Effective date: December 21, 2025
Please read this statement carefully to understand how we collect, use and process your personal information. We will explain in detail how we protect your privacy, how you can check and adjust your information at any time, and how to control the strict application of this policy.
As part of our responsibility under data protection law, additional obligations have been imposed on us by the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: "GDPR") in order to ensure the protection of personal data of the person affected by processing (hereinafter we also refer to you, the data subject, as "customer", "user", "you" or "data subject").
Insofar as we decide either alone or jointly with others on the purposes and means of data processing, this includes above all the obligation to inform you transparently about the type, scope, purpose, duration and legal basis of the processing (Art. 13 and 14 GDPR). With this declaration (hereinafter: "data protection information"), we inform you about the way in which your personal data is processed by us.
Definitions
Following the concept of Art. 4 GDPR, this data protection notice is based on the following definitions:
- "Personal data" (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person ("data subject"). A person is identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or information relating to their physical, physiological, genetic, mental, economic, cultural or social identity. Identifiability can also be achieved by linking such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photos, video or audio recordings can also contain personal data).
- "Processing" (Art. 4 No. 2 GDPR) means any operation which is performed on personal data, whether or not by automated means (i.e. using technical specifications). This includes, in particular, the collection (i.e. acquisition), recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, or alteration of the purposes for which they were originally processed.
- "Controller" (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- "Third party" (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
- "Data processor" (Art. 4 No. 8 GDPR) is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, in particular in accordance with the controller's instructions (e.g. IT service provider). In terms of data protection law, a processor is in particular not a third party.
- "Consent" (Art. 4 No. 11 GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Controller and scope
This "Privacy Policy" describes the privacy practices of requestee UG and our subsidiaries and affiliates (collectively, "Secfix", “requestee”, "we", "us", or "our") in connection with the https://secfix.com website, and any other website that we own or control and which posts or links to this Privacy Policy (collectively, the "Service"), in connection with our marketing activities, and as otherwise described in this privacy policy. In addition, this privacy policy describes your rights and choices with respect to the Personal Information we collect.
We are the controller responsible for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR:
Secfix GmbH (limited liability)
Salvatorplatz 3
c/o Mindspace
80333 Munich
E-mail: hello@secfix.com
For further information about our company, please refer to the imprint information on our website.
We provide important information for individuals located in the European Union and the European Economic Area in the GDPR based Privacy Policy.
We know that in this digital age, your privacy is important. This Privacy Policy reflects our commitment to protect personal data and the choices we offer you regarding how your data is used. We welcome you to read more about how we keep your information safe, as well as how you can exercise your rights. In addition, our Privacy policy covers our treatment of data that may be personal to you.
We will review, update and amend these policies from time to time consistent with our business needs and technology. We encourage you to check back periodically for new updates or changes. Your continued use of the service constitutes your acceptance of any change to this Privacy Policy. We are the data controller of your information. We handle and process all data on behalf of our customers.
This Privacy Policy only applies to processing activities under our own control (Art. 4 No. 7 GDPR) and not to processing operations that we carry out as a Data Processor (Art. 28 GDPR) on behalf of customers.
What personal data do we collect from the people who visit our website and app?
When registering on our site or buying services, as appropriate, you may be asked to enter your name, email, postal information, payment information, or other details to assist you with your experience.
When you create an account and use the Services, including through a third-party platform, we collect any data you provide directly, including:
- Personal Account Data: To use certain features (like Paid or unpaid Services), you need to create a user account. When you create or update your account, we collect and store the data you provide, like your email address, password, gender, and date of birth, and assign you a unique identifying number ("Account Data").
- Personal Data: Personal Data is information that can be used to identify you specifically, including your name, zip code, time zone, email address, telephone number, or demographic information like your age, gender, or hometown.
Legal base and storage duration
- Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a GDPR serves as the legal basis.
- When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
- Insofar as the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
- If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing. Your data will only be processed for as long as is necessary to achieve the above-mentioned processing purposes; the legal bases specified in the context of the processing purposes apply accordingly.
Purposes and legal base
| Purpose of Processing | Legal base |
| --- | --- |
| Access to services: To provide access to the Application for both customers and their end users. To provide certain features or functionality of the services on the site. | Consent in accordance with Art. 6 para. 1 lit. a GDPR. Fulfillment of a contract pursuant to Art. 6 para. 1 lit. b GDPR, insofar as you use our portal to obtain information about our range of services and to request them. |
| Customer Communication and requests: To communicate with customers and their end users about the Application. To respond to support requests. | Fulfillment of a contract pursuant to Art. 6 para. 1 lit. b GDPR, insofar as you use our portal to obtain information about our range of services and to request them. Legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR; our legitimate interest lies in responding appropriately to customer inquiries. |
| Marketing: To personalize and develop our site and the services we provide you and improve our offerings. For marketing and promotions. | Consent in accordance with Art. 6 para. 1 lit. a GDPR. If you have provided us with your email address in connection with the purchase of goods or services or we send you personalized advertising, to protect our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR. Our legitimate interest is based on our economic interests in the implementation of advertising measures and target group-oriented advertising. |
| Development and Improvement: To develop and improve the Application. Analyze trends to improve our website and offerings. For testing, research, analysis, and product development, including to develop and improve our site and services. | Consent in accordance with Art. 6 para. 1 lit. a GDPR. Legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. Our legitimate interest is to measure the reach of our website, to statistically analyze the use of our website and thus to be able to optimize our website in order to offer you a user-friendly website based on your usage behavior. |
| Legal Obligations: To comply with legal and regulatory requirements applicable to our business and internal policies for maintaining records. Compile anonymous statistical data for our own use or for a third party's use. | Fulfillment of a statutory obligation pursuant to Art. 6 para. 1 lit. c GDPR. Legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR; our legitimate interest lies in the preservation of integrity and the defense against claims. |
| Safety and security: To maintain the security and integrity of the Application. To protect all parties in the event of disputes. Prevent fraudulent activity on our website or mobile app. To help maintain the safety, security, and integrity of our site, services, databases, and other technology assets and business. | Fulfillment of a contract pursuant to Art. 6 para. 1 lit. b GDPR, insofar as you use our portal to obtain information about our range of services and to request them. Legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR; our legitimate interest lies in the preservation of integrity and the defense against claims. |
Newsletter
In addition to the purely informational use of our website, we offer a subscription to our newsletter, which we use to inform you about current developments and product information.
- You will only receive the newsletter if you have registered for it and confirmed your registration in a double opt-in procedure. The consent associated with the registration can be revoked at any time.
- If you register for our newsletter, the following "newsletter data" will be collected, stored and processed by us:
  - the page from which the page was requested (so-called referrer URL)
  - the date and time of the request
  - the description of the type of web browser used
  - the IP address of the requesting computer, which is shortened so that a personal reference can no longer be established
  - the e-mail address
  - the date and time of registration and confirmation
- We evaluate your user behavior when sending the newsletter. For this evaluation, the e-mails sent contain so-called web beacons or tracking pixels, which are one-pixel image files stored on our website. For the evaluations, we link the aforementioned data and the web beacons with your e-mail address and an individual ID. Links contained in the newsletter also contain this ID.
- The data is collected exclusively in pseudonymized form, i.e. the IDs are not linked to your other personal data, and direct personal references are excluded.
When do we acquire information?
We collect data from you when you register on our site, respond to an audit, give us feedback on our products or enter information on our site. Examples are listed below:
- To register on our website or App to get updated about services or to buy services.
- To create your account on the website (e.g., your name and email address)
- Request a quote
- Request a demo
- Purchase or register a product
- Request support
- Sign up for newsletters, support materials, white papers, our email list, our blog, or any other assets offered by
- To manage our relationship with you, including notifying you about changes to our terms or security arrangement, and asking you to leave a review or take a survey.
- To manage and protect our business and this site (including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting of data).
- To make suggestions and recommendations to you about goods or services that may be of interest to you.
Social media and social signals
If you choose to register or log in to our website using a social media account, we may access certain information about you.
- We may obtain certain information through your social media or other online accounts if they are connected to your Secfix account. If you log in via Google or another third-party platform or service, we ask for your permission to access certain information about that other account. For example, depending on the platform or service, we may collect your name, profile picture, account ID number, login email address, location, the physical location of your access devices, gender, birthday, and list of contacts.
- Social Networking Data: We may access personal information from social networking sites and apps, including Google, which may include your name, your social network username, location, email address, age, gender, profile picture, and any other public information. If you do not want us to access this information, please go to the specific social networking site and change your privacy settings.
- Mobile Device Data: If you use our website via a mobile device or app, we may collect information about your mobile device, including device ID, model and manufacturer, and location information.
- If you access or use our Services or buy services through a third-party platform or service, or click on any third-party links, the collection, use, and sharing of your data will also be subject to the privacy policies and other agreements of that third party.
Those platforms and services make information available to us through their APIs. The information we receive depends on what information you (via your privacy settings) or the platform or service decide to give us.
Google Login/ MS Office 365 Login
Our Sites offer you the ability to register and log in using your third-party Google Login/ MS Office 365 Login. Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name, email address, friends list, profile picture, as well as other information you choose to make public. We will use the information we receive only for the purposes described in this privacy policy or that are otherwise made clear to you on the Sites. Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. We recommend that you review their privacy policy to understand how they collect, use and share your personal information and how you can set your privacy preferences on their sites and apps. The APIs that we use to store and access cookies and other information on your devices. If you are a user currently in the European Union, please look at our EU User Consent Policy.
Job applicants and recruitment
When you apply for a job at Secfix, we collect and use your personal data to run our recruitment process. We use Ashby (an applicant tracking system) to receive and manage applications. Ashby acts as a data processor and processes applicant data on our behalf, based on our instructions.
We may collect:
- Your name and contact details (such as email address)
- Your CV, cover letter, employment history, and education
- Messages you send during the recruitment process (including emails or texts sent through the system)
- Basic technical and security information (such as IP address, device and browser details) to protect the process and detect fraud
- If interviews are recorded, we may process recordings, transcripts, and related notes
How we collect it
- Directly from you when you submit an application (including via an Ashby-hosted application form)
- Through communications during the hiring process (for example, scheduling and interview coordination)
Why we use it
We use applicant data to review your application, assess suitability, communicate with you, schedule interviews, and meet legal or regulatory obligations.
Retention
We keep applicant data only as long as needed for recruitment and related legal obligations, then we delete or anonymize it.
Your rights and how to contact us
To request access, correction, or deletion of your applicant data, contact us at hello@secfix.com.
For details about Ashby’s processing as a provider, review Ashby’s privacy policy.
Cookies
Secfix uses cookies and similar technologies in our Websites and Services to help us collect Other Information. The Websites and Services may also include cookies and similar tracking technologies of third parties, which may collect Other Information about you via the Websites and Services and across other websites and online services. For more details about how Secfix uses these technologies, and your opt-out opportunities and other options, please see Secfix’s Cookie Policy.
Do Not Track
Currently, various browsers — such as Internet Explorer, Firefox, and Safari — offer a “do not track” or “DNT” option that relies on a technology known as a DNT header, which sends a signal to Web sites visited by the user about the user's browser DNT preference setting. Secfix does not currently commit to responding to browsers' DNT signals with respect to the Company's Web sites, in part, because no common industry standard for DNT has been adopted by industry groups, technology companies or regulators, including no consistent standard of interpreting user intent. Secfix takes privacy and meaningful choice seriously and will make efforts to continue to monitor developments around DNT browser technology and the implementation of a standard.
When we share personal information
Once your personal information is collected, as detailed above, we may share it with third parties for various reasons, among them email delivery, data hosting, analytics, payment processing and content streaming. These services may collect browsing data that includes IP addresses, referring pages, and users’ movements as they navigate the Website. Other third parties help us with our marketing efforts including sending and analyzing our marketing efforts by measuring whether recipients have opened an email and clicked on any content within it.
When we share your personal information with a third party, we require that third party to protect the information consistent with this Statement and limit its use of the information to performing the services they provide to us. For example, when we share personal information with payment processors or presenters of web seminars, its use is limited to providing that service.
Data Processors
As with any large company, we also use external domestic and foreign service providers to process our business transactions (e.g. for IT, logistics, telecommunications, sales and marketing). These service providers only act in accordance with our instructions and are contractually obliged to comply with data protection regulations in accordance with Art. 28 GDPR. If your personal data is passed on by us to our subsidiaries or is passed on to us by our subsidiaries (e.g. for advertising purposes), this is done on the basis of existing order processing relationships. Our data processors can be found under our Trust Center.
How do we protect your details?
- We have implemented industry-accepted administrative, physical, and technology-based security measures to protect against loss, misuse, unauthorized access, and alteration of personal information in our systems. We ensure that any employee, contractor, corporation, organization, or vendor who has access to personal information in our systems is subject to legal and professional obligations to safeguard that personal information.
- We do not use vulnerability scanning and/or scanning to PCI specifications.
- We use regular Malware Scanning.
- Your personal information is contained behind secured systems and is accessible only by a limited number of persons who have special access privileges to such systems and are required to keep the information confidential. Furthermore, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.
- We implement a number of security measures whenever a user enters, submits, or accesses their information to maintain the protection of your personal information.
- While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or form of electronic storage is 100 percent secure. Therefore, we cannot guarantee its absolute security.
- Secfix prohibits unauthorized access or use of personal information stored on our servers. Such access is a violation of law, and we will fully investigate and press charges against any party that has illegally accessed information within our systems.
Children
Our Services are directed to, and are intended for use only by, persons who are 18 years of age or older. We do not knowingly collect information from children under 18. If you are under 18 years of age, you are not permitted to register for an account or otherwise submit any personally identifiable information to us, including your name, address or e-mail address. If we discover that we have collected any personally identifiable information from a child under the age of 18, we will suspend the associated account and remove that information from our database as soon as possible. By registering for an account or submitting any personally identifiable information to us, you represent that you are 18 years of age or older.
"Data Protection Laws" means all data protection laws and regulations applicable to a party's processing of Customer Data under the agreement, including, where applicable, EU Data Protection Law and Non-EU Data Protection Laws.
GDPR-EU data protection law
"EU Data Protection Law" means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iv) in respect of the United Kingdom ("UK") any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.
"Europe" means, for the purposes of this DPA, the European Union, the European Economic Area as well as their member states, Switzerland and the United Kingdom.
"Non-EU Data Protection Laws" means the California Consumer Privacy Act ("CCPA"); the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA"); and the Brazilian General Data Protection Law ("LGPD"), Federal Law no. 13,709/2018.
- Parties' roles: If EU Data Protection Law or the LGPD applies to either party's processing of Customer Data, the parties acknowledge and agree that concerning the processing of Customer Data, Customer is the controller and is a processor acting on behalf of Customer, as further described in Annex A (Details of Data Processing) of this DPA.
- Purpose limitation: Secfix shall process Customer Data only following Customer's documented lawful instructions as outlined in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing ("Permitted Purposes"). The parties agree that the agreement sets out the Customer's complete and final instructions to Secfix concerning the processing of Customer Data, and processing outside the scope of these instructions (if any) shall require a prior written agreement between the parties.
- Customer compliance: Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Customer Data and any processing instructions it issues to Secfix; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Secfix to process Customer Data for the purposes described in the agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer data. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent, or managed through the service, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices.
- The lawfulness of Customer's instructions: Customer will ensure that United Kingdom processing of the Customer Data by Customer's instructions will not cause Secfix to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws. Secfix shall promptly notify Customer in writing unless prohibited from doing so under EU Data Protection Laws if it becomes aware or believes that any data processing instruction from Customer violates the GDPR or any UK implementation of the GDPR.
Your Legal Rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data.
You may have the following rights:
- Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data's accuracy.
- Where our use of the data is unlawful, but you do not want us to erase it.
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you. We will provide to you your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you.
- Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR, subject to the conditions of Art. 77 GDPR. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy. The supervisory authority responsible for us is:
Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59-61
10555 Berlin
Phone: +49 30 13889-0
E-mail: mailbox@datenschutz-berlin.de
Identity verification requirement
The law requires us to verify that any request submitted was made by someone with the legal right to access the information. Therefore, before accessing or divulging any information pursuant to a data access request, we may request that you provide us with additional information so we can verify your identity and legal authority, particularly where the information provided with the request is insufficient to confirm legal authority and/or identity.
Governing Law and Jurisdiction
This website originates from Germany. The present Privacy Policy as well as the processing operations on which it is based are governed by German and European law, in particular the EU-GDPR. We make no legal representation that the website or products are appropriate or available for use in locations outside Germany. You may access the website from outside Germany at your own risk and initiative and must bear all responsibility for compliance with any applicable foreign laws.
Changes to this privacy notice
We reserve the right to alter this privacy notice at any time. Such alterations will be posted on our website. You can also obtain an up-to-date copy of our privacy notice by contacting us.
Contacting us
If you would like to contact us to understand more about this Policy or wish to contact us concerning any matter relating to individual rights and your Personal Information, you may do so via the contact us or email us at hello@secfix.com or at our mailing address:
Secfix GmbH (limited liability)
Salvatorplatz 3
c/o Mindspace
80333 Munich