Legal

Privacy Policy

1. Data protection at a glance

General information

The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you. Detailed information on data protection can be found in our privacy policy set out below.

Data recording on this website

Who is responsible for data recording on this website?

Data processing on this website is carried out by the website operator. You will find their contact details in the section “Notice concerning the controller” in this privacy policy.

How do we record your data?

Your data is collected in part because you provide it to us — for example, data you enter into a contact form.

Other data is recorded automatically or with your consent by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system, time of page access). This data is captured automatically as soon as you enter this website.

What do we use your data for?

Part of the data is collected to ensure the error-free provision of the website. Other data may be used to analyse your user behaviour. Where contracts can be concluded or initiated via the website, the transmitted data will also be processed for contract offers, orders or other order enquiries.

What rights do you have regarding your data?

You have the right at any time to obtain information free of charge about the origin, recipients and purpose of your stored personal data. You also have the right to demand the rectification or deletion of this data. If you have granted consent to data processing, you can revoke this consent at any time with effect for the future. You also have the right to demand the restriction of processing of your personal data under certain circumstances, and to lodge a complaint with the competent supervisory authority.

You may contact us at any time regarding these and other questions on data protection.

Analytics and third-party tools

When you visit this website, your browsing behaviour may be statistically evaluated, mainly through so-called analytics programs. Detailed information on these programs can be found in the privacy policy below.

2. Hosting

We host the content of our website with the following provider:

Lovable

This website has been created with the “Lovable” platform and is delivered via its infrastructure. Provider is Lovable Labs Incorporated / Lovable Labs AB, Regeringsgatan 25, 111 53 Stockholm, Sweden (“Lovable”).

This website is hosted externally. Personal data collected on this website is stored on the servers of the infrastructure used by Lovable. This may include IP addresses, contact requests, meta and communication data, contract data, contact data, names, website access and other data generated via a website. Lovable uses the infrastructure of Supabase for back-end services (database, authentication, storage) — see the separate section “Supabase”.

External hosting is carried out for the purpose of contract performance vis-à-vis our potential and existing customers (Art. 6 (1)(b) GDPR) and in the interest of a secure, fast and efficient provision of our online offering by a professional provider (Art. 6 (1)(f) GDPR). Where consent has been requested, processing is based exclusively on Art. 6 (1)(a) GDPR and § 25 (1) TDDDG, to the extent the consent covers the storage of cookies or access to information on the user’s device (e.g. device fingerprinting) within the meaning of TDDDG. Consent may be revoked at any time.

Our host will only process your data to the extent necessary to fulfil its performance obligations and will follow our instructions regarding this data.

Details on data processing by Lovable can be found in Lovable’s privacy policy at https://lovable.dev/privacy and in the list of subprocessors at https://trust.lovable.dev.

Transfers to third countries (including the US) are based on the EU Commission’s Standard Contractual Clauses (Module 2), the UK International Data Transfer Addendum and the Swiss Addendum.

We have concluded a data processing agreement (DPA) for the use of the above service. This is a contract required under data protection law which ensures that our website visitors’ personal data is only processed in accordance with our instructions and in compliance with the GDPR.

Supabase

Supabase is integrated as part of Lovable’s hosting and back-end services. Supabase acts as a sub-processor of Lovable. Data protection safeguards under Art. 28 GDPR are provided via the DPA concluded between us and Lovable, which expressly includes Supabase as a sub-processor.

3. General information and mandatory information

Data protection

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.

When you use this website, various personal data is collected. Personal data is data by which you can be personally identified. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this happens.

We point out that data transmission over the internet (e.g. communication by email) can have security gaps. Complete protection of data against access by third parties is not possible.

Notice concerning the controller

The controller for data processing on this website is:

Exploit Labs GmbH
Schwalbacher Str. 54
65760 Eschborn
Germany
Phone: +49 (0)30 344 082 070
E-mail: hello@xplt.com

The controller is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (e.g. names, email addresses).

Storage duration

Unless a more specific storage period is mentioned within this privacy policy, your personal data remains with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible grounds for storing it (e.g. tax or commercial retention periods); in the latter case, deletion takes place after these grounds cease to apply.

General information on the legal basis for data processing on this website

If you have consented to data processing, we process your personal data on the basis of Art. 6 (1)(a) GDPR or Art. 9 (2)(a) GDPR where special categories of data under Art. 9 (1) GDPR are processed. In the case of explicit consent to the transfer of personal data to third countries, processing is additionally based on Art. 49 (1)(a) GDPR. If you have consented to the storage of cookies or access to information on your device (e.g. via device fingerprinting), processing is additionally based on § 25 (1) TDDDG. Consent may be revoked at any time. If your data is required for the performance of a contract or pre-contractual measures, we process your data on the basis of Art. 6 (1)(b) GDPR. In addition, we process your data where required for compliance with a legal obligation under Art. 6 (1)(c) GDPR. Data processing may also be based on our legitimate interest under Art. 6 (1)(f) GDPR. The applicable legal bases in each case are described in the following paragraphs of this privacy policy.

Data protection officer

We have appointed a data protection officer.

Johannes Schönborn
Exploit Labs GmbH
Schwalbacher Str. 54
65760 Eschborn
Phone: +49 (0)30 344 082 070
E-mail: datenschutz@xplt.com

Recipients of personal data

In the course of our business activities, we cooperate with various external parties. In some cases, this also involves the transfer of personal data to such parties. We only disclose personal data to external parties if this is necessary within the framework of contract performance, if we are legally obliged to do so (e.g. transmission to tax authorities), if we have a legitimate interest under Art. 6 (1)(f) GDPR in the transfer, or if another legal basis permits the disclosure. When using processors, we only pass on our customers’ personal data on the basis of a valid data processing agreement. In the case of joint processing, a joint controller agreement is concluded.

Revocation of your consent to data processing

Many data processing operations are only possible with your express consent. You may revoke consent already given at any time. The lawfulness of the data processing carried out until revocation remains unaffected.

Right to object to data collection in special cases and to direct marketing (Art. 21 GDPR)

If data processing is based on Art. 6 (1)(e) or (f) GDPR, you have the right at any time to object to the processing of your personal data on grounds arising from your particular situation; this also applies to profiling based on these provisions. The respective legal basis on which processing is based can be found in this privacy policy. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims (objection under Art. 21 (1) GDPR).

If your personal data is processed for direct marketing, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent it is connected with such direct marketing. If you object, your personal data will no longer be used for direct marketing (objection under Art. 21 (2) GDPR).

Right to lodge a complaint with the competent supervisory authority

In the event of violations of the GDPR, data subjects have a right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. This right exists without prejudice to any other administrative or judicial remedy.

Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in performance of a contract handed over to yourself or a third party in a common, machine-readable format. If you request direct transfer of the data to another controller, this will only take place to the extent technically feasible.

Information, rectification and deletion

Within the framework of the applicable statutory provisions, you have the right at any time to free information about your stored personal data, its origin and recipients and the purpose of data processing and, where applicable, a right to rectification or deletion of this data. For these and other questions on personal data, you may contact us at any time.

Right to restriction of processing

You have the right to request restriction of the processing of your personal data. You may contact us at any time for this purpose. The right to restriction of processing exists in the following cases:

If you have restricted processing of your personal data, this data — apart from being stored — may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

SSL / TLS encryption

For security reasons and to protect the transmission of confidential content, such as orders or enquiries you send us as site operator, this site uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the browser address bar changes from “http://” to “https://” and by the lock symbol in your browser bar.

When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Rejection of unsolicited advertising emails

We hereby object to the use of contact data published in the context of the imprint obligation for the transmission of advertising and information material that has not been expressly requested. The operators of these pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, for example through spam emails.

4. Data recording on this website

Cookies

Our websites use so-called “cookies”. Cookies are small data packets and do not cause any damage to your device. They are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your device until you delete them yourself or until they are automatically deleted by your web browser.

Cookies may originate from us (first-party cookies) or from third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services from third-party companies within websites (e.g. cookies for processing payment services).

Cookies have various functions. Numerous cookies are technically necessary because certain website functions would not work without them (e.g. the shopping cart function or video display). Other cookies may be used to evaluate user behaviour or for advertising purposes.

Cookies required to carry out the electronic communication process, to provide certain functions you have requested (e.g. shopping cart function) or to optimise the website (e.g. cookies to measure the web audience) (necessary cookies) are stored on the basis of Art. 6 (1)(f) GDPR unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for the technically error-free and optimised provision of its services. Where consent to the storage of cookies and comparable recognition technologies has been requested, processing is based exclusively on that consent (Art. 6 (1)(a) GDPR and § 25 (1) TDDDG); consent may be revoked at any time.

You can set your browser to inform you about the setting of cookies and to allow cookies only in individual cases, to exclude the acceptance of cookies for certain cases or generally, and to activate automatic deletion of cookies when the browser is closed. Deactivating cookies may limit the functionality of this website.

Details of the cookies and services used on this website can be found in this privacy policy.

Enquiries by email, telephone or fax

If you contact us by email, telephone or fax, your enquiry, including all resulting personal data (name, enquiry) will be stored and processed by us for the purpose of handling your request. We do not pass on this data without your consent.

The processing of this data is based on Art. 6 (1)(b) GDPR if your enquiry is related to the performance of a contract or is required for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of enquiries directed to us (Art. 6 (1)(f) GDPR) or on your consent (Art. 6 (1)(a) GDPR) where this has been requested; consent may be revoked at any time.

The data you send us via contact requests remains with us until you request its deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g. after completed processing of your request). Mandatory statutory provisions — in particular statutory retention periods — remain unaffected.

Contact and enquiry form (“Request now”)

The website contains a contact / enquiry function (“Request now”). If you contact us via the form, your details from the form, including the contact data you provide there, will be stored by us and in the infrastructure we use (Lovable Cloud / Supabase and, where applicable, HubSpot CRM, see the respective sections) for the purpose of processing the enquiry and in case of follow-up questions. We do not pass on this data without your consent.

The processing of this data is based on Art. 6 (1)(b) GDPR if your enquiry is related to the performance of a contract or is required for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of enquiries directed to us (Art. 6 (1)(f) GDPR) or on your consent (Art. 6 (1)(a) GDPR) where this has been requested; consent may be revoked at any time.

The data you enter in the form remains with us until you request its deletion, revoke your consent to storage, or the purpose for data storage no longer applies. Mandatory statutory provisions — in particular retention periods — remain unaffected.

5. Analytics and advertising

Google Analytics

This website uses functions of the web analytics service Google Analytics. Provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables the website operator to analyse the behaviour of website visitors. The website operator receives various usage data such as page views, time spent, operating systems used and origin of the user. This data may be assigned by Google to a profile associated with the respective user or their device.

Google Analytics uses technologies that enable the recognition of the user for the purpose of analysing user behaviour (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is generally transferred to a Google server in the US and stored there.

Use of this service is based on your consent under Art. 6 (1)(a) GDPR and § 25 (1) TDDDG. Consent may be revoked at any time.

Data transfer to the US is based on the EU Commission’s Standard Contractual Clauses. Details: https://privacy.google.com/businesses/controllerterms/mccs/.

The company is certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF commits to comply with these standards. Further information from the provider: https://www.dataprivacyframework.gov/participant/5780.

IP anonymisation

We have activated IP anonymisation. As a result, your IP address is shortened by Google within Member States of the European Union or in other contracting states to the Agreement on the European Economic Area prior to transmission to the US. Only in exceptional cases is the full IP address transferred to a Google server in the US and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activities and to provide further services related to website and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics is not merged with other data from Google.

Order processing

We have concluded an order-processing agreement with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.

Lovable Analytics

The platform we use embeds its own analytics / event script (including via the domains cdn.gpteng.co as well as a platform-internal events script) with which technical usage and event data of the website is recorded and evaluated. The underlying platform is operated by Lovable (see section “Hosting – Lovable”). Technical data such as IP address, time of access, pages viewed and browser and device information may be processed.

Use of this service is based on your consent under Art. 6 (1)(a) GDPR and § 25 (1) TDDDG, to the extent processing includes the storage of information on the user’s device or access to such information. Consent may be revoked at any time. Where consent is not required, processing is based on our legitimate interest in the analysis and optimisation of our online offering (Art. 6 (1)(f) GDPR).

Details on data processing by Lovable can be found in the privacy policy at https://lovable.dev/privacy.

6. Plug-ins and tools

Sentry

This website uses the Sentry service to record and analyse technical errors and crashes (error and crash reporting). Provider is Functional Software, Inc. (Sentry), 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA (“Sentry”).

Sentry helps us detect and fix technical problems on the website. In the event of an error, technical data (e.g. IP address, timestamp, page accessed, browser and device information, and error context data) is transmitted to Sentry and processed there.

Use of Sentry is based on Art. 6 (1)(f) GDPR. We have a legitimate interest in the technically error-free, stable and secure presentation and optimisation of our website. Where consent has been requested, processing is based exclusively on Art. 6 (1)(a) GDPR and § 25 (1) TDDDG, to the extent the consent covers the storage of cookies or access to information on the user’s device (e.g. device fingerprinting) within the meaning of TDDDG. Consent may be revoked at any time.

Sentry is certified under the “EU-US Data Privacy Framework” (DPF). In addition, data transfer to the US is based on the EU Commission’s Standard Contractual Clauses. Further information can be found in Sentry’s privacy policy at https://sentry.io/privacy/ and in the Data Processing Addendum at https://sentry.io/legal/dpa/.

We have concluded a data processing agreement (DPA) for the use of the above service.

7. Own services / CRM

HubSpot CRM

We use HubSpot CRM on this website. Provider is HubSpot Inc., 2nd Floor 25 First Street, Cambridge, 02141 Massachusetts, USA (“HubSpot CRM”).

HubSpot CRM enables us, among other things, to manage existing and potential customers and customer contacts. With HubSpot CRM we are able to record, sort and analyse customer interactions by email, social media or telephone across various channels. The personal data collected in this way may be evaluated and used for communication with the prospective customer or for marketing measures (e.g. newsletter mailings). With HubSpot CRM we are also able to record and analyse the user behaviour of our contacts on our website.

The use of HubSpot CRM is based on Art. 6 (1)(f) GDPR. The website operator has a legitimate interest in the most efficient possible customer management and customer communication. Where consent has been requested, processing is based exclusively on Art. 6 (1)(a) GDPR and § 25 (1) TDDDG, to the extent the consent covers the storage of cookies or access to information on the user’s device (e.g. device fingerprinting) within the meaning of TDDDG. Consent may be revoked at any time.

Details can be found in HubSpot’s privacy policy: https://legal.hubspot.com/privacy-policy.

Data transfer to the US is based on the EU Commission’s Standard Contractual Clauses. Details: https://www.hubspot.com/data-privacy/privacy-shield.

The company is certified under the “EU-US Data Privacy Framework” (DPF). Further information from the provider: https://www.dataprivacyframework.gov/participant/5812.

We have concluded a data processing agreement (DPA) for the use of the above service.

Source of text passages: template based on eRecht24, adapted by Exploit Labs GmbH.