1. Introduction

With the following information, we would like to provide you, as a “data subject”, with an overview of how we process
your personal data and of your rights under data protection law.

In principle, you can use our website without providing any personal data. However, if you wish to use certain services
offered by our company via our website, the processing of personal data may be necessary. Where there is no legal basis
for such processing, we will generally obtain your consent.

The processing of personal data (e.g. name, address or email address) is always carried out in accordance with the
General Data Protection Regulation (GDPR) and in compliance with the country-specific data protection provisions
applicable to ATBAS GmbH & Co. KG. This Privacy Policy explains the scope and purpose of the personal data we collect,
use and process.

We have implemented numerous technical and organisational measures to ensure the most comprehensive protection possible
for personal data processed via this website. Nevertheless, internet-based data transmissions may inherently involve
security vulnerabilities, so absolute protection cannot be guaranteed. You may therefore also send us personal data via
alternative channels (e.g. by telephone or post).

Guidance on the secure handling of your data

  • Protect your account (login, user or customer account) and your IT system (computer, laptop, tablet or mobile device) with strong passwords.
  • Only you should have access to your passwords.
  • Do not use the same password for multiple accounts.
  • Do not reuse a password across different websites, applications or online services.
  • Especially on publicly accessible or shared devices, always log out after each session.
  • Passwords should contain at least 12 characters and be chosen so they cannot easily be guessed. Avoid common everyday words or names; instead use a mix of upper- and lower-case letters, numbers and special characters.

2. Data Controller

The controller within the meaning of the GDPR is:

ATBAS GmbH & Co. KG
Freiberger Str. 69–71
01159 Dresden, Germany
Telephone: +49 351 404 252 40
Fax: +49 351 404 252 49
Email: support@atbas.de

3. Data Protection Officer

You can contact our Data Protection Officer as follows:

Christian Wollinger
Telephone: +49 351 404 252 40
Fax: +49 351 404 252 49
Email: datenschutz@atbas.de

You are welcome to contact our Data Protection Officer directly at any time with any questions or suggestions regarding data protection.

4. Definitions

This Privacy Policy is based on the terminology used in the GDPR. For ease of understanding, we explain certain terms below:

  • Personal data: Any information relating to an identified or identifiable natural person.
  • Data subject: Any identified or identifiable natural person whose personal data is processed.
  • Processing: Any operation performed on personal data (e.g. collection, storage, use, disclosure, deletion).
  • Restriction of processing: Marking stored personal data with the aim of restricting its future processing.
  • Profiling: Any form of automated processing of personal data used to evaluate certain personal aspects.
  • Pseudonymisation: Processing personal data in such a manner that it can no longer be attributed to a specific person without additional information.
  • Processor: A party that processes personal data on behalf of the controller.
  • Recipient: A party to whom personal data is disclosed.
  • Third party: Any party other than the data subject, controller, processor and persons authorised to process the data under the controller’s or processor’s direct authority.
  • Consent: Any freely given, specific, informed and unambiguous indication of your wishes by which you signify agreement to the processing of your personal data.

6. Disclosure to Third Parties and International Data Transfers

We only disclose your personal data to third parties if:

  • you have expressly consented (Art. 6(1)(a) GDPR),
  • the disclosure is necessary and permissible to protect legitimate interests (Art. 6(1)(f) GDPR),
  • there is a legal obligation (Art. 6(1)(c) GDPR), or
  • it is required for contract performance / pre-contractual measures (Art. 6(1)(b) GDPR).

Where personal data is transferred to third countries (outside the EU/EEA), we ensure appropriate safeguards where required
(e.g. Standard Contractual Clauses). Where an adequacy decision pursuant to Art. 45 GDPR applies (e.g. certification under the
EU–US Data Privacy Framework), the transfer may be based on this.

7. Technology

7.1 SSL/TLS encryption

This website uses SSL/TLS encryption to protect the transmission of confidential content (e.g. contact enquiries).
You can recognise an encrypted connection by “https://” and the padlock symbol in your browser.

7.2 Data collection when visiting the website (no access log files)

When you use our website for information purposes only, certain data is transmitted by your browser to our systems for technical reasons.
This may include:

  • browser type and version,
  • operating system,
  • referrer URL,
  • subpages accessed,
  • date and time of access,
  • IP address,
  • internet service provider.

Purpose: Providing the website, ensuring stability and IT security, as well as detecting/defending against attacks and misuse.

No storage as access log files: We have disabled permanent logging of page views in web server access log files, meaning we do not store such access logs.

Hosting: Our website is hosted in the cloud infrastructure of Microsoft Azure. Microsoft may, as a processor, have access to personal data in the course of operating the infrastructure, insofar as this is necessary for provision, maintenance and operation.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in provision, stability and IT security).

Note: If technical logs are generated in individual cases as part of security measures or troubleshooting
(e.g. error messages/security events), they are processed solely for the purposes stated above and deleted as soon as they are no longer required.

8. Cookies and Consent Management

8.1 General information about cookies

Cookies are small files that your browser stores on your device. Cookies may, for example, be used to save settings or enable statistical evaluations.

8.2 Legal basis for access to end-user devices (cookies & similar technologies)

Where we store information on your device or access information on your device (e.g. cookies), this is governed by Sec. 25 TDDDG:

  • Consent requirement: Sec. 25(1) TDDDG (generally required)
  • Exception: Sec. 25(2) TDDDG (strictly necessary for a service you have expressly requested)

Where personal data is subsequently processed, this will be based—depending on purpose—on:

  • Art. 6(1)(a) GDPR (consent) or
  • Art. 6(1)(f) GDPR (legitimate interest).

8.3 Complianz (consent management tool)

We use the consent management tool “Complianz GDPR/CCPA Cookie Consent” by Complianz B.V., Kalmarweg 14-5, 9723 JG Groningen,
Netherlands, to obtain, manage and document consent.

When you give or withdraw consent, the following data may be recorded in particular:

  • browser information,
  • date and time,
  • device information,
  • URL of the page visited,
  • banner language,
  • consent ID,
  • consent status.

Your consent status is stored in your browser so your selection can be applied in future sessions (for up to 12 months).
Consent records (consent/withdrawal) are stored for three years (regular limitation period under Sec. 195 German Civil Code)
and then deleted.

Cookie settings / withdrawal: You can withdraw or amend your consent at any time via the cookie settings (e.g. via the “Cookie settings” link in the footer).

Legal basis: Art. 6(1)(c) GDPR in conjunction with Art. 7(1) GDPR (documentation/evidence of consent). Complianz processes the data as a processor; processing takes place within the EU.

9. Content on Our Website

9.1 Contact / contact form

If you contact us (e.g. via the contact form or by email), we process the personal data you provide in order to handle your enquiry
and for technical administration.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in handling enquiries). Where the contact aims at concluding a contract: Art. 6(1)(b) GDPR.

Retention period: Deleted after final processing, unless statutory retention obligations require otherwise.

10. Newsletter

10.1 Newsletter to existing customers

If, in connection with the purchase of goods/services, you have provided us with your email address, we may send you offers for similar
goods/services by email (Sec. 7(3) UWG). You can object to this use at any time.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in direct marketing). Objection: at any time with effect for the future (by contacting the controller).

10.2 Marketing newsletter (subscription/double opt-in)

When you subscribe to the newsletter, we process the data entered in the input form. For legal reasons, we use a double opt-in procedure.
We also store the IP address and the date/time of registration (for verification/safeguarding against misuse).

Legal basis: Art. 6(1)(a) GDPR (consent). Withdrawal: at any time, e.g. via the unsubscribe link in every newsletter email.

10.3 Mailjet (newsletter & transactional emails)

We use Mailjet to send newsletters and transactional emails (e.g. system or service notifications).
Provider: SAS Mailjet, 13-13 bis, rue de l’Aubrac, 75012 Paris, France.

a) Newsletters via Mailjet
Legal basis: Art. 6(1)(a) GDPR (consent, double opt-in). Withdrawal at any time (unsubscribe link).

b) Transactional emails via Mailjet
Legal basis: Art. 6(1)(b) GDPR (contract/pre-contractual) and/or Art. 6(1)(f) GDPR (reliable communication).

Mailjet may use data in pseudonymised form for technical optimisation. Mailjet is used on the basis of a data processing agreement pursuant to Art. 28 GDPR.

Retention period: Newsletter data until you unsubscribe; afterwards, it may be stored in a suppression list to prevent further mailings.

Further information: https://www.mailjet.de/privacy-policy/

11. Activities on Social Networks

We maintain company pages on social networks in order to communicate with you and inform you about our services. When you visit our social
media pages, we are generally jointly responsible with the platform provider (Art. 26 GDPR) insofar as the provider makes “insights”/statistics available.

It cannot be ruled out that data is processed outside the EU/EEA. Providers often process data for advertising and analytics purposes without us being able
to influence this. You can most effectively exercise your rights (access, deletion, etc.) directly with the respective provider.

11.1 Facebook

Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Privacy Policy: https://www.facebook.com/about/privacy

11.2 Instagram

Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Privacy Policy: https://instagram.com/legal/privacy

11.3 LinkedIn

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

Privacy Policy: https://www.linkedin.com/legal/privacy-policy

11.4 XING

New Work SE, Am Strandkai 1, 20457 Hamburg, Germany

Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung

Data access: https://www.xing.com/settings/privacy/data/disclosure

12. Web Analytics / Marketing

12.1 HubSpot (forms)

We use HubSpot Forms. Provider: HubSpot, Inc., 25 First Street, Cambridge, MA 02141, USA.

When you complete a form, we process the information you enter in order to handle your enquiry. It may be matched to an existing HubSpot contact profile
if a contact already exists in HubSpot.

Legal basis: Art. 6(1)(f) GDPR (handling enquiries) and/or Art. 6(1)(b) GDPR (contract/pre-contractual). Where HubSpot sets or reads
cookies/tracking technologies, this only takes place with your consent (Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TDDDG).

Further information: https://legal.hubspot.com/privacy-policy

12.2 Leadinfo

We use the lead generation service Leadinfo B.V., Rivium Quadrant 141, 2909 LC Capelle aan den IJssel, Netherlands.

Leadinfo identifies company visits based on IP addresses and provides us with publicly available information (e.g. company name/address). IP addresses are
neither displayed nor stored. Leadinfo also uses cookies and processes domains from form entries to correlate and improve its services.

Processed data may include:

  • IP address without permanent storage,
  • location (derived from IP),
  • domain from form entries.

Legal basis: Art. 6(1)(a) GDPR (consent).

Further information: https://www.leadinfo.com/de/

12.3 Matomo

We use the web analytics tool Matomo (provider: InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand). Matomo is operated on our own systems; the collected data is not shared with third parties.

Matomo is configured in two operating modes:

a) Audience measurement without cookies (“cookieless”) – without consent

In this basic configuration, no Matomo analytics cookies are stored or read. We process usage data (e.g. pages accessed, referrer, general technical
device/browser information, time of access) for statistical analysis and optimisation.

IP anonymisation: IP addresses are anonymised (IP masking).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in analytics/optimisation/security).

Right to object: You may object to the processing at any time on grounds relating to your particular situation (Art. 21 GDPR).

b) Audience measurement with cookies – only with consent

If you consent to the statistics/analytics category, we additionally use Matomo in cookie-based mode.

Legal bases: Sec. 25(1) TDDDG (storing/reading cookies), Art. 6(1)(a) GDPR (consent).

Further information: https://matomo.org/privacy/

12.4 Google Ads (conversion tracking)

We use Google Ads to advertise our offers on external websites. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
for certain processing activities, Google LLC (USA) may also be a recipient.

Conversion tracking (only with consent):
If you consent to the “Marketing” category in the consent settings, we use Google Ads conversion tracking. This allows us to measure whether users perform
a certain action on our website after clicking on a Google advert (e.g. submitting a form). For this purpose, the Google tag may use cookies and similar
technologies and process click identifiers (e.g. “GCLID”) to attribute conversions.

No tracking without consent:
If you do not consent, Google Ads tracking technologies are not loaded on our website and no Google Ads conversion tracking takes place.

Legal bases: Sec. 25(1) TDDDG (storing/reading on the end device, e.g. cookies), Art. 6(1)(a) GDPR (consent).

Withdrawal: You can withdraw or amend your consent at any time via the cookie settings with effect for the future.

International transfers: A transfer of personal data to the USA cannot be ruled out.

Additional cookieless campaign analysis: Irrespective of your consent, we evaluate campaign visits (e.g. source/campaign, page views) in a cookieless manner using Matomo in order to obtain GDPR-compliant baseline statistics on campaign performance (see Matomo section).

13. Plug-ins and Other Services

13.1 Vimeo (videos)

Our website embeds content from the Vimeo video platform (Vimeo, LLC, 555 West 18th Street, New York, NY 10011, USA).

Integration only after consent: Vimeo content is not loaded by default. The video is only loaded once you consent to the integration of external media (e.g. the “External media” category), and your browser then establishes a connection to Vimeo.

In doing so, Vimeo may receive, among other things:

  • IP address,
  • device/browser information,
  • referrer URL,
  • cookie/technology information (depending on configuration).

If you are logged in to Vimeo, Vimeo may associate your visit with your user account. Interactions (e.g. starting a video) may also be transmitted.

Legal bases: Sec. 25(1) TDDDG (end-user device access, e.g. cookies), Art. 6(1)(a) GDPR (consent).

Withdrawal: at any time via the cookie settings; without consent, Vimeo content will not be loaded.

Further information: https://vimeo.com/privacy

14. Your Rights as a Data Subject

Under the GDPR, you have the following rights in particular:

  • Confirmation (Art. 15 GDPR: whether data is being processed)
  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR), in particular to processing based on legitimate interests and to direct marketing
  • Withdrawal of consent (Art. 7(3) GDPR)
  • Right to lodge a complaint with a supervisory authority

15. Routine Storage, Deletion and Blocking

We process and store personal data only for as long as necessary to achieve the purposes, or as required by law.
Once the purpose no longer applies or statutory retention periods expire, the data will be deleted or restricted in accordance with legal requirements.

16. Retention Period

The applicable statutory retention period is decisive. Once the relevant period has expired, the data will be deleted unless it is still required
for contract performance or the initiation of a contract.

17. Updates and Changes to this Privacy Policy

This Privacy Policy is currently valid and dated: January 2026.
We may need to update it due to further development of our website/services or as a result of changes in legal or regulatory requirements.

© ATBAS GmbH & Co. KG