Privacy policy

 

 

HvS Consulting GmbH is pleased about your interest in our company and our services/products.

We would like to inform you through the following privacy notice about which personal data is collected, processed, and potentially shared, to what extent and for what purpose, when you visit our website and use the services and offerings accessible through it.

If this website refers to external sites of other providers (links), you will be leaving our online offering by clicking these links. The operators of the linked pages are solely responsible for compliance with data protection regulations on those pages.
 

Data protection principles of HvS Consulting GmbH

Protecting your privacy and the security of all business data is a high priority for us and is integrated into our business processes. Data protection and information security are an integral part of our corporate policy.

We place the highest importance on the protection of your personal data and process it exclusively in accordance with the laws and regulations of the Federal Republic of Germany and applicable European law, in particular the EU General Data Protection Regulation (GDPR). Your personal data will be processed only to the extent and for the purposes described below. This means we only use your personal data when permitted by data protection laws or when you have given us explicit prior consent.

Data security

HvS Consulting GmbH implements technical and organizational security measures to protect the data we manage against manipulation, loss, destruction, unauthorized access, or unauthorized disclosure. In particular, only authorized personnel have access to your personal data, and only to the extent necessary for the purposes mentioned. Our security measures are reviewed regularly and continuously improved in line with technological developments.

Our employees are obligated to maintain confidentiality and receive regular training on data protection and security topics.

HvS Consulting GmbH operates an Information Security Management System (ISMS) and is certified for the TISAX® information security standard. TISAX is based on the international ISO 27001 standard and follows the procedures defined therein. In addition, requirements for implementing data protection according to GDPR are evaluated.

Definitions

The EU General Data Protection Regulation uses specific terms defined in Article 4, such as personal data, processing, pseudonymization, controller, processor, recipient, third party, and consent.

You can learn more about these definitions here.

Name and contact details of the controller

The controller in terms of the GDPR is:

HvS Consulting GmbH 
Parkring 20 
85748 Garching bei München 
Germany 

Phone: +49 89 890 63 62 - 0 (main contact)
Email: welcome@hvs-consulting.de
Website: www.hvs-consulting.de

For all privacy-related questions or to exercise your data subject rights, please contact our privacy team:
Email: datenschutz@hvs-consulting.de

This privacy notice also applies to other domains operated by the controller:

www.hvs-consulting.com
www.is-fox.com
get.is-fox.com

Name and contact details of the data protection officer

The data protection officer of the controller is:

Dr. Eddie Kohfeldt
Phone: +49 8133 9179319
Email: dpo@hvs-consulting.de 

General information on the processing of personal data

Scope of processing

We process personal data in order to provide a website with various content and features, and when it is necessary to offer, provide, and bill for our business services and products.

Purposes of processing

The purposes of processing personal data are based on the business operations of HvS Consulting GmbH and all associated ancillary business activities.

Legal bases for processing

  • We process personal data based on the currently applicable legal frameworks.
  • If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, the legal basis is Article 6 (1) (b) GDPR. This also applies to processing activities required for pre-contractual measures.
  • If the processing is necessary for the purposes of a legitimate interest pursued by our company or a third party, and if this interest is not overridden by the interests, fundamental rights, or freedoms of the data subject, the legal basis is Article 6 (1) (f) GDPR.
  • Where we obtain the consent of the data subject for processing activities, the legal basis is Article 6 (1) (a) GDPR or, in the case of special categories of personal data, Article 9 (2) (a) GDPR.
  • If the processing of personal data is required for compliance with a legal obligation to which our company is subject, Article 6 (1) (c) GDPR serves as the legal basis.
  • In cases where the processing is necessary in order to protect the vital interests of the data subject or another natural person, the legal basis is Article 6 (1) (d) GDPR.
  • If data is transferred to third countries, such transfer takes place either based on an adequacy decision by the European Union (Article 45 GDPR), based on appropriate safeguards (Article 46 GDPR), or in accordance with Article 49 (1) (b) GDPR if required for the performance of a contract.

Legal or contractual requirements for providing personal data

In some cases, providing personal data may be required by law or contract or may be necessary for entering into a contract.

In particular, when concluding contracts, you may be obligated to provide us with personal data. If you do not provide the required personal data, we may be unable to enter into a contract with you.

Disclosure of personal data

We disclose your personal data to third parties only if:

  • it is necessary to fulfill a contractual relationship with you,
  • it is necessary for the purposes of our legitimate interests or those of a third party, unless overridden by your interests or fundamental rights and freedoms,
  • we are legally obligated to do so,
  • it is necessary to enforce our claims and rights,
  • we receive requests from authorities (e.g., regulatory or law enforcement agencies, where disclosure is necessary for public safety or the prosecution of criminal offenses),
  • or you have given your explicit consent.

In all such cases, personal data is only shared to the extent necessary for the specific purpose.

Use of external service providers

We are not experts in everything. That’s why we rely on external service providers to support specific areas of our business operations, such as:

  • data centers and cloud providers to securely operate our services
  • IT developers for the ongoing development of our applications
  • IT service providers for infrastructure maintenance
  • IT service providers for business applications (ERP, CRM, AI systems)
  • service providers for specific web applications
  • agencies and print shops for distributing email or printed materials

We have entered into data processing agreements (DPAs) with these service providers as legally required. These contracts clearly define what the provider is permitted to do with which data. In particular, any further transfer to third parties is contractually prohibited. All service providers are contractually bound to comply with applicable data protection laws.

Data deletion and storage duration

Personal data is deleted or blocked as soon as the purpose for which it was collected no longer applies. In certain cases, data may be stored longer if required by European or national legislation in EU regulations, laws, or other legal provisions to which the controller is subject (e.g., retention requirements), or if you have given your consent.

Deletion or blocking of the data takes place when a legally mandated retention period expires, unless further storage is necessary for another legitimate purpose.

Details on the processing of personal data


Provision of the website and creation of log files

When you visit our website for informational purposes only, without actively providing personal data, access data is automatically stored in so-called server log files. The following information is collected automatically and stored for a limited period:

  • Name of the requested file
  • Date and time of access
  • Amount of data transferred
  • Browser used
  • Operating system used
  • IP address of the requesting computer
  • Requested URL
  • Referrer URL (the URL you visited immediately before)
  • Requesting provider

Purpose of data processing
We process the data listed above for the following purposes:

  • Ensuring a smooth connection to the website
  • Ensuring a convenient use of the website
  • Evaluation of system security and stability
  • Additional administrative purposes

Legal basis
The legal basis for the processing of these personal data is Article 6(1)(f) GDPR. Our legitimate interest lies in the provision and operation of the website as well as ensuring its functionality.

Objection and deletion
The collection of this data for the provision of the website and the storage in log files is absolutely necessary for the operation of the website. Therefore, there is no possibility to object to this processing. The data is automatically deleted after a certain period unless it is required for an ongoing analysis or a legitimate interest.

Hosting
Our website is hosted by 1xINTERNET GmbH, Frankfurt am Main (www.1xinternet.de). The hosting provider supplies the technical infrastructure and processes access data on our behalf to ensure the website’s operational capability. A data processing agreement has been concluded with 1xINTERNET in accordance with Article 28 GDPR.

CMS platforms
Our websites are managed and maintained using the content management systems Drupal and Webflow, which support us in the administration and upkeep of our pages.

Integration of third-party services and external content

YouTube videos

Our website includes embedded videos from the YouTube platform. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When visiting a corresponding page, no connection to YouTube’s servers is initially established, as the videos are protected via a so-called two-click solution (consent request).

Only once you actively consent to the display of the YouTube video will a connection to YouTube be established, and personal data such as your IP address or information about your usage behavior may be transmitted to Google. This may also involve data transfers to the USA.
Your consent is stored via our consent tool. This means the consent prompt will not reappear on future visits unless you delete your cookies or revoke/change your consent via the tool.

Purpose:
User-friendly integration of video content

Legal basis:
Art. 6 (1) lit. a GDPR (Consent)

Recipient:
Google Ireland Ltd. / possibly Google LLC, USA
Click here for YouTube’s privacy policy
You may withdraw your consent at any time via our consent management tool.

ProvenExpert

Our website uses review badges and customer testimonials from the ProvenExpert platform, a service of Expert Systems AG, Quedlinburger Straße 1, 10589 Berlin, Germany. When accessing a page that includes a ProvenExpert badge, a connection to ProvenExpert’s servers is established. This may involve the transmission of technically necessary data such as your IP address, date, and time of access.

If you provide your consent, ProvenExpert may place cookies on your device, which are used for statistical evaluation of user behavior and for displaying personalized content. These cookies are only activated after you have consented via our consent banner (Art. 6 (1) lit. a GDPR, § 25 (1) TTDSG).

We also publish selected customer reviews (anonymized or named), submitted via ProvenExpert, as social proof elements on our website.

Purpose of processing:
Building trust by displaying customer reviews and integrating a review badge.

Legal bases:
Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TTDSG (for optional cookies)
Art. 6 (1) lit. f GDPR (our legitimate interest in transparent communication and trust building)

Recipient of the data:
Expert Systems AG, Quedlinburger Straße 1, 10589 Berlin, Germany

More information:
Click here for ProvenExpert’s privacy policy
 

Use of cookies

To make visiting our websites www.hvs-consulting.de, www.is-fox.de, and www.get-is-fox.de more appealing and to enable certain functions, we use so-called “cookies.” These are small text files that your browser automatically creates and stores on your device when you visit our sites.

Cookies allow us to:

  • Track and store your preferences
  • Identify you individually during a visit to our website
  • Make your user experience more efficient and optimize site functionality

Most of the cookies we use are deleted automatically at the end of your browser session (“session cookies”). Some cookies, however, remain on your device so we can recognize you on your next visit and analyze your usage behavior (“persistent cookies”).

We use the following types of cookies on our websites:

  • Technically necessary cookies (e.g., for storing consents via Cookiebot)
  • Statistical cookies (e.g., Google Analytics, Fathom)
  • Marketing cookies (e.g., LinkedIn Ads, Meta Pixel)

Legal basis:

  • Technically necessary cookies: Art. 6(1)(f) GDPR
  • Statistical and marketing cookies: Art. 6(1)(a) GDPR (consent)

Objection and changing settings:
You can change or revoke your consent to the use of cookies at any time. Cookie settings can be managed via the cookie consent banner on each of our websites. You can adjust or update your preferences during your initial visit or at any later time. The settings are accessible on each relevant page under “Cookie Settings.”

Contact via contact form, email, and telephone

Our website offers several options for quick electronic communication, particularly via our contact form. If you contact us via email or the contact form, the personal data you provide will be stored automatically.

We typically process the following personal data as part of handling your request:

  • First and last name
  • Email address
  • Company/employer
  • Telephone number
  • Content of your inquiry (e.g., issues, questions, specific requirements)
  • IP address (to prevent misuse and improve communication)

We use your personal data solely for processing your specific inquiry. Your data may be stored in a customer relationship management system (CRM) or another organizational tool to streamline communication and processing.

Storage duration:
Your data will be deleted once it is no longer required to fulfill the purpose for which it was collected. This is typically the case when the conversation is concluded or any resulting contract has ended and the data is no longer needed.

Legal basis:

  • Art. 6(1)(b) GDPR: Processing for the performance of pre-contractual measures (e.g., inquiries about offers or services)
  • Art. 6(1)(f) GDPR: Legitimate interest in effective communication and inquiry handling

Objection:
If the processing of your data is based on Art. 6(1)(f) GDPR, you may object at any time. In this case, we will cease processing unless there are compelling legitimate grounds for further processing.

Subscription to our newsletter

If you sign up for our newsletter, we process your personal data to regularly send you information about our products, services, and events.

We use the services of CleverReach and Mailgun to send the newsletter. We have signed data processing agreements with these providers, requiring them to protect your data, process it according to this privacy policy on our behalf, and not disclose it to third parties. Your data is stored on the servers of CleverReach and Mailgun.

To register, you must provide your email address. Optionally, you may also share your name. Registration uses a double opt-in process, which means you will receive a confirmation email after signing up that you must verify. This process is documented, including the registration and confirmation times and your IP address.

Legal basis:
Processing your personal data is based on your consent under Art. 6(1)(a) GDPR.

Withdrawal of consent:
You may withdraw your consent for the newsletter at any time with future effect. Simply use the unsubscribe link included in every newsletter. The withdrawal does not affect the legality of the data processing carried out prior to your withdrawal.

Use of the IS-FOX Awareness Platform

When you use our IS-FOX Awareness Platform, we process personal data to provide access to e-learning content and deliver personalized learning experiences. This includes data about your learning progress and training activities.

Purpose:

  • Providing personalized training content
  • Documenting and tracking learning progress
  • Managing users within the platform

Legal basis:
Art. 6(1)(b) GDPR (contract performance or pre-contractual measures)

Storage duration:
Data is stored as long as the user account is active and no statutory retention obligations prevent deletion.

Creating an account

Access to certain protected areas, such as demo content on our awareness platform, requires creating a user account. We collect basic contact and access information for this purpose.

Purpose:

  • Setting up and managing the user account
  • Controlling access to protected content (e.g., demo videos or trial training)

Legal basis:
Art. 6(1)(b) GDPR (contract performance)

Storage duration:
Data is stored until the user account is deleted or for as long as statutory retention obligations exist.

Use of payment services

For processing paid services on our website, we use the payment provider Stripe. Stripe is an international company that facilitates payment transactions for online services.

Purpose:
The personal data you submit is used by Stripe solely for payment processing. This includes collecting, storing, and sharing payment data such as credit card details, bank account information, or other payment methods you choose.

Legal basis:
Art. 6(1)(b) GDPR: Processing is necessary for the performance of the payment transaction and the contractual relationship.

Recipient:
The data collected during payment processing is transferred to Stripe Inc., located in the United States. Since Stripe operates outside the EU, data is transmitted to third countries, including the USA. However, Stripe is certified under the Privacy Shield framework, meaning it adheres to EU data protection standards.

Data transfer to third countries:
The transfer of data to the USA and other third countries takes place under Art. 44 ff. GDPR, as Stripe provides appropriate safeguards such as EU Commission standard contractual clauses.

Storage duration:
Stripe stores your personal data for the duration of the payment process and any applicable legal retention periods. The data is then deleted unless retention is required by law, such as under tax regulations.

Further information:
For more details about how Stripe processes your personal data and the security measures in place, please refer to Stripe’s Privacy Policy.
 

Processing of business contacts

In the course of our business activities, we process contact data of individuals from companies we work with or contract with.

Purpose:
We process this data for customer relationship management, communication, and contract execution.

Legal basis:

  • Art. 6(1)(b) GDPR (contract performance)
  • Art. 6(1)(f) GDPR (legitimate interest in effective communication)

Tools used:
We use tools such as Weclapp, MS Teams, MS Forms, and Join for management and communication.

Storage duration:
Contact data is stored as long as necessary for the respective purpose. It will be deleted if the purpose ceases or upon request, provided there are no legal retention obligations.
 

Use of third-party technologies

To enhance our services, analyze user behavior, and for marketing purposes, we use the following tools:

Analytics tools

Google Analytics
Google Analytics is used to analyze how visitors interact with our website. The collected data helps us understand usage patterns and improve user experience. Legal basis: your consent (Art. 6(1)(a) GDPR). Data may be transferred to Google LLC in the United States. Since Google LLC is certified under the EU-U.S. Data Privacy Framework, such data transfers are legally compliant. For more information and opt-out options, please refer to Google's Privacy Policy.

Google Tag Manager
Google Tag Manager is used to manage tags and scripts on our website. It does not store personal data directly but facilitates the integration of analytics tools such as Google Analytics. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Data may be transferred to Google LLC. Further information is available in Google's Privacy Policy.

Fathom
Fathom is used to analyze user behavior on our website. Data is collected in an anonymized manner and helps us improve performance. Legal basis: our legitimate interest (Art. 6(1)(f) GDPR). Fathom does not transfer data to third countries. For more details, see Fathom's Privacy Policy.

Mixpanel
Mixpanel enables us to track user behavior and optimize the user experience. Data is processed in anonymized form. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Data may be transferred to Mixpanel, Inc. in the U.S. More information is available in Mixpanel's Privacy Policy.

Hotjar
Hotjar is used to analyze user behavior on our website, particularly clicks, mouse movements, and scrolling. This helps us improve usability. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Data may be transferred to Hotjar Ltd. in Malta. See Hotjar's Privacy Policy for more information.

Google Search Console
Google Search Console helps us monitor the visibility of our website in Google search results. No personal data is collected, but data on search queries and technical aspects is gathered. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). More info in Google's Privacy Policy.

Sistrix
Sistrix is used to analyze search engine rankings and SEO metrics. Sistrix collects anonymized data to improve our online visibility. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Data may be transferred to Sistrix GmbH in Germany. See Sistrix's Privacy Policy for details.

Marketing and tracking tools:

Google Ads
We use Google Ads to target our products and services to relevant users. Cookies are used to analyze user behavior and display targeted ads. Legal basis: consent (Art. 6(1)(a) GDPR). Data may be transferred to Google LLC in the U.S. More info in Google's Privacy Policy.

Google Click Identifier (GCLID)
The Google Click Identifier is used to measure the effectiveness of our Google Ads. It’s an anonymous ID captured when clicking on an ad. Legal basis: consent (Art. 6(1)(a) GDPR). Data may be transferred to Google LLC in the U.S. See Google's Privacy Policy for more.

DoubleClick by Google / Google Marketing Platform
DoubleClick is an online marketing tool from Google Ireland Limited. It uses cookies to display relevant ads, improve campaign reporting, or avoid repeated ad impressions.
When visiting our site, DoubleClick may recognize ads you have interacted with and link them to your Google profile (if logged in). Data may be transferred to third countries, including the U.S. Details in Google's Privacy Policy.

Meta (Facebook Pixel)
The Facebook Pixel allows us to measure ad effectiveness on Facebook and target relevant audiences. It collects behavioral data on our website for marketing purposes. Legal basis: consent (Art. 6(1)(a) GDPR). Data may be transferred to Meta Platforms, Inc. More info in Meta's Privacy Policy.

LinkedIn Insight Tag
The LinkedIn Insight Tag helps us measure the performance of LinkedIn ads. Anonymized data on visits and interactions is collected. Legal basis: consent (Art. 6(1)(a) GDPR). Data may be transferred to LinkedIn Corporation. See LinkedIn's Privacy Policy for details.

Optibase (A/B-Testing)
We use Optibase for A/B testing to improve our website and evaluate user interactions. It displays different content versions randomly and analyzes their performance anonymously. Cookies may be used.
No personal data such as IP addresses is stored permanently or merged with other data.

UX & product usage

Product Fruits
Product Fruits is used to analyze and understand user behavior within our products and services. The collected data helps us improve the user experience and product development. No personal data is processed without your consent. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). See Product Fruits' Privacy Policy for more.

Make (automations)
Make is used to automate workflows and integrate processes across different tools. Data is processed between applications to enhance automation efficiency. Make does not process sensitive personal data unless explicitly required for the process. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). More details in Make's Privacy Policy.

Apideck (API-Hub)
Apideck is used to integrate various APIs and ensure efficient data processing across platforms. It manages and automates API integrations. Data processed by Apideck primarily involves internal system communication and API calls. Personal data is processed only when necessary for service provision. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). See Apideck's Privacy Policy.

Other tools

Mailgun
Mailgun is used to send emails. Email metadata (e.g., open and click rates) may be collected. Legal basis: consent (Art. 6(1)(a) GDPR) or legitimate interest (Art. 6(1)(f) GDPR). See Mailgun's Privacy Policy for more.

CleverReach
CleverReach is used for sending newsletters and marketing emails. Email addresses and interaction data are processed. Legal basis: consent (Art. 6(1)(a) GDPR). More information in CleverReach's Privacy Policy.

Cookiebot
Cookiebot manages user consent for cookies on our website, helping us comply with the GDPR and the ePrivacy Directive. Legal basis: consent (Art. 6(1)(a) GDPR). For more, see Cookiebot's Privacy Policy.

Userlike
Userlike enables live chat communication with visitors on our site. Personal data such as name and email address may be processed. Legal basis: consent (Art. 6(1)(a) GDPR). More information in Userlike's Privacy Policy.

Social Media  

We maintain online presences on the following platforms:

  • LinkedIn
  • Facebook
  • YouTube

Purpose:
Our social media presence supports communication with customers and prospects, and represents our brand externally.

Legal basis:
Art. 6(1)(f) GDPR. Our legitimate interest lies in optimizing communication, customer engagement, and visibility on social networks.

Joint responsibility:
In accordance with Art. 26 GDPR, we share joint responsibility with platform operators (e.g., Meta Platforms, LinkedIn Corp., Google LLC) for the processing of personal data related to our social media presence.

Note:
The platform operators are typically responsible for data collected through platform use itself (e.g., post interactions, account creation). See their privacy policies for details:

Objection:
If you have privacy-related questions or requests regarding your personal data, please contact us or the respective platform operator directly.

When you apply for a job

If you apply via our careers page, by email, post, or through our applicant management system Join, we process your personal data for the purpose of managing the application process.

Personal data we process

During the application process, we collect and process the following personal data:

  • Name, title, contact details (email address, phone number, mailing address), gender, date and place of birth, marital status, number of children, driver’s license information, disability status.
  • Professional Information:
    Resume, reference letters, cover letter, work authorization, previous employment, education history, language skills, relevant qualifications, and similar documents.

This data is necessary to identify suitable candidates, inform you about the outcome of your application, coordinate the process (e.g., invitation to interviews), and - if successful - initiate an employment relationship.

Legal basis for processing
Your personal data is processed in accordance with Section 26 (1) Sentence 1 of the German Federal Data Protection Act (BDSG) and Article 6 (1)(b) of the GDPR (performance of a contract or pre-contractual measures).

Data retention and withdrawal of consent
If your application is not successful, your personal data will be deleted six months after the conclusion of the application process, unless a longer retention period is required (e.g., to defend legal claims). If you have given us your consent to store your data longer, we will retain it for up to 180 days after the process ends.

Should you opt to have your data stored for future job openings, we will keep your information for an additional six months, provided we have your explicit consent.

Tools used
We use the applicant management system Join to manage applications. Join processes your data solely on our behalf and in accordance with applicable data protection laws.

Withdrawal of consent
You may withdraw your consent to the processing of your personal data at any time by withdrawing your application. The withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Userlike (Live Chat)

If you use our live chat service via Userlike, your IP address and your inquiries will be processed. This data is only processed if you voluntarily provide additional information, such as your email address or phone number.

Legal basis:
Art. 6 (1)(f) GDPR (legitimate interest)

Objection:
You can stop the processing at any time by disabling the chat feature or objecting to the data collection.

Participation in our webinars

We use Microsoft Teams to host our webinars. During registration, we collect specific personal data to facilitate your participation.

Data collected:

  • Required: Email address
  • Optional: First name, last name, company, job title

Purposes of processing:

We collect and process your data for the purpose of organizing and delivering the webinar. This includes:

  • Confirming your registration
  • Providing logistical information (e.g., schedule changes)
  • Sending reminder emails
  • Following up with you after the event with webinar-related content (e.g., presentation slides, recordings, additional materials, information, updates or feedback requests)

Legal basis:
Art. 6 (1)(b) GDPR (contract fulfillment or pre-contractual steps) and Art. 6 (1)(f) GDPR (legitimate interest in effective communication)

Tool used:
We use MS Teams to conduct the webinars. Microsoft Teams' Privacy Policy applies.

Retention period:
Your data is stored only for as long as necessary to deliver and follow up on the respective webinar. Once the webinar and related communications are complete, your personal data will be deleted unless legal retention requirements apply.

Your rights as a data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

Right of access
You may request confirmation as to whether personal data concerning you is being processed and, if so, receive access to that data.

Right to rectification
You have the right to request the correction and/or completion of personal data concerning you if it is incorrect or incomplete.

Right to erasure ("right to be forgotten")
You may request the immediate deletion of your personal data, and the controller is obligated to delete such data without undue delay, provided certain grounds apply.

Right to restriction of processing
Under certain conditions, you may request the restriction of processing of your personal data (e.g., blocking usage or temporarily removing data from a website if it was published there).

Right to notification
If you have asserted your right to rectification, erasure, or restriction of processing, the controller is obliged to inform all recipients to whom your personal data was disclosed of this rectification or deletion of the data or restriction of processing.

Right to data portability
You have the right to receive the personal data you have provided to the controller in a structured, commonly used, and machine-readable format. You also have the right to have this data transmitted directly to another controller, where technically feasible and provided that this does not adversely affect the rights and freedoms of others.

Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data which is based on Article 6(1)(e) or (f) GDPR.
→ This includes, in particular, the right to object to direct marketing.

Right to withdraw consent
You have the right to withdraw your consent to the processing of personal data at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Right not to be subject to automated decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing - including profiling - that produces legal effects concerning you or similarly significantly affects you.

Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority.

How to exercise your rights
You can exercise your rights by contacting us via email at datenschutz@hvs-consulting.de or by mail to the controller’s postal address.

If necessary, we may request additional information to verify your identity, such as a copy of an ID document.

Your requests will be processed promptly, typically within one month of receipt. If circumstances require, the response period may be extended by up to two additional months.

Changes to this privacy notice

We reserve the right to update this privacy notice in line with new services or legal changes, to ensure it always reflects the current legal requirements. The version valid at the time of your next visit to our website will apply.

Munich, May 2025