Privacy Policy
IAN In A Nutshell GmbH

Our privacy policy is structured as follows:

I. Information about us as Controller
II. General Principles
III. Recipients and Data Sharing
IV. Specific Processing Activities
V. Technical and Organizational Measures
VI. Rights of Data Subjects
VII. Social Media
VIII. Final Provisions

I. Information about us as Controller

Controller and Data Protection Officer

IAN In A Nutshell GmbH
Management: Timm Rotter and Dr. Jonna Gaertner

Augustenstraße 52
80333 Munich
Germany
Phone: +49 89 452 191 62
E-Mail: info@nutshell.de

Data Protection Officer
Alina Kannenberg
Phone: +49 89 452 191 62
E-Mail: alina.kannenberg@nutshell.de

II. General Principles

Purposes and Principles of Data Processing

Protecting your personal data is a top priority for us. We process data exclusively in accordance with the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications and Telemedia Data Protection Act (TTDSG).

You can generally use our website without actively providing personal data. We only process personal data (e.g. name, e-mail address) if you voluntarily provide it – for example, when contacting us or subscribing to our newsletter. Any processing is carried out solely for the purposes for which the data was provided.

Data is disclosed to third parties only on the basis of a data processing agreement, due to legal obligations, or – for certain platforms – in accordance with the provider’s standard data protection terms.

The transfer of data between your browser and our server is secured by state-of-the-art encryption (SSL/TLS). We implement technical and organizational measures to protect your data against loss, misuse, and unauthorized access.

Legal Basis for Processing

We process personal data on the following legal bases:

  • Art. 6 (1) a GDPR – Consent (e.g. newsletter, cookies)
  • Art. 6 (1) b GDPR – Contract performance or pre-contractual measures
  • Art. 6 (1) c GDPR – Legal obligations
  • Art. 6 (1) f GDPR – Legitimate interests (e.g. IT security, website optimization)

We process personal data within the meaning of Art. 4 (1) GDPR whenever there is a reference to an identified or identifiable individual.

Categories of Data

We process, in particular:

  • Usage data (IP address, browser type, access times)
  • Communication data (e.g. e-mail, phone number)
  • Contract and application data (e.g. name, address, application documents)

III. Recipients and Data Sharing

Recipients / Processors

We cooperate with external service providers that process personal data on our behalf (Art. 28 GDPR). These include, among others, our hosting provider INGATE, the newsletter provider SendinBlue (Brevo), and communication platforms such as Starface.

Data processing agreements are in place with these providers. The list of processors is reviewed regularly and maintained internally.

Services with Standard Terms

For certain platforms and services (e.g. Google, Google Analytics, Microsoft Online Services, LinkedIn, Meta, OpenAI), an individual agreement is not possible. In these cases, the providers’ standard data protection terms apply, such as Standard Contractual Clauses (SCC), Joint Controller Agreements, or Data Protection Addenda. We have no control over the content of these terms.

Our use of these services is subject to these terms. For details, please refer to the providers' currently valid privacy notices.

IV. Specific Processing Activities

Server Log Files

Our hosting provider (currently STRATO AG, Berlin) automatically collects certain data each time you access our website, including:

  • Browser type and version
  • Operating system
  • Referrer URL (previously visited page)
  • Pages visited within our website
  • Date and time of access
  • IP address of the requesting device

This data is collected to ensure the stability and security of our website. Data is deleted after seven days unless longer storage is required for evidence purposes.

Legal basis: Art. 6 (1) f GDPR (legitimate interest in security and functionality).

Cookies and Tracking

Our website uses cookies. Cookies are small text files stored on your device that may contain information such as browser or location data or IP address.

  • Session cookies are automatically deleted at the end of the browser session.
  • Functional cookies may be necessary to provide certain features (e.g. language selection). Legal basis: Art. 6 (1) b GDPR or Art. 6 (1) f GDPR.
  • Third-party cookies (e.g. for analytics, advertising, embedded content) are used only with your consent (Art. 6 (1) a GDPR). You can withdraw your consent at any time via the cookie banner; details of the cookies used are also provided there.

Technically necessary cookies are set in accordance with § 25 (2) TTDSG without consent. For all other cookies, we request your consent via our cookie banner (opt-in).

Unclassified Cookies

Some cookies may not yet be fully categorized by our consent tool (Cookiebot). These may originate from third-party providers embedded on our website. Once classification is complete, they are assigned to the appropriate category (e.g. preferences, statistics, marketing). Legal basis: either your consent under Art. 6 (1) a GDPR in conjunction with § 25 TTDSG, or, for technically necessary cookies, our legitimate interest under Art. 6 (1) f GDPR.

Managing Cookies

You can prevent or restrict the installation of cookies at any time in your browser settings. Already stored cookies can be deleted at any time.

Please note: Disabling cookies may limit some functions of our website.

You may also manage advertising cookies through the following portals:

Google Analytics

We use Google Analytics (Google Ireland Ltd., Dublin) to analyze website usage. Legal basis: your consent (Art. 6 (1) a GDPR). IP addresses are anonymized. Consent can be withdrawn at any time. Information: https://policies.google.com/privacy

Cloudflare

To secure and accelerate our website, we use Cloudflare (Cloudflare Germany GmbH). Cloudflare processes data as a processor. Information: https://www.cloudflare.com/privacypolicy/

Cookiebot

Our cookie banner is provided by Cookiebot (Cybot A/S, Copenhagen). Your consent decisions are logged. Information: https://www.cookiebot.com/de/privacy-policy/

Data Transfers to Third Countries

Where personal data is transferred to providers outside the EU/EEA (e.g. USA), this takes place – if no adequacy decision exists – on the basis of the EU Commission’s Standard Contractual Clauses (SCC) and, where necessary, supplementary measures (Transfer Impact Assessment). You may withdraw your consent at any time.

Contact and Communication

If you contact us by e-mail, we process your data solely to handle your request.
Legal basis: Art. 6 (1) b GDPR (contract/pre-contract) or Art. 6 (1) f GDPR (legitimate interest in communication).
We delete your data once your request has been completed, provided there are no legal retention obligations.

Applications

If you apply online, we process your data for the purpose of managing the recruitment process (§ 26 BDSG, Art. 88 GDPR).

  • If hired, your data is added to your personnel file.
  • Rejected applications are deleted within two months. For the purpose of legal defense, data may be retained for up to four to six months (Art. 6 (1) f GDPR in conjunction with AGG).
  • With your consent, applications may be stored longer (talent pool). You may withdraw consent at any time.

Newsletter

If you subscribe to our newsletter, we process your data solely on the basis of your consent (double opt-in). You may unsubscribe at any time using the unsubscribe link. For performance measurement, newsletters may contain tracking pixels to record openings/clicks. Legal basis: your consent. Provider: SendinBlue (Brevo), Paris, France. A data processing agreement is in place. Information: https://www.brevo.com/legal/privacypolicy/#eu

V. Technical and Organizational Measures

Access Control and Logging

All central systems (Google Workspace, INGATE, Microsoft Teams) log access, changes, and logins. These audit logs ensure traceability and serve the purposes of accountability and IT security. Access to the logs is restricted to administrators and the Data Protection Officer.

Security

We protect your data with SSL/TLS encryption and appropriate technical and organizational measures (access and authorization concepts, logging, backups, clean-desk, staff training). Details of our TOMs are documented internally.

Retention and Deletion

Personal data is deleted when the purpose no longer applies or legal retention obligations expire.

Examples:

  • Application data: 2 months after completion of recruitment (unless longer retention is required or consented to).
  • Contract data: up to 10 years under statutory obligations.
  • Newsletter data: deleted immediately upon unsubscribing.

A comprehensive overview of retention periods is documented in our internal deletion policy.

VI. Rights of Data Subjects

As a data subject, you have the following rights:

  • Access (Art. 15 GDPR): Confirmation of whether personal data concerning you is being processed.
  • Rectification (Art. 16 GDPR): Correction of inaccurate data or completion of incomplete data.
  • Erasure (Art. 17 GDPR): Deletion of your data, unless legal retention obligations or other grounds under Art. 17 (3) GDPR apply.
  • Restriction of processing (Art. 18 GDPR): Restriction of processing in certain cases, e.g. during the verification of your objections.
  • Data portability (Art. 20 GDPR): Receipt of your data in a structured, commonly used format and transfer to another controller.
  • Objection (Art. 21 GDPR): Objection to the processing of your data, in particular against processing for direct marketing purposes.
  • Withdrawal of consent (Art. 7 (3) GDPR): Withdrawal of any consent previously given, with effect for the future.

To exercise your rights, please contact: alina.kannenberg@nutshell.de. We generally respond within one month (Art. 12 (3) GDPR). In justified cases, this period may be extended by two months; you will be informed accordingly.

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), e.g.: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.

VII. Social Media

Social Media Profiles

We maintain profiles on LinkedIn, Instagram, and Facebook. Responsibility is shared jointly with the respective providers (Art. 26 GDPR).

Providers may process data outside the EU (e.g. USA). We have no control over the type or scope of processing carried out by these providers.

Privacy notices:

For page statistics, the providers’ joint controller agreements (Page Insights) apply. The essential contents are available on the platforms.

Links to Social Media

Our website links to our social media profiles via graphics and text links. A connection to the respective provider is established only when the link is clicked. From that point, the provider’s privacy policy applies.

VIII. Final Provisions

Amendments

We reserve the right to update this declaration in line with changes in our processes or legal requirements.

This Data Protection Declaration is based on the GDPR (Regulation (EU) 2016/679), the German Federal Data Protection Act (BDSG), and the German Telecommunications and Telemedia Data Protection Act (TTDSG).

