Data Protection

Privacy Policy – Candis GmbH

1. General Information
We are pleased that you are visiting our website, Candis.io. The protection and security of our customers’ and users’ data are important to us. We have therefore designed our website and business processes to collect and process as little personal data as possible. The following privacy policy explains what information we collect during your visit to our website and, where applicable, which parts of this information are used and how. Below, you can find detailed information on how we handle your personal data.

Candis takes the protection of your personal data very seriously and strictly adheres to the data protection laws of the Federal Republic of Germany, the Telecommunications and Digital Services Data Protection Act (TDDDG), and the data protection regulations of the European Union. Candis requires its employees to comply with the data protection requirements of the GDPR.

The following statement also provides an overview of how Candis ensures this protection and what types of data are collected and for what purposes.

For all questions regarding data protection, please contact us at the following email address: datenschutz@candis.io

2. Collection of Server Log Data and Hosting
We process so-called access data (in particular your IP address) on our website for statistical analysis for the purposes of operation, security, and technical optimization of our website. This allows us to present our website to you more effectively and identify errors. We collect access data when you visit our website and store it in a log file:

· Name of the webpage accessed,
· Date and time of the request,
· The amount of data transferred / notification of a successful request,
· Browser type and version,
· Operating system,
· Referrer URL,
· Requesting provider / your IP address

We cannot identify you from this data. Log data is deleted regularly and promptly, but no later than 90 days after collection. The legal basis for this data processing is our legitimate interest pursuant to Article 6(1)(f) of the GDPR.

Our website is hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA (“Vercel”). The website is served via servers located in the Frankfurt am Main region (Germany). Vercel processes the aforementioned access data on our behalf based on a data processing agreement between us and Vercel. This agreement ensures that data processing on our behalf is carried out in accordance with the General Data Protection Regulation, guaranteeing the protection of the rights of data subjects. To the extent that personal data is transferred to the United States in this context: Vercel has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants as well as in Vercel’s privacy policy: https://vercel.com/legal/privacy-policy.

3. Processing and Use
Unless otherwise expressly specified in this Privacy Policy, Candis collects, processes, and uses personal data exclusively for the purpose of fulfilling the contractual relationship pursuant to Article 6(1)(b) of the GDPR and to improve the user experience in accordance with Article 6(1)(a) of the GDPR and Article 6(1)(f) GDPR, i.e., for

● creating an account
● verifying the customer’s identity
● processing payments
● suggesting personalized improvements that are helpful to the customer

Personal data is transferred to third parties if, pursuant to Article 6(1), first sentence, letter a) of the GDPR, the data subject has expressly consented to such transfer; if there is a legal obligation to transfer the data pursuant to Article 6(1), first sentence, letter c) of the GDPR; and/or if it is necessary, pursuant to Article 6(1), first sentence, letter b) of the GDPR, for the performance of a contractual relationship with the data subject.

In other cases, personal data is not disclosed to third parties.

4. Use of Cookies
We use so-called “cookies” on our website. Cookies are small text files used by websites to simplify and speed up your visit to our website or that are necessary to enable you to use and access secure areas of the website.

Depending on where a cookie originates, a distinction is made between so-called first-party cookies and third-party cookies:

First-Party Cookies

Cookies that are generated and stored locally by the website operator—as the data controller—or by a data processor commissioned by the operator. Only the operator has subsequent access to these cookies.

Third-Party Cookies

Cookies that are generated, set, and accessed by third-party providers who are not acting as data processors on behalf of the website operator.

Depending on their duration, cookies can also be categorized as transient or persistent:

Transient Cookies

Cookies that are automatically deleted when you close your browser. These include, in particular, session cookies.

Persistent Cookies

Cookies that remain stored on your device for a specified period of time after you close your browser.

Depending on their nature and purpose, the use of certain cookies may require the user’s consent (Section 25 TDDDG). If consent is required, we will only use these cookies if you have given your consent in advance. When you visit our website, we display a “cookie banner” where you can grant or deny your consent for individual categories (statistics, marketing). You can change your selection at any time using the “Cookie Consent” feature in the website’s footer.

Strictly necessary cookies cannot be disabled via this website’s cookie banner. However, you can manage and disable these cookies at any time in your browser settings.

This site uses the following cookies:

Technically Necessary Cookies

These cookies are necessary for the operation of the website and are set without your consent.

Name

Provider

Purpose

Expiration

Type

cookies_settingsCandisSaves your selection made in the cookie banner.13 monthsHTTP cookie


Statistics Cookies

These cookies are set only with your consent and help us understand how visitors interact with the website.

Name

Provider

Purpose

Expiration

Type

_gaGoogle (Analytics 4)Registers a unique ID to generate statistical data about website usage.13 monthsHTTP cookie
_ga_MZC7RX36FFGoogle (Analytics 4)Stores the session state for Google Analytics 4.13 monthsHTTP cookie
FPIDGoogle (Server-Side Tag Manager)First-party visitor ID for server-side tagging; replaces the client ID of the _ga cookie.13 monthsHTTP cookie
FPLCGoogle (Server-Side Tag Manager)First-party counterpart to the _ga linking cookie for cross-domain measurement.20 hoursHTTP cookie
_clckMicrosoft ClarityStores a unique user ID for heatmaps and session recordings.12 monthsHTTP cookie
_clskMicrosoft ClarityLinks a user’s multiple page views into a single session recording.1 dayHTTP cookie
_vwo_uuid, _vwo_uuid_v2VWOUnique visitor ID to ensure you consistently see the same variant during A/B tests.12 monthsHTTP cookie
_vwo_dsVWOStores session data for VWO tests.90 daysHTTP cookie
_vwo_snVWOSession counter for VWO tests.30 minutesHTTP cookie
_vis_opt_sVWOTracks the number of visits during tests.100 daysHTTP cookie
_vis_opt_test_cookieVWOChecks whether the browser supports cookies.SessionHTTP cookie
ajs_anonymous_idSegmentPseudonymous random ID for tracking page views. Used only as a session cookie without consent for statistics; persistent with consent.Session / up to 13 monthsHTTP cookie
ajs_user_idSegmentPseudonymous user ID (hash value), set only when data is actively entered (e.g., via a form).Up to 13 monthsHTTP cookie


Marketing Cookies

These cookies are set only with your consent and are used to display more relevant ads and measure their effectiveness.

Name

Provider

Purpose

Expiration

Type

_fbpMeta (Facebook)Browser ID of the Meta pixel for recognition for advertising purposes.90 daysHTTP cookie
_gcl_auGoogle AdsConversion Linker: stores click information from Google ads for conversion tracking.90 daysHTTP cookie
FPAUGoogle Ads (Server-Side Tag Manager)First-party counterpart to _gcl_au for server-side tagging.90 daysHTTP cookie
_uetsidMicrosoft Advertising (Bing)Session ID of the UET tag for conversion tracking.1 dayHTTP cookie
_uetvidMicrosoft Advertising (Bing)Visitor ID of the UET tag for conversion tracking.13 monthsHTTP cookie
intercom-id-ay7crn72IntercomAnonymous visitor ID for the chat messenger.9 monthsHTTP cookie
intercom-device-id-ay7crn72IntercomDevice ID used to identify the chat user.9 monthsHTTP cookie
intercom-session-ay7crn72IntercomSession cookie for the chat messenger.7 daysHTTP cookie
gclid, gbraid, wbraid, msclkid, campaignCandis (First-Party)Stores click or campaign IDs from advertisements (Google/Microsoft) when you arrive at our site via an ad, so that these can be associated with your request when you submit a form. Without marketing consent, these are stored only for the duration of the session; data is transmitted to the advertising networks only with your consent.Session / 13 months with consentHTTP cookie
__Secure-ENID, AEC, SOCS, DVGoogle (google.com)Third-party cookies from Google that are set in connection with embedded Google services (specifically YouTube videos; see Section 7.4).Up to 13 monthsHTTP cookie

We process the data collected through the use of cookies requiring consent on the basis of Article 6(1)(a) of the GDPR.

5. Statistical Analysis, Tracking, and Services Used
We use the following services on our website to measure and analyze our website, optimize our content, and provide key functions (e.g., appointment booking, chat, search). Unless otherwise specified, the legal basis is the consent you have provided (Art. 6(1)(a) GDPR), which you may revoke at any time with future effect via the “Cookie Consent” feature in the footer.

5.1 Google Tag Manager
We use Google Tag Manager from Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Tag Manager is a tool that allows us to centrally manage and deploy website tags (e.g., for the services described in sections 5.2 et seq.). Tag Manager itself does not set any of its own tracking cookies; however, it triggers the integrated tags only in accordance with the selection you made in the cookie banner (so-called “Consent Mode”). We handle parts of the tagging on the server side via our own subdomain (“server-side tagging”); in this process, first-party cookies (FPID, FPLC, FPAU, see Section 4) are set on our domain instead of third-party cookies being set directly.

The legal basis for using the Tag Manager as such is our legitimate interest in the technical administration of our website services (Art. 6(1)(f) GDPR); the services triggered via the Tag Manager are executed solely on the basis of your consent (Art. 6(1)(a) GDPR).

Google processes the data on our behalf based on a data processing agreement. Google has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants.

5.2 Google Analytics 4
We use Google Analytics 4, a web analytics service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics uses cookies (see Section 4) that enable an analysis of website usage. Google Analytics 4 does not store or log users’ IP addresses; the IP address is used only at the time of collection to determine an approximate location (region) and is subsequently discarded. Data is collected only if you have consented to the “Statistics” category in the cookie banner.

Google will use this information on our behalf to evaluate how users use our online service, to compile reports on activity within this online service, and to provide us with other services related to the use of this online service and internet usage. In doing so, pseudonymous user profiles may be created from the processed data.

The legal basis is your consent, Article 6(1)(a) of the GDPR. You may revoke your consent at any time with future effect using the “Cookie Consent” feature in the footer.

Google processes the data on our behalf based on a data processing agreement. Google has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants. For more information on Google’s use of data, visit https://policies.google.com/technologies/partner-sites.

5.3 Google Ads & Google Remarketing
We use Google Ads & Google Remarketing, an advertising service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
Google Ads & Google Remarketing enable us to display ads in the Google search engine or on third-party websites when a user enters specific search terms into Google (keyword targeting). Furthermore, targeted ads can be displayed based on user data available to Google (e.g., location data and interests) (audience targeting). As the website operator, we can evaluate this data quantitatively by, for example, analyzing which search terms led to the display of our ads and how many ads resulted in corresponding clicks.

The following data may be processed by or through the use of this service:

  • Your web request

  • the IP address

  • the browser type

  • the browser language

  • the date and time of your request

  • one or more cookies that may uniquely identify your browser (see Section 4: _gcl_au, FPAU, gclid)

Use of this service is based on your consent pursuant to Article 6(1)(a) of the GDPR in conjunction with Section 25(1) of the TDDDG. You may revoke your consent at any time with future effect using the “Cookie Consent” feature in the footer.

Google processes the data on our behalf based on a data processing agreement. Google has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants. For more information on Google’s use of data, as well as options for settings and opting out, please see Google’s Privacy Policy (https://policies.google.com/technologies/ads) and the settings for Google’s ad display (https://adssettings.google.com/authenticated).

5.4 Microsoft Advertising (Bing Ads)
We use technologies from “Microsoft Advertising” (formerly Bing Ads) on our website, a service provided by Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”).

Microsoft Advertising collects and stores data used to create usage profiles using pseudonyms. The so-called UET tag (Universal Event Tracking) enables us to track user activity on our website, provided that users have arrived at our website via Microsoft Advertising ads. For this purpose, the cookies _uetsid and _uetvid are set (see Section 4). We only receive the total number of users who clicked on an ad and were then redirected to a predetermined landing page (known as a “conversion page”). In addition, Microsoft may, under certain circumstances, track your usage behavior across multiple devices using “cross-device tracking” and set additional cookies on its own domains.

The legal basis is your consent, Article 6(1)(a) of the GDPR. You may revoke your consent at any time with future effect using the “Cookie Consent” feature in the footer.

Microsoft processes the data on our behalf based on a data processing agreement. Microsoft has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants. For further details, visit: https://about.ads.microsoft.com/de-de/ressourcen/richtlinien/datenschutz.

5.5 Meta Pixel (Facebook)
We use the “Meta Pixel” from Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta”) on our website. The pixel is loaded only if you have consented to the “Marketing” category in the cookie banner.

With the help of the Meta Pixel, we can measure the effectiveness of our ads on Facebook and Instagram (conversion tracking) and display interest-based ads to visitors to our website on those platforms (remarketing / Custom Audiences). To do this, a connection to Meta’s servers is established when you visit our website, and the _fbp cookie is set (see Section 4). This provides Meta with the information that you have visited our site using your IP address and may allow Meta to associate the visit with your Facebook/Instagram account. Please note that, as the provider of these pages, we have no knowledge of the content of the transmitted data or its further use by Meta.

The legal basis is your consent, Article 6(1)(a) of the GDPR. You may revoke your consent at any time with future effect using the “Cookie Consent” feature in the footer.

Meta has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants. Information on ad preferences and Meta’s data use policies is available at the following link: https://www.facebook.com/about/privacy.

5.6 Microsoft Clarity
We use “Microsoft Clarity” on our website, a service provided by Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”).

Clarity creates anonymized heatmaps and session recordings (e.g., mouse movements, clicks, scrolling behavior) to understand how visitors use our website and to identify usability issues. Input in form fields is masked during this process. The cookies _clck and _clsk are set for this purpose (see Section 4). The service is loaded only if you have given your consent in the cookie banner.

The legal basis is your consent, Art. 6(1)(a) GDPR. You can revoke your consent at any time with future effect via the “Cookie Consent” feature in the footer.

Microsoft processes the data on our behalf based on a data processing agreement. Microsoft has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants and at https://privacy.microsoft.com/de-de/privacystatement.

5.7 VWO
We use the “VWO” software on our website, a service provided by Wingify Software Pvt. Ltd., headquartered in New Delhi, India (“Wingify”). Wingify’s representative in the European Union pursuant to Article 27 of the GDPR is Rickert Rechtsanwaltsgesellschaft mbH, c/o Wingify Software Pvt. Ltd., Colmantstraße 15, 53115 Bonn, Germany.

We use VWO to create different versions of a page (A/B testing) and to direct users to different variants for testing purposes. By statistically analyzing user behavior, we can improve our offering and make it more interesting for you as a user.

VWO only becomes active once you have consented to the “Statistics” category in the cookie banner; only then are the VWO cookies listed in Section 4 set and test data collected. Without your consent, you will always see the standard version of our website, and no VWO cookies will be stored. We have also configured VWO so that visitors’ IP addresses are not stored and no location information is collected.

The legal basis is your consent, Article 6(1)(a) of the GDPR. You can revoke your consent at any time with future effect via the “Cookie Consent” feature in the footer.

VWO processes the data on our behalf based on a data processing agreement between us and VWO. The data is stored on servers in the United States. Wingify has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants and on VWO’s help page: https://vwo.com/de/compliance/gdpr/.

5.8 Segment
On our website, we use “Segment,” a service provided by Segment.io, Inc., 100 California Street, San Francisco, CA 94111, USA, a subsidiary of Twilio Inc. (“Segment”).

Segment is a customer data platform through which we aggregate usage events on our website (e.g., page views, form submissions) and forward them to our internal systems. The transmission takes place on the server side via our own infrastructure.

The scope of processing depends on your consent:

  • Without your consent, we process only pseudonymous data: a randomly generated identifier (stored only for the duration of the browser session), the page accessed, the referrer URL, language setting, and browser type (user agent). IP addresses and ad click IDs are not processed in this context. The legal basis is our legitimate interest in analyzing website reach and improving our website (Art. 6(1)(f) GDPR).

  • If you consent to statistics cookies, we also process your IP address and a persistent pseudonymous identifier (see Section 4, ajs_anonymous_id).

  • If you consent to marketing cookies, we also process ad click IDs (e.g., gclid, msclkid) to measure the effectiveness of our advertisements.

The legal basis for consent-based processing is Article 6(1)(a) of the GDPR; you may revoke your consent at any time with future effect via the “Cookie Consent” feature in the footer.

If you actively submit a form on our website, we process the data provided there (e.g., email address) together with the information described above (including any advertising click IDs present in your session) to process and assign your request (Article 6(1)(b) of the GDPR).

Segment processes the data on our behalf based on a data processing agreement. Segment/Twilio has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants and at https://segment.com/docs/legal/privacy/.

5.9 Intercom (Chat)
We use “Intercom,” a service provided by Intercom, Inc., 55 Second Street, Suite 400, San Francisco, CA 94105, USA (“Intercom”), on our website for our chat function. The data of our website visitors is processed in Intercom’s EU hosting region.

The chat messenger is not loaded until you have consented to the “Marketing” category in the cookie banner or actively click the chat button, thereby agreeing to the loading of the service. Before it loads, you will only see a placeholder button provided by us, with no data transmitted to Intercom. When you use the chat, Intercom processes the content you provide in the chat as well as technical data (cookies, see Section 4).

The legal basis is your consent, Article 6(1)(a) of the GDPR. You may revoke your consent at any time with future effect via the “Cookie Consent” feature in the footer.

Intercom processes the data on our behalf based on a data processing agreement. Intercom has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants and at https://www.intercom.com/legal/terms-and-policies.

5.10 Demodesk (Appointment Scheduling)
To schedule product demos and consulting appointments, we use “Demodesk,” a service provided by Demodesk GmbH, Isartorplatz 8, 80331 Munich, Germany.

When you request an appointment via a form on our website, a Demodesk booking window (embedded as an iFrame) opens. This establishes a connection to Demodesk’s servers. During the booking process, Demodesk processes the data you provide (e.g., name, email address, company information, selected appointment) as well as technical access data. The integration only takes place through your active action (submitting the form or opening the booking dialog).

The legal basis is the implementation of pre-contractual measures in response to your request (Art. 6(1)(b) GDPR) as well as, in other respects, your consent (Art. 6(1)(a) GDPR).

Demodesk processes the data on our behalf based on a data processing agreement. For more information, please see Demodesk’s Privacy Policy: https://demodesk.com/legal/privacy-policy.

5.11 zeig (Digital Sales Rooms)
We use “zeig,” a service provided by Alexandi Software Solutions, owned by Emin Alexandi, Rigaer Str. 37d, 10247 Berlin, Germany, to provide customized digital sales rooms (“deal rooms”) for prospective clients and customers, thereby offering them a better user experience.

When using a deal room, the following data may be transmitted to zeig:

  • IP address

  • Browser, device, and location information

  • Pages viewed, content viewed, and duration

  • Referrer URL

  • Email address (if provided by you)

You can only access a deal room by clicking on a link that has been created specifically for you. The legal basis for this is your consent (Art. 6(1)(a) GDPR) or the implementation of pre-contractual measures (Art. 6(1)(b) GDPR).

zeig processes the data on our behalf based on a data processing agreement. For more information, please see zeig’s privacy policy: https://zeig.app/de/privacy.

5.12 Zapier and Salesforce (Processing of Form Data)
When you submit a form on our website (e.g., demo request, contact form, newsletter sign-up, price calculator), we transmit the data you provide (e.g., name, email address, company information, your selections in the form), as well as technical metadata (e.g., IP address, browser information, page accessed), via the automation service “Zapier” provided by Zapier, Inc., 548 Market St. #62411, San Francisco, CA 94104, USA, to our CRM system Salesforce (Salesforce, Inc., Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA) in order to process your inquiry and contact you. If you have consented to marketing cookies, campaign information (e.g., which ad led you to our site) may also be transmitted.

The legal basis is the implementation of pre-contractual measures in response to your inquiry (Art. 6(1)(b) GDPR) and, with regard to the campaign information, your consent (Art. 6(1)(a) GDPR).

We have entered into a data processing agreement with both Zapier and Salesforce. Both providers have submitted to the EU-U.S. Data Privacy Framework and have been certified. Further information can be found in the list of Data Privacy Framework participants as well as at https://zapier.com/privacy and https://www.salesforce.com/company/legal/privacy/.

5.13 Api2Pdf (PDF Creation)
When you request a customized price overview as a PDF on our website, we use “Api2Pdf,” a service provided by API2PDF, Inc., 4401 Fairfax Drive STE 200, Arlington, VA 22203, USA, to generate the PDF document. No personal information about you is transmitted to Api2Pdf; the service merely renders our price overview page—including your (non-personal) package selection—into a PDF document. When you download the finished document, your browser retrieves the file from Api2Pdf’s servers; for technical reasons, this generates access data (in particular, your IP address).

The legal basis is the performance of pre-contractual measures at your request (Art. 6(1)(b) GDPR) or our legitimate interest in efficient document generation (Art. 6(1)(f) GDPR). Further information: https://www.api2pdf.com/privacy-policy/.

5.14 Cloudflare Turnstile (Protection Against Abuse)
On certain pages, we embed an application operated by Candis via an iFrame that uses the “Turnstile” service provided by Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA (“Cloudflare”) to protect against abusive automated access (bots). Turnstile uses technical characteristics (including IP address, browser information, and interaction behavior) to determine whether a request originates from a human or a machine. In doing so, Cloudflare may set technically necessary cookies within the embedded application.

The legal basis for this is our legitimate interest in the security of our website and protection against misuse (Art. 6(1)(f) GDPR); the storage or retrieval of information on the end device is absolutely necessary for this purpose (Section 25(2)(2) TDDDG). Cloudflare has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants and at https://www.cloudflare.com/privacypolicy/.

5.15 Algolia (Website Search)
We use “Algolia,” a service provided by Algolia SAS, 55 Rue d’Amsterdam, 75008 Paris, France, for the search function on our website.

When you use the search function, your search queries and technical access data (including your IP address) are transmitted to Algolia’s servers to display search results to you. Algolia does not set any cookies.

The legal basis is our legitimate interest in providing a functional and fast website search (Art. 6(1)(f) GDPR). Algolia processes the data on our behalf based on a data processing agreement. To the extent that data is transferred to countries without an adequacy decision, this is done on the basis of standard contractual clauses pursuant to Article 46(2)© of the GDPR. Further information: https://www.algolia.com/policies/privacy/.

5.16 Sentry (Error Monitoring)
To monitor the technical stability of our website, we use “Sentry,” a service provided by Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA.

If a technical error occurs while visiting our website, information about the error (error message, affected page, browser type and version, operating system, and, if applicable, the IP address) is transmitted to Sentry so that we can investigate and resolve the error. The data is not used for advertising or profiling purposes.

The legal basis is our legitimate interest in ensuring the error-free and secure operation of our website (Art. 6(1)(f) of the GDPR). Sentry processes the data on our behalf based on a data processing agreement. Sentry has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants and at https://sentry.io/privacy/.

5.17 Contentful (Content Management)
We manage the content of our website (text, images, video thumbnails) using “Contentful,” a service provided by Contentful GmbH, Max-Urich-Straße 3, 13355 Berlin, Germany.

When you visit our website, images and other media content are loaded directly from Contentful’s content delivery network (images.ctfassets.net). For technical reasons, your IP address is transmitted to Contentful in order to deliver the content.

The legal basis for this is our legitimate interest in the efficient and secure provision of our website content (Art. 6(1)(f) GDPR). Contentful processes the data on our behalf based on a data processing agreement. Further information: https://www.contentful.com/legal/de/privacy/.

6. Research / Surveys & Interviews

The following section applies to you only if you participate in our research program. We are constantly working to improve Candis and rely on feedback to do so. For this reason, we conduct user interviews, surveys, and other measures to obtain feedback that we can evaluate. In the following paragraphs, we’d like to explain which tools we use for this purpose and how these tools process data. Requests to erase data collected in the course of research activities pursuant to Art. 17 of the GDPR may be directed to research@candis.io.

6.1 Recruiting Participants via LinkedIn

We may use LinkedIn to reach out to and recruit potential participants for our research program. In doing so, we may process, in particular, publicly visible profile information, details about your professional role and your company, as well as communication data, to the extent necessary to contact you, assess your suitability for research activities, and organize your potential participation.

The legal basis for this is our legitimate interest pursuant to Article 6(1)(f) of the GDPR to identify suitable users for research activities, to gather feedback on our products and services, and to further develop Candis. You may object to the processing of your personal data for this purpose at any time.

LinkedIn is provided by LinkedIn Ireland Unlimited Company, which also processes personal data on its own behalf in connection with the use of the platform. For more information on LinkedIn’s processing of personal data, please see the LinkedIn Privacy Policy.

6.2 Creating Forms with Tally

To easily implement surveys and forms relevant to us, we also use Tally, a service provided by Tally BV, August Van Lokerenstraat 71, 9050 Ghent, Belgium.

When using Tally, personal data such as your name, email address, company affiliation, and the information you provide in the respective form may be processed. We store the information you provide in the Tally form, including the data you enter, in order to evaluate your feedback, improve our products and services, and contact you in the event of follow-up questions.

We will retain this data until you request its deletion, revoke your consent to its storage, or the purpose for storing the data no longer applies. This is without prejudice to relevant legal provisions—in particular, retention periods.

The use of Tally is based on your consent pursuant to Article 6(1)(a) of the GDPR.

We have entered into a data processing agreement with Tally. This ensures that Tally uses user data only within the framework of EU data protection standards, exclusively for the purpose of processing inquiries, and does not disclose it to third parties without authorization.

For more information, please see Tally’s Privacy Policy: https://tally.so/help/privacy-policy

6.3 Scheduling Appointments with Calendly

To make scheduling appointments simple, fast, and hassle-free, we use the Calendly tool, a service provided by Calendly, LLC, 1315 Peachtree St NE, Atlanta, GA 30309, USA. We use Calendly to easily schedule appointments with interview participants.

When using this tool, you will be asked to provide personal data such as your name, email address, and phone number. You also have the option to describe your request and provide us with additional information. When you use the tool, the information you enter in the request form—including any details you provide—will be stored and transmitted over the internet. The processing of the data you enter is based solely on your consent (Art. 6(1)(a) GDPR).
Calendly has submitted to the EU-U.S. Data Privacy Framework and has been certified. As such, Calendly is committed to complying with the standards and regulations of European data protection law. Further information can be found in the list of Data Privacy Framework participants.

This Privacy Policy, as well as the provider’s privacy policy, applies to the handling of data collected through the use of Calendly. We have entered into a data processing agreement with Calendly. You can find Calendly’s privacy policy at: https://calendly.com/pages/privacy

6.4 Creating Surveys with SurveyMonkey

To easily conduct surveys relevant to us regarding our product, we use the survey management software SurveyMonkey from the U.S. company Momentive Inc. (1 Curiosity Way, San Mateo, California 94403-2396). For the European Economic Area, the Irish company Momentive Europe UC (2nd Floor, 2 Shelbourne Buildings, Shelbourne Road, Dublin, Ireland) is responsible.
SurveyMonkey processes your email address (if provided) and, in all cases, a customer ID, as well as the results of the survey you completed, in a confidential manner. The data is retained for the duration of the statutory retention period and is subsequently deleted or anonymized. The processing of the data you provide is based exclusively on your consent (Art. 6(1)(a) GDPR).
Momentive has submitted to the EU-U.S. Data Privacy Framework and has been certified. As such, Momentive is committed to complying with the standards and regulations of European data protection law. Further information can be found in the list of Data Privacy Framework participants.
For more information on how your data is processed, please see Momentive’s Privacy Policy: https://www.surveymonkey.de/mp/legal/privacy/.

6.5 Recording of Interviews with Grain

We use Grain, a service provided by Grain (Grain San Francisco, 543 Market Street, CA 94104), to record, transcribe, and analyze user interviews and research meetings. Grain enables us to record and transcribe conversations and subsequently analyze the content to improve our products and services.

When using Grain, the following data in particular may be processed: your name, your email address, meeting metadata, audio and video recordings, transcripts, and the content you share during the conversation. Recordings are made only if you have been informed of this and have given your consent.

We use the recordings and transcripts created with Grain to transparently analyze feedback from research conversations, document insights internally, and further develop our products and services. Processing is based exclusively on your consent pursuant to Article 6(1)(a) of the GDPR. You may revoke your consent at any time with future effect.

The data will remain with us until you request its deletion, revoke your consent to its storage, or the purpose for storing the data no longer applies. This is without prejudice to relevant legal provisions—in particular, retention periods.

We have entered into a data processing agreement with Grain. To the extent that the use of Grain involves the transfer of personal data to third countries, particularly the United States, this transfer is safeguarded by appropriate safeguards within the meaning of Articles 44 et seq. of the GDPR.

For more information, please see Grain’s privacy policy: https://support.grain.com/en/articles/9253291-how-secure-is-my-data-on-grain

6.6 Storage of Research Results in Salesforce

We use Salesforce to document and track research results internally. Salesforce is a service provided by Salesforce, Inc., Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA.

In particular, Salesforce may store contact information, details about your organization, information regarding your participation in research activities, meeting notes, summarized research results, as well as internal evaluations and follow-up activities. This data is stored to evaluate feedback in a structured manner, assign feedback to specific product areas, and improve our products and services based on the feedback received.

Processing is based on your consent pursuant to Article 6(1)(a) of the GDPR, to the extent that you participate in research initiatives. To the extent that the documentation and tracking of research results serve to improve our products and services and to maintain existing customer relationships, processing may also be based on our legitimate interest pursuant to Article 6(1)(f) of the GDPR.

We will retain the data until you request its deletion, revoke your consent to its storage, or the purpose for storing the data no longer applies. This is without prejudice to relevant legal provisions—in particular, retention periods.

We have entered into a data processing agreement with Salesforce. To the extent that personal data is transferred to the United States or other third countries, this is done on the basis of appropriate safeguards within the meaning of Articles 44 et seq. of the GDPR.

For more information, please see Salesforce’s Privacy Policy: https://www.salesforce.com/company/legal/privacy/

6.7 Data Transfer via Zapier

To automatically transfer data from Tally to Salesforce, we use Zapier, a service provided by Zapier, Inc., 548 Market St. #62411, San Francisco, CA 94104, USA (for the use of Zapier for website forms, see Section 5.12).

Zapier is used to automatically transfer data collected via Tally as part of research surveys and forms to Salesforce. In particular, the information you provide in the respective form—such as your name, email address, company affiliation, responses to research questions, and technical metadata—may be processed.

Zapier is used to efficiently document research results, evaluate them internally, and utilize them to improve our products and services. Processing is based on your consent pursuant to Article 6(1)(a) of the GDPR, provided that you participate in research activities.

We have entered into a data processing agreement with Zapier. Zapier processes personal data as a data processor within the scope of the agreed-upon services. To the extent that the use of Zapier involves the transfer of personal data to the United States or other third countries, this is safeguarded by appropriate safeguards within the meaning of Articles 44 et seq. of the GDPR. In particular, Zapier provides standard contractual clauses for this purpose and is certified under the EU-U.S. Data Privacy Framework.

For more information, please refer to Zapier’s Privacy Policy and Privacy Notice: https://zapier.com/privacy and https://zapier.com/legal/data-privacy

7. Social Media and Embedded Content
We maintain online presences on social networks and video services to communicate with users active on those platforms and to provide information about us there.

For a detailed description of the respective forms of data processing and the options for objecting, please refer to the privacy policies and information provided by the operators of the respective networks.

7.1 LinkedIn
Our website links to our profile on the LinkedIn network. The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Simply visiting our website does not result in any data being transferred to LinkedIn. If you click on a LinkedIn link, you will be redirected to LinkedIn’s pages; from that point on, LinkedIn processes your data under its own responsibility. If you are logged into your LinkedIn account, LinkedIn may associate your visit with your account. For more information, please see LinkedIn’s Privacy Policy at: https://www.linkedin.com/legal/privacy-policy.

LinkedIn has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants.

7.2 Facebook (Fan Page)
We operate a so-called “Fan Page” on Facebook to provide information about topics related to our software. This is a service offered by Meta Platforms Ireland Ltd. (hereinafter “Facebook”), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. We have agreed to the terms and conditions for the commercial use of Facebook.

When you visit our fan page on Facebook, Facebook places cookies on your device and collects so-called “Insights data” about your use of our fan page:

· Information about your visit to our Facebook fan page (your IP address, last visited website, file name, URL)
· Information about your Facebook interactions with our content (“Likes”)
· If applicable, your comments will be stored, along with a timestamp

Each of these Facebook cookies has a unique cookie ID. Based on the data processing carried out by Facebook, we receive anonymized statistical data about fan page visitors from Facebook, in accordance with our joint responsibility under Article 26 of the GDPR. We are unable to identify you personally at any time during your visit to our fan page based on the Insights feature and the statistics it provides.

The legal basis for Facebook’s collection and processing of your personal data on our behalf for the aforementioned statistical purposes is Article 6(1), first sentence, letter a) of the GDPR.

Only Facebook knows when and in what form it corrects, transfers, stores, or deletes your personal data. We have no influence over this. Information on how to contact Facebook, on ad settings, and on the data usage policies is available at the following link: https://www.facebook.com/about/privacy. For more information on our joint responsibility with Facebook, please visit: https://www.facebook.com/legal/terms/page_controller_addendum.

Facebook (Meta) has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants.

7.3 Wistia
Our website uses the Wistia video service provided by Wistia Inc., 120 Brookline Street, Cambridge, Massachusetts 02139, USA, to display videos to you. The legal basis is Article 6(1)(a) of the GDPR.

The integration is click-based: When you visit a page with a Wistia video, only a preview image hosted by us is initially displayed; the Wistia player is not loaded until you actively start the video. A connection to Wistia’s server in the U.S. is established only when you play a Wistia video. This connection is necessary to display the video on our website via your web browser. In the process, Wistia will collect and process at least your IP address, the date and time, and the webpage you visited.
Wistia tracks how you interact with the videos on this website: how much of a video you play, at which points in a video you pause or rewind, etc. In some media, we pause the video and ask you to provide your email address or name. You are not required to provide this information, but we reserve the right to restrict certain media to identified users. Wistia aggregates the data collected through the media, including names and email addresses, and provides it to us. Aside from providing this data to us, Wistia does not sell or disclose the data collected from our media to third parties.

Wistia processes the data on our behalf based on a data processing agreement between us and Wistia. This agreement ensures that data processing on our behalf is carried out in accordance with the General Data Protection Regulation, guaranteeing the protection of data subjects’ rights.

Wistia has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants.

For more information on how user data is handled, please see Wistia’s Privacy Policy at: https://wistia.com/support/account-and-billing/privacy-and-data-protection.

7.4 YouTube
On some pages of our website, we embed videos from the YouTube service. The provider is Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

The embedding is click-based: When you visit a page with an embedded YouTube video, only a preview image hosted by us is initially displayed; no data is transmitted to Google at this point. Only when you actively start the video is the YouTube player loaded and a connection established to the servers of YouTube or Google. In the process, Google is informed which of our pages you have visited, and cookies may be set by Google (see Section 4). If you are logged into your YouTube/Google account, Google can associate the visit with your account. When the video is played, Google also receives information about your use of the video.

The legal basis is your consent, Art. 6(1)(a) GDPR. Google has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants and in Google’s Privacy Policy: https://policies.google.com/privacy.

8. Newsletter
On our website, you can subscribe to our newsletter to receive information. We process the voluntary information you provide to us for this purpose solely for the purpose of sending you the newsletter. Our legal basis for processing is your consent pursuant to Article 6(1)(a) of the GDPR. You may revoke your consent at any time with future effect.

8.1 Salesforce Email Studio
The newsletters are sent via “Email Studio,” a newsletter distribution platform provided by the cloud service provider Salesforce (salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, Germany).

The email addresses of our newsletter subscribers, as well as their other data described in this notice, are stored on Salesforce’s servers. Salesforce uses this information to send and analyze the newsletters on our behalf.

The legal basis for this type of data processing is your consent, Article 6(1)(a) of the GDPR, e.g., when you subscribe to the newsletter or register on our website. You can object to the sending of newsletters and mailings by Salesforce at any time with future effect by clicking the unsubscribe link in the respective email. If, for example, you unsubscribe from the newsletter, your data will be deleted in accordance with the statutory retention periods.

Salesforce has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants.
Salesforce processes the data on our behalf (Art. 28 GDPR). You can view the mailing service provider’s privacy policy here: https://www.salesforce.com/de/company/privacy/.

8.2 Intercom
We send newsletters via “Intercom,” a service provided by Intercom, Inc., 55 Second Street, Suite 400, San Francisco, CA 94105, USA (hereinafter referred to as “Intercom”).

The email addresses of our newsletter subscribers, as well as their other data described in this notice, are stored on Intercom’s servers. Intercom uses this information to send and analyze the newsletters on our behalf.

The legal basis for this type of data processing is your consent, Article 6(1)(a) of the GDPR, e.g., when you subscribe to the newsletter or register on our website. You can object to the sending of newsletters and mailings by Intercom at any time with future effect by clicking the unsubscribe link in the respective email. If, for example, you unsubscribe from the newsletter, your data will be deleted in accordance with the statutory retention periods.

For marketing and optimization purposes, particularly to improve and analyze our newsletter, we use the performance tracking provided by Intercom. This tracks whether the newsletter is opened. The legal basis for this type of data processing is your consent, Article 6(1)(a) of the GDPR.

Intercom processes the data on our behalf based on a data processing agreement between us and Intercom. This agreement ensures that data processing on our behalf is carried out in accordance with the General Data Protection Regulation (GDPR), guaranteeing the protection of the rights of data subjects.

Intercom has submitted to the EU-U.S. Data Privacy Framework and has been certified. Further information can be found in the list of Data Privacy Framework participants.

You can find further information from the third-party provider regarding data protection on the following website: https://www.intercom.com/legal/terms-and-policies.

9. Your Rights as a Data Subject
With regard to the data processing described here, you have various rights as a data subject, which are governed by the GDPR.

Right of Access
First, you have the right to obtain information about the data you have provided to us and that we process (Art. 15 GDPR).

Right to Rectification, Erasure, and Restriction
In addition, you may request the rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), and restriction (Art. 18 GDPR) of your data.

Right to Data Portability and Right to Object
You also have the right to data portability (Art. 20 GDPR) and the right to object (Art. 21 GDPR).

Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority. To do so, you may contact the data protection supervisory authority at your usual place of residence or at our corporate headquarters. The address of the supervisory authority responsible for us is:

Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstr. 219
10969 Berlin

Phone: 030 13889-0
Email: mailbox@datenschutz-berlin.de

10. Data Controller / Data Protection Officer
If you have any further questions, for example regarding the personal data we have stored about you, please feel free to contact us.

Candis GmbH
CityQuartier DomAquarée
Karl-Liebknecht-Straße 5
10178 Berlin

Represented by:
Managing Director: Christian Ritosek

Contact:
Phone: 030 346 556 100
Email: info@candis.io

Our Data Protection Officer is Mr. Ali Tschakari, LL.M., Bitkom Servicegesellschaft mbH, Albrechtstraße 10, 10117 Berlin. You can contact him directly at datenschutz@bitkom-consult.de or datenschutz@candis.io.

11. Status and Updates to This Privacy Policy
This Privacy Policy is effective as of July 9, 2026.