Privacy Policy
Version: 2025-07-05
1. General Information
The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally. For detailed information on data protection, please refer to our privacy policy listed below this text.
Your personal data will not be shared with third parties unless it is necessary for the processing purposes described in each section of this policy. When we engage service providers on behalf of AtroCore GmbH, they will process your data strictly under our instructions, will not use it for their own purposes, and are contractually bound to comply with the GDPR.
Our websites and web applications are operated by AtroCore GmbH (the "Controller"), whose full contact details – including postal address, email, and telephone number – are provided in the legal notice. Contact details for the responsible Data Protection Officer are available below.
When you visit our websites or web applications, we employ anonymized analytics services to measure and improve site performance and user experience. We don't use cookies for this.
Data Collection
We collect two types of personal data. First, data you provide voluntarily, for example when you fill out a contact form, register for an account, or subscribe to a newsletter. Second, data collected automatically by our IT systems when you visit our sites, such as your IP address, browser type and version, operating system, device identifiers, pages visited, referral URL, and timestamps. This data is directly anonymized.
Data Retention
We retain your submitted data only as long as necessary to fulfill the purpose for which it was collected – typically up to two years for contact requests – and automatically collected logs for up to six months, unless a different retention period is required by law.
Purpose and Legal Basis
We process your data for the following purposes and legal grounds:
- Providing our services and fulfilling contracts with our users and customers (Art. 6 (1)(b) GDPR)
- Ensuring a secure, performant, and reliable IT infrastructure (Art. 6 (1)(f) GDPR)
- Complying with legal obligations (e.g., tax, bookkeeping) (Art. 6 (1)(c) GDPR)
- Sending newsletters or marketing communications, where consent has been given (Art. 6 (1)(a) GDPR).
Children’s Data
Our services are intended for users aged 18 and above. We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently processed a minor’s data, we will delete it immediately. Where local law sets a higher minimum age for consent, we comply with that requirement.
2. Data Protection
We implement appropriate technical and organizational measures to ensure the confidentiality, integrity, availability, and resilience of your personal data, in accordance with GDPR and other applicable laws. We treat all personal data as strictly confidential and process it only for the purposes set out in this policy.
Whenever you interact with our website, we may collect personal data as described elsewhere in this policy; we use HTTPS/TLS to encrypt data in transit and, where applicable, encrypt data at rest. We regularly test, assess, and evaluate the effectiveness of our security measures and restrict access to your data to authorized personnel only.
Please be aware that, despite our best efforts, transmission of data over the internet (for example, via email) cannot be guaranteed 100% secure. We cannot accept liability for the security of data transmitted to us electronically.
Data Controller and Data Protection Officer
The Data Controller for this website is:
- AtroCore GmbH
- An den Klostergründen 29
- 93049 Regensburg
- Germany
We have appointed Alexander Zinchenko as our Data Protection Officer. For all matters relating to your personal data – requests, questions or to exercise your GDPR rights – please contact him at dpo["@"]atrocore.com.
Data Breach Notification
In the event of a personal-data breach, AtroCore GmbH has established an incident-response process to ensure rapid containment, assessment, and remediation.
Detection and Containment
Our IT and security teams continuously monitor systems for anomalies.
Upon detecting an actual or suspected breach, we immediately activate our incident-response plan, isolate affected systems, and mitigate ongoing risk.
Notification to Supervisory Authority
If a breach occurs, we notify the competent supervisory authority (e.g., Bayerisches Landesamt für Datenschutzaufsicht) without undue delay and, in any case, within 72 hours of becoming aware of it (Art. 33 GDPR).
The notification includes:
- a description of the nature and scope of the breach (including categories of data and approximate number of records affected)
- the likely consequences for data subjects
- the measures taken or proposed to address the breach and mitigate adverse effects
- the name and contact details of our Data Protection Officer or other contact point for more information
Communication to Data Subjects
If the breach is likely to result in a high risk to individuals’ rights and freedoms, we inform affected data subjects without undue delay (Art. 34 GDPR).
Such communication will contain:
- a clear description of the nature of the breach
- the likely consequences for the individual
- the measures we have taken or plan to take to contain and remediate the breach
- practical advice on steps data subjects can take to protect themselves
Record-Keeping and Review
We maintain a detailed incident log for every breach, documenting facts, effects, and remedial actions taken.
After each incident, we conduct a root-cause analysis and update our technical and organizational measures to prevent recurrence.
All breach notifications are coordinated by our Data Protection Officer, who serves as the single point of contact for supervisory authorities and affected individuals.
3. Your Rights
You have the following rights in relation to your personal data. To exercise any of these rights, or to ask questions about data processing, please contact our Data Protection Officer. We will respond free of charge, generally within one month of receipt of your request. If necessary, we may extend this period by up to two further months, but we will inform you of any extension and its reasons within one month.
Right of Access (Art. 15 GDPR)
You may at any time request free access to your personal data, its origin, recipients, processing purposes, and a copy in a usable format. You can request confirmation as to whether we process your personal data. If we do, you have the right to receive a copy of that data, along with information about the purposes of processing, categories of data, recipients, retention periods, and your rights.
Right to Rectification (Art. 16 GDPR)
If your personal data is inaccurate or incomplete, you may ask us to correct or complete it without undue delay.
Right to Erasure (“Right to Be Forgotten”) (Art. 17 GDPR)
You can request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, if you withdraw consent, or if processing otherwise violates the GDPR. We will comply unless we have a legal obligation or overriding legitimate interest to retain it.
Right to Restrict Processing (Art. 18 GDPR)
You may ask us to suspend processing of your data in specific cases—for example, while we verify its accuracy or if you have objected to processing.
Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller where technically feasible.
Right to Object (Art. 21 GDPR)
You can object at any time to processing of your personal data based on our legitimate interests, including profiling. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds or need it for legal claims.
Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on your consent, you may withdraw it at any time with future effect. Withdrawal does not affect the lawfulness of processing carried out before you withdraw your consent.
Right to Withdraw or Modify Cookie Consent
You may refuse or withdraw consent to the use of cookies and similar technologies at any time via our cookie settings. This will not affect the functionality of essential cookies necessary for site operation.
Right to Object to Electronic Marketing
You may object at any time, free of charge, to receiving unsolicited promotional communications by email or other electronic channels. If you object, we will immediately cease any such processing.
Right to Object to Promotional Emails
We prohibit the use of any contact details collected on this site for unsolicited promotional communications. If you receive such communications despite this, you may object at any time by sending a message to our Data Protection Officer; we will then cease such processing and may pursue legal remedies against the sender.
Right to file complaints with regulatory authority
If you believe our processing of your personal data violates applicable law, you have the right to lodge a complaint with a supervisory authority under GDPR Article 77.
In Germany, the responsible authority is:
- Bayerisches Landesamt für Datenschutzaufsicht
- Promenade 18, 91522 Ansbach
- Phone: +49 981 53 1300
- Email:
You can also find other EU supervisory authorities here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
4. Data Collection in Detail
SSL or TLS encryption
This website uses HTTPS with TLS 1.2 or higher to secure your connection. You can verify an encrypted session by the “https://” prefix and the lock icon in your browser’s address bar. All information you transfer is encrypted and cannot be read by third parties during transmission.
Cookies
We use cookies – small text files stored by your browser on your device – to enhance usability, performance and security.
Cookies we use in our web applications fall into two categories:
- Strictly necessary cookies (GDPR Art. 6(1)(f)): these enable core site functions such as session management, shopping cart and secure login. They cannot be disabled in our systems and are deleted when you close your browser (session cookies).
- Preference cookies (GDPR Art. 6(1)(a) – consent): these remember your settings (for example, language or region) to personalize your experience. Our web applications set these cookies by design; we cannot technically disable them server-side.
Before any preference cookies are set, you’ll see a cookie-settings banner asking for your explicit opt-in. You can accept or reject them, and we securely record your choices along with the timestamp and policy version. You may revisit the banner at any time to modify or withdraw your consent. Please note that if you decline the preference cookies required for certain features, access to the related website or web application will be disabled and your session closed automatically.
No other cookies are used on our sites.
You can modify or withdraw your cookie consent at any time by activating the cookie settings for the respective website.
You can manage or delete cookies through your browser settings by choosing to
- receive a notification when a cookie is set and decide on a case-by-case basis
- block all cookies automatically
- delete cookies when your browser closes
Please refer to your browser’s help menu for instructions.
Server Log Files
Each time you access our website, our server automatically records and stores log file information sent by your browser, including:
- Browser type and version
- Operating system
- Referrer URL
- Host name of the accessing device
- Timestamp of the request
- Anonymized IP address
We process these server logs on the legal basis of our legitimate interest and where required to ensure the stability, security, and performance of our services. We do not combine these logs with data from other sources, and access is restricted to authorized personnel only.
Contact Form
When you submit a query via our contact form, we collect the personal data you provide – such as your name, email address, phone number and message content – to process and respond to your request. This information is used solely for the purpose of correspondence and will not be disclosed to third parties without your explicit consent, except where required by law.
We will, therefore, process any data you enter into the contact form only with your consent. You may revoke your consent at any time. An informal email making this request is sufficient. The data processed before we receive your request may still be legally processed.
We retain contact form submissions only as long as necessary to address your inquiry and to comply with any statutory retention obligations – typically up to two years after resolution of your request – unless you request earlier deletion or revoke your consent. Mandatory legal retention periods (e.g., under commercial or tax law) remain unaffected.
Registration on our Websites and in our Web Applications
To access additional features, you may register by providing the mandatory information, such as name, email address, and chosen password – required for the specific site or service. If any required field is left blank, your registration will be declined.
We use the email address provided during registration to send you essential service notifications, such as updates to our terms of use or technical changes. We process your registration data to set up and maintain your user account and to fulfill the user agreement. Passwords are stored in encrypted form, and we enforce strong-password requirements to protect your account.
Your registration data will be retained for as long as your account remains active and thereafter only to the extent necessary to comply with statutory retention obligations (for example, for invoicing or fraud prevention). Upon deletion of your account, we will erase your personal data within 30 days unless retention is required by law.
You may at any time request access to, correction or deletion of, or restriction on the processing of your registration data, and you may object to further processing or request portability. To exercise these rights, contact our Data Protection Officer.
Processing of Customer Data
We collect and process your customer and contract data, such as name, billing address, company name, VAT-ID, email address and payment information only to the extent necessary to establish, execute or modify a contractual relationship with you. This processing is based on Art. 6 (1)(b) GDPR (performance of a contract) and, where needed to prepare a contract, on preliminary measures. We also process usage data (e.g., pages accessed, login timestamps) strictly insofar as it is required to enable you to use our services or to invoice you.
Your customer and contract data will be erased (except accounting records, which are to be stored for 10 years) once the contractual relationship ends or your order is completed, unless statutory retention obligations (for example, under tax or commercial law) require us to keep the data for a longer period.
Audio and Video Conferencing
We use Microsoft Teams (Microsoft Ireland Operations Limited, One Microsoft Place, Dublin 18, Ireland) to conduct online meetings. Teams processes any data you provide (for example, your name, email address, profile picture), session metadata (start/end time, participant count), shared content (screen, files, whiteboard), chat messages, and audio/video streams. Recorded meetings may also include AI-generated transcripts or summaries.
All Teams recordings, transcripts, and summaries are retained for 30 days from the date of the meeting, after which they are permanently deleted, unless a longer period is required by law. Participants must give prior consent before recording begins.
Processing is necessary to fulfill our contracts or pre-contractual measures (GDPR Art. 6(1)(b)) and to ensure efficient communication (legitimate interest, Art. 6(1)(f)). You must give prior consent to join recorded sessions. Microsoft stores your data on EU servers and may transfer it to third countries under the EU-U.S. Data Privacy Framework.
Data we collect directly will be deleted upon your request, withdrawal of consent, or once it’s no longer needed, except where mandatory legal retention periods or Microsoft’s own policies require longer storage. Please review Microsoft’s privacy notice for full details.
Processing of Job Applications
At AtroCore GmbH, we process the personal data you submit—such as your name, address, telephone number, CV, qualifications, certificates and interview notes—solely to evaluate and select candidates. This is necessary for pre-contractual measures at your request (GDPR Art. 6 (1)(b)). If a criminal-record check is legally required, we will verify it but not retain the certificate. If we carry out criminal-record checks or process health data, we obtain your explicit, separate consent under Art 9(2)(a) GDPR. You may withdraw that consent at any time without affecting the lawfulness of prior processing.
We retain your application data for six months after the recruitment process ends, to allow for any potential legal claims. We may keep your data for up to three years if you explicitly consent; you can withdraw that consent at any time in writing to our Data Protection Officer without affecting the lawfulness of prior processing.
Legitimate Interests
Where we process personal data based on our legitimate interests (Art. 6(1)(f) GDPR), we have conducted a balancing test to ensure that these interests do not override your fundamental rights and freedoms. You may request more information on this assessment by contacting our Data Protection Officer.
5. Data Recipients and Transfers
We may share your personal data with the following categories of recipients:
- IT service providers (e.g., hosting, email),
- Payment service providers,
- Authorities and legal advisors, where required by law.
We transmit your personal data to third parties strictly to the extent necessary to perform our contractual obligations under GDPR Art. 6(1)(b) – for example, to payment service providers, banks entrusted with payment processing, or carriers engaged to deliver goods. We do not share your data for any other purpose without your explicit consent, nor do we disclose it to third parties for advertising without your express permission.
When we engage third-party processors, we ensure they process data on our behalf under data processing agreements that require compliance with GDPR. If any recipient is located outside the EU/EEA, we safeguard transfers through appropriate measures such as Standard Contractual Clauses or Binding Corporate Rules.
We may disclose data to Authorities if required by law or court order.
Hosting, Cloud Services, and Data Backup
Our websites and web applications are hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. In addition, we use Hetzner’s cloud services and backup solutions to store, manage, and secure data related to the operation of this website and our business processes.
Personal data collected on this website or otherwise processed by us may be stored on Hetzner’s servers. This includes, in particular, IP addresses, metadata and communication data, contract data, contact details, website access logs, and other data generated by the website or connected systems.
The use of Hetzner is based on the necessity of fulfilling contractual obligations toward our prospective and existing customers (Article 6(1)(b) GDPR), as well as our legitimate interest in maintaining a secure, high-performance, and reliable IT infrastructure (Article 6(1)(f) GDPR).
We have entered into a data processing agreement with Hetzner in accordance with Article 28 GDPR. Hetzner processes all personal data exclusively on our instructions and in compliance with applicable data protection regulations. All server locations are situated within Germany or the European Union.
Payment Service Providers
When you make a purchase, e.g. in our online store, we collect only the payment details necessary to complete your transaction – such as bank account numbers for direct debits or card information. This processing is required to perform the sales contract you enter into with us (GDPR Art. 6(1)(b)) and to safeguard the payment data (GDPR Art. 32).
All payment pages are secured by TLS 1.2+ encryption, visible as “https://” and a lock icon in your browser’s address bar, ensuring your data cannot be intercepted in transit. We do not store full payment card details on our servers; instead, your information is transmitted directly to our payment processors under strict GDPR-compliant agreements (GDPR Art. 28):
- PayPal Europe S.à r.l. & Cie S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg
- Mollie B.V., Keizersgracht 313, 1016 EE Amsterdam, Netherlands.
Both providers are PCI DSS–certified and retain your data only as needed to settle the transaction and comply with legal requirements (for example, accounting retention periods). Any transfers outside the EU/EEA are covered by Standard Contractual Clauses to ensure an adequate level of protection.
You may exercise your rights of access, correction, erasure, restriction or objection to the processing of your personal data by contacting our Data Protection Officer.
Third-Country Transfers
When we transfer personal data outside the EU/EEA, we rely on one or more of the following safeguards:
Standard Contractual Clauses (2021 SCCs)
We have adopted the European Commission’s 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) in all our data-processing agreements with third-country processors. These SCCs ensure that any entity outside the EU/EEA processes your data under the same level of protection as required by the GDPR. You can review the SCC text here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914
EU–U.S. Data Privacy Framework (DPF)
Transfers to Microsoft Ireland Operations Limited (for Teams conferencing) are covered by the EU–U.S. Data Privacy Framework adequacy decision (Commission Decision (EU) 2023/97). Microsoft self-certifies to the DPF and implements additional contractual and technical controls. Full details are at https://www.dataprivacyframework.gov
Adequate Hosting
Plausible Analytics is hosted exclusively on our own servers located within the EU (Germany).
Payment Services
PayPal Europe S.à r.l. & Cie S.C.A. and Mollie B.V. process payment data exclusively in the EU and apply SCCs for any subprocessors.
All third-country transfers are governed by binding data-processing agreements that mirror the GDPR’s requirements for data security, confidentiality, and data-subject rights.
6. Web analysis
We use Plausible Analytics, an open-source, cookie-free web-analysis tool, hosted exclusively on our own servers to measure and improve site performance. No data is transmitted to or processed by third-party servers. No cookies are set.
The following anonymous data points are collected when you visit our pages:
- The first two bytes of your IP address (to prevent personal identification)
- The URL of the page you accessed
- The referrer URL from which you arrived
- Subsequent sub-pages you visit on our site
- Time spent on each page
- Number of times each page is viewed.
We process this information on the basis of your consent (GDPR Art. 6(1)(a)). By truncating IP addresses before storage, we ensure that you cannot be personally identified. All analytics data is retained for a period of 12 months, after which it is automatically deleted. You may withdraw your consent or object to this processing at any time by emailing our Data Protection Officer. This will not affect the lawfulness of processing carried out before your withdrawal.
You have the right under GDPR Articles 16, 17 and 21 to request rectification, erasure or to object to processing of your analytics data. To exercise these rights, please contact our Data Protection Officer.
7. Main Language and Changes
This Privacy Policy is maintained in German. In the event of any discrepancy between different language versions, the German version shall prevail.
We may update this policy periodically. The date of the current version is stated at the beginning of this document. We will notify you by prominent notice on our website.