Data Privacy

1. Introduction

We, XTRACTION GmbH, are pleased about your visit to our website (hereinafter also referred to as “Website”) and your interest in our company. We place the utmost importance on the protection and security of your personal data. With the following information, we would like to inform you about which personal data we process from you for what purposes and what rights you have regarding your personal data under the relevant data protection laws.

As the responsible party for processing, we have implemented numerous technical and organizational measures to ensure the most comprehensive protection possible of personal data processed through this website. However, internet-based data transmissions can generally have security gaps, so absolute protection cannot be guaranteed. For this reason, you are free to transmit personal data to us via alternative means as well.

2. Controller

The controller within the meaning of the GDPR is:

XTRACTION GmbH
Eichlesstr. 16
D-89129 Langenau
Phone: +49 731 141108-11
E-mail: info@xtraction-germany.de

3. Definitions

“Personal data” (hereinafter “data”) is all information that says something about a natural person. Personal data includes not only information that allows direct identification of a specific person (such as a person’s name or email address) but also information with which a reference to a specific person can be established with appropriate additional knowledge.

“Processing” means any measure carried out with your personal data (such as collecting, recording, organizing, structuring, storing, using, or erasing data).

4. Your rights as a data subject

You have the following rights within the legally prescribed framework:

Right to information Art. 15 GDPR
You have the right to obtain from us at any time free information about the personal data stored about you and a copy of this data in accordance with statutory provisions.

Right to rectification Art. 16 GDPR
You have the right to request the rectification of inaccurate personal data concerning you. Furthermore, you have the right to request the completion of incomplete personal data, taking into account the purposes of the processing.

Erasure Art. 17 GDPR
You have the right to demand that we erase personal data concerning you without undue delay, provided that one of the legally prescribed reasons applies and insofar as the processing or storage is not necessary.

Restriction of processing Art. 18 GDPR
You have the right to request from us the restriction of processing if one of the legal requirements is met.

Data Portability Art. 20 GDPR
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from us to whom the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1) GDPR; and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Furthermore, in exercising your right to data portability pursuant to Article 20(1) GDPR, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of others.

Right to object Art. 21 GDPR
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) (processing in the public interest) or (f) (processing based on balancing of interests) of Article 6(1) GDPR.

This also applies to profiling based on these provisions within the meaning of Art. 4 No. 4 GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or if the processing serves the establishment, exercise, or defense of legal claims.

In individual cases, we process personal data to conduct direct marketing. You can object to the processing of personal data for such advertising purposes at any time. This also applies to profiling to the extent that it is related to such direct advertising. If you object to processing for direct marketing purposes, we will no longer process the personal data for these purposes.

You also have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out by us for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

You are free to exercise your right to object by automated means involving technical specifications in connection with the use of information society services, notwithstanding Directive 2002/58/EC.

Withdrawal of data protection consent
You have the right to withdraw your consent for the processing of personal data at any time with effect for the future.

When asserting the above-mentioned rights, we ask for your understanding that in case of doubts regarding your identity, we may request evidence from you proving that you are the person you claim to be.

In addition to the aforementioned rights, you also have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data violates the GDPR.

5. Transfer of data to third parties

Your personal data will not be transferred to third parties for purposes other than those listed below.

We will only share your personal data with third parties if:

You have given your express consent according to Art. 6 para. 1 lit. a) GDPR,
The disclosure is permissible for safeguarding our legitimate interests according to Art. 6 para. 1 lit. f) GDPR and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data,
In the event that there is a legal obligation for the transfer according to Art. 6 para. 1 lit. c) GDPR, and
It is required according to Art. 6 para. 1 lit. b) GDPR for the processing of contractual relationships with you.

As part of the processing operations described in this privacy policy, personal data may be transferred to the USA. Companies in the USA only have an adequate level of data protection if they have certified themselves under the EU-US Data Privacy Framework and thus the adequacy decision of the EU Commission according to Art. 45 GDPR applies. We have explicitly mentioned this for the affected service providers in the privacy policy. To protect your data in all other cases, we have concluded agreements for order processing based on the standard contractual clauses of the European Commission. If the standard contractual clauses are not sufficient to establish an adequate level of security, your consent pursuant to Art. 49 para. 1 lit. a) GDPR can serve as the legal basis for the transfer to third countries. This does not apply, among other things, to data transfers to third countries for which the European Commission has issued an adequacy decision pursuant to Art. 45 GDPR.

6. Links to third-party websites

Our website may contain links to and from websites of other providers (‘third parties’) not associated with us. After clicking on the link within our website, we no longer have any influence on the processing of any data transferred to the third party by clicking on the link (such as the IP address or the URL on which the link is located), as the behavior of third parties is naturally beyond our control. We cannot assume any responsibility for the processing of such data by third parties.

7. Links to social networks and messengers

Our website may contain links for sharing content from our website on various social networks and/or messenger services. The links we have created do not lead to any data transfer to social network or messenger service providers while using our website. Only when you click on one of the links to share content from our website will data (such as your IP address or the URL where the link is located) be transmitted to the respective social network or messenger service provider. We have no influence on the further data processing by the respective social network or messenger service provider.

8. Technology & hosting

8.1 SSL/TLS encryption

This website uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential content, such as orders, login data, or contact requests that you send to us as the operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

We use this technology to protect your transmitted data.

8.2 Data collection when visiting the website & hosting

When using our website for informational purposes only, if you do not register or otherwise provide us with information or do not consent to processing that requires consent, we only collect data that is technically necessary for the provision of the service. This is usually data that your browser transmits to our server (“in so-called server log files”). Our website collects a series of general data and information with each page call by you or an automated system. This general data and information is stored in the server’s log files. The following may be recorded:

Browser types and versions used,
The operating system used by the accessing system,
The website from which an accessing system reaches our website (so-called referrer),
The sub-pages accessed on our website via an accessing system,
The date and time of access to the website,
An Internet Protocol address (IP address), and
The Internet service provider of the accessing system.

When using this general data and information, we do not draw any conclusions about your person. Rather, this information is needed to

Deliver the contents of our website correctly,
Optimize the contents of our website as well as its advertisement,
Ensure the long-term viability of our IT systems and website technology, and
Provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack.

Therefore, we analyze anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.

The legal basis for data processing is Art. 6 (1) (f) GDPR. Our legitimate interest follows from the data collection purposes listed above.

The hosting of our website is carried out on the servers of our service provider HostPress GmbH, Bahnhofstraße 34, 66571 Eppelborn, Germany. Our service provider will only process your data to the extent necessary to fulfill its performance obligations and follow our instructions regarding this data. We have concluded a data processing agreement with the service provider in accordance with Art. 28 GDPR.

For more information on HostPress GmbH’s privacy policy, please visit: https://www.hostpress.de/datenschutz/

9. Cookies & use of consent management tool

9.1 General information about cookies

Cookies are small files that your browser automatically creates and that are stored on your IT system (laptop, tablet, smartphone, etc.) when you visit our site. Cookies store information that results from the specific context of the end device used. However, this does not mean that we thereby gain direct knowledge of your identity.

The use of cookies serves to make the use of our services more pleasant for you. For example, we use so-called session cookies to recognize that you have already visited individual pages of our website. These are automatically deleted after leaving our page.

In addition, we also use temporary cookies to optimize user-friendliness, which are stored on your device for a specific period of time. If you visit our site again to use our services, it is automatically recognized that you have already been with us and what inputs and settings you have made, so that you do not have to enter them again.

On the other hand, we use cookies to statistically record the use of our website and to evaluate our offer for the purpose of optimization. These cookies allow us to automatically recognize that you have already visited our website when you visit it again. The cookies set in this way are automatically deleted after a defined period of time. The respective storage duration of the cookies can be found in the settings of the consent tool used.

9.2 Required cookies

Borlabs cookie (consent management tool)
We use the WordPress cookie plugin “Borlabs Cookie” from Borlabs GmbH. This service enables us to obtain and manage the consent of website users for data processing.

Borlabs Cookie collects data using cookies that are generated by end users who use our website. When an end user gives consent, the following data, among others, is automatically logged:

Cookie duration,
Cookie version,
Domain and path of the WordPress page,
Selection in the cookie banner,
UID (a randomly generated ID),

The consent status is also stored in the end user’s browser so that the website can automatically read and follow the end user’s consent on all subsequent page requests and future end user sessions for up to 12 months. The consent data (consent and withdrawal of consent) is stored for three years. The retention period corresponds to the regular limitation period according to § 195 BGB. The data is then immediately deleted.

The functionality of the website is not guaranteed without the processing described above. There is no possibility for the user to object as long as there is a legal obligation to obtain the user’s consent for certain data processing operations, Art. 7 para. 1, 6 para. 1 S. 1 lit. c) GDPR.

The collected data is neither forwarded to Borlabs GmbH nor does it have access to it.

Information about the service provider:
Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany

Website: https://de.borlabs.io

Privacy policy of the service provider: https://de.borlabs.io/datenschutz/

On what legal basis are required cookies used?
In order to be able to prove whether you have consented to the use of cookies that require consent, we store the information about the granting or non-granting of consent to fulfill our legal obligation to provide proof in accordance with Art. 6 para. 1 lit. c, para. 3 lit. a GDPR in conjunction with Art. 7 para. 1 GDPR.

In addition, we use required cookies to safeguard legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR.

Our pursued legitimate interests are:

Ensuring the security and stability of our website and IT security of our systems;
Assertion, exercise, and defense of legal claims;
Provision and assurance of the proper functionalities of our website.

9.3 Optional cookies

Google Analytics 4 (GA4)
On our website, we use Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

In this context, pseudonymized usage profiles are created and cookies are used. The information generated by the cookie about your use of this website may include, among others:

A short-term collection of the IP address without permanent storage
Location data
Browser type/version
Operating system used
Referrer URL (previously visited page)
Time of server request

The pseudonymized data can be transferred by Google to a server in the USA and stored there.

The information is used to evaluate the use of the website, to compile reports on website activities, and to provide other services related to website and internet usage for market research purposes and needs-based design of these internet pages. This information may also be transferred to third parties if required by law or if third parties process this data on behalf of the company.

These processing operations are carried out exclusively with explicit consent in accordance with Art. 6 Para. 1 lit. a) GDPR.

The default data retention period set by Google is 14 months. Otherwise, personal data is stored for as long as it is necessary to fulfill the processing purpose. The data is deleted as soon as it is no longer necessary for achieving the purpose.

The parent company Google LLC, as a US company, is certified under the EU-US Data Privacy Framework. This constitutes an adequacy decision according to Art. 45 GDPR, allowing the transfer of personal data without further guarantees or additional measures.

Information about the service provider:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Website: https://marketingplatform.google.com/about/analytics/

Information regarding data usage by Google Analytics: https://support.google.com/analytics/answer/6004245?hl=en

Privacy policy of the service provider: https://policies.google.com/privacy?hl=en

Google Analytics 4 (GA4) – Additional information on consent mode, simple implementation
According to the Digital Markets Act, Google is obligated to obtain user consent before processing user data for personalized advertising. Google complies with this requirement through the “Consent Mode”. Users are required to implement this and thereby demonstrate that they have obtained the consent of website visitors.

Google offers two implementation modes: the simple and the advanced implementation.

We use the simple implementation method of the Google Consent Mode. Only if you give your consent to the use of Google Analytics (see above) will a connection to Google be established, a Google code executed, and the processing described above carried out. If you refuse consent, Google only receives information that consent has not been given. The Google code is not executed and no Google Analytics cookies are set.

10. Plugins, other services & video conferences

Microsoft Teams
We use the tool “Microsoft Teams” (“MS-Teams”) for our communication, both in written form (chat) and in the form of telephone conferences, online meetings, and video conferences. The operating company of the service is Microsoft Ireland Operations, Ltd., 70 Sir John Rogerson’s Quay, Dublin, Ireland; Parent company: Microsoft Corporation, One Microsoft Way, Redmond, Washington, USA (“Microsoft”).

When using MS-Teams, the following personal data is processed:
Meetings, chats, voicemails, shared files, recordings, and transcriptions.
Data shared about you. Examples include your email address, profile picture, and phone number.
A detailed history of the phone calls you make.
Call quality data.
Support/feedback data Information related to troubleshooting tickets or feedback sent to Microsoft.
Diagnostic and service data diagnostic data related to service usage.

To enable the display of video and playback of audio, data from your device’s microphone and video camera is processed for the duration of the meeting. You can turn off the camera or mute the microphone at any time via the “Microsoft Teams” applications.

If we make recordings of video conferences, the processing is carried out exclusively on the basis of your consent in accordance with Art. 6 para. 1 lit. a) GDPR. The legal basis for the use of “MS Teams” within the framework of contractual relationships or pre-contractual measures is Art. 6 para. 1 lit. b) GDPR. In all other cases, the legal basis for the processing of your personal data is Art. 6 para. 1 lit. f) GDPR. Here, our interest lies in the effective conduct of online meetings.

As a cloud-based service, “MS-Teams” processes the aforementioned data as part of providing the service. To the extent that “MS-Teams” processes personal data in connection with Microsoft’s legitimate business operations, Microsoft is an independent data controller for this use and as such is responsible for complying with applicable laws and obligations of a data controller. When you access the MS-Teams website, Microsoft is responsible for data processing. Accessing the website is necessary to download the MS-Teams software.

This US company is certified under the EU-US Data Privacy Framework. There is an adequacy decision according to Art. 45 GDPR, so that personal data may be transferred without further guarantees or additional measures.

Information about the service provider:
Microsoft Ireland Operations, Ltd., 70 Sir John Rogerson’s Quay, Dublin, Ireland; Parent company: Microsoft Corporation, One Microsoft Way, Redmond, Washington, USA (“Microsoft”)

Website:
https://www.microsoft.com/en-us/microsoft-teams/group-chat-software

Privacy policy of the service provider:
https://privacy.microsoft.com/en-us/privacystatement

Terms of use of the service provider:
https://www.microsoft.com/en-us/legal/terms-of-use

Detailed information from the service provider:
https://docs.microsoft.com/en-us/microsoftteams/teams-privacy

YouTube Videos in enhanced privacy mode (Youtube-NoCookies)
We directly embed videos stored on YouTube on some subpages of our website. The operating company of YouTube is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). With this integration, content from the YouTube website is displayed in parts of a browser window. If you access a (sub)page of our website on which YouTube videos are embedded, a connection to the YouTube servers is established and the content is displayed on the website through a notification to your browser.

The integration of YouTube content only occurs in “enhanced privacy mode”. YouTube itself provides this and thus ensures that YouTube initially does not store any cookies on your device. However, when accessing the relevant pages, the IP address and possibly other data are transmitted, thus particularly informing which of our websites you have visited. This information cannot be attributed to you unless you have logged in to YouTube or another Google service before accessing the page or are permanently logged in. As soon as you start playing an embedded video by clicking on it, YouTube only stores cookies on your device through the enhanced privacy mode that do not contain any personally identifiable data, unless you are currently logged into a Google service. These cookies can be prevented by appropriate browser settings and extensions.

These processing operations are carried out exclusively upon granting explicit consent in accordance with Art. 6 para. 1 lit. a) GDPR.

Information about the service provider:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Website: https://www.youtube.com/

Privacy policy of the service provider: https://policies.google.com/privacy

Google Tag Manager
We use the Google Tag Manager service on our website. The operating company of Google Tag Manager is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). This tool allows “website tags” (i.e., keywords embedded in HTML elements) to be implemented and managed through an interface. By using Google Tag Manager, we can automatically track which button, link, or personalized image you actively clicked on and can then record which content on our website is particularly interesting to you.

The tool also triggers other tags, which may collect data themselves. Google Tag Manager does not access this data. If you have deactivated tracking at the domain or cookie level, it remains in effect for all tracking tags implemented with Google Tag Manager.

These processing operations are carried out exclusively with explicit consent in accordance with Art. 6 para. 1 lit. a) GDPR.

Information about the service provider:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Website: https://marketingplatform.google.com/intl/en/about/tag-manager/

Privacy policy of the service provider: https://www.google.com/intl/en/policies/privacy/

11. Contact

We offer you the possibility to contact us directly via email, telephone, or fax. If you take advantage of this option, we process your personal data to handle your message or inquiry and to contact you if necessary. Your data will be deleted after your request has been fully processed. This is the case when it can be inferred from the circumstances that the matter in question has been conclusively clarified and there are no legal retention obligations preventing deletion.

What data do we process for what purposes?

We process the following data:

Last name, first name
Company name
Email Address
Phone number
Content data (your message/inquiry)

This data is processed solely for the purpose of responding to your request or for contact and (pre)contractual measures.

On what legal basis do we process your data?
The processing of your data is carried out for the performance of a contract or to take steps prior to entering into a contract in accordance with Art. 6 para. 1 lit. b GDPR, as well as for the purposes of legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR.

Our pursued legitimate interests are the proper response to and processing of your message or inquiry, as well as customer-oriented communication.

You have the right to object at any time to processing based on Art. 6 para. 1 lit. f GDPR on grounds relating to your particular situation.

12. Newsletter dispatch to existing customers

If you have provided us with your email address when purchasing goods or services, we reserve the right to regularly send you offers for similar goods or services from our range by email. According to § 7 para. 3 UWG, we do not need to obtain separate consent from you for this. The data processing is carried out solely on the basis of our legitimate interest in personalized direct advertising in accordance with Art. 6 para. 1 lit. f) GDPR. If you initially objected to the use of your email address for this purpose, we will not send you emails. You have the right to object to the use of your email address for the aforementioned advertising purpose at any time with effect for the future by notifying the controller mentioned at the beginning. You will only incur transmission costs according to the basic rates. After receiving your objection, the use of your email address for advertising purposes will be stopped immediately.

13. Our activities on social networks

To communicate with you on social networks and inform you about our services, we have our own pages there. When you visit one of our social media pages, we are jointly responsible with the provider of the respective social media platform for the resulting processing operations, in the sense of Art. 26 GDPR. We are not the original provider of these pages, but only use them within the possibilities offered to us by the respective providers.

Therefore, we would like to point out as a precaution that your data may also be processed outside the European Union or the European Economic Area. Use may therefore involve data protection risks for you, as safeguarding your rights, e.g., to information, deletion, objection, etc., may be more difficult, and processing in social networks often occurs directly for advertising purposes or for analyzing user behavior by the providers, without us being able to influence this. If usage profiles are created by the provider, cookies are often used or the usage behavior is assigned to your own member profile of the social networks.

The described processing operations of personal data are carried out in accordance with Art. 6 Para. 1 lit. f) GDPR on the basis of our legitimate interest and the legitimate interest of the respective provider to communicate with you in a contemporary manner or to inform you about our services. If you as a user must give consent to data processing with the respective providers, the legal basis refers to Art. 6 Para. 1 lit. a) GDPR in conjunction with Art. 7 GDPR.

Since we do not have access to the providers’ data records, we point out that you can best assert your rights (e.g., to information, correction, deletion, etc.) directly with the respective provider. We have listed further information on the processing of your data in social networks below for each social network provider we use:

13.1 Facebook

(Co-)Controller for data processing in Europe:
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

13.2 Instagram

(Co-)Controller for data processing in Germany:
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

13.3 LinkedIn

(Co-)Controller for data processing in Europe:
LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland

13.4 YouTube

(Co-)Controller for data processing in Europe:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

14. Routine storage, deletion, and blocking of personal data

As a rule, we process and store your personal data only for the period necessary to achieve the purpose of storage or as long as this is required by the legal provisions to which our company is subject.

If the storage purpose no longer applies or a prescribed storage period expires, the personal data is routinely blocked or deleted in accordance with statutory provisions.

15. Duration of the storage of personal data

The criterion for the duration of the storage of personal data is the respective statutory retention period. After the period has expired, the corresponding data is routinely deleted, provided that it is no longer required for the performance of a contract or the initiation of a contract.

16. Updates and amendments to the privacy policy

This privacy policy is currently valid and was last updated in December 2024.

Due to the further development of our websites and offers or due to changed legal or official requirements, it may become necessary to change this privacy policy. The current privacy policy can be accessed and printed by you at any time on the website at “https://xtraction-germany.de/Datenschutz/“.