Privacy Policy
Preamble
With this privacy policy we inform you which types of your personal data (hereinafter also referred to as "data") we process for which purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, and within external online presences, such as our social media profiles (collectively referred to as the "online offering").
The terms used are gender-neutral.
Last updated: 10 December 2025
Controller
naion.tech GbR
Forckenbeckstr. 51
52074 Aachen
Authorized representative: Milan Abel
Email: [email protected]
Phone: +492418098095
Imprint: naion.tech/imprint
Overview of Processing
The following overview summarizes the types of data processed, the purposes of their processing, and the categories of data subjects.
Types of Data Processed
- Inventory data.
- Employee data.
- Payment data.
- Location data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication, and procedural data.
- Log data.
Categories of Data Subjects
- Service recipients and clients.
- Employees.
- Interested parties.
- Communication partners.
- Users.
- Business and contractual partners.
- Third parties.
- Whistleblowers.
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations.
- Communication.
- Security measures.
- Direct marketing.
- Office and organizational procedures.
- Organizational and administrative procedures.
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online offering and user-friendliness.
- IT infrastructure.
- Whistleblower protection.
- Public relations.
- Sales promotion.
- Business processes and commercial procedures.
Relevant Legal Bases
Relevant legal bases under the GDPR: Below is an overview of the legal bases of the GDPR on which we process personal data. Please note that national data protection regulations in your or our country of residence may also apply. If more specific legal bases are relevant in individual cases, we will inform you in the privacy policy.
- Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract with the data subject or in order to take steps at their request prior to entering into a contract.
- Legal obligation (Art. 6(1)(c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided such interests are not overridden by the interests or fundamental rights and freedoms of the data subject.
National data protection rules in Germany: In addition to the GDPR, national data protection regulations apply in Germany, particularly the Federal Data Protection Act (BDSG). The BDSG contains specific provisions on the right to information, deletion, objection, processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making including profiling. State data protection laws may also apply.
Security Measures
We take appropriate technical and organizational measures in accordance with legal requirements, considering the state of the art, implementation costs, the nature, scope, circumstances, and purposes of processing as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.
Measures include safeguarding confidentiality, integrity, and availability of data by controlling physical and electronic access to data, as well as access, input, transmission, availability, and separation. We have procedures to ensure data subject rights, deletion of data, and responses to data threats. We also consider the protection of personal data during the development or selection of hardware, software, and procedures according to the principle of data protection by design and by default.
Securing online connections through TLS/SSL encryption (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption. When a website is secured by an SSL/TLS certificate, HTTPS appears in the URL.
Transfer of Personal Data
In the course of processing personal data, it may be transferred to or disclosed to other entities, companies, legally independent organizations, or persons. Recipients may include IT service providers or providers of services and content that are embedded in a website. In such cases we comply with legal requirements and conclude corresponding contracts or agreements with recipients.
Data transfers within the organization: We may transfer personal data to other departments or units within our organization. If the data transfer is for administrative purposes, it is based on our legitimate business and commercial interests or is necessary to fulfill contractual obligations, provided consent or legal permission exists.
General Information on Data Storage and Deletion
We delete personal data we process in accordance with legal provisions as soon as consent is revoked or there is no other legal basis for processing. This applies when the original purpose no longer exists or the data is no longer needed, unless legal obligations or special interests require longer retention.
Data that must be retained for commercial or tax reasons or that is necessary to assert or defend legal claims will be archived accordingly. Our privacy notices contain additional information on retention and deletion of data for specific processing operations.
Where multiple retention periods are indicated, the longest period applies. Data retained for reasons other than the original purpose is processed only for those reasons.
Retention and deletion periods under German law:
- 10 years - retention for books and records, annual financial statements, inventories, management reports, opening balance sheets, and related documentation (Section 147 AO, Section 14b UStG, Section 257 HGB).
- 8 years - accounting vouchers such as invoices and cost receipts (Section 147 AO, Section 257 HGB).
- 6 years - other business documents such as business correspondence and other tax-relevant records (Section 147 AO, Section 257 HGB).
- 3 years - data needed to consider potential warranty and damages claims or similar contractual claims, based on statutory limitation periods (Sections 195, 199 BGB).
If a period is not explicitly tied to a date and is at least one year, it begins at the end of the calendar year in which the triggering event occurred. For ongoing contracts, the event is the termination or other end of the relationship.
Rights of Data Subjects
Rights under the GDPR: As a data subject you have the following rights under Art. 15-21 GDPR:
- Right to object: You may object at any time, on grounds relating to your particular situation, to processing based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If personal data is processed for direct marketing, you may object at any time to such processing, including profiling related to direct marketing.
- Right to withdraw consent: You may withdraw consent at any time.
- Right of access: You have the right to obtain confirmation whether data concerning you is being processed and to receive information and a copy of the data.
- Right to rectification: You have the right to request completion or correction of inaccurate data concerning you.
- Right to erasure and restriction: You have the right to request deletion or restriction of processing in accordance with legal requirements.
- Right to data portability: You have the right to receive the data you provided to us in a structured, commonly used, machine-readable format or to request transmission to another controller.
- Right to complain to a supervisory authority: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe processing of your personal data violates the GDPR.
Business Services
We process data of our contractual and business partners (e.g., customers and prospects) within contractual or similar legal relationships and related measures, and for communication with the partners (including pre-contractual), such as responding to inquiries.
We use this data to fulfill contractual obligations, including providing agreed services, updates, and remedies for warranty or performance issues. We also use the data to protect our rights and for administrative tasks and business organization. Data may be shared with third parties where necessary for the above purposes or legal obligations. We inform partners of further processing, such as for marketing, in this privacy policy.
We inform partners about required data before or during collection (e.g., in online forms by labels or symbols) or personally. We delete data after statutory warranty or comparable obligations expire, generally after four years, unless stored in a customer account or archived for legal reasons (e.g., tax retention typically ten years). Data disclosed to us in the course of an assignment is deleted as specified and generally after the end of the assignment.
- Data types processed: Inventory data; payment data; contact data; contract data.
- Data subjects: Service recipients and clients; prospects; business and contractual partners.
- Purposes of processing: Provision of contractual services and obligations; communication; office and organizational procedures; organizational and administrative procedures; business processes and commercial procedures.
- Retention and deletion: Deletion in accordance with "General Information on Data Storage and Deletion".
- Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing, procedures, and services:
- Technical services: We process customer data to enable selection, purchase, ordering, payment, provision, or performance of services or works and related activities. Required details are marked accordingly and include information needed for performance and billing as well as contact details for any queries. Where we receive information about end customers, employees, or other persons, we process it in line with legal and contractual requirements; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Provision of the Online Offering and Web Hosting
We process user data to provide our online services. This requires processing the user's IP address to deliver content and functions to their browser or device.
- Data types processed: Usage data; meta, communication, and procedural data; log data.
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of our online offering and user-friendliness; IT infrastructure; security measures.
- Retention and deletion: Deletion in accordance with "General Information on Data Storage and Deletion".
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing, procedures, and services:
- Provision of online offering on rented hosting: We use storage, computing capacity, and software rented or otherwise obtained from a server provider to deliver our online offering; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Collection of access data and log files: Access to our online offering is logged as server log files. They may include addresses and names of accessed pages and files, date and time, transferred data volumes, success messages, browser type and version, operating system, referrer URL, IP addresses, and the requesting provider. Logs serve security purposes (e.g., preventing server overload or DDoS attacks) and ensuring server stability; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: Log files are stored for up to 30 days then deleted or anonymized. Data needed as evidence is retained until the incident is resolved.
Use of Cookies
"Cookies" are functions that store and read information on user devices. They can be used for functionality, security, comfort, and analytics. We use cookies according to legal requirements and obtain consent where required; otherwise, we rely on legitimate interests where storage and access are essential to provide expressly requested content and functions.
Legal basis notes: Whether we process personal data using cookies depends on consent. If consent is given, it is the legal basis; otherwise, we rely on legitimate interests as explained.
Storage duration:
- Session cookies: Deleted after the user leaves the online offering and closes the device/browser.
- Persistent cookies: Remain stored after closing the device. Unless specified, assume up to two years.
General notes on withdrawal and objection (opt-out): Users can withdraw consent at any time and object to processing using browser privacy settings.
- Data types processed: Meta, communication, and procedural data.
- Data subjects: Users.
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); consent (Art. 6(1)(a) GDPR).
Further notes on processing, procedures, and services:
- Processing of cookie data based on consent: We use a consent management solution to obtain, log, manage, and withdraw user consent for cookies or comparable technologies. Consents are stored server-side and/or in a cookie to link consent to a specific user or device. Unless otherwise stated, consent is stored for up to two years along with a pseudonymous identifier, timestamp, scope of consent, and device/browser details; Legal bases: Consent (Art. 6(1)(a) GDPR).
Contact and Inquiry Management
When contacting us (e.g., by post, contact form, email, phone, or social media) and within existing user and business relationships, we process the information provided by the inquiring persons as necessary to respond to inquiries and any requested measures.
- Data types processed: Inventory data; contact data; content data; usage data; meta, communication, and procedural data.
- Data subjects: Communication partners.
- Purposes of processing: Communication; organizational and administrative procedures; feedback; provision of our online offering and user-friendliness.
- Retention and deletion: Deletion in accordance with "General Information on Data Storage and Deletion".
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Further notes on processing, procedures, and services:
- Contact form: When contacting us via form, email, or other channels, we process the transmitted personal data to respond. This typically includes name, contact details, and other information necessary to handle the request. Data is used solely for communication; Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
- HubSpot CRM: Managing customer contacts, tracking sales activities, marketing automation, analytics, campaign management, support ticketing, and AI-assisted features; Provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland; Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.hubspot.com/crm; Privacy Policy: https://legal.hubspot.com/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa; Third-country transfer basis: Data Privacy Framework (DPF), Standard Contractual Clauses.
Marketing Communication via Email, Post, Fax or Phone
We process personal data for marketing communication through channels such as email, phone, post, or fax in accordance with legal requirements. Recipients may withdraw consent or object at any time via the contact options above.
After withdrawal or objection, we retain the data necessary to prove prior authorization for up to three years after the end of the year of withdrawal/objection based on legitimate interests. We also store minimal data to avoid future contact where necessary.
- Data types processed: Inventory data; contact data; content data.
- Data subjects: Communication partners.
- Purposes of processing: Direct marketing; marketing; sales promotion.
- Retention and deletion: Deletion in accordance with "General Information on Data Storage and Deletion".
- Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Presence in Social Networks (Social Media)
We maintain online presences in social networks to communicate with users or provide information about us. User data may be processed outside the EU, potentially making enforcement of user rights more difficult.
User data is typically processed for market research and advertising. Usage profiles can be created based on user behavior and interests to serve ads likely matching user interests. Cookies may be stored on user devices to store usage behavior and interests. Usage profiles can also store data across devices (especially if users are logged in).
For detailed information on processing and opt-out options, see the privacy policies of the respective networks. For access or rights requests, please contact the network provider directly. If you need assistance, you may also contact us.
- Data types processed: Contact data; content data; usage data.
- Data subjects: Users.
- Purposes of processing: Communication; feedback; public relations.
- Retention and deletion: Deletion in accordance with "General Information on Data Storage and Deletion".
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing, procedures, and services:
- LinkedIn: Social network. Joint controller with LinkedIn Ireland Unlimited Company for collection of Page Insights data (content viewed, actions, device details such as IP address, OS, browser, language, cookies, and profile attributes such as job function, country, industry, seniority, company size, employment status). Privacy: https://www.linkedin.com/legal/privacy-policy. Joint controller addendum: https://legal.linkedin.com/pages-joint-controller-addendum. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Third-country transfer basis: Data Privacy Framework (DPF), Standard Contractual Clauses. Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Plugins and Embedded Functions and Content
We integrate functional and content elements from third-party providers (e.g., graphics, videos, maps). This requires processing users' IP addresses to deliver the content. Third parties may also use pixel tags for statistics or marketing. Information may be stored in cookies on user devices and combined with data from other sources.
Legal basis notes: If we request user consent, that is the legal basis; otherwise, processing is based on our legitimate interests in efficient, economical, and user-friendly services. Please also see our notes on cookies.
- Data types processed: Usage data; meta, communication, and procedural data; location data.
- Data subjects: Users.
- Purposes of processing: Provision of our online offering and user-friendliness; marketing; profiles with user-related information.
- Retention and deletion: Deletion in accordance with "General Information on Data Storage and Deletion". Cookies may be stored for up to two years unless otherwise stated.
- Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing, procedures, and services:
- Google Maps: Map service by Google. Data processed may include IP addresses and location data; Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy; Third-country transfer basis: Data Privacy Framework (DPF).
- LinkedIn plugins and content: e.g., images, videos, texts, and buttons enabling sharing within LinkedIn; Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Data Processing Agreement: https://legal.linkedin.com/dpa; Third-country transfer basis: Data Privacy Framework (DPF), Standard Contractual Clauses; Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Privacy Information for Whistleblowers
This section explains how we handle data from whistleblowers and affected parties in our whistleblowing process. Our goal is to provide a straightforward and secure way to report possible misconduct by us, our employees, or service providers.
Legal basis (Germany): Where we process data to fulfill statutory obligations under the German Whistleblower Protection Act (HinSchG), the legal basis is Art. 6(1)(c) GDPR (and for special categories Art. 9(2)(g) GDPR, Section 22 BDSG) in connection with Section 10 HinSchG. This covers the duty to operate an internal reporting office and related investigations or employment actions following confirmed violations.
Where we process data (especially when misconduct is found) for or in preparation of legal defense, processing is based on our legitimate interests in lawful and ethical conduct (Art. 6(1)(f) GDPR).
If you provide consent for certain purposes, processing is based on Art. 6(1)(a) GDPR; for special categories of data, Art. 9 may also apply.
Data types processed:
In receiving and handling reports and subsequent procedures, we may collect:
- Name, contact details, and location of the reporting person.
- Names and data of potential witnesses or affected persons.
- Names and data of persons implicated by the report.
- Data about the alleged misconduct.
- Other relevant details provided by the whistleblower.
For fact-finding and follow-up, we may also process:
- Unique identifier of the report.
- Contact details of the reporting person, if provided.
- Personal data of persons named in the report, if provided.
- Personal data of persons indirectly affected by the report.
Special categories of personal data:
If provided, we may process health data, data on racial or ethnic origin, religious or philosophical beliefs, or sexual orientation. Such data is processed only as permitted by law (e.g., Art. 9 GDPR).
Use of online forms: Anonymous reports are possible. For additional privacy you may use your browser's incognito mode. When visiting our site normally, your browser sends technical details (e.g., IP address) that are temporarily logged and deleted after 30 days. Logging helps ensure security, stability, and confidentiality of the reporting form.
Providing your name: You may report anonymously. Where permitted by law, we recommend providing your name and contact details to help us follow up and communicate. Your identity is treated confidentially unless legal obligations require disclosure to protect rights or as mandated.
Disclosure to third parties: Data related to reports is shared only with your express consent or where legally required (e.g., public authorities, regulators, tax authorities). We may engage legal counsel or carefully selected processors (e.g., operators of web-based reporting systems) under data processing agreements to investigate and act on reports.
Retention and deletion: Personal data is processed only as long as necessary for the purposes described. If no longer needed, it is deleted unless longer retention is required to meet legal obligations and is proportionate.
Technical and organizational measures: We implement contractual, technical, and organizational measures to protect all processed data. Reports are handled by authorized personnel. Employees are trained and bound to confidentiality.
Changes and Updates
Please review this privacy policy regularly. We will adapt it when changes in our data processing make this necessary. We will inform you if changes require your cooperation (e.g., consent) or other individual notification.
If we provide addresses and contact details of companies and organizations, note that they may change over time; please verify before contacting.
Definitions
This section provides an overview of terms used in this privacy policy. Where terms are legally defined, those definitions apply; the explanations below support understanding.
- Employees: Persons in an employment relationship (staff, employees, similar roles). Employment involves a contract under which the employer pays remuneration and the employee performs work. Employee data includes identifiers, payroll and bank data, working hours, leave, health data, and performance evaluations.
- Inventory data: Core information for identifying and managing contracting parties, accounts, or profiles, such as names, contact details, dates of birth, and identifiers.
- Content data: Information generated when creating or publishing content (texts, images, videos, audio, etc.) including related metadata such as tags, descriptions, authorship, and publication dates.
- Contact data: Information enabling communication, such as phone numbers, postal addresses, email addresses, and social media handles.
- Meta, communication, and procedural data: Contextual information about how data is processed or transmitted, such as file size, creation date, author, change history, communication logs, timestamps, transmission paths, and audit logs.
- Usage data: Information on how users interact with digital products or services (page views, dwell time, click paths, frequency, device and OS, interactions). Includes timestamps, IP addresses, device info, and location data.
- Personal data: Any information relating to an identified or identifiable natural person.
- Profiles with user-related information: Automated processing of personal data to analyze, evaluate, or predict personal aspects (e.g., interests, behavior, location). Often uses cookies and web beacons.
- Log data: Information about events or activities recorded in a system or network (timestamps, IP addresses, user actions, errors) used for analysis, security monitoring, or performance reporting.
- Location data: Information indicating geographic position of a device (e.g., via cell towers, Wi-Fi). Used to display maps or location-based info.
- Controller: The natural or legal person that determines the purposes and means of processing personal data.
- Processing: Any operation performed on personal data, such as collection, storage, transmission, or deletion.
- Contract data: Information related to formalizing agreements between parties (e.g., start/end dates, services/products, pricing, payment terms, termination rights).
- Payment data: Information needed for payment transactions (credit card numbers, bank details, amounts, transaction data, verification numbers, invoices, statuses).