1. Responsible Party
The responsible party for data processing on this website according to Art. 4 para. 7 GDPR (General Data Protection Regulation) and § 3 para. 1 BDSG (German Federal Data Protection Act) is:
Optentic - Anton Khorin
Am Teich 1
24601 Ruhwinkel
For all matters related to data protection, please contact: contact(at)optentic.com
2. General Information About Data Processing
2.1 Scope of Personal Data Processing
As a sole proprietorship providing software development, automation, and AI solutions, we process personal data of our users only to the extent necessary to provide a functional website, our content, and services. The processing of personal data occurs regularly only after user consent has been obtained. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of data is permitted by law.
2.2 Legal Basis for Processing Personal Data
Where we obtain consent from data subjects for processing personal data, Art. 6 para. 1 lit. a GDPR serves as the legal basis.
For processing personal data necessary for the performance of a contract to which the data subject is party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations necessary to carry out pre-contractual measures (e.g., inquiries about our services, booking consultations).
Where processing of personal data is necessary to comply with a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
Where processing is necessary to protect the legitimate interests of our company or a third party, and the interests, fundamental rights, and freedoms of the data subject do not override these interests, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.
2.3 Data Deletion and Storage Duration
Personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may occur beyond this period if provided for by European or national legislators in EU regulations, laws, or other provisions to which we are subject. Data will also be blocked or deleted when a storage period prescribed by the aforementioned standards expires, unless there is a need for continued storage of the data for conclusion or performance of a contract.
3. Provision of the Website and Creation of Log Files
3.1 Description and Scope of Data Processing
This website is hosted using Google Sites, a website hosting and creation service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) and its European subsidiary Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland).
Each time you access our website, the following data is automatically collected and stored in server log files by Google Sites:
- Browser type and version.
- Operating system used.
- Referrer URL (the previously visited page).
- Hostname of the accessing computer.
- IP address (anonymized/pseudonymized where possible).
- Date and time of access.
- Files accessed on the website.
This data is processed by Google on our behalf as a hosting provider.
3.2 Legal Basis
The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR (legitimate interest). Our legitimate interest lies in providing a functional, secure, and optimized website.
3.3 Purpose of Data Processing
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. Storage in log files is carried out to ensure the functionality and security of the website and to optimize website performance. Google uses this data to detect and prevent abuse and security incidents.
3.4 Duration of Storage
Data is deleted as soon as it is no longer necessary for the purpose for which it was collected. In the case of collection of data for provision of the website, this occurs when the respective session ends. Log files are typically stored for a maximum of 14 days by Google Sites, after which they are automatically deleted.
3.5 Right to Object and Removal
The collection of data for provision of the website and storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for the user to object to this data processing.
4. Use of Cookies and Consent Management
4.1 Description and Scope
This website uses cookies. Cookies are small text files that are stored on your device (computer, tablet, smartphone) by your web browser. Cookies enable us to recognize your browser and make the use of certain functions easier.
According to § 25 TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz) and Art. 6 para. 1 lit. a GDPR, we are required to obtain your consent before setting non-essential cookies or accessing information stored on your device.
Types of cookies used:
Technically necessary cookies: These cookies are essential for basic website functions (e.g., session management, security features). No consent is required for these cookies according to § 25 para. 2 TTDSG.
Analytics and performance cookies: Used for website analytics and optimization (e.g., via Google Analytics). These require your explicit consent.
Cookie Consent Management via Google Sites
Google Sites provides an integrated cookie notification system. When you first visit our website, you will see a cookie notice informing you about the use of cookies. Google Sites manages the display and storage of your consent preferences.
4.2 Legal Basis
Technically necessary cookies: Art. 6 para. 1 lit. f GDPR (legitimate interest in providing a functional website)
Analytics and marketing cookies: Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG (consent)
4.3 Purpose of Data Processing
Technically necessary cookies are used to make our website usable and secure. Analytics cookies help us understand how visitors interact with our website so we can improve user experience.
4.4 Duration of Storage and Right to Withdraw Consent
Cookies are stored on your device for varying durations depending on their type:
- Session cookies: Deleted when you close your browser.
- Persistent cookies: Stored for a specified period (typically up to 24 months for analytics cookies).
You can delete cookies at any time through your browser settings. You can also prevent cookies from being set in the first place by adjusting your browser settings accordingly. Please note that disabling certain cookies may limit website functionality.
You may withdraw your consent to the use of cookies at any time with effect for the future by adjusting your browser settings or contacting us at contact(at)optentic.com.
5. Google Analytics
5.1 Description and Scope
This website uses Google Analytics 4, a web analytics service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) and Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland).
Google Analytics uses cookies and similar technologies to analyze how users interact with our website. The information generated about your use of the website (including your IP address) is transmitted to and stored by Google on servers, which may include servers in the United States.
Data collected by Google Analytics includes:
- Pages visited and time spent on pages.
- Browser type and version.
- Operating system.
- Referrer URL.
- Pseudonymized IP address (last octet anonymized).
- Device information (mobile/desktop).
- User interactions and events.
- Approximate geographic location (country/city level).
5.2 Legal Basis
The use of Google Analytics is based on your explicit consent according to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. We obtain this consent through our cookie consent mechanism managed by Google Sites.
Google Analytics will only be activated after you have provided your explicit consent through the cookie banner.
5.3 Data Processing Agreement
We have concluded a Data Processing Agreement (Auftragsverarbeitungsvertrag) with Google in accordance with Art. 28 GDPR. This agreement ensures that Google processes data only according to our instructions and complies with GDPR requirements.
5.4 Data Transfer to the USA and Safeguards
Google LLC is certified under the EU-US Data Privacy Framework, which provides adequate safeguards for data transfers to the United States according to Art. 45 GDPR.
Additionally, we rely on Standard Contractual Clauses (SCCs) approved by the EU Commission according to Art. 46 para. 2 lit. c GDPR for data transfers to Google in the USA. These contractual clauses ensure that your data is protected according to European data protection standards even when processed in third countries.
More information: https://business.safety.google/adsprocessorterms/
5.5 Purpose of Processing
We use Google Analytics to:
- Analyze website traffic and user behavior.
- Optimize website content and user experience.
- Understand which pages and features are most popular.
- Improve our marketing strategies and service offerings.
5.6 IP Address Anonymization
We have configured Google Analytics 4 to anonymize IP addresses. This means that the last octet of your IP address is shortened within EU member states and other EEA countries before transmission to Google, ensuring that your IP address cannot be directly associated with you.
5.7 Duration of Storage
User data stored by Google Analytics 4 is automatically deleted after 14 months. We have configured this retention period in our Google Analytics settings.
5.8 Right to Withdraw Consent
You can withdraw your consent to Google Analytics at any time with effect for the future by:
- Adjusting your cookie settings through your browser.
- Installing the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout.
- Contacting us at contact(at)optentic.com.
5.9 Google's Privacy Policy
More information about how Google processes data can be found in Google's Privacy Policy: https://policies.google.com/privacy.
6. Contact Form
6.1 Description and Scope
Our website includes a contact form (https://www.optentic.com/contact-form) that can be used to contact us electronically. When you use this form, the data entered is transmitted to us and stored.
Data collected via the contact form:
- Name.
- Email address.
- Company name (optional).
- Message content.
- Date and time of submission.
- Your IP address (for security purposes).
By submitting the form, you consent to the processing of your data.
6.2 Legal Basis
The legal basis for processing is:
Art. 6 para. 1 lit. a GDPR (consent) for voluntary contact inquiries
Art. 6 para. 1 lit. b GDPR (pre-contractual measures) if your inquiry relates to a potential business engagement
Art. 6 para. 1 lit. f GDPR (legitimate interest) for responding to general inquiries
6.3 Purpose of Data Processing
We process the data you provide through the contact form solely to:
- Process your inquiry.
- Communicate with you regarding your request.
- Provide information about our services.
- Establish a business relationship if requested.
6.4 Duration of Storage
Your contact form data will be stored for as long as necessary to process your inquiry and handle any follow-up questions. If your inquiry leads to a contractual relationship, we will retain the data according to legal retention requirements (typically 6 years according to § 257 HGB for commercial correspondence).
If no contractual relationship ensues, we will delete your data 6 months after your inquiry unless you have consented to further contact or we have a legitimate interest in retaining the data (e.g., potential future business opportunities).
6.5 Right to Object and Deletion
You may request the deletion of your contact form data at any time by sending an email to contact(at)optentic.com. We will promptly delete your data unless we are legally required to retain it or have a legitimate interest in continued storage.
7. Calendly (Appointment Booking)
7.1 Description and Scope
We use Calendly, an online scheduling service provided by Calendly LLC, 271 17th St NW, 10th Floor, Atlanta, Georgia 30363, USA (https://calendly.com) to enable you to book consultation appointments with us.
When you book an appointment via our Calendly integration (https://www.optentic.com/book-a-call), the following data is collected and transmitted to Calendly:
- Name.
- Email address.
- Phone number (if provided).
- Company/organization name (if provided).
- Time zone.
- Appointment date and time.
- Any additional information you provide in the booking form.
- Your IP address.
- Browser and device information.
Calendly is integrated with Google Calendar to manage our availability and schedule appointments. When you book an appointment, the information is synchronized with our Google Calendar.
7.2 Legal Basis
The processing of your data through Calendly is based on:
Art. 6 para. 1 lit. b GDPR (pre-contractual measures) – processing is necessary to schedule and conduct a consultation appointment with you
Art. 6 para. 1 lit. a GDPR (consent) – by using the booking system, you consent to the processing of your data
7.3 Data Processing Agreement
We have concluded a Data Processing Addendum (DPA) with Calendly in accordance with Art. 28 GDPR. This agreement ensures that Calendly processes your data only according to our instructions and maintains appropriate security measures.
Calendly's DPA can be reviewed here: https://calendly.com/dpa
7.4 Data Transfer to the USA and Safeguards
Calendly processes data in the United States. To ensure adequate data protection, we rely on:
Standard Contractual Clauses (SCCs) according to Art. 46 para. 2 lit. c GDPR – These EU-approved contractual clauses ensure that data transferred to the USA receives protection equivalent to EU standards.
Additional technical and organizational measures implemented by Calendly to protect data against unauthorized access by US authorities.
Calendly's data processing practices and security measures are documented in their privacy policy: https://calendly.com/privacy
7.5 Google Calendar Integration
Calendly is connected to our Google Calendar account to:
- Display our real-time availability.
- Automatically create calendar events for booked appointments.
- Send appointment confirmations and reminders.
Data synchronized with Google Calendar includes your name, email address, appointment time, and any notes you provided. Google Calendar processes this data according to Google's Privacy Policy (https://policies.google.com/privacy).
Google LLC is certified under the EU-US Data Privacy Framework and has signed Standard Contractual Clauses for data transfers to the USA.
7.6 Purpose of Processing
We use Calendly to:
- Enable efficient appointment scheduling.
- Automate appointment confirmations and reminders.
- Reduce scheduling conflicts.
- Provide a convenient booking experience for potential clients.
7.7 Cookies Used by Calendly
Calendly may set cookies on your device when you use the booking widget. We require your consent before Calendly cookies are activated, in accordance with § 25 TTDSG.
The Calendly widget will only be loaded after you have provided consent through our cookie consent mechanism.
7.8 Duration of Storage
Your appointment data is stored by Calendly for the duration necessary to fulfill the appointment purpose. After the appointment:
Completed appointments: Data is retained for 6 months to handle any follow-up communication or documentation needs
Cancelled appointments: Data is deleted after 3 months
If you become a client, your data may be retained longer according to contractual and legal requirements (see section 16).
7.9 Right to Deletion
You can request deletion of your appointment data at any time by contacting us at contact(at)optentic.com. We will process your request within 4 weeks and ensure your data is deleted from both our systems and Calendly, unless we have a legal obligation to retain it.
8. Career Applications and Talent Pool
8.1 Description and Scope
Our website includes pages for career opportunities and talent pool applications:
Career page: https://www.optentic.com/careers
Talent pool application: https://www.optentic.com/talent-pool-application
When you submit an application or join our talent pool, we collect and process the following personal data:
- Full name.
- Email address.
- Phone number.
- Postal address.
- Resume/CV (including work history, education, skills).
- Cover letter.
- Portfolio or work samples (if provided).
- References (if provided).
- Any other information you include in your application materials.
Technical data:
- IP address (for security purposes).
- Date and time of application submission.
- Browser and device information.
8.2 Legal Basis
The legal basis for processing your application data depends on the context.
For applications related to specific job openings:
Art. 6 para. 1 lit. b GDPR (pre-contractual measures) in conjunction with § 26 para. 1 BDSG – Processing is necessary to assess your suitability for employment and to take steps at your request to enter into an employment contract
For talent pool applications (speculative applications/Initiativbewerbungen):
Art. 6 para. 1 lit. a GDPR in conjunction with § 26 para. 2 BDSG (explicit consent) – We process and store your data based on your voluntary and informed consent to be considered for future opportunities.
Your consent is freely given, and you can withdraw it at any time with effect for the future.
8.3 Purpose of Processing
We process applicant data for the following purposes:
- Evaluating your qualifications and suitability for current or future positions.
- Conducting the application and interview process.
- Making hiring decisions.
- Maintaining a talent pool for future opportunities.
- Complying with legal obligations (e.g., documentation for compliance with AGG – German General Equal Treatment Act).
8.4 Data Recipients
Your application data will be accessed only by:
- Authorized personnel involved in the hiring process (management, HR)
- External service providers who support our recruitment process (subject to data processing agreements under Art. 28 GDPR)
We will not share your data with third parties for marketing purposes or sell your data.
8.5 Storage Duration and Deletion
For applications related to specific job openings:
After completion of the application process (i.e., after the position is filled or your application is rejected), your data will be stored for 6 months. This retention period allows us to:
- Respond to any follow-up inquiries from you.
- Defend against potential claims under the AGG (General Equal Treatment Act), which has a 2-month claim period, extended to 6 months for evidential safety.
After 6 months, your application data will be automatically deleted unless:
- You have explicitly consented to inclusion in our talent pool (see below), or
- We are legally required to retain the data for a longer period (e.g., for pending legal proceedings).
For talent pool applications and consent-based storage:
If you submit a speculative application or explicitly consent to inclusion in our talent pool, we will retain your data for 24 months from the date of your application or last update.
Before the expiration of this period, we may contact you to ask if you wish to remain in our talent pool. If you do not respond or decline, your data will be deleted.
Automated deletion processes:
We have implemented technical and organizational measures to ensure that application data is automatically deleted in accordance with the above retention periods. Our systems generate deletion reports to document compliance with these obligations.
8.6 Talent Pool Consent
When you submit a talent pool application, we ask for your explicit consent to store your data for future opportunities. This consent includes:
- Clear information about what data we store and for how long.
- Specific purpose: Being considered for future suitable positions.
- Voluntary nature: Your consent is freely given and does not affect the assessment of any current application.
- Retention period: Up to 24 months.
- Right to withdraw: You can withdraw consent at any time.
If you applied for a specific position and were not selected, we may ask you during the process if you would like to join our talent pool. This is a separate consent request that you can accept or decline without any disadvantage.
8.7 Special Categories of Personal Data
We do not intentionally collect or process special categories of personal data (e.g., racial/ethnic origin, health data, political opinions, religious beliefs) as defined in Art. 9 GDPR.
If your application materials inadvertently contain such information (e.g., disability status, photo revealing ethnic origin), this data will be processed only if:
It is necessary for compliance with employment law obligations (e.g., obligations toward applicants with disabilities under German law), based on Art. 9 para. 2 lit. b GDPR and § 26 para. 3 BDSG, or
You have provided explicit consent for processing, based on Art. 9 para. 2 lit. a GDPR
We recommend that you do not include such information in your application unless specifically requested or legally required.
8.8 Right to Withdraw Consent and Request Deletion
You have the right to:
- Withdraw your talent pool consent at any time with effect for the future.
- Request deletion of your application data at any time.
To exercise these rights, please send an email to contact(at)optentic.com with the subject line "Application Data Deletion Request" and include:
- Your full name.
- Email address used for the application.
- Approximate date of application (if known).
We will process your deletion request within 4 weeks and confirm deletion to you in writing. After deletion, we will only retain minimal data (name, application date, deletion request) for documentation purposes to demonstrate compliance with data protection obligations, which will also be deleted after 3 years.
8.9 Data Security Measures
All application data is stored securely with:
- Encryption during transmission (TLS/SSL).
- Access controls limiting access to authorized personnel only.
- Regular security audits.
- Secure deletion procedures to ensure data cannot be recovered after deletion.
8.10 No Automated Decision-Making
We do not use automated decision-making or profiling in our recruitment process. All hiring decisions are made by human reviewers.
9. Email Communication
9.1 Description and Scope
When you contact us via email at contact(at)optentic.com, we collect and store:
- Your email address.
- Name (if provided in the email).
- Message content.
- Date and time of communication.
- Email metadata (email headers, etc.).
9.2 Legal Basis
The processing of data transmitted via email is based on:
Art. 6 para. 1 lit. f GDPR (legitimate interest in responding to inquiries)
Art. 6 para. 1 lit. b GDPR (pre-contractual or contractual correspondence)
Art. 6 para. 1 lit. a GDPR (consent) if you explicitly request to be added to a mailing list
9.3 Purpose and Duration
Email communications are processed to respond to your inquiries and maintain business correspondence.
Storage duration:
General inquiries: 6 months after the last correspondence
Pre-contractual/contractual correspondence: 6 years (§ 257 HGB – retention requirement for commercial correspondence)
9.4 Email Security
Emails transmitted via the internet are not end-to-end encrypted by default and may be subject to unauthorized access. For sensitive communications, we recommend using encrypted communication methods. Please contact us if you require secure transmission options.
10. Social Media and External Links
10.1 Links to Third-Party Websites
Our website may contain links to external websites (e.g., social media profiles, partner websites) that are not operated by us. We have no control over the content and data protection practices of these third-party sites.
When you click on an external link and leave our website, the privacy policy of the destination website applies. We recommend reviewing the privacy policies of any external sites you visit.
10.2 No Third-Party Social Media Plugins
We do not use social media plugins (e.g., Facebook Like buttons, Twitter widgets) that automatically transfer your data to social media platforms when you visit our website.
11. Data Security Measures
We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in accordance with Art. 32 GDPR.
Our security measures include:
Encryption: TLS/SSL encryption for data transmission between your browser and our servers
Access controls: Restricted access to personal data limited to authorized personnel with legitimate need
Secure hosting: Use of reputable hosting providers (Google Sites) with robust security infrastructure
Regular security updates: Timely application of security patches and updates
Data minimization: Collection and storage of only the data necessary for specified purposes
Pseudonymization and anonymization: Where possible, processing data in a way that prevents identification
Backup and recovery: Regular backups to prevent data loss
Security monitoring: Continuous monitoring for security incidents and unauthorized access
Employee training: Regular training of personnel on data protection and security practices
Despite these measures, no data transmission over the internet or electronic storage system can be guaranteed to be 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
11.1 Data Breach Notification
In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and within 72 hours of becoming aware of the breach, as required by Art. 33 and 34 GDPR.
We will inform you about:
- The nature of the personal data breach
- The likely consequences
- Measures taken or proposed to address the breach
- Contact information for further inquiries
12. International Data Transfers
Some of the services we use (Google Analytics, Calendly, Google Calendar) involve the transfer of personal data to recipients in third countries outside the European Economic Area (EEA), particularly to the United States.
12.1 Legal Basis for Data Transfers
We ensure that such transfers comply with GDPR requirements through:
EU-US Data Privacy Framework (DPF)
Google LLC is certified under the EU-US Data Privacy Framework, which has been recognized by the EU Commission as providing an adequate level of data protection through an adequacy decision according to Art. 45 GDPR.
You can verify Google's DPF certification here: https://www.dataprivacyframework.gov/s/participant-search
Standard Contractual Clauses (SCCs)
We have entered into Standard Contractual Clauses approved by the EU Commission according to Art. 46 para. 2 lit. c GDPR with our US-based service providers (Google, Calendly). These contractual clauses obligate the recipients to protect your data according to European data protection standards.
The SCCs include provisions for:
- Data processing only according to our instructions.
- Confidentiality obligations.
- Implementation of appropriate technical and organizational security measures.
- Obligations to notify us of government data access requests (where legally permissible).
- Rights of data subjects.
- Liability and auditing rights.
Additional Safeguards
Beyond SCCs, we have assessed the legal situation in the USA and implemented additional safeguards:
- Data minimization: Limiting the data transferred to what is strictly necessary.
- Pseudonymization: Using pseudonymized data where possible (e.g., IP anonymization in Google Analytics).
- Encryption: Ensuring data is encrypted during transmission and storage.
- Transparency: Informing you about these transfers in this Privacy Policy.
12.2 Your Rights Regarding International Transfers
You have the right to obtain information about the safeguards we have implemented for international data transfers. You may also object to such transfers under certain circumstances (see section 14.6).
If you have concerns about the transfer of your data to third countries, please contact us at contact(at)optentic.com.
13. No Automated Decision-Making or Profiling
We do not use automated decision-making processes, including profiling, as defined in Art. 22 GDPR, that would have legal effects concerning you or similarly significantly affect you.
All decisions related to:
- Hiring and recruitment
- Service offerings and pricing
- Business relationships
are made by human review and judgment, not by automated systems alone.
14. Your Rights as a Data Subject
Under the GDPR, you have comprehensive rights regarding your personal data. You can exercise these rights at any time by contacting us at contact(at)optentic.com.
14.1 Right to Information (Art. 15 GDPR)
You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, to receive information about:
- The categories of personal data being processed.
- The purposes of processing.
- The recipients or categories of recipients to whom the data has been or will be disclosed.
- The envisaged storage period or criteria for determining that period.
- Your rights (rectification, erasure, restriction, objection, data portability, complaint).
- The source of the data if not collected from you.
- The existence of automated decision-making, including profiling.
- Information about safeguards for data transfers to third countries.
You also have the right to receive a copy of the personal data undergoing processing (first copy free of charge; additional copies may incur a reasonable fee).
14.2 Right to Rectification (Art. 16 GDPR)
You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay. You also have the right to have incomplete personal data completed, including by providing a supplementary statement.
We will process rectification requests within 2 weeks.
14.3 Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)
You have the right to obtain the erasure of your personal data without undue delay if one of the following grounds applies:
- The data is no longer necessary for the purposes for which it was collected.
- You withdraw consent on which processing is based and there is no other legal ground for processing.
- You object to processing based on legitimate interests and there are no overriding legitimate grounds for processing.
- The data has been unlawfully processed.
- The data must be erased to comply with a legal obligation.
- The data was collected in relation to information society services offered to children (Art. 8 para. 1 GDPR).
Limitations: We may be unable to delete your data if processing is necessary for:
- Compliance with a legal obligation (e.g., tax and commercial retention requirements).
- Establishment, exercise, or defense of legal claims.
- Archiving purposes in the public interest, scientific/historical research, or statistical purposes where erasure would impair achievement of those purposes.
We will process erasure requests within 4 weeks and confirm deletion to you.
14.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to obtain restriction of processing (i.e., marking of stored data to limit future processing) if:
- You contest the accuracy of the personal data (for a period enabling us to verify accuracy).
- The processing is unlawful, but you oppose erasure and request restriction instead.
- We no longer need the data for processing purposes, but you require it for legal claims.
- You have objected to processing based on legitimate interests pending verification of whether our legitimate grounds override yours.
When processing is restricted, the data may only be processed (except for storage) with your consent, for legal claims, for protection of rights of another person, or for important public interest reasons.
14.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance from us, where:
- Processing is based on consent (Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR) or on a contract (Art. 6 para. 1 lit. b GDPR), and
- Processing is carried out by automated means.
You also have the right to have the data transmitted directly from us to another controller, where technically feasible.
Common formats we provide: CSV, JSON, PDF
This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
14.6 Right to Object (Art. 21 GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 para. 1 lit. e or f GDPR (legitimate interests), including profiling based on those provisions.
Upon receiving your objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
Objection to direct marketing: If your data is processed for direct marketing purposes, you have the right to object at any time to such processing, including profiling related to direct marketing. If you object, your data will no longer be processed for such purposes.
How to object: Send an email to contact(at)optentic.com with the subject line "Objection to Data Processing" and specify the processing activities you object to.
14.7 Right to Withdraw Consent (Art. 7 para. 3 GDPR)
Where processing is based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
To withdraw consent:
- For cookie consent: Adjust your browser settings or use the cookie settings on our website.
- For other consent: Email us at contact(at)optentic.com with the subject line "Withdraw Consent".
14.8 Right to Lodge a Complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR.
You may also contact any other supervisory authority in the EU. A list of all EU supervisory authorities is available here: https://edpb.europa.eu/about-edpb/board/members_en
14.9 No Fees for Exercising Your Rights
Exercising your data subject rights is free of charge unless your requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
14.10 Response Times
We will respond to your requests without undue delay and in any event within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt, together with the reasons for the delay.
15. Data Processing for Business Purposes
15.1 Client Data
If you engage our services (software development, automation, AI solutions implementation), we process personal data necessary to perform our contractual obligations.
Data processed:
- Contact information (name, email, phone, company).
- Billing information (address, tax ID, payment details).
- Project-related communications and documentation.
- Technical specifications and requirements.
- Deliverables and work products.
Legal basis:
- Art. 6 para. 1 lit. b GDPR (performance of contract).
- Art. 6 para. 1 lit. c GDPR (legal obligations, e.g., tax and accounting requirements).
- Art. 6 para. 1 lit. f GDPR (legitimate interest in documenting business relationships).
15.2 Third-Party Processors
We may engage third-party service providers to support our business operations (e.g., cloud storage, accounting software, project management tools). All such processors are carefully selected and bound by data processing agreements according to Art. 28 GDPR to ensure they process data only according to our instructions and maintain appropriate security measures.
16. Data Retention and Deletion Policy
We have implemented a comprehensive data retention and deletion policy to ensure compliance with the principle of storage limitation (Art. 5 para. 1 lit. e GDPR).
16.1 General Retention Principles
Personal data is stored only as long as necessary to fulfill the purposes for which it was collected or as required by law. Once the retention period expires, data is automatically deleted or anonymized so that it can no longer be attributed to you.
16.2 Deletion Procedures
We have implemented automated deletion processes to ensure timely deletion of data when retention periods expire. Our systems:
- Identify data subject to deletion based on retention schedules.
- Automatically delete or anonymize data when the retention period expires.
- Generate deletion logs to document compliance.
- Conduct regular audits to verify effective deletion.
Manual deletion: For data not subject to automated deletion (e.g., physical documents, backup archives), we conduct manual deletion reviews quarterly.
16.3 Exceptions to Deletion
We may retain personal data beyond the standard retention period if:
- Required by law (e.g., tax audits, regulatory investigations).
- Necessary for establishment, exercise, or defense of legal claims.
- You have explicitly requested extended retention (e.g., ongoing project collaboration).
17. Children's Privacy
Our services are not directed to children under the age of 16 years. We do not knowingly collect personal data from children under 16.
If we become aware that we have inadvertently collected personal data from a child under 16 without parental consent, we will take steps to delete that information as quickly as possible.
If you believe we have collected information from a child under 16, please contact us immediately at contact(at)optentic.com.
18. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or business operations.
Notification of changes:
- We will update the "Last Updated" date of this policy.
- Material changes will be prominently announced on our website.
- If legally required, we will seek your renewed consent for changed processing practices.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
19. Contact Information for Data Protection Inquiries
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us: contact(at)optentic.com.
We will respond to your inquiries within one month of receipt, or inform you if we need additional time to address your request.
20. Legal References and Definitions
This Privacy Policy is based on and complies with:
- GDPR – Regulation (EU) 2016/679 (General Data Protection Regulation)
- BDSG – Bundesdatenschutzgesetz (German Federal Data Protection Act)
- TTDSG – Telekommunikation-Telemedien-Datenschutz-Gesetz (German Telecommunications-Telemedia Data Protection Act, formerly TTDSG)
- TMG – Telemediengesetz (replaced by DDG as of May 2024)
- DDG – Digitale-Dienste-Gesetz (Digital Services Act, in force since May 2024)
- HGB – Handelsgesetzbuch (German Commercial Code)
- AO – Abgabenordnung (German Fiscal Code)
Key definitions:
- Personal data: Any information relating to an identified or identifiable natural person (Art. 4 para. 1 GDPR)
- Processing: Any operation performed on personal data, including collection, storage, use, disclosure, erasure (Art. 4 para. 2 GDPR)
- Controller: The entity that determines the purposes and means of processing personal data (Art. 4 para. 7 GDPR) – in this case, Optentic
- Processor: An entity that processes personal data on behalf of the controller (Art. 4 para. 8 GDPR) – e.g., Google, Calendly
- Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they signify agreement to processing (Art. 4 para. 11 GDPR)
- Third country: A country outside the European Economic Area (EEA)
Last Updated: 21.12.2025