU.

Further information on the use of Personio can be found in the table of deployed tools.

Transfer to third countries generally does not occur. Should this be necessary in exceptional cases, transfer occurs exclusively on the basis of appropriate guarantees such as EU standard contractual clauses pursuant to Art. 46 GDPR.

VI. Communication via Email

When you contact us via email, we process your personal data exclusively to the necessary extent. This concerns e.g., your name, your email address, the content of your message as well as any attachments sent.

Processing occurs on one of the following legal bases:

• Art. 6(1)(b) GDPR – for carrying out pre-contractual measures or for fulfillment of a contract (e.g., for quote requests, project agreements),
• Art. 6(1)(f) GDPR – based on our legitimate interest in effective communication with business partners, customers or interested parties,
• Art. 6(1)(a) GDPR – insofar as you have expressly consented.

Your data remains with us as long as this is necessary for handling your inquiry or legal retention periods exist. After purpose fulfillment or withdrawal of your consent, your data will be deleted, provided no other legal retention obligations exist.

Privacy Notice for the Website www.exporto.de

This information applies to the use of the website http://www.exporto.de/ and all publicly accessible subpages and subdomains, such as mag.exporto.de. It provides information about which personal data is processed when you visit our website, for what purposes this is done, and on what legal basis the processing is based.

We collect personal data in two ways:

1. Data you provide to us:
   Such as information provided through contact forms or via email.
2. Data collected automatically:
   When visiting our website, technical data is automatically collected by our IT systems or hosting service providers, e.g.:

• Browser type and version
• Operating system
• Referrer URL
• Hostname of the accessing computer
• Time of server request
• IP address

This data is collected automatically as soon as you visit our website.

I. Purpose of Data Processing

We process your data for the following purposes:

• Ensuring technical operation and security of the website
• Improvement and optimization of our online offering
• Answering inquiries
• Analysis of user behavior for improving user experience
• Fulfillment of legal obligations

II. Storage Duration

We store your personal data only as long as necessary for fulfilling the stated purposes. If a legitimate deletion request occurs or you withdraw consent, we delete your data, provided no other legal retention obligations exist. In this case, deletion occurs after expiration of legal deadlines.

III. Legal Bases of Processing

Processing of your personal data occurs on the basis of the following legal provisions:

• Consent (Art. 6(1)(a) GDPR)
• Contract fulfillment or carrying out pre-contractual measures (Art. 6(1)(b) GDPR)
• Fulfillment of legal obligations (Art. 6(1)(c) GDPR)
• Protection of legitimate interests (Art. 6(1)(f) GDPR)

When using cookies and similar technologies, we additionally rely on § 25(1) TDDDG . You may withdraw granted consent at any time with effect for the future.

IV. Recipients of Personal Data

In the context of our business activities, it may be necessary to transfer personal data to external entities. Transfer occurs only if:

• it is necessary for contract fulfillment,
• a legal obligation exists,
• a legitimate interest pursuant to Art. 6(1)(f) GDPR exists, or
• another legal basis permits this.

Insofar as processors are employed, data transfer occurs exclusively on the basis of a valid data processing agreement pursuant to Art. 28 GDPR. In case of joint controllership, a corresponding agreement pursuant to Art. 26 GDPR is concluded.

V. Use of Third-Party Tools and Plugins

To ensure functionality, security and user-friendliness of our website as well as to continuously analyze and optimize our offering, we employ various services from external providers. These tools support us in technical delivery of the website, user interaction as well as in success measurement and improvement of our online presence.

Data processing by these providers occurs either:

• based on your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG (e.g., analysis and marketing tools), or
• based on legitimate interests pursuant to Art. 6(1)(f) GDPR (e.g., hosting and security functions).

We have concluded a data processing agreement (DPA) pursuant to Art. 28 GDPR with all service providers. Furthermore, all services are configured so that your data is processed exclusively on servers within the European Union. Transfer to third countries does not take place.

For providers based outside the EU (e.g., USA), we ensure through appropriate measures that your data is nevertheless processed exclusively within the EU. Should transfer to third countries be exceptionally necessary, this occurs only on the basis of appropriate guarantees such as EU standard contractual clauses (SCC) or certification under the EU-US Data Privacy Framework (DPF).

VI. Consent Management

For managing your consents, we use the service Cookiebot from Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark.

Only after your active consent are non-necessary cookies or tracking technologies set (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG ).

You can withdraw or adjust consents at any time:
Link to CookieBot Consent Tool

VII. Categories of Deployed Tools

The deployed services can be categorized as follows:

• Necessary Tools: (e.g., hosting, security, content delivery, consent management) These are required for basic provision and secure operation of the website and require no consent. Legal basis is Art. 6(1)(f) GDPR (legitimate interest in secure and functional website operation) in conjunction with § 25 Para. 2 No. 2 TDDDG.
• Preference Tools: These enable remembering settings you have chosen (e.g., language, region or display options) to facilitate website use. Legal basis is Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG , insofar as cookies or comparable technologies are used.
• Statistics Tools: These serve anonymized analysis of user behavior to understand and improve use of our website. Processing occurs exclusively based on your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG . You can withdraw your consent at any time in the cookie banner.
• Marketing Tools: These are used to recognize users across websites, conduct reach measurements and display personalized content or advertising. This also includes social media plugins (e.g., LinkedIn, Facebook). Processing occurs exclusively based on your consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG ).

VIII. Deployed Tools on the Website

Privacy Notice for Online Meetings

We regularly conduct internal and external meetings as video conferences. For this we use in particular Zoom as well as comparable platforms. Furthermore, in some cases an automated note service ("AI Notetaker") may be used, which records, summarizes or transcribes conversation content.

I. Processing of Personal Data

In the context of such online meetings, the following personal data may be processed depending on the scenario:

• Name, email address, company, participant role
• Image and audio data (with active camera or microphone)
• Chat content, screen sharing, uploaded files
• Possibly recordings, transcripts or summaries of the meeting (e.g., through tools like Zoom AI Companion, TL;DV, Gemini)

Processing occurs depending on context either:

• for preparation or performance of a contract (Art. 6(1)(b) GDPR),
• for protection of legitimate interests (Art. 6(1)(f) GDPR), e.g., for documentation,
• based on your consent (Art. 6(1)(a) GDPR), e.g., when using analysis functions or recordings.

II. Use of AI-based Notetaking Tools

If an AI notetaker or recording service is used, participants are informed in advance verbally or by a visible notice in the session. Participation in this case is voluntary and requires your consent.

III. Deployed Tools for Meetings

‍

With these services, processing of your data in third countries (e.g., USA) may occur. In these cases, appropriate protective mechanisms such as EU standard contractual clauses or certifications under the EU-US Data Privacy Framework (DPF) apply.

IV. Recording of Meetings

Online meetings will only be recorded if this has been expressly communicated in advance or if you have given your consent. If a recording is made, this will be done exclusively for the stated purpose and in compliance with data protection regulations.

V. Storage Duration

Recordings, transcripts or notes are stored only as long as necessary for the respective purpose. If legal retention obligations exist, storage duration is determined accordingly.