Privacy policy

Details on the processing of personal data

Provision of the website and creation of log files

When you visit our website for informational purposes only, without actively providing personal data, access data is automatically stored in so-called server log files. The following information is collected automatically and stored for a limited period:

• Name of the requested file
• Date and time of access
• Amount of data transferred
• Browser used
• Operating system used
• IP address of the requesting computer
• Requested URL
• Referrer URL (the URL you visited immediately before)
• Requesting provider

Purpose of data processing
We process the data listed above for the following purposes:

• Ensuring a smooth connection to the website
• Ensuring a convenient use of the website
• Evaluation of system security and stability
• Additional administrative purposes

Legal basis
The legal basis for the processing of these personal data is Article 6(1)(f) GDPR. Our legitimate interest lies in the provision and operation of the website as well as ensuring its functionality.

Objection and deletion
The collection of this data for the provision of the website and the storage in log files is absolutely necessary for the operation of the website. Therefore, there is no possibility to object to this processing. The data is automatically deleted after a certain period unless it is required for an ongoing analysis or a legitimate interest.

Hosting
Our website is hosted by 1xINTERNET GmbH, Frankfurt am Main (www.1xinternet.de). The hosting provider supplies the technical infrastructure and processes access data on our behalf to ensure the website’s operational capability. A data processing agreement has been concluded with 1xINTERNET in accordance with Article 28 GDPR.

CMS platforms
Our websites are managed and maintained using the content management systems Drupal and Webflow, which support us in the administration and upkeep of our pages.

Integration of third-party services and external content

YouTube videos

Our website includes embedded videos from the YouTube platform. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When visiting a corresponding page, no connection to YouTube’s servers is initially established, as the videos are protected via a so-called two-click solution (consent request).

Only once you actively consent to the display of the YouTube video will a connection to YouTube be established, and personal data such as your IP address or information about your usage behavior may be transmitted to Google. This may also involve data transfers to the USA.
Your consent is stored via our consent tool. This means the consent prompt will not reappear on future visits unless you delete your cookies or revoke/change your consent via the tool.

Purpose:
User-friendly integration of video content

Legal basis:
Art. 6 (1) lit. a GDPR (Consent)

Recipient:
Google Ireland Ltd. / possibly Google LLC, USA
Click here for YouTube’s privacy policy
You may withdraw your consent at any time via our consent management tool.

ProvenExpert

Our website uses review badges and customer testimonials from the ProvenExpert platform, a service of Expert Systems AG, Quedlinburger Straße 1, 10589 Berlin, Germany. When accessing a page that includes a ProvenExpert badge, a connection to ProvenExpert’s servers is established. This may involve the transmission of technically necessary data such as your IP address, date, and time of access.

If you provide your consent, ProvenExpert may place cookies on your device, which are used for statistical evaluation of user behavior and for displaying personalized content. These cookies are only activated after you have consented via our consent banner (Art. 6 (1) lit. a GDPR, § 25 (1) TTDSG).

We also publish selected customer reviews (anonymized or named), submitted via ProvenExpert, as social proof elements on our website.

Purpose of processing:
Building trust by displaying customer reviews and integrating a review badge.

Legal bases:
Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TTDSG (for optional cookies)
Art. 6 (1) lit. f GDPR (our legitimate interest in transparent communication and trust building)

Recipient of the data:
Expert Systems AG, Quedlinburger Straße 1, 10589 Berlin, Germany

More information:
Click here for ProvenExpert’s privacy policy
 

Use of cookies

To make visiting our websites www.hvs-consulting.de, www.is-fox.de, and www.get-is-fox.de more appealing and to enable certain functions, we use so-called “cookies.” These are small text files that your browser automatically creates and stores on your device when you visit our sites.

Cookies allow us to:

• Track and store your preferences
• Identify you individually during a visit to our website
• Make your user experience more efficient and optimize site functionality

Most of the cookies we use are deleted automatically at the end of your browser session (“session cookies”). Some cookies, however, remain on your device so we can recognize you on your next visit and analyze your usage behavior (“persistent cookies”).

• We use the following types of cookies on our websites:
• Technically necessary cookies (e.g., for storing consents via Cookiebot)
• Statistical cookies (e.g., Google Analytics, Fathom)
• Marketing cookies (e.g., LinkedIn Ads, Meta Pixel)

Legal basis:

• Technically necessary cookies: Art. 6(1)(f) GDPR
• Statistical and marketing cookies: Art. 6(1)(a) GDPR (consent)

Objection and changing settings:
You can change or revoke your consent to the use of cookies at any time. Cookie settings can be managed via the cookie consent banner on each of our websites. You can adjust or update your preferences during your initial visit or at any later time. The settings are accessible on each relevant page under “Cookie Settings.”

Contact via contact form, email, and telephone

Our website offers several options for quick electronic communication, particularly via our contact form. If you contact us via email or the contact form, the personal data you provide will be stored automatically.

We typically process the following personal data as part of handling your request:

• First and last name
• Email address
• Company/employer
• Telephone number
• Content of your inquiry (e.g., issues, questions, specific requirements)
• IP address (to prevent misuse and improve communication)

We use your personal data solely for processing your specific inquiry. Your data may be stored in a customer relationship management system (CRM) or another organizational tool to streamline communication and processing.

Storage duration:
Your data will be deleted once it is no longer required to fulfill the purpose for which it was collected. This is typically the case when the conversation is concluded or any resulting contract has ended and the data is no longer needed.

Legal basis:

• Art. 6(1)(b) GDPR: Processing for the performance of pre-contractual measures (e.g., inquiries about offers or services)
• Art. 6(1)(f) GDPR: Legitimate interest in effective communication and inquiry handling

Objection:
If the processing of your data is based on Art. 6(1)(f) GDPR, you may object at any time. In this case, we will cease processing unless there are compelling legitimate grounds for further processing.

Subscription to our newsletter

If you sign up for our newsletter, we process your personal data to regularly send you information about our products, services, and events.

We use the services of Cleverreach and Mailgun to send the newsletter. We have signed data processing agreements with these providers, requiring them to protect your data, process it according to this privacy policy on our behalf, and not disclose it to third parties. Your data is stored on the servers of Cleverreach and Mailgun.

To register, you must provide your email address. Optionally, you may also share your name. Registration uses a double opt-in process, which means you will receive a confirmation email after signing up that you must verify. This process is documented, including the registration and confirmation times and your IP address.

Legal basis:
Processing your personal data is based on your consent under Art. 6(1)(a) GDPR.

Withdrawal of consent:
You may withdraw your consent for the newsletter at any time with future effect. Simply use the unsubscribe link included in every newsletter. The withdrawal does not affect the legality of the data processing carried out prior to your withdrawal.

Use of the IS-FOX Awareness Platform

When you use our IS-FOX Awareness Platform, we process personal data to provide access to e-learning content and deliver personalized learning experiences. This includes data about your learning progress and training activities.

Purpose:

• Providing personalized training content
• Documenting and tracking learning progress
• Managing users within the platform

Legal basis:
Art. 6(1)(b) GDPR (contract performance or pre-contractual measures)

Storage duration:
Data is stored as long as the user account is active and no statutory retention obligations prevent deletion.

Creating an account

Access to certain protected areas, such as demo content on our awareness platform, requires creating a user account. We collect basic contact and access information for this purpose.

Purpose:

• Setting up and managing the user account
• Controlling access to protected content (e.g., demo videos or trial training)

Legal basis:
Art. 6(1)(b) GDPR (contract performance)

Storage duration:
Data is stored until the user account is deleted or for as long as statutory retention obligations exist.

Use of payment services

For processing paid services on our website, we use the payment provider Stripe. Stripe is an international company that facilitates payment transactions for online services.

Purpose:
The personal data you submit is used by Stripe solely for payment processing. This includes collecting, storing, and sharing payment data such as credit card details, bank account information, or other payment methods you choose.

Legal basis:
Art. 6(1)(b) GDPR: Processing is necessary for the performance of the payment transaction and the contractual relationship.

Recipient:
The data collected during payment processing is transferred to Stripe Inc., located in the United States. Since Stripe operates outside the EU, data is transmitted to third countries, including the USA. However, Stripe is certified under the Privacy Shield framework, meaning it adheres to EU data protection standards.

Data transfer to third countries:
The transfer of data to the USA and other third countries takes place under Art. 44 ff. GDPR, as Stripe provides appropriate safeguards such as EU Commission standard contractual clauses.

Storage duration:
Stripe stores your personal data for the duration of the payment process and any applicable legal retention periods. The data is then deleted unless retention is required by law, such as under tax regulations.

Further information:
For more details about how Stripe processes your personal data and the security measures in place, please refer to Stripe’s Privacy Policy.
 

Processing of business contacts

In the course of our business activities, we process contact data of individuals from companies we work with or contract with.

Purpose:
We process this data for customer relationship management, communication, and contract execution.

Legal basis:

• Art. 6(1)(b) GDPR (contract performance)
• Art. 6(1)(f) GDPR (legitimate interest in effective communication)

Tools used:
We use tools such as Weclapp, MS Teams, MS Forms, and Join for management and communication.

Storage duration:
Contact data is stored as long as necessary for the respective purpose. It will be deleted if the purpose ceases or upon request, provided there are no legal retention obligations.
 

Use of third-party technologies

To enhance our services, analyze user behavior, and for marketing purposes, we use the following tools:

Analytics tools

Google Analytics
Google Analytics is used to analyze how visitors interact with our website. The collected data helps us understand usage patterns and improve user experience. Legal basis: your consent (Art. 6(1)(a) GDPR). Data may be transferred to Google LLC in the United States. Since Google LLC is certified under the EU-U.S. Data Privacy Framework, such data transfers are legally compliant. For more information and opt-out options, please refer to Google's Privacy Policy.

Google Tag Manager
Google Tag Manager is used to manage tags and scripts on our website. It does not store personal data directly but facilitates the integration of analytics tools such as Google Analytics. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Data may be transferred to Google LLC. Further information is available in Google's Privacy Policy.

Fathom
Fathom is used to analyze user behavior on our website. Data is collected in an anonymized manner and helps us improve performance. Legal basis: our legitimate interest (Art. 6(1)(f) GDPR). Fathom does not transfer data to third countries. For more details, see Fathom's Privacy Policy.

Mixpanel
Mixpanel enables us to track user behavior and optimize the user experience. Data is processed in anonymized form. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Data may be transferred to Mixpanel, Inc. in the U.S. More information is available in Mixpanel's Privacy Policy.

Hotjar
Hotjar is used to analyze user behavior on our website, particularly clicks, mouse movements, and scrolling. This helps us improve usability. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Data may be transferred to Hotjar Ltd. in Malta. See Hotjar's Privacy Policy for more information:

Google Search Console
Google Search Console helps us monitor the visibility of our website in Google search results. No personal data is collected, but data on search queries and technical aspects is gathered. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). More info in Google's Privacy Policy.

Sistrix
Sistrix is used to analyze search engine rankings and SEO metrics. Sistrix collects anonymized data to improve our online visibility. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Data may be transferred to Sistrix GmbH in Germany. See Sistrix's Privacy Policy for details.

Marketing and tracking tools:

Google Ads
We use Google Ads to target our products and services to relevant users. Cookies are used to analyze user behavior and display targeted ads. Legal basis: consent (Art. 6(1)(a) GDPR). Data may be transferred to Google LLC in the U.S. More info in Google's Privacy Policy.

Google Click Identifier (GCLID)
The Google Click Identifier is used to measure the effectiveness of our Google Ads. It’s an anonymous ID captured when clicking on an ad. Legal basis: consent (Art. 6(1)(a) GDPR). Data may be transferred to Google LLC in the U.S. See Google's Privacy Policy for more.

DoubleClick by Google / Google Marketing Platform
DoubleClick is an online marketing tool from Google Ireland Limited. It uses cookies to display relevant ads, improve campaign reporting, or avoid repeated ad impressions.
When visiting our site, DoubleClick may recognize ads you have interacted with and link them to your Google profile (if logged in). Data may be transferred to third countries, including the U.S. Details in Google's Privacy Policy.

Meta (Facebook Pixel)
The Facebook Pixel allows us to measure ad effectiveness on Facebook and target relevant audiences. It collects behavioral data on our website for marketing purposes. Legal basis: consent (Art. 6(1)(a) GDPR). Data may be transferred to Meta Platforms, Inc. More info in Meta's Privacy Policy.

LinkedIn Insight Tag
The LinkedIn Insight Tag helps us measure the performance of LinkedIn ads. Anonymized data on visits and interactions is collected. Legal basis: consent (Art. 6(1)(a) GDPR). Data may be transferred to LinkedIn Corporation. See LinkedIn's Privacy Policy for details.

Optibase (A/B-Testing)
We use Optibase for A/B testing to improve our website and evaluate user interactions. It displays different content versions randomly and analyzes their performance anonymously. Cookies may be used.
No personal data such as IP addresses is stored permanently or merged with other data.

UX & product usage

Product Fruits
Product Fruits is used to analyze and understand user behavior within our products and services. The collected data helps us improve the user experience and product development. No personal data is processed without your consent. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). See Product Fruits' Privacy Policy for more.

Make (automations)
ake is used to automate workflows and integrate processes across different tools. Data is processed between applications to enhance automation efficiency. Make does not process sensitive personal data unless explicitly required for the process. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). More details in Make's Privacy Policy.

Apideck (API-Hub)
Apideck is used to integrate various APIs and ensure efficient data processing across platforms. It manages and automates API integrations. Data processed by Apideck primarily involves internal system communication and API calls. Personal data is processed only when necessary for service provision. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). See Apideck's Privacy Policy.

Other tools

Mailgun
Mailgun is used to send emails. Email metadata (e.g., open and click rates) may be collected. Legal basis: consent (Art. 6(1)(a) GDPR) or legitimate interest (Art. 6(1)(f) GDPR). See Mailgun's Privacy Policy for more.

Cleverreach
CleverReach is used for sending newsletters and marketing emails. Email addresses and interaction data are processed. Legal basis: consent (Art. 6(1)(a) GDPR). More information in CleverReach's Privacy Policy.

Cookiebot
Cookiebot manages user consent for cookies on our website, helping us comply with the GDPR and the ePrivacy Directive. Legal basis: consent (Art. 6(1)(a) GDPR). For more, see Cookiebot's Privacy Policy.

Userlike
Userlike enables live chat communication with visitors on our site. Personal data such as name and email address may be processed. Legal basis: consent (Art. 6(1)(a) GDPR). More information in Userlike's Privacy Policy.

Social Media  

We maintain online presences on the following platforms:

• LinkedIn
• Facebook
• YouTube

Purpose:
Our social media presence supports communication with customers and prospects, and represents our brand externally.

Legal basis:
Art. 6(1)(f) GDPR. Our legitimate interest lies in optimizing communication, customer engagement, and visibility on social networks.

Joint responsibility:
In accordance with Art. 26 GDPR, we share joint responsibility with platform operators (e.g., Meta Platforms, LinkedIn Corp., Google LLC) for the processing of personal data related to our social media presence.

Note:
The platform operators are typically responsible for data collected through platform use itself (e.g., post interactions, account creation). See their privacy policies for details:

• Meta Platforms (Facebook)
• LinkedIn
• YouTube (Google)

Objection:
If you have privacy-related questions or requests regarding your personal data, please contact us or the respective platform operator directly.

When you apply for a job

If you apply via our careers page, by email, post, or through our applicant management system Join, we process your personal data for the purpose of managing the application process.

Personal data we process

During the application process, we collect and process the following personal data:

• Name, title, contact details (email address, phone number, mailing address), gender, date and place of birth, marital status, number of children, driver’s license information, disability status.
• Professional Information:
  Resume, reference letters, cover letter, work authorization, previous employment, education history, language skills, relevant qualifications, and similar documents.

This data is necessary to identify suitable candidates, inform you about the outcome of your application, coordinate the process (e.g., invitation to interviews), and - if successful - initiate an employment relationship.

Legal basis for processing
Your personal data is processed in accordance with Section 26 (1) Sentence 1 of the German Federal Data Protection Act (BDSG) and Article 6 (1)(b) of the GDPR (performance of a contract or pre-contractual measures).

Data retention and withdrawal of consent
If your application is not successful, your personal data will be deleted six months after the conclusion of the application process, unless a longer retention period is required (e.g., to defend legal claims). If you have given us your consent to store your data longer, we will retain it for up to 180 days after the process ends.

Should you opt to have your data stored for future job openings, we will keep your information for an additional six months -provided we have your explicit consent.

Tools used
We use the applicant management system Join to manage applications. Join processes your data solely on our behalf and in accordance with applicable data protection laws.

Withdrawal of consent
You may withdraw your consent to the processing of your personal data at any time by withdrawing your application. The withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Userlike (Live Chat)

If you use our live chat service via Userlike, your IP address and your inquiries will be processed. This data is only processed if you voluntarily provide additional information, such as your email address or phone number.

Legal basis:
Art. 6 (1)(f) GDPR (legitimate interest)

Objection:
You can stop the processing at any time by disabling the chat feature or objecting to the data collection.

Participation in our webinars

We use Microsoft Teams to host our webinars. During registration, we collect specific personal data to facilitate your participation.

Data collected:

• Required: Email address
• Optional: First name, last name, company, job title

Purposes of processing:

We collect and process your data for the purpose of organizing and delivering the webinar. This includes:

• Confirming your registration
• Providing logistical information (e.g., schedule changes)
• Sending reminder emails
• Following up with you after the event with webinar-related content (e.g., presentation slides, recordings, additional materials, information, updates or feedback requests)

Legal basis:
Art. 6 (1)(b) GDPR (contract fulfillment or pre-contractual steps) and Art. 6 (1)(f) GDPR (legitimate interest in effective communication)

Tool used:
We use MS Teams to conduct the webinars. Microsoft Teams' Privacy Polocy applies.

Retention period:
Your data is stored only for as long as necessary to deliver and follow up on the respective webinar. Once the webinar and related communications are complete, your personal data will be deleted unless legal retention requirements apply.