Privacy Policy

We are pleased about your visit to our website www.colexo.com and the associated interest in our company. In order to provide you with a high level of transparency, we inform you below about the type, scope, and purpose of the collection, processing, and use of personal data that arise in the context of using our website. The General Data Protection Regulation (hereinafter referred to as “GDPR”) can be retrieved here as a complete document.

1. Definitions

The following terms that we use within our privacy policy are defined in Art. 4 GDPR. This is only an excerpt from Art. 4 GDPR. You can view all definitions in the GDPR (accessible here).

• Personal data (Art. 4 No. 1 GDPR) Personal data are all information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.‍

• Processing (Art. 4 No. 2 GDPR) Processing includes any operation or set of operations which is performed on personal data, whether or not by automated means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.‍

• Pseudonymization (Art. 4 No. 5 GDPR) Pseudonymization refers to the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures that ensure that the personal data is not attributed to an identified or identifiable natural person.‍

• Controller (Art. 4 No. 7 GDPR) The controller is the natural or legal person, authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of the Member States, the controller or the specific criteria for its designation may be provided for by Union law or the law of the Member States.‍

• Processor (Art. 4 No. 8 GDPR) A processor is a natural or legal person, authority, agency, or other body that processes personal data on behalf of the controller.‍

• Third party (Art. 4 No. 10 GDPR) A third party is a natural or legal person, authority, agency, or other body, other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorized to process the personal data.‍

• Consent (Art. 4 No. 11 GDPR) Consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.‍

• Company (Art. 4 No. 18 GDPR) A company is understood to be a natural or legal person engaged in economic activity, irrespective of its legal form, including partnerships or sole proprietorships that engage regularly in economic activities (Art. 4 No. 18 GDPR).‍

2. Controller according to Art. 4 No. 7 GDPR

COLEXO GmbH
Ralf Mattschas, Thies Jacob
Johann-Clanze Straße 28 C
81369 Munich
Email: info@colexo.de

You can retrieve our complete imprint here: https://colexo.com/impressum

3. Legal basis for processing

For each processing described within our privacy policy, we will inform you of the relevant legal basis on which the processing is carried out. The following categories of processing are considered lawful:

• You have given us consent to the processing of personal data concerning you for one or more specific purposes (Art. 6 Para. 1 S. 1 lit. a GDPR).

• There is a contract between you and us, for whose performance the processing is carried out, or the processing is necessary for the performance of pre-contractual measures taken at your request (Art. 6 Para. 1 S. 1 lit. b GDPR).

• The processing is necessary to comply with a legal obligation to which we are subject (Art. 6 Para. 1 S. 1 lit. c GDPR).

• The processing is necessary to protect vital interests of yours or of another natural person (Art. 6 Para. 1 S. 1 lit. d GDPR).

• The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Art. 6 Para. 1 S. 1 lit. e GDPR).

• The processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6 Para. 1 S. 1 lit. f GDPR).

4. Cookies & Consent Management Tool

Our websites use so-called “Cookies”. Cookies are small text files that are stored on your device and processed by your browser. They do no harm and do not contain viruses or malware.

Cookies can be temporary (session cookies) or permanent (persistent cookies):

• Session cookies: These are automatically deleted when you leave the website.

• Persistent cookies: These remain stored on your device until you delete them or they expire.

4.1 Cookie Management & Consent

Upon your first visit to our website, a cookie banner will appear, allowing you to give your consent or refusal.

You can change your cookie settings at any time via the cookie banner (click on the cookie icon in the lower left corner of the screen).

Alternatively, you can manage and delete cookies via your browser settings.

4. Data retention / Data deletion

Within the processing described in our privacy policy, we will inform you of the respective retention period or the time points of deletion or blocking of data. If no explicit retention period is defined, data will be deleted or blocked as soon as the purpose or the legal basis for retention is no longer applicable.

Retention may occur beyond the defined periods if legal regulations to which we are subject (e.g., § 147 AO, § 247 HGB) provide for a different retention period.

After the retention period, personal data will be deleted or blocked unless further retention is required by us based on a legal basis. Additionally, retention beyond the specified period is possible in the event of a (potential) dispute with you or any other legal proceedings.

5. Disclosure of personal data

If your personal data is disclosed, you will be informed accordingly at the relevant point in our privacy policy. If your personal data is disclosed outside the European Economic Area and thus in so-called third countries, you will be informed accordingly at the relevant point in our privacy policy. In general, we only transmit personal data to third countries where an adequate level of protection has been confirmed by the EU Commission or where we can ensure careful handling of personal data through contractual agreements or other suitable guarantees.

6. Collection of personal data

Below, we will inform you about the collection of personal data (such as name, email address, address, or user behavior).

6.1 Exclusive informational use of our website

If you do not register on our website (for example, in the form of a newsletter) or otherwise transmit data to us (for example, by using a contact form), only those personal data are collected that are transmitted by your browser to our server. This data is technically necessary for us to present the website to you in a secure and stable manner. This includes the following information derived from a log file entry:‍

• Internet protocol address (IP address)

• Time and date of the respective access

• Time zone difference to Greenwich Mean Time (GMT)

• The specific page requested

• Status of the access / Hypertext Transfer Protocol (http)

• Amount of data transmitted

• Website from which access is made to our website (referrer URL)

• Used internet browser (including language and version)

• Used operating system

The legal basis for the collection of the listed data is given in Art. 6 Para. 1 S. 1 lit. f GDPR. We have a legitimate interest in ensuring error-free connectivity and comfortable use of our website, as well as analyzing system stability and security and using the data for other administrative purposes.

6.2 Contacting via email

When contacting via the email address provided in Section 2 or other email addresses of our company published on our website, your email address, as well as any other contact data contained in your email (e.g., your name or your phone number), will be stored by us to process your request. This data will be deleted immediately as soon as further storage is no longer necessary. Should statutory retention periods apply regarding the data, instead of deletion, a corresponding restriction of processing will apply. The legal basis for processing the data arises depending on the reason for sending the email from Art. 6 Para. 1 S. 1 lit. b GDPR or from Art. 6 Para. 1 S. 1 lit. f GDPR, thus either to process the contract entered into with you and to fulfill our (pre)contractual obligations or based on our legitimate interest in contacting interested parties regarding our services.

6.3 Contact form

When contacting through the contact form available on our website, the contact data provided by you will be stored and processed by us to address your request. The legal basis for processing the data depends on the reason for the contact and arises from Art. 6 Para. 1 S. 1 lit. b GDPR or Art. 6 Para. 1 S. 1 lit. f GDPR, thus either for processing the contract entered into with you and fulfilling our (pre)contractual obligations, or based on our legitimate interest in contacting interested parties regarding our services.

6.4 Letter of intent

When contacting through the letter of intent form available on our website, the contact data provided by you will be stored and processed by us to address your request. The legal basis for processing the data arises depending on the reason for the contact from Art. 6 Para. 1 S. 1 lit. b GDPR or Art. 6 Para. 1 S. 1 lit. f GDPR, thus either for processing the contract entered into with you and fulfilling our (pre)contractual obligations, or based on our legitimate interest in contacting interested parties regarding our services.

6.5 Applications

Job offers are published on our website. If you click the “Apply now” button, an email window opens, allowing you to apply to us via email.

When applying, the data you provide will be stored by us and processed for the purposes of the application process. The legal basis for processing this data is the fulfillment of our pre-contractual obligations in the context of the application process in accordance with Art. 6 Para. 1 lit. b GDPR in conjunction with § 26 Federal Data Protection Act (BDSG). Furthermore, an additional legal basis may arise from Art. 6 Para. 1 lit. f GDPR if data processing becomes necessary in the context of legal proceedings, for example. Should applicants voluntarily submit special categories of personal data according to Art. 9 Para. 1 GDPR, these will be processed by us in accordance with Art. 9 Para. 2 lit. b GDPR. If we request data according to Art. 9 Para. 1 GDPR, data processing will always occur based on your explicit consent (Art. 9 Para. 2 lit. a GDPR). If an employment relationship arises from the application, the applicant data will be further processed for the establishment of an employment relationship according to Art. 6 Para. 1 lit. b GDPR in conjunction with § 26 BDSG. Otherwise, the applicant data will only be stored for the duration of the application process and for as long as is legally permissible, in accordance with generally accepted and legal retention periods, and will then be deleted (at the latest, 6 months after the position has been filled to address applicant claims under the General Equal Treatment Act (AGG)). This also applies to retracted applications. Additional data may be stored beyond this period for compliance with other legal obligations.

7. Framer

Our website is hosted by Framer B.V., Rozengracht 207B, 1016 LZ Amsterdam, Netherlands. Framer uses Amazon Web Services (AWS), with the main servers located in the us-east-1 (USA) region.

Additionally, Framer uses a global Content Delivery Network (CDN) with over 450 edge locations, supported by AWS CloudFront with Origin Shield. This allows for fast and reliable delivery of our website content worldwide.

The use of Framer as a hosting provider is based on Art. 6 Para. 1 lit. f GDPR (legitimate interest) as we want to ensure powerful and secure web hosting. If consent is required (e.g., for the storage or processing of cookies by Framer), the data processing occurs based on Art. 6 Para. 1 lit. a GDPR.

For more information about data processing by Framer, see the provider's privacy policy: https://www.framer.com/legal/privacy-policy/

7.1 Hosting

Framer hosts our website through the content delivery networks of American companies Amazon Web Services, Inc. A content delivery network refers to a network of geographically distributed, potentially interconnected servers. The nearest server to the respective user of the website is always used. The CDN used here includes servers in North America and parts of Europe. More information can be found on the following Framer page: https://www.framer.com/help/articles/guide-to-framer-hosting-infrastructure/

7.2 Hosting at Amazon Web Services (AWS)

Our website is hosted on the servers of Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg (hereinafter referred to as “AWS”), which is a leading global provider of cloud hosting services providing the infrastructure for our website.

The servers of AWS are primarily located in the us-east-1 (USA) region, while Framer uses additional AWS regions to ensure optimized delivery through a global Content Delivery Network (CDN). As a result, personal data (e.g., IP addresses) may be transferred to third countries, specifically the USA. Data transfer occurs based on the EU Standard Contractual Clauses (SCCs) approved by the European Commission.

Additionally, our hosting provider uses a Content Delivery Network (CDN) from Amazon CloudFront to optimize the loading speed and availability of our website. The servers are distributed worldwide, including in the USA. Data transfer occurs based on the EU Standard Contractual Clauses (SCCs) and the EU/US Data Privacy Framework.

The use of AWS is based on Art. 6 Para. 1 lit. f GDPR (legitimate interest) as we want to ensure a secure, high-performance, and reliable delivery of our website. If consent is required (e.g., for setting cookies or tracking technologies by AWS), data processing occurs based on Art. 6 Para. 1 lit. a GDPR.

For further information on data processing by AWS, please see the provider's privacy policy: https://aws.amazon.com/de/privacy/

7.3 framerusercontent.com

Our website loads images and other media content through the domain framerusercontent.com. This is a subdomain provided by Framer B.V. used for hosting static files (e.g., images, PDFs, scripts).

These files are delivered via the Amazon CloudFront CDN from AWS. This may result in a data transfer to the USA. The transfer occurs based on the EU Standard Contractual Clauses (SCCs) as well as the EU-US Data Privacy Framework.

Further information:

• Framer Data Protection: https://www.framer.com/legal/privacy-statement/?fob=MqWTq4V1r5BNu7fW

• AWS Data Protection: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice_10.28.24_DE-DE.pdf

7.4 Legal basis

The legal basis for data processing in the sense of the preceding is in Art. 6 Para. 1 S. 1 lit. f GDPR and is based on our interest in providing you with a fast, secure, and user-friendly website. As far as the situation of data processing in the third country USA is concerned, the legal basis arises, as explained, from Art. 44 and 45 GDPR (since all involved companies are active participants in the so-called “EU/US – Data Privacy Framework”), as well as otherwise from Art. 46 Para. 1, Para. 2 lit. c GDPR (Standard Contractual Clauses).

8. Use of Framer Analytics (events.framer.com)

Our website uses Framer Analytics, a web analytics service from Framer B.V., Rozengracht 207B, 1016 LZ Amsterdam, Netherlands. Since our website is hosted on Framer, the analysis of website usage occurs via events.framer.com as a first-party service (First-Party Cookie).

8.1 Which data is collected?

Framer Analytics collects information on website performance and usage, including:

• Technical metrics (e.g., load times such as Time to First Byte, Largest Contentful Paint, First Input Delay),

• Interactions with the website (e.g., clicks, scrolling behavior),

• Visited pages and navigation behavior,

• Device information (e.g., screen resolution, operating system, browser type).

This data is collected automatically in order to analyze and optimize website performance.

8.2 Cookies and storage

Framer Analytics does not store any personal identifiable information but rather aggregated performance data to improve the user experience. Cookies or other technologies may be used to measure website usage.

Since our website is hosted on Framer, the processing of this data occurs as a first-party service within the Framer infrastructure. No sharing with external third parties (e.g., Google Analytics) occurs.

8.3 Legal basis

The processing is based on Art. 6 Para. 1 lit. f GDPR (legitimate interest), as we have an interest in a technically optimized and high-performing website. If consent is required (e.g., for tracking technologies or placing cookies), the data processing occurs based on Art. 6 Para. 1 lit. a GDPR.

Further information can be found in Framer's privacy policy:

8.4 Data transfer and storage

The collected data is transmitted to Framer B.V. This may lead to a data transfer to third countries (e.g., USA). The transfer occurs based on the EU Standard Contractual Clauses (SCCs) and/or the EU/US Data Privacy Framework.

More information can be found in Framer's privacy policy: https://www.framer.com/legal/privacy-statement/?fob=MqWTq4V1r5BNu7fW

9. Appointment booking via Cal.com

On our website, we use the service Cal.com to provide you with a simple and efficient appointment booking process. The provider is Cal.com, Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA.

9.1 Which data is processed?

When using Cal.com, the following personal data is collected and processed:

• Name

• Email address

• Other information necessary for appointment scheduling (e.g., phone number, notes on booking)

The data transfer occurs directly between you and Cal.com. We have no direct access to this data.

9.2 Embedded iFrame and data transfer

The appointment booking function is integrated into our website through a so-called iFrame. This means that when accessing the page with the embedded calendar, a connection to the servers of Cal.com is established. Personal data (such as IP address or device information) may be transmitted to Cal.com – even if you do not actively use the calendar.

9.3 Legal basis

The use of Cal.com is based on Art. 6 Para. 1 lit. f GDPR (legitimate interest) as we want to enable simple and efficient appointment scheduling. If consent is required (e.g., for cookies or tracking by Cal.com), the processing occurs based on Art. 6 Para. 1 lit. a GDPR.

If you do not want Cal.com to collect data already when loading the page, we recommend that you disable cookies in your browser settings or use a content blocker.

For more information about data processing by Cal.com, see the provider's privacy policy: https://cal.com/privacy

10. YouTube

We embed YouTube videos on our website. This is a video portal of the company Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, imprint: https://www.google.de/intl/de/contact/impressum.html.  The parent company of this company, based in Ireland, is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as “Google”). Google's privacy policy can be retrieved here: https://policies.google.com/privacy?hl=de.  We have embedded the videos in a so-called “extended privacy mode”, which ensures that no cookies are set and – according to Google - the playback of the video is not used by Google for personalizing the use of the YouTube platform. Furthermore, the playback of the video – according to Google - is not used for personalizing advertisements.

A data transfer to the USA and thus to a third country takes place. The data transfer to this third country is currently justified under Art. 44 and 45 GDPR, as Google is an active participant in the Data Privacy Framework of the EU and the USA, where the level of data protection for certified companies in the USA is declared adequate (“adequacy decision”). The legal basis for the processing of the data, in addition to that, arises from Art. 6 Para. 1 S. 1 lit. f GDPR, relying on our legitimate interest in providing our website users with videos on the website to inform about our services. When you play the video, the local and session storage described, which is technically necessary for you to play the video, are also stored.

11. Your rights

Below, we inform you about your rights under the GDPR. You can retrieve the GDPR here as a complete document.

• Right of access under Art. 15 Para. 1 GDPR‍ You have the right to request from us confirmation as to whether personal data concerning you is being processed. If this is the case, you have the right to access this personal data, as well as information about the purposes of processing, the categories of personal data processed, the recipients or categories of recipients to whom your personal data has been or will be disclosed (in particular in the case of recipients in third countries or international organizations), the retention period or criteria for determining the retention period, the existence of a right to rectification or erasure of personal data concerning you or the right to restriction of processing by us, as well as information about the existence of a right to lodge a complaint with a supervisory authority, and all available information about the source of the data (in the event that it was not collected by us), the existence of automated decision-making, including profiling, and, if applicable, meaningful information about the logic involved, the significance and the intended consequences of such processing.

• Right to rectification under Art. 16 GDPR‍ You have the right to request from us the immediate rectification of inaccurate personal data concerning you, as well as the completion of incomplete personal data.

• Right to erasure (“right to be forgotten”) under Art. 17 Para. 1 GDPR‍ You have the right to request that we erase personal data concerning you without delay. This right, however, does not exist according to Art. 17 Para. 3 GDPR, if the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, for archiving purposes in the public interest, or for the assertion, exercise, or defense of legal claims.

• Right to restriction of processing under Art. 18 Para. 1 GDPR‍ You have the right to request from us the restriction of processing of your personal data if you dispute the accuracy of your personal data (the restriction applies for the period that allows us to verify the accuracy), if the processing of your personal data is unlawful and you oppose the erasure, if we no longer need your personal data for the purposes of processing, but you need them for the establishment, exercise, or defense of legal claims, or if you have lodged an objection against the processing according to Art. 21 Para. 1 GDPR (the restriction applies as long as it remains unclear whether our legitimate grounds override yours).

• Right to data portability under Art. 20 GDPR‍ You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and to transmit it to another controller without hindrance from us (or request the direct transmission from us to another controller, where technically feasible), if the processing is based on your consent or a contract or is carried out by automated means.

• Right to withdraw consent given under Art. 7 Para. 3 GDPR‍ You have the right to withdraw your consent at any time with effect for the future, so that the data processing which was based on the consent can no longer be continued in the future; however, the legality of the processing carried out until your withdrawal remains unaffected.

• Right to lodge a complaint under Art. 77 GDPR‍ Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of personal data concerning you violates the GDPR. In general, you can contact the supervisory authority of your usual place of residence, your workplace, or the place of the alleged infringement. Further information on this can be found on the website of the Federal Commissioner for Data Protection and Freedom of Information.‍

12. Right to object

In addition to the stated rights, you also have the right to object at any time to the processing of your personal data, which is based on the performance of a task carried out in the public interest or in the exercise of official authority (Art. 6 Para. 1 S. 1 lit. e GDPR) or for the purposes of legitimate interests pursued by us (Art. 6 Para. 1 S. 1 lit. f GDPR), if there are reasons arising from your particular situation. In the event of an objection, no further processing of the personal data will be carried out, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims. In the event of processing your personal data for the purpose of direct marketing or profiling, if there is a connection to direct marketing, you have a general right to object without the need to provide reasons arising from your particular situation. In the event of an objection, we will immediately cease processing of personal data for these purposes.  To exercise your right of withdrawal or objection, it is sufficient to send an email to: info@colexo.de

13. Use if SalesViewer® technology:

This website uses SalesViewer® technology from SalesViewer® GmbH on the basis of the website operator’s legitimate interests (Section 6 paragraph 1 lit.f GDPR) in order to collect and save data on marketing, market research and optimisation purposes.

In order to do this, a javascript based code, which serves to capture company-related data and according website usage. The data captured using this technology are encrypted in a non-retrievable one-way function (so-called hashing). The data is immediately pseudonymised and is not used to identify website visitors personally

The data stored by SalesViewer® will be deleted as soon as they are no longer required for their intended purpose and there are no legal obligations to retain them.

The data recording and storage can be repealed at any time with immediate effect for the future, by clicking on https://www.salesviewer.com/opt-out in order to prevent SalesViewer® from recording your data. In this case, an opt-out cookie for this website is saved on your device. If you delete the cookies in the browser, you will need to click on this link again.

14. Data security

Our website uses the encryption and communication protocol TLS 1.3 (Transport Layer Security). Through the TLS certificate we use, which is issued by a certification authority, we enable encrypted data exchange between web browser and web server, preventing sensitive data from being read by third parties. We use the method with the highest encryption level that your browser supports; usually, this will be a 256-bit encryption. The higher the bit count, the longer the key, and thus the better the protection against third parties.