Privacy policy for softgarden website

I. General information

1. Contact details of the person responsible

The controller within the meaning of the data protection laws is the:

softgarden e-recruiting GmbH
Tauentzienstr. 14
10789 Berlin

Tel: +49 (0)30 884 940 400
info@softgarden.de

If you have any questions or suggestions regarding data protection, you can also contact us by e-mail at datenschutz@softgarden.de.

2. Data protection officer

You can reach our data protection officer using the following contact details:

Herting Oberbeck Data Protection GmbH
Hallerstraße 76, 20146 Hamburg

Email: datenschutzbeauftragter@softgarden.de
Web: www.datenschutzkanzlei.de

3. Basis for data processing

The subject of data protection is personal data. According to Art. 4 No. 1 GDPR, this is any information relating to an identified or identifiable natural person (hereinafter “data subject”). This includes, for example, information such as name, postal address, email address or telephone number, but may also include usage data. Usage data is data that is required in order to use our website, such as information about the start, end and scope of use of our website and login data.

We process personal data in compliance with the relevant data protection regulations, in particular the GDPR and the BDSG. Data processing by us only takes place on the basis of legal authorisation. We process personal data only with your consent (Art. 6 para. 1 letter a GDPR), for the fulfilment of a contract to which you are a party or at your request for the implementation of pre-contractual measures (Art. 6 para. 1 letter b GDPR), for the fulfilment of a legal obligation (Art. 6 para. 1 letter c GDPR) or if the processing is necessary to protect our legitimate interests or the legitimate interests of a third party, unless your interests or fundamental rights and freedoms, which require the protection of personal data, prevail (Art. 6 para. 1 letter f GDPR).

If you apply for an open position in our company, we will also process your personal data to decide on the establishment of an employment relationship (Section 26 (1) sentence 1 BDSG).

4. Place of data processing

softgarden operates IT infrastructure at the office locations in Berlin and Saarbrücken as well as in data centres of the following service providers

• OVH GmbH (hosting of the website)
• WIIT AG (formerly myLoc managed IT AG)
• Equinix Germany GmbH

The service provider’s data centres for the website are located in Frankfurt/Germany.

Some data processing, in particular in connection with external services on our website, may involve the transfer of certain personal data to third countries, i.e. countries in which the GDPR is not applicable law. Such a transfer is permitted if the European Commission has determined that an adequate level of data protection is required in such a third country. This applies to all transfers to countries in this list: Data protection adequacy for non-EU countries

If such an adequacy decision by the European Commission does not exist, personal data will only be transferred to a third country if suitable guarantees pursuant to Art. 46 GDPR are in place or if one of the requirements of Art. 49 GDPR is met.

Unless there is an adequacy decision and unless otherwise stated below, we use the EU standard data protection clauses as appropriate safeguards for the transfer of personal data from the scope of the GDPR to third countries. You have the option of obtaining or viewing a copy of these EU standard data protection clauses. Please contact us at the address given under Contact.

If you consent to the transfer of personal data to third countries, the transfer takes place on the legal basis of Art. 49 para. 1 letter a GDPR.

5. Recipient of data

In order to provide our services and operate economically as a company, we use various external companies to which we transfer personal data in some cases. If other specific recipients receive personal data in some data processing operations, we will inform you of this in the course of this data protection notice. In principle, we pass on personal data to the following categories of recipients:

• Hosting provider: We commission certified service providers to host our data who have the highest security standards
• IT service providers and SaaS providers: We use the services of various service providers who support us as processors and simplify and optimise our processes.
• Advertising and marketing providers: With the help of various advertising and marketing providers, we aim to increase our brand awareness, promote demand for our products and increase customer loyalty. To this end, campaigns are planned, played out and their success measured and analysed. The providers are usually also processors.
• Administration and authorities: In order to comply with legal regulations or to respond to court orders or other similar official requests, further transfers may take place. This also includes transfers to the tax authorities and tax consultancy/auditing firms.
• As part of the further development of our business, the structure of softgarden e-recruiting GmbH may change by changing its legal form or by founding, buying or selling subsidiaries, parts of the company or components. In such transactions, customer information may be passed on together with the part of the company to be transferred. Whenever personal data is passed on to third parties in this context, softgarden will ensure that this is done in accordance with this data protection notice and the relevant data protection laws. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR.

6. Storage period

Unless otherwise stated in the following information, we only store the data for as long as is necessary to achieve the purpose of processing or to fulfil our contractual or legal obligations. Such statutory retention obligations may arise in particular from commercial or tax law regulations. From the end of the calendar year in which the data was collected, we will retain such personal data contained in our accounting data for ten years and retain personal data contained in commercial letters and contracts for six years. In addition, we will retain data in connection with consents requiring proof and with complaints and claims for the duration of the statutory limitation periods. We will delete data stored for advertising purposes if you object to processing for this purpose.

softgarden products support do not track requests through web browsers.

7. Your rights as a data subject

As a data subject, you have the right to assert your data subject rights against us. In particular, you are therefore entitled to know at any time whether your personal data has been stored and can contact us to assert a right of access to stored data (right of access), to verify its accuracy (right to rectification), to request its completion and updating, to request its erasure (right to be forgotten), to request the restriction of processing (right to restriction) and to have the data ported/ported in a commonly used, machine-readable format (data portability).

These rights apply insofar as there are no compelling and/or legitimate reasons on the part of the controller to the contrary. To assert these rights, please contact datenschutz@softgarden.de or send a letter to the address given above.

If you have given us separate consent to data processing, you can exercise your right of cancellation at any time without giving reasons and amend or completely revoke the declaration of consent given with effect for the future. You can send your cancellation to us either by post, e-mail or fax.  Such a revocation does not affect the legality of the processing that was carried out on the basis of the consent until the revocation.

If you believe that the processing of your personal data violates the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.

In accordance with Art. 21 (1) GDPR, you have the right to object to processing based on the legal basis of Art. 6 (1) (e) or (f) GDPR on grounds relating to your particular situation. If we process personal data about you for the purpose of direct marketing, you can object to this processing in accordance with Art. 21 (2) and (3) GDPR without giving reasons.

If you exercise your rights in accordance with Art. 15 to 22 GDPR, we process the personal data transmitted for the purpose of implementing these rights by us and to be able to provide proof of this. We will only process data stored for the purpose of providing and preparing information for this purpose and for the purposes of data protection monitoring and will otherwise restrict processing in accordance with Art. 18 GDPR. This processing is based on the legal basis of Art. 6 para. 1 lit. c GDPR in conjunction with. Art. 15 to 22 GDPR and § 34 para. 2 BDSG.

II. Data processing on our website

When you use the website, we collect information that you provide yourself. In addition, certain information about your use of the website is automatically collected by us during your visit to the website. In data protection law, the IP address is also considered personal data. An IP address is assigned to every device connected to the Internet by the Internet provider so that it can send and receive data.

1. Automated data collection

softgarden and third-party services may collect files for operational and maintenance purposes that record the interaction taking place via this application (system logs) or use other personal data (e.g. IP address) for this purpose.

When you access softgarden products, your Internet browser automatically transmits data for technical reasons. The following data is stored separately from other data that you may transmit to us:

• Date and time of access,
• Browser type and version,
• operating system used,
• URL of the previously visited website,
• Amount of data sent,
• IP address of the access

This data is stored solely for technical reasons and is not assigned to a specific person at any time. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR.

We use the service of the ISO 27001-certified provider Cloudflare Inc. (USA) and its subsidiary Cloudflare Germany GmbH (Germany) (“Cloudflare”) to increase the security of our platform, in particular to protect against DDoS attacks, and to improve the delivery speed. Cloudflare provides a network of servers capable of delivering optimised content to the end user and intercepting virus-infected traffic.

The services provided by Cloudflare include the product “Data Localisation Suite” with the components “Regional Services” and “Metadata Boundary for Customers”. Both components ensure that the transfer of personal data when using our platform and the checking of traffic takes place exclusively within the EU.

The personal data processed by Cloudflare includes all content transmitted by our customers and applicants, i.e. beyond the IP address, all files (application documents) and multimedia images, graphics, audio or video, as well as any interaction of their browser with our system.

Cloudflare is the recipient of your personal data and acts as a processor for us. This corresponds to our legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR to ensure the security and security as well as user-friendliness of our platform.

Your personal data will be stored by Cloudflare for as long as is necessary for the purposes described, usually 124 calendar days.

Further information about Cloudflare can be found at: Cloudflare DPA

Please note that we are generally not in a position to identify you as a data subject on the basis of the information stored. Art. 15 to 22 GDPR therefore do not apply in accordance with Art. 11 para. 2 GDPR, unless you provide additional information that enables your identification in order to exercise your rights set out in these articles.

2. Contact options and enquiries

On our website, you have the option of contacting us via contact forms or booking a live demo for our products directly. To do this, you must enter the data specified as mandatory fields in the respective form. This data is required in order to contact you as part of our sales process or as part of customer and prospective customer surveys. Last but not least, softgarden also requires this and, if necessary, other data in order to be able to respond to requests, questions and criticism. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR.

We use the HubSpot service from HubSpot Germany GmbH (Germany) as a software solution for managing and implementing inbound marketing. If you use our contact form, the data you enter will be transmitted directly to HubSpot and processed by us there. When using HubSpot, data may be transferred to third countries. Please therefore note the information in section I.4 of this privacy policy.

HubSpot also sets cookies to display forms and analyse your user behaviour. If these cookies are not necessary for technical reasons, you can refuse or consent to the use of cookies. If you consent, the legal basis for data processing is Art. 6 para. 1 lit. a GDPR in conjunction with Art. 25 para. 1 TDDD. § Section 25 (1) TDDDG (consent). The legal basis for the use of technically necessary cookies is Art. 6 para. 1 lit. f GDPR (legitimate interest) in conjunction with § Section 25 para. 2 no. 2 TDDDG. You can change your cookie settings at any time and thus revoke your consent without giving reasons. Please note that if you block cookies, some services may not be able to be used to their full extent. For more information about the technologies used by HubSpot Inc., please refer to HubSpot’s privacy policy at: HubSpot Privacy Policy.

3. Data processing within the scope of the free trial phase

You have the opportunity to try out our products as part of a free trial phase and test them for your company. During the test phase, we process personal data from you as a user:in our systems. Below you will find information on special data processing during and after the test phase. Further information on general data processing in our products can be found in our data protection information for softgarden products, which you can access at any time in our products or here: Data protection information for the use of softgarden Software as a Service

3.1 Registration for the test phase

To register for the test phase, you only need to enter the data visible in the input mask (in particular your business e-mail address). We process this data in order to provide you with temporary access to our products.

The legal basis for data processing is our legitimate interest pursuant to Art. 6 (1) (f) GDPR in providing you with a free opportunity to test our products.

The data will be stored for a period of 30 days and then deleted if no contract is concluded.

3.2 Analysis of user behaviour

In return for the free provision of the test phase, we analyse your usage behaviour in our products in order to be able to derive general improvement potential for our services and to offer you personalised assistance in the event of problems. Among other things, screen recordings are created for this purpose in order to be able to track your click behaviour and your usage behaviour in our products more precisely. This ensures that all content data (e.g. entries in free text fields, in applications or other personal and sensitive data) is automatically hidden and not captured by the screen recordings.

For this purpose, we use the Amplitude service from Amplitude, Inc (USA). Amplitude is configured in such a way that only pseudonymised data is collected by the service. The IP address is anonymised. The so-called “events” that are tracked relate, for example, to the use of certain functions, retrieval of help content or onboarding guides. This is purely a statistical evaluation of user behaviour. Amplitude does not use cookies or similar technologies.

The data is hosted exclusively on Amplitude servers in Germany (at Amazon Web Services in Frankfurt), so that all analysis data remains in the EU. Amplitude Inc. is ISO 27001 certified. Further information about Amplitude can be found here: Trust, Security and Privacy | Amplitude. However, we cannot rule out the possibility that organisations based outside the EU may also access the data. For this reason, we have concluded the approved EU standard contractual clauses with Amplitude, Inc. in accordance with Art. 46 para. 2 lit. c GDPR have been concluded. In addition, Amplitude, Inc. is certified under the EU-U.S. Data Privacy Framework. We will be happy to provide you with further information on request.

The legal basis for the analysis of your usage behaviour during the test phase is our legitimate interest pursuant to Art. 6 para. 1 letter f GDPR to analyse your usage behaviour in return for the free trial of our software and thus to continuously improve our product. Your personal data will be stored for the duration of the test phase and then deleted. However, we may continue to use the findings from your usage behaviour in anonymised form to improve our products.

3.3 Personalised assistance and

In order to provide you with the best possible support during and after the test phase and to show you the full functionality of our products, we will contact you by email or via push notifications in the software with personalised assistance. We can also contact you by telephone to inform you about new offers or to enquire about your experiences during the test phase.

For this purpose, we use findings from the analysis of your usage behaviour (see 3.2) to provide you with personalised assistance in the event of problems (e.g. by sending onboarding guides, tutorials or other information). In addition, we will contact you, if necessary, also after the end of the test phase, to inform you about the next steps and suitable offers.

We use the HubSpot service from HubSpot Germany GmbH (Germany) to send emails. Your e-mail address is therefore transmitted by us to the service provider. When using HubSpot, data may be transferred to third countries. Please therefore note the explanations in section I.4 of this privacy policy.

The legal basis for data processing is your consent in accordance with Art. 6 (1) (a) GDPR. You can revoke your consent to receive emails at any time via the unsubscribe link in the footer of each email. To revoke your consent to be contacted by telephone, please contact datenschutz@softgarden.de

4. Direct booking of our services via the website

You have the option of booking our products and services by direct purchase via our website.

If you order a product or service via our website, we process personal data exclusively for contract processing or to be able to provide you with the ordered product. As part of the booking or ordering process, we only process the data that you yourself have entered in the input screen.

We work together with the payment service provider Stripe to process payments. The payment data you provide during the ordering process will be transmitted to Stripe if this transmission is necessary to process the payment transaction

Stripe is provided by Stripe Payments Europe, Limited (Ireland, EU), which on the one hand acts as a processor for us and on the other hand processes your personal data on its own responsibility. Payments are processed by Stripe Technology Europe, Limited (Ireland, EU), which always acts as an independent controller.

We use Stripe for payments, analytics and other business services. The personal data collected by Stripe may include transaction data and device identification information (including cookies) associated with Stripe services. Stripe uses this information to operate and improve the services it provides to us, including fraud detection and prevention, loss prevention, authentication and analysis related to the performance of the services. For more information about Stripe’s privacy practices, please visit: Datenschutzrichtlinie | Stripe

The legal basis for the data processing for which we are responsible is our legitimate interest pursuant to Article 6(1)(f) GDPR in providing you with a simple and efficient way to book our products. All data fields marked as mandatory are required to process your booking. Failure to provide this data means that we will not be able to process your booking.

When using Stripe, data may be transferred to third countries, in particular to Stripe, Inc. in the USA. Please therefore note the explanations in Section I.4 of this Privacy Policy.

5. Newsletter

softgarden offers you a free newsletter service. We use the newsletter to inform you about product updates, other information relevant to the use of the platform and participation in surveys to draw your attention to new products or services or to provide you with other information that may be of interest to you. We also use the newsletter to inform you about offers and products from our co-operation partners.

Each newsletter contains information on how you can unsubscribe from the newsletter with effect for the future. The legal basis is Art. 6 para. 1 sentence 1 lit. a GDPR.

When registering for the newsletter, we store the IP address as well as the date and time of registration. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis arises from our legal obligation to document your consent (Art. 6 para. 1 letter c in conjunction with Art. 7 para. 1 GDPR).

We use the HubSpot service from HubSpot Germany GmbH (Germany) to manage newsletter subscriptions and send the newsletter. Your e-mail address is therefore transmitted by us to the service provider. If you do not want your data to be processed by this service provider, you should not subscribe to the newsletter or unsubscribe from it. When using HubSpot, data may be transferred to third countries. Please therefore note the explanations in section I.4 of this privacy policy.

6. Download of eBooks & studies

On our website, we offer you the opportunity to download our eBooks and studies. This generally requires you to enter your personal contact details in the forms provided for this purpose. We process your personal data on on the basis of our legitimate interest pursuant to Art. 6 para. 1 letter f GDPR to provide you with the requested documents.

If you give us your consent, we will subsequently use the data you provide to include you in our newsletter or to inform you about our products and services by email or telephone. The legal basis for this data processing is your consent given during registration in accordance with Art. 6 para. 1 letter a GDPR. Once you have given your consent, you can revoke it at any time via the unsubscribe link contained in the mailings.

7. Realisation of online seminars

We offer online seminars from time to time to give you the opportunity to exchange ideas with us and other HR experts on topics and new trends in the field of applicant management. We use the “GoTo Webinar” platform from LogMeIn, Inc (USA) to organise the online seminars. The registration process for a seminar takes place via GoTo Webinar. By clicking on the registration link, the user is redirected to the GoTo Webinar website. GoTo Webinar acts as a processor, is controlled by us and is subject to our instructions. Further information on data protection at GoTo Webinar can be found here: GoTo Privacy Policy

We process the personal data you provide when registering and organising the webinar. In return for free participation in our webinar, we will send you documents and information material about the webinar by email. The legal basis for data processing is Art. 6 para. 1 b GDPR (fulfilment of a contract).

Your IP address and other usage data are also collected in order to organise the webinar. This data is technically necessary in order to provide you with the online offer. In addition, cookies are placed on your computer when you use GoTo Webinar. You can find out which cookies these are and what they are used for here: GoTo Privacy Policy

If you have given us your consent during the registration process, we will use the data collected to contact you after a webinar and to provide you with information about our products and services. The legal basis for the processing of the data required for this is your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time without giving reasons and with effect for the future. To do so, please contact us at datenschutz@softgarden.de.

8. Online surveys with easyfeedback

It is possible that we invite you as an existing customer to participate in an online survey. The aim of the surveys is to improve and further develop softgarden products and services, enhance the application experience, conduct customer surveys and studies on recruiting trends. We use the service provider easyfeedback GmbH (Germany) to conduct surveys and studies. Surveys are conducted and analysed by softgarden.

Participation in surveys is voluntary. You have the option of cancelling the survey at any time by closing the browser window. The answers provided to date will be made available to softgarden. If you do not provide us with any information in the course of your participation that establishes a connection between the answers and you, your participation in the surveys is always anonymous.

The legal basis for conducting the surveys and the associated data processing is Art. 6 para. 1 sentence 1 lit. f GDPR (legitimate interest). Our legitimate interest is to improve and further develop softgarden products and services, to enhance the application experience and to conduct studies on recruiting trends.

Further information on data processing by easyfeedback can be found in easyfeedback’s data protection information: Privacy policy easyfeedback

9. Support requests and requests from affected parties

We use the Intercom R&D Unlimited Company (Ireland, EU) support platform for end-user support and for processing and documenting requests from affected parties. Intercom helps us to manage, distribute, process and subsequently document incoming requests.

A chat tool is available on our website, which you can use to contact softgarden support directly. You can also send your questions to support by e-mail. All enquiries, including the personal data mentioned there (e.g. your name, your email address, your problem description or your enquiry) are processed and stored by Intercom. Intercom sets a technically necessary cookie to provide the chat tool on our platform, which is required to provide the support service.

It is possible that you will first contact an AI assistant who will attempt to answer your enquiry based on the internal softgarden knowledge base. We make sure that you can always recognise whether you are interacting with an AI assistant. We use Intercom’s AI features to provide you with an always-available support option, increase the speed of responses and thus reduce the workload on our employees. Intercom is contractually obliged not to use the data entered into the AI system for training purposes. In addition, the inputs and outputs are not stored in the AI system, but are automatically deleted immediately after the enquiry has been answered.

You have the opportunity to directly rate the answers you receive from our support team and give us feedback on whether we were able to help you. We use this feedback to continuously develop and improve our support.

The processing of your personal data serves our legitimate interest pursuant to Art. 6 para. 1 letter f GDPR in the optimisation and economic operation of our customer support as well as the processing and documentation of enquiries from data subjects.

When using the service, your data may be transferred to the USA or other third countries. This transfer takes place on the basis of adequacy decisions (Art. 45 GDPR). In addition, we have concluded suitable guarantees with Intercom in accordance with Art. 46 GDPR (EU standard data protection clauses).

10. Cookies

We use cookies and similar technologies (“cookies”) on our website.  Cookies are small data records that are stored on your computer with the help of your Internet browser. This identifies the browser used and can be recognised by web servers. If you do not wish cookies to be used, you can prevent them from being stored on your computer by making the appropriate settings in your Internet browser. Please note that this may limit the functionality and range of functions of our website.

The use of cookies is in part technically necessary for the operation of our website and is therefore permitted without the user’s consent. We may also use cookies to offer special functions and content and for analysis and marketing purposes. These may also include cookies from third-party providers (so-called third-party cookies). We only use such technically unnecessary cookies with your consent in accordance with Section 25 (1) TDDDG and, if applicable, Art. 6 (1) (a) GDPR. Information on the purposes, providers, technologies used, stored data and the storage duration of individual cookies can be found in our cookie policy: softgarden cookie policy

You can edit your cookie settings by clicking on the black Cookiebot widget at the bottom left of the browser window. Alternatively, you can deactivate all non-functional cookies there.

11. Consent management tool

We use the consent management tool Cookiebot from Usercentrics A/S (Denmark) to control cookies and the processing of personal data.

The consent banner enables users of our website to give their consent to certain data processing operations or to withdraw their consent. By confirming the “Allow all” button or by saving individual cookie settings, you consent to the use of the associated cookies.

The legal basis under data protection law is your consent within the meaning of Art. 6 (1) (a) GDPR.

The banner also helps us to provide evidence of the declaration of consent. For this purpose, we process information about the declaration of consent and other log data relating to this declaration. Cookies are also used to collect this data. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis arises from our legal obligation to document your consent (Art. 6 para. 1 letter c in conjunction with Art. 7 para. 1 GDPR).

12. Analysis and tracking services

12.1 Amplitude

In order to continuously improve our website and offer you an optimal user experience, we analyse user behaviour on our public pages. For this purpose, screen recordings are created, among other things, in order to be able to track your click behaviour and your usage behaviour on our public pages more precisely. This ensures that all content data (if available, e.g. entries in free text fields, in applications or other personal and sensitive data) is automatically hidden and not captured by the screen recordings.

For this purpose, we use the Amplitude service from Amplitude, Inc (USA). The data is collected and analysed exclusively on the basis of your consent, which you can give and revoke via our cookie consent tool.

Amplitude is configured so that only pseudonymised data is collected. Your IP address is recorded anonymously and no personal data or user IDs are used, as the recording takes place before a possible login. The so-called “events” that are tracked relate, for example, to the use of certain functions or navigation behaviour on our website. This is a purely statistical evaluation of user behaviour. Amplitude does not use cookies or similar technologies that store personal data.

The data is hosted exclusively on Amplitude servers in Germany (at Amazon Web Services in Frankfurt) so that all analysis data remains in the EU. Amplitude Inc. is ISO 27001 certified. Further information about Amplitude can be found here. However, we cannot rule out the possibility that organisations based outside the EU may also access the data. For this reason, we have concluded the approved EU standard contractual clauses with Amplitude, Inc. in accordance with Art. 46 para. 2 lit. c GDPR have been concluded. In addition, Amplitude, Inc. is certified under the EU-U.S. Data Privacy Framework. We will be happy to provide you with further information on request.

The legal basis for the analysis of your usage behaviour on our website is your consent in accordance with Art. 6 para. 1 letter a GDPR. You can revoke your consent at any time via our cookie consent tool. The data collected will only be stored for as long as is necessary for the analysis and then deleted. Insights from anonymised user behaviour can still be used to improve our website.

12.2 Tracking Proxy

Our website facilitates the immediate pseudonymisation of your IP address on your first visit. In this way, we prevent direct access by third parties to end-user devices for tracking purposes and ensure complete control over a single data parameter and setting conditions for the transfer of data to such third parties.  To do this, we use first-party cookies and browser fingerprinting methods that are stored on your device. Your end device is assigned a randomly generated identification number (cookie ID/device ID).

This service is provided to us by Tracking Garden GmbH, Ritterfelddamm 225e, 14089 Berlin, Germany.

The aim is to obtain information about the use of our website, statistical analyses and reach measurements, such as the call-up of a specific webpage, the number of unique visitors, entry and exit pages, dwell time, click, wipe and scroll behaviour, the activation of buttons, the bounce rate and similar interactions by users on our website (events). This access data primarily includes browser and device information, the anonymised cookie ID of the tracking proxy and the date and time of the server request. The processing of this data by this service takes place exclusively on servers in Germany.

Your IP address will not be forwarded to third-party providers without your consent. Only general location information such as the region and city of the end device’s location is collected and derived in advance from the IP address. Due to the service, further user data is forwarded to third-party providers exclusively in pseudonymised form for the purpose of analysing and measuring the range of user behaviour on our website. To ensure effective pseudonymisation, the tracking proxy creates artificially generated data parameters for the browser identifier (user agent), for the cookie IDs of the third-party providers, for order numbers (if applicable) and for other browser and device information that would otherwise enable re-identification. The storage period for first-party cookies from this service is limited to a maximum of 24 months.

The legal basis for this processing by the service is our legitimate interest, in particular Art. 6 para. 1 sentence 1 lit. f) of the GDPR. Our legitimate interest is the analysis and measurement of the reach of our website, through which we can optimise and improve our digital offering and search for errors in it.

12.3 Google Analytics & Google Remarketing

softgarden uses Google Analytics, a web analytics service provided by Google Ireland Limited (Ireland) (“Google”). Google Analytics is a web analytics service that enables us to collect and analyse data about user behaviour on our website. Google Analytics enables us to measure interaction data from different devices and from different sessions. This allows us to contextualise individual user actions and analyse long-term relationships.

Google Analytics uses cookies for this purpose, which enable your use of the website to be analysed. Personal data in the form of IP addresses, device identifiers and information about the interaction with our website is also processed. Some of this data is information that is stored on the device you are using. In addition, further information is also stored on your device via the cookies used.

Google will process the data collected in this way on our behalf in order to analyse the use of our website by users, to compile reports on the activities within our website and to provide us with further services associated with the use of our website and the use of the Internet. Pseudonymised user profiles can be created from the processed data.

The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for data processing in connection with the Google Analytics service is therefore Article 6(1)(a) GDPR. You can revoke this consent at any time via our Consent Management Tool with effect for the future.

We only use Google Analytics with activated IP anonymisation. This means that the IP address of users is truncated by Google Ireland within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. The IP address transmitted by the user’s browser is not merged with other data. The IP address is truncated on servers in the EU.

The data on user actions is stored for a period of approximately 13 months and then automatically deleted. Data whose storage period has expired is automatically deleted once a month.

We also use the Google Analytics advertising functions (remarketing). This function enables us, in conjunction with Google’s cross-device functions, to display adverts in a more targeted manner and to present users with adverts tailored to their interests. Remarketing is used to show users adverts and products for which interest has been identified on other websites in the Google network. The function allows us to link advertising target groups created via Google Analytics Remarketing with the cross-device functions of Google Ads. In this way, interest-based, personalised advertising messages that have been adapted to a user depending on previous usage and surfing behaviour on one device (e.g. mobile phone) can also be displayed on another of the user’s devices (e.g. tablet or PC).

If you have given your consent, Google will link your web and app browsing history to your Google account for this purpose. In this way, the same personalised advertising messages can be displayed on every device on which you sign in with your Google account. The data collected in your Google account is summarised exclusively on the basis of your consent, which you can give or withdraw from Google. For these linked services, data is then collected for advertising purposes via Google Analytics. To support the remarketing function, Google Analytics collects the Google-authenticated IDs of users, which are temporarily linked to our Google Analytics data. This is used to define and create target groups for cross-device adverts.

Further information on how Google uses data from websites or apps for advertising purposes can be found in Google’s information at: Advertising – Privacy & Terms – Google.

12.4 Google Ads conversion tracking (AdWords)

Google Ads Conversion Tracking (formerly AdWords) is an analytics service provided by Google Inc. that connects data from the Google Ads advertising network with actions performed through this Application. Personal data collected: Cookie and usage data.

Furthermore, softgarden uses the so-called “call conversion tracking” function of Google Ads. For this purpose, a specific telephone number is displayed to a Google user in softgarden’s company profile on Google. This is triggered by entering certain search terms (AdWords booked by softgarden). When users call this specific telephone number, the call is linked to the web search with the booked AdWord in the Google Ads backend. This allows softgarden to determine which booked AdWords are more likely to lead to a customer call and to plan and design the advertising measures accordingly. The legal basis for this is your consent in accordance with Art. 6 para. 1 lit. a). GDPR. Consent is obtained via the cookie banner. You can also use it to object to processing.

12.5 Google Tag Manager

We use the Google Tag Manager of the provider Google Ireland Limited (Ireland) on our website. The Google Tag Manager is used to manage our website tags via an interface. The Google Tag Manager is a cookie-free domain to which the IP address is transmitted for technical reasons. The Google Tag Manager merely triggers other tags, which in turn may collect data without accessing this data themselves. If deactivation has been carried out at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager.

Your data is processed on the basis of Art. 6 para. 1 letter f GDPR and is based on our legitimate interest in the optimisation and economic operation of our website as well as the administration of our website services and the triggering of tags.

12.6 Microsoft Advertising (Bing Ads)

We use the Microsoft Advertising service (formerly Bing Ads) from Microsoft Ireland Operations Limited (Ireland) (“Microsoft”) on our website, which uses the Universal Event Tracking (UET) tool to help us target adverts via the search engines Microsoft Bing, Yahoo, Aol, other search partners (e.g. Ecosia, DuckDuckGo) and the Microsoft Audience Network. Microsoft Advertising uses cookies for this purpose, in which information about the use of our website, i.e. the pages you have accessed, is stored by Bing Ads for 180 days and then deleted. This information includes the URL of the page visited, the URL of the referring page and your IP address. By using the remarketing function, we can provide you with customised offers when you later search on one of the above-mentioned search engines.

The legal basis for data processing is Art. 6 para. 1 lit. a GDPR (consent). You can change your cookie settings at any time and withdraw your consent without giving reasons. When using the service, a transfer of your data to the USA cannot be ruled out. Please note the information in section I.4. You can access Microsoft’s privacy policy on the handling of collected data at the following link: Microsoft Privacy Statement

12.7 Crazy Egg

Our website uses the Crazy Egg web analysis service from Crazy Egg, Inc. (USA) to record randomly selected individual visits (only with anonymised IP addresses). This tracking tool uses cookies to analyse how you use the website (e.g. which content is clicked on). A user profile is visualised for this purpose. When the tool is used, user profiles are created using pseudonyms.

The legal basis for data processing is Art. 6 para. 1 lit. a GDPR (consent). You can change your cookie settings at any time and withdraw your consent without giving reasons.

When using Crazy Egg, the transfer of data to third countries cannot be ruled out. Please therefore note the information in section I.4 of this data protection notice.

Further information on data protection at CrazyEgg.com can be found at: Crazy Egg Privacy Policy

12.8 Meta pixel

We use the meta pixel on our website, a meta business tool from Meta Platforms Ireland Limited (Ireland) for the purpose of conversion tracking and remarketing and thus for more efficient management of advertising campaigns on Facebook and Instagram.

Information on the contact details of Meta Platforms Ireland Ltd. and the contact details of the Data Protection Officer of Meta Platforms Ireland Ltd. can be found in the Meta Platforms Ireland Ltd. privacy policy at Meta privacy policy

The meta pixel is a JavaScript code snippet that enables us to track the activities of visitors to our website. This tracking is called conversion tracking. The meta pixel collects and processes the following information (so-called event data) for this purpose:

• Information on the actions and activities of visitors to our website, such as searching for and viewing a product or purchasing a product;
• Specific pixel information such as the pixel ID and the Facebook cookie;
• Information on buttons clicked by visitors to the website;
• Information available in the HTTP headers, such as IP addresses, information about the web browser, the location of the page and the referrer;
• Information on the status of the deactivation/restriction of ad tracking.

Some of this event data is information that is stored on the device you are using. In addition, cookies are also used via the meta pixel to store information on the device you are using. Such storage of information by the meta pixel or access to information that is already stored on your device only takes place with your consent in accordance with Section 25 (1) TDDDG.

The event data collected via the meta pixel is used to target our advertisements and to improve the delivery of advertisements on meta products such as the social media platforms Facebook and Instagram, to personalise functions and content and to improve and secure the meta products. For this purpose, the event data collected on our website using the meta pixel is transmitted to Meta Platforms Ireland Ltd. This collection and transmission of event data is carried out by us and Meta Platforms Ireland Ltd. as joint controllers. We have entered into an agreement with Meta Platforms Ireland Ltd. on processing as joint controllers, in which the distribution of data protection obligations between us and Meta Platforms Ireland Ltd. is defined. In this agreement, we and Meta Platforms Ireland Ltd. have agreed, among other things

• that we are responsible for providing you with all information in accordance with Art. 13, 14 GDPR on the joint processing of personal data;
• that Meta Platforms Ireland Ltd. is responsible for enabling the rights of data subjects under Art. 15 to 20 GDPR with regard to the personal data stored by Meta Platforms Ireland Ltd. following joint processing.

You can access the agreement concluded between us and Meta Platforms Ireland Ltd. at https://www.facebook.com/legal/controller_addendum.

Meta Platforms Ireland Ltd. is solely responsible for the subsequent processing of the submitted event data. For more information on how Meta Platforms Ireland Ltd. processes personal data, including the legal basis on which Meta Platforms Ireland Ltd. relies and how to exercise your rights against Meta Platforms Ireland Ltd., please refer to Meta Platforms Ireland Ltd.’s Data Policy at Meta privacy policy

We have also commissioned Meta Platforms Ireland Ltd. to prepare reports on the impact of our advertising campaigns and other online content (campaign reports) and to prepare analyses and insights about users and their use of our website, products and services (analyses) on the basis of the event data collected via the meta pixel. For this purpose, we transmit personal data contained in the event data to Meta Platforms Ireland Ltd. The transmitted personal data is processed by Meta Platforms Ireland Ltd. as our processor in order to provide us with the campaign reports and analyses.

The collection and transfer of personal data by us to Meta Platforms Ireland Ltd. and the commissioned processing of personal data by Meta Platforms Ireland Ltd. for the creation of analyses and campaign reports will only take place if you have given your prior consent. The legal basis for the processing of personal data is therefore Article 6(1)(a) GDPR.

12.9 LinkedIn insight tag

We use the LinkedIn Insight tag on our website, a marketing product of LinkedIn Ireland Unlimited Company (Ireland) for the purpose of conversion tracking and remarketing and thus for more efficient management of advertising campaigns on LinkedIn.

Information on the contact details of LinkedIn Ireland and the contact details of LinkedIn Ireland’s data protection officer can be found in LinkedIn’s data policy at LinkedIn Privacy Policy

The LinkedIn Insight tag is a JavaScript code snippet that is triggered by LinkedIn when you visit our website and stores a cookie on your device . Such storage of information by the LinkedIn Insight tag or access to information that is already stored on your device and any further processing of personal data in connection with the LinkedIn Insight tag will only take place with your consent. The legal basis for the collection and transmission of personal data by us to LinkedIn Ireland is therefore Art. 6 para. 1 lit. a GDPR.

We can perform various functions via the LinkedIn Insight tag, which we describe in detail below.

LinkedIn conversion tracking is an analysis function that is supported by the LinkedIn Insight tag. The LinkedIn Insight tag enables the collection of data on visits to our website, including URL, referrer URL, IP address, device and browser properties (user agent) and timestamp. The IP addresses are truncated or hashed (if they are used to reach members across devices). LinkedIn does not provide us with any personal data, but only offers reports (in which you are not identified) about the website target group and ad performance. This allows us to measure the effectiveness of LinkedIn adverts for statistical and market research purposes.

The direct identifiers of the members are removed by LinkedIn within seven days in order to pseudonymise the data. LinkedIn then deletes this remaining pseudonymised data within 180 days.

This processing is carried out for the purpose of obtaining information about our website target group and a report on the effectiveness of LinkedIn campaigns.

We also use the “Matched Audiences” service to target our advertising campaigns to specific audiences. LinkedIn Matched Audiences and associated data integrations allow us to target advertising to specific audiences based on data we provide to LinkedIn (e.g. company lists, hashed contact information, device identifiers or event data such as websites visited).

This processing is carried out for the purpose of marketing our offers by displaying advertising to specific target groups.

We have entered into an agreement with LinkedIn on processing as joint controllers, which sets out the distribution of data protection obligations between us and LinkedIn. You can view this here: LinkedIn Pages Joint Controller Addendum

Please note that in accordance with the LinkedIn privacy policy, personal data is also processed by LinkedIn in the USA or other third countries. LinkedIn only transfers personal data to countries for which the European Commission has issued an adequacy decision in accordance with Art. 45 GDPR or on the basis of suitable guarantees in accordance with Art. 46 GDPR.

13. External media

This type of service allows users to view and interact with content hosted on external platforms directly from this Application.

If such a service is installed, it may be able to collect data from data traffic for the pages on which it is installed even if users do not use it.

13.1 Integration of YouTube videos

We embed YouTube videos on our website in order to make our specially created content directly available to you. Content from the YouTube page is displayed in parts of a browser window. However, the YouTube videos are only called up by clicking on them separately. By embedding the videos, your browser automatically establishes a connection with the YouTube servers of Google Ireland Limited (Ireland) as soon as you call up a page with an embedded video.

We have integrated our videos in the so-called “extended data protection mode”. This means that YouTube does not automatically set cookies as soon as a video is embedded. Rather, this now only happens after you open an embedded video and are redirected either to other websites or to the YouTube page. Only then are cookies set by YouTube and other Google services.

By playing the videos, you consent to the setting of cookies and the associated tracking. The legal basis is Art. 6 para. 1 lit. a GDPR (consent). You can change your cookie settings here at any time and revoke your consent without giving reasons. Please note that you will not be able to view the embedded videos if you have not consented to the use of cookies.

When using the service, a transfer of your data to the USA cannot be ruled out. Please note the information in section I.4. of this privacy policy. Further information on data protection at Google can be found in Google’s privacy policy: Privacy Policy – Privacy & Terms – Google

13.2 Customer ratings via eKomi

We use technology from eKomi Ltd, Zimmerstraße 11, 10969 Berlin (“eKomi”) for the purpose of provider and product reviews by our customers and for our own quality management. We have therefore integrated eKomi rating software on this website. You can use this evaluation software to submit an anonymous evaluation of your experience with us after we have provided our service. We will send you a separate request for this in a confirmation email. The reviews will be made unrecognisable for us by the service provider and deleted at the time the order is completed. You can object to this processing at any time using the contact details provided above.

Your data is processed on the basis of your consent in accordance with Art. 6 para. 1 letter a GDPR or on the basis of our legitimate interest in accordance with Art. 6 para. 1 letter f GDPR in conjunction with Art. 7 para. 3 UWG. § Section 7 (3) UWG to obtain feedback on our offer and to improve our offer on this basis.

You can find more detailed information on eKomi’s data protection here: eKomi Privacy

As part of your review via eKomi, you can enter your e-mail address, which we can use to contact you later regarding your review. In this way, we can, for example, respond individually to your criticism, answer your questions or provide other assistance. We would like to point out that providing your e-mail address is voluntary.

14. Spam defence with Friendly Captcha

We use the Friendly Captcha tool from Friendly Captcha GmbH (Germany, EU). In order to protect the website from spam and misuse, this tool is used for all forms integrated on the website.

It is technically necessary to process your IP address in order to use the service for the aforementioned purposes. We host the Friendly Captcha service on our own servers, so your personal data is not forwarded to external parties. For security reasons, we use the service to check whether form entries are made by a natural person. In this way, automated access attempts and attacks can be recognised and warded off. We are legally obliged to take appropriate technical and economic measures to ensure the security of our website. You can prevent this data processing at any time via the settings of the browser used or certain browser extensions. One such extension is the Matrix-based firewall uMatrix for the Firefox and Google Chrome browsers. Please note that this may result in functional restrictions on the website.

The processing of your data takes place on the basis of Art. 6 para. 1 lit. c GDPR in conjunction with. Art. 32 GDPR and § 19 para. 4 TDDDG.

III. Data processing on our social media pages

We have a company page on several social media platforms. In this way, we would like to offer further opportunities for information about our company and for dialogue. Our company has company pages on the following social media platforms:

• Facebook of Meta Platforms Ireland Limited, (Ireland, EU), hereinafter referred to as “Meta”;
• Instagram of Meta Platforms Ireland Limited, (Ireland, EU), hereinafter referred to as “Meta”;
• LinkedIn of LinkedIn Ireland Unlimited Company, (Ireland, EU), hereinafter referred to as “LinkedIn”;
• XING of NEW WORK SE, (Germany, EU), hereinafter referred to as “XING”.

When you visit or interact with a profile on a social media platform, personal data about you may be processed. The information associated with a social media profile used also regularly constitutes personal data. This also includes messages and statements made using the profile. In addition, certain information is often automatically collected during your visit to a social media profile, which may also constitute personal data.

1. Visiting a social media page

When you visit our social media page, which we use to present our company or individual products from our range, certain information about you is processed. The operators of the social media platforms are solely responsible for this processing of personal data. Further information on the processing of personal data can be found in their privacy policies, which we link to below:

• Meta. Meta offers the option of objecting to certain data processing; information and opt-out options in this regard can be found at https://www.facebook.com/settings?tab=ads;
• LinkedIn
• XING

The operators of the social media platforms collect and process event data and profile data and provide us with statistics and insights for our pages in anonymised form, with the help of which we gain knowledge about the types of actions that people take on our site (so-called “page insights”). These Page Insights are created on the basis of certain information about people who have visited our site. This processing of personal data is carried out by the social media operators and us as joint controllers. The processing serves our legitimate interest in analysing the types of actions taken on our site and improving our site based on these findings. The legal basis for this processing is Article 6(1)(f) GDPR.

We cannot assign the information obtained via Page Insights to individual user profiles that interact with our pages. We have entered into agreements with the operators of the social media platforms on processing as joint controllers, in which the distribution of data protection obligations between us and the operators is specified. Details on the processing of personal data for the creation of Page Insights and the agreement concluded between us and the operators can be found at the following links:

• Meta
• LinkedIn
• XING

You also have the option of asserting your rights against the operators. You can find further information on this under the following links:

• Meta
• LinkedIn
• XING

We have agreed with Meta and LinkedIn that the Irish Data Protection Commission is the lead supervisory authority overseeing processing for Page Insights. You always have the right to lodge a complaint with the Irish Data Protection Commission or any other supervisory authority.

2. Communication via social media sites

We also process information that you have made available to us via our company page on the respective social media platform. Such information may include the username used, contact details or a message to us. This processing is carried out by us as the sole controller. We process this data on the basis of our legitimate interest in contacting enquiring persons. The legal basis for data processing is Article 6(1)(f) GDPR. Further data processing may take place if you have given your consent (Art. 6 para. 1 letter a GDPR) or if this is necessary to fulfil a legal obligation (Art. 6 para. 1 letter c GDPR).

If you have provided us with information about your participation in a competition, we will only process it in order to be able to send you a prize if applicable. After delivery of the prize or if you have not won, we will delete the data. The legal basis for the processing is Art. 6 para. 1 letter b GDPR.

IV. Further data processing

1. Contact data management

We use Salesforce from salesforce.com Germany GmbH (Germany) as a CRM and ERP system. If you contact us or have a business relationship with us, we process your contact data in Salesforce. We have activated various plugins within Salesforce, including Tableau Pulse as an internal analysis and reporting tool.

In Salesforce, we process personal data such as your contact details, which you provide to us via our contact form or in the course of our business relationship. In addition, we use Salesforce to create department-specific analyses of our company key figures based on aggregated data.

The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in contacting enquirers and analysing and managing our business activities. To this end, we process your data to the extent necessary to establish or fulfil the contractual relationship. This regularly includes processing the personal master data, contract data and payment data provided to us as well as contact and communication data of our contact persons at commercial customers and business partners.

When using Salesforce, data transfer to third countries cannot be ruled out. Please therefore note the information in section I.4. of this privacy policy.

2. Invitation to trade fairs and events

We may use the e-mail address you provide when ordering to invite you to trade fairs and events in your area or to send you other information about our products and services. These trade fairs and events are always related to current and interesting topics on softgarden products and services, applicant management in general or other topics in the field of human resources. You will receive these invitations free of charge from softgarden. By receiving or using these invitations, you do not enter into any legal obligations with softgarden.

If you no longer wish to receive these invitations, you can object to receiving them at any time by sending an email to datenschutz@softgarden.de or using one of the contact options in the data protection information.

Sending these emails and invitations is necessary to safeguard softgarden’s legitimate interest in inviting you to trade fairs and events in connection with softgarden’s products and services. The legal basis for this is our legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR in conjunction with. §7 para. 3 UWG.

Version

Dokument-ID: D402

Document status: 14/04/2025

Rev. 3.0