Privacy Policy

Last updated: 2026-03-13


1. General Information

1.1. Overview

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally.

Your personal data will not be shared with third parties unless necessary for the processing purposes described in each section. When we engage service providers, they process your data strictly under our instructions, will not use it for their own purposes, and are contractually bound to comply with the GDPR.

Our websites and web applications are operated by AtroCore GmbH (the "Controller"), whose full contact details are provided in the legal notice. Contact details for our Data Protection Officer are provided in Section 2.3.

1.2. Data Collection

We collect two types of personal data. First, data you provide voluntarily – for example when you fill out a contact form, register for an account, or subscribe to a newsletter. Second, data collected automatically by our IT systems when you visit our sites, such as your browser type and version, operating system, pages visited, referral URL, and timestamps. IP addresses are truncated before storage so that they cannot be attributed to a specific individual (see Section 6.1.).

1.3. Data Retention

We retain submitted data only as long as necessary to fulfill the purpose for which it was collected – typically up to two years for contact requests – and automatically collected logs for up to six months, unless a different retention period is required by law.

We process your data for the following purposes and on the following legal grounds:

  • Providing our services and fulfilling contracts (Art. 6(1)(b) GDPR)
  • Ensuring a secure, performant, and reliable IT infrastructure (Art. 6(1)(f) GDPR)
  • Complying with legal obligations, e.g., tax and bookkeeping (Art. 6(1)(c) GDPR)
  • Sending newsletters or marketing communications, where consent has been given (Art. 6(1)(a) GDPR)

1.5. Automated Decision-Making

We do not carry out automated decision-making or profiling within the meaning of Art. 22 GDPR that produces legal or similarly significant effects for you.

1.6. Children's Data

Our services are intended for users aged 18 and above. We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently processed a minor's data, we will delete it immediately. Where local law sets a higher minimum age for consent, we comply with that requirement.


2. Data Protection

2.1. Security Measures

We implement appropriate technical and organizational measures to ensure the confidentiality, integrity, availability, and resilience of your personal data in accordance with the GDPR and other applicable laws. We treat all personal data as strictly confidential and process it only for the purposes set out in this policy.

We use HTTPS/TLS to encrypt data in transit and, where applicable, encrypt data at rest. We regularly test, assess, and evaluate the effectiveness of our security measures and restrict access to your data to authorized personnel only.

Please be aware that transmission of data over the internet cannot be guaranteed 100% secure. We cannot accept liability for the security of data transmitted to us electronically.

2.2. Data Controller

AtroCore GmbH
Johanna-Kinkel-Str. 1, 2nd floor
93049 Regensburg
Germany

2.3. Data Protection Officer

We have appointed a Data Protection Officer with the requisite professional qualifications and expert knowledge of data protection law and practice as required by Art. 37(5) GDPR. The DPO holds no position within AtroCore GmbH that could give rise to a conflict of interest and acts independently in the exercise of their tasks (Art. 38(3) GDPR). For all matters relating to your personal data – requests, questions, or to exercise your GDPR rights – please contact our DPO:

Roman Ratsun
Email: dpo[@]atrocore.com

2.4. Data Breach Notification

AtroCore GmbH has established an incident-response process to ensure rapid containment, assessment, and remediation of personal data breaches.

Upon detecting an actual or suspected breach, we immediately activate our incident-response plan, isolate affected systems, and mitigate ongoing risk. If a breach occurs, we notify the competent supervisory authority (Bayerisches Landesamt für Datenschutzaufsicht – BayLDA) without undue delay and in any case within 72 hours of becoming aware of it (Art. 33 GDPR), providing:

  • the nature and scope of the breach (categories of data and approximate number of records affected)
  • the likely consequences for data subjects
  • the measures taken or proposed to address the breach and mitigate adverse effects
  • the contact details of our Data Protection Officer

If the breach is likely to result in a high risk to individuals' rights and freedoms, we also inform affected data subjects without undue delay (Art. 34 GDPR), describing the nature of the breach, its likely consequences, our remediation measures, and practical steps data subjects can take to protect themselves.

We maintain a detailed incident log for every breach, documenting facts, effects, and remedial actions. After each incident, we conduct a root-cause analysis and update our technical and organizational measures to prevent recurrence.


3. Your Rights

To exercise any of the rights listed in this section, please contact our Data Protection Officer (Section 2.3.). We will respond free of charge within one month. If necessary, we may extend this period by up to two further months, informing you of the extension and its reasons within the first month.

3.1. Right of Access (Art. 15 GDPR)

You may request confirmation of whether we process your personal data and, if so, a copy of that data together with information about the purposes of processing, categories of data, recipients, retention periods, and your rights.

3.2. Right to Rectification (Art. 16 GDPR)

If your personal data is inaccurate or incomplete, you may ask us to correct or complete it without undue delay.

3.3. Right to Erasure (Art. 17 GDPR)

You can request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, if you withdraw consent, or if processing otherwise violates the GDPR. We will comply unless we have a legal obligation or overriding legitimate interest to retain it.

3.4. Right to Restrict Processing (Art. 18 GDPR)

You may ask us to suspend processing of your data in specific cases – for example, while we verify its accuracy or while an objection is pending.

3.5. Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller where technically feasible.

3.6. Right to Object (Art. 21 GDPR)

You can object at any time to processing of your personal data based on our legitimate interests. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds or a need to establish, exercise, or defend legal claims.

Where processing is based on your consent, you may withdraw it at any time with future effect. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

3.8. Right to Object to Electronic Marketing

You may object at any time, free of charge, to receiving promotional communications by email or other electronic channels (§7 UWG). If you object, we will immediately cease such processing. We prohibit the use of contact details collected on this site for unsolicited promotional communications; if you receive such communications, you may notify our Data Protection Officer and we will take action accordingly.

3.9. Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority at any time if you consider that processing of your personal data infringes applicable law. The competent authority for AtroCore GmbH is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach
Phone: +49 981 53 1300
Email:
A list of all EU supervisory authorities: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html


4. Data Collection in Detail

4.1. SSL/TLS Encryption

This website uses HTTPS with TLS 1.2 or higher. You can verify an encrypted session by the "https://" prefix and the lock icon in your browser's address bar.

4.2. Cookies

We use cookies – small text files stored by your browser – to enhance usability, performance, and security. We use only strictly necessary cookies (Art. 6(1)(f) GDPR): these enable core functions such as session management and secure login. They are deleted when you close your browser and cannot be disabled without affecting core functionality. No consent is required for these cookies.

We do not use preference, analytics, marketing, or any other non-essential cookies.

You can manage or delete cookies through your browser settings (block, delete on close, or prompt per cookie). Please refer to your browser's help documentation for instructions.

4.3. Server Log Files

Each time you access our website, our server automatically records:

  • Browser type and version
  • Operating system
  • Referrer URL
  • Host name of the accessing device
  • Timestamp of the request
  • Truncated (pseudonymized) IP address

We process these logs on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in ensuring the stability, security, and performance of our services. Logs are not combined with data from other sources and access is restricted to authorized personnel. Retention: up to six months. You may object to this processing at any time under Art. 21 GDPR; see Section 3.6.

4.4. Contact Form

When you submit a query via our contact form, we collect the data you provide – such as your name, email address, phone number, and message content – to process and respond to your inquiry. The legal basis is your consent (Art. 6(1)(a) GDPR) and, where your inquiry relates to a pre-contractual or contractual matter, Art. 6(1)(b) GDPR.

You may withdraw consent at any time by contacting our Data Protection Officer (Section 2.3.). We retain contact form submissions for up to two years after resolution of your inquiry, or until you request earlier deletion, unless statutory retention obligations require longer storage.

4.5. Registration

To access additional features, you may register by providing your name, email address, and a password. We process this data to set up and maintain your account and to fulfill the user agreement (Art. 6(1)(b) GDPR). Passwords are stored in encrypted form.

We use your email address to send essential service notifications such as updates to our terms of use. Your registration data is retained for as long as your account remains active and thereafter only to the extent required by statutory obligations. Upon account deletion, we erase your personal data within 30 days unless retention is required by law.

4.6. Newsletter and Marketing Communications

Where you subscribe to our newsletter or otherwise consent to receive marketing communications, we process your email address and, where provided, your name on the basis of your explicit consent (Art. 6(1)(a) GDPR). Consent is obtained via a double opt-in process: after submitting your email address, you will receive a confirmation email and your subscription is activated only upon clicking the confirmation link. We record the timestamp and policy version for each consent.

You may withdraw consent and unsubscribe at any time by clicking the unsubscribe link in any marketing email or by contacting our Data Protection Officer (Section 2.3.). We comply with §7 UWG regarding unsolicited electronic communications.

4.7. Customer and Contract Data

We collect and process customer and contract data – such as name, billing address, company name, VAT-ID, email address, and payment information – only to the extent necessary to establish, execute, or modify a contractual relationship (Art. 6(1)(b) GDPR). We also process usage data (e.g., pages accessed, login timestamps) strictly as required to deliver our services or to invoice you.

Customer and contract data is erased once the contractual relationship ends or the order is completed, unless statutory retention obligations require otherwise (see Section 4.8. for applicable retention periods).

4.8. Payment Processing

We collect only the payment details necessary to complete your transaction. Full payment card details are never stored on our servers; payment information is transmitted directly to our PCI DSS–certified processors under Art. 28 GDPR data processing agreements:

  • PayPal Europe S.à r.l. & Cie S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg
  • Mollie B.V., Keizersgracht 313, 1016 EE Amsterdam, Netherlands

Transaction records (excluding full card details) are retained for ten years in accordance with §257 HGB and §147 AO. Any transfers outside the EU/EEA are covered by Standard Contractual Clauses. The legal basis is Art. 6(1)(b) GDPR (performance of contract).

4.9. Audio and Video Conferencing

We use Microsoft Teams (Microsoft Ireland Operations Limited, One Microsoft Place, Dublin 18, Ireland) for online meetings. Teams processes data you provide (name, email address, profile picture), session metadata, shared content, chat messages, and audio/video streams. AI-generated transcripts or summaries may be created for recorded meetings.

Recordings, transcripts, and summaries are retained for 30 days after the meeting and then permanently deleted, unless a longer period is required by law. Participants are notified in advance and must give explicit consent before any recording begins; consent is documented by the meeting organizer.

The legal bases are Art. 6(1)(b) GDPR (contractual and pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in efficient communication). We have concluded a data processing agreement with Microsoft Ireland Operations Limited under Art. 28 GDPR. Microsoft stores data on EU servers; limited transfers to the United States (e.g., for global support operations) are covered by the EU–U.S. Data Privacy Framework adequacy decision and Standard Contractual Clauses (see Section 5.3.). Please review Microsoft's privacy notice for full details.

4.10. Job Applications

We process the personal data you submit in your application – such as name, address, telephone number, CV, qualifications, certificates, and interview notes – solely to evaluate and select candidates. The legal basis is §26 BDSG in conjunction with Art. 6(1)(b) GDPR (pre-contractual measures at your request).

Where we process special-category data (Art. 9 GDPR), we obtain your explicit and separate consent under Art. 9(2)(a) GDPR prior to doing so. Criminal record information, to the extent legally permissible, is processed under §26(1) BDSG and not retained beyond the recruitment process. You may withdraw any separately given consent at any time in writing to our Data Protection Officer (Section 2.3.) without affecting the lawfulness of prior processing.

Application data is retained for six months after the recruitment process ends to allow for potential legal claims. With your explicit written consent, we may retain your data for up to three years for consideration in future vacancies.

4.11. Legitimate Interests Balancing Test

Where we process personal data on the basis of Art. 6(1)(f) GDPR, we have conducted a balancing test to confirm that our legitimate interests do not override your fundamental rights and freedoms. You may request further information on any such assessment by contacting our Data Protection Officer (Section 2.3.).


5. Data Recipients and Transfers

5.1. Recipients

We share your personal data only to the extent necessary for the purposes described in this policy. Recipients fall into the following categories:

  • IT service providers (e.g., hosting, email)
  • Payment service providers
  • Authorities and legal advisors, where required by law

All third-party processors are bound by Art. 28 GDPR data processing agreements requiring GDPR compliance. We do not share data for advertising or marketing purposes without your explicit consent.

5.2. Hosting and Cloud Services

Our websites and web applications are hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Personal data processed in connection with our services may be stored on Hetzner's servers, including pseudonymized access logs, metadata, contract data, and contact details. All server locations are within Germany or the European Union. We have concluded a data processing agreement with Hetzner under Art. 28 GDPR. The legal bases are Art. 6(1)(b) and Art. 6(1)(f) GDPR.

5.3. Third-Country Transfers

Where personal data is transferred outside the EU/EEA, we rely on the following safeguards:

Standard Contractual Clauses (2021 SCCs): adopted in all data processing agreements with third-country processors (Commission Implementing Decision (EU) 2021/914): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914

EU–U.S. Data Privacy Framework: limited transfers to Microsoft in the United States are covered by the DPF adequacy decision (Commission Decision (EU) 2023/97) and Standard Contractual Clauses as an additional safeguard: https://www.dataprivacyframework.gov

Processing within the EU/EEA: Umami analytics and all Hetzner hosting operate exclusively on servers within Germany or the EU. PayPal and Mollie process payment data exclusively within the EU and apply SCCs for any subprocessors outside the EU/EEA.


6. Web Analytics

6.1. Umami Analytics

We use Umami, an open-source, cookie-free analytics tool, hosted exclusively on our own servers in Germany. No data is transmitted to third-party servers and no cookies are set.

The following data is collected on each page visit:

  • A truncated IP address (first two octets only, e.g., 192.168.x.x); the full IP address is never written to disk
  • The URL of the page accessed
  • The referrer URL
  • Subsequent pages visited on our site
  • Time spent on each page
  • Page view counts

Because the IP address is truncated before storage and cannot in isolation be attributed to a specific individual, we treat this data as pseudonymous. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR) in understanding aggregate site usage and improving our services, subject to the balancing test described in Section 4.11. Analytics data is retained for 12 months and then automatically deleted.

You have the right to object to this processing at any time under Art. 21 GDPR by contacting our Data Protection Officer (Section 2.3.), after which we will cease collecting analytics data attributable to your browsing session.


7. Language and Policy Updates

7.1. Governing Language

This Privacy Policy is maintained in German. In the event of any discrepancy between language versions, the German version prevails.

7.2. Policy Updates

We may update this policy periodically. The date of the current version is stated at the top of this document. We will notify you of any material changes by prominent notice on our website prior to the change taking effect.