Privacy Policy

Preamble

With this Privacy Policy we wish to inform you about the types of personal data (hereinafter also referred to simply as "data") we process, the purposes for which we do so, and the extent of such processing. This Privacy Policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as the "online offering").

The terms used are not gender-specific.

Last updated: 22 June 2026

Table of Contents

Preamble
Controller
Our Brands (Adams Strategy · Matching Pioneers · Aerendal)
Overview of Processing Activities
Applicable Legal Bases
Security Measures
Transmission of Personal Data
International Data Transfers
General Information on Data Retention and Deletion
Rights of Data Subjects
Commercial Services
Acquirer Database and Matchmaking Platform
Business Processes and Procedures
Third-Party Providers and Services Used in Business Operations
Payment Processing
Credit Checks
Provision of the Online Offering and Web Hosting
Use of Cookies
Registration, Login and User Accounts
Blogs and Publication Media
Contact and Enquiry Management
Communication via Messaging Services
Artificial Intelligence (AI)
Video Conferences, Online Meetings, Webinars and Screen Sharing
Cloud Services
Newsletters and Electronic Notifications
Webinar Registration
Marketing Communications via E-Mail, Post, Fax or Telephone
Web Analytics, Monitoring and Optimisation
Online Marketing
Presence on Social Networks (Social Media)
Plug-ins and Embedded Functions and Content
Management, Organisation and Auxiliary Tools
Processing of Data in the Context of Employment Relationships
Recruitment Process
Amendments and Updates
Definitions

Controller

Adams Strategy GmbH & Co. KG
Rheinpromenade 4a, 40789 Monheim am Rhein

Authorised representative: Marielle Adams

E-mail address: info@adamsstrategy.de

Legal notice: www.adamsstrategy.de/en/impressum

Our Brands

Adams Strategy GmbH & Co. KG operates the following independent brands under its corporate group, each with its own online presence:

Adams Strategy (adamsstrategy.de) — M&A advisory for the German mid-market. This Privacy Policy applies to this offering.
Matching Pioneers (matchingpioneers.de) — B2B matchmaking platform for corporate transactions. A separate Privacy Policy for Matching Pioneers applies to this offering.
Aerendal (aerendal.de) — M&A advisory specialising in trades and commerce businesses (succession & business sale). A separate Privacy Policy on aerendal.de applies to this offering.

Each brand processes personal data independently under its respective Privacy Policy. The controller for all three brands is Adams Strategy GmbH & Co. KG, Rheinpromenade 4a, 40789 Monheim am Rhein.

Overview of Processing Activities

The following overview summarises the types of data processed and the purposes of their processing, and identifies the data subjects concerned.

Types of Data Processed

Master data
Employee data
Payment data
Contact data
Content data
Contract data
Usage data
Meta, communication and procedural data
Applicant data
Log data
Credit data

Purposes of Processing

Performance of contractual services and fulfilment of contractual obligations
M&A advisory and business intermediation (matchmaking)
Communication
Security measures
Direct marketing
Reach measurement
Office and organisational procedures
Recruitment process
Marketing
Provision of our online offering and user experience
Assessment of creditworthiness
Establishing and conducting employment relationships
IT infrastructure
Financial and payment management
Public relations

Applicable Legal Bases

Legal bases under the GDPR: The following provides an overview of the legal bases under the GDPR on which we process personal data. In addition to the provisions of the GDPR, national data protection requirements may apply in your country or ours.

Consent (Art. 6(1)(a) GDPR) — The data subject has given consent to the processing of their personal data for one or more specific purposes.
Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR) — Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
Legal obligation (Art. 6(1)(c) GDPR) — Processing is necessary for compliance with a legal obligation to which the controller is subject.
Legitimate interests (Art. 6(1)(f) GDPR) — Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Recruitment as a pre-contractual or contractual relationship (Art. 6(1)(b) GDPR) — Where special categories of personal data within the meaning of Art. 9(1) GDPR are requested from applicants during the recruitment process, processing is carried out pursuant to Art. 9(2)(b), (c) or (h) GDPR.

National data protection provisions in Germany: In addition to the data protection provisions of the GDPR, national provisions apply, in particular the German Federal Data Protection Act (BDSG).

Security Measures

In accordance with statutory requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

These measures include in particular securing the confidentiality, integrity and availability of data by controlling physical and electronic access to data, as well as access to, input of, disclosure of, ensuring availability of and separation of such data.

TLS/SSL encryption (HTTPS): To protect data transmitted via our online services from unauthorised access, we use TLS/SSL encryption technology. Where a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL.

Protection of transmitted form data: All personal data submitted via our contact forms is transmitted exclusively via encrypted HTTPS connections (TLS). The data is stored server-side for internal processing and is not publicly accessible.

Security headers: We use HTTP security headers, including X-Frame-Options (SAMEORIGIN, preventing embedding in external frames), Content-Security-Policy (CSP), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), Permissions-Policy (disabling camera, microphone and geolocation) and X-XSS-Protection. The CSP header additionally includes the directive frame-ancestors 'none', which prevents clickjacking attacks.

Rate limiting: To protect our contact forms against automated abuse, we implement server-side rate limiting. The IP address of the requester is temporarily stored in working memory and automatically deleted after 5 minutes — no permanent logging occurs.

Transmission of Personal Data

In the course of processing personal data, it may be transmitted to other bodies, companies, legally independent organisational units or persons. Recipients of such data may include, for example, service providers entrusted with IT tasks or providers of services and content. In such cases, we comply with applicable legal requirements and enter into appropriate contracts to protect your data.

Data transmission within the corporate group: We may transmit personal data to other companies within our corporate group or grant them access thereto, on the basis of our legitimate business and operational interests.

International Data Transfers

Where we transfer data to a third country (outside the EU/EEA), we do so exclusively in compliance with applicable legal requirements.

For data transfers to the United States, we rely primarily on the Data Privacy Framework (DPF), which was recognised as a secure legal framework by an adequacy decision of the EU Commission dated 10 July 2023. In addition, we have entered into Standard Contractual Clauses with the relevant providers. This dual safeguard ensures comprehensive protection of your data. Further information on the DPF and a list of certified companies can be found at www.dataprivacyframework.gov.

For data transfers to other third countries, appropriate safeguards apply, in particular Standard Contractual Clauses, express consent or legally required transfers.

General Information on Data Retention and Deletion

We delete personal data in accordance with statutory requirements as soon as the underlying consent is withdrawn or no further legal basis for processing exists. Exceptions apply where statutory obligations or special interests require longer retention.

Where multiple retention periods are specified, the longest period always prevails. Where a period does not expressly begin on a specific date and is at least one year in duration, it commences automatically at the end of the calendar year in which the triggering event occurred.

Statutory retention periods under German law:

10 years — Books, records, annual accounts, inventories (§ 147 AO, § 257 HGB)
8 years — Accounting vouchers, invoices, cost documents (§ 147 AO, § 257 HGB)
6 years — Other business records, commercial correspondence, calculation documents (§ 147 AO, § 257 HGB)
3 years — Data for warranty and damages claims (§§ 195, 199 BGB)

Rights of Data Subjects

As a data subject, you have the following rights under the GDPR (Arts. 15–21 GDPR):

Right to object: You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time.
Right to withdraw consent: You have the right to withdraw consent given at any time.
Right of access: You have the right to obtain confirmation as to whether personal data concerning you is being processed, and to obtain access to such data and a copy thereof in accordance with statutory requirements.
Right to rectification: You have the right to request the completion or correction of inaccurate data concerning you.
Right to erasure and restriction of processing: You have the right to request that data concerning you be erased without undue delay, or alternatively to request restriction of processing.
Right to data portability: You have the right to receive personal data concerning you in a structured, commonly used and machine-readable format, or to request its transmission to another controller.
Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement.

Commercial Services

We process data of our contractual and business partners (collectively referred to as "contracting parties") in the context of contractual and comparable legal relationships and associated measures, and in connection with communications with contracting parties, for example in response to enquiries.

We delete data upon expiry of statutory warranty and comparable obligations, i.e. generally after four years, unless the data must be retained for legal reasons (e.g. for tax purposes, generally for ten years).

Types of data processed: Master data, payment data, contact data, contract data
Data subjects: Service recipients, clients, prospective clients, business and contractual partners
Purposes of processing: Performance of contractual services, communication, office and organisational procedures, business processes
Legal bases: Performance of a contract (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR)

Further information on services used:

M&A Advisory / Business Sale: Processing of vendor data to provide advisory services in the preparation, execution and completion of corporate transactions, including business valuation, project documentation, negotiation support and invoicing. Legal basis: Art. 6(1)(b) GDPR.

Brokerage and Intermediary Services: Processing of client data in accordance with the underlying mandate, potentially including information on personal circumstances, assets and financial situation. Legal basis: Art. 6(1)(b) GDPR.

Business Consultancy: Processing of client data to provide advisory services, where applicable with disclosure to third parties such as authorities or IT service providers. Legal basis: Art. 6(1)(b) GDPR.

Acquirer Database and Matchmaking Platform

On our website, we offer prospective acquirers (corporate buyers, family offices, investment companies, strategic investors) the opportunity to register in our acquirer database. The registered data is used to identify and propose suitable acquisition mandates from our network and to facilitate a structured M&A matchmaking process.

Types of data processed: Master data (name, company, position), contact data (e-mail, telephone), content data (sector focus, revenue size, acquisition criteria), log data (IP address, timestamp of registration)
Data subjects: Prospective acquirers, investors, investment companies, family offices
Purposes of processing: Inclusion in the acquirer database, introduction of suitable businesses in the M&A process, contact in connection with specific acquisition mandates
Legal basis: Consent (Art. 6(1)(a) GDPR) — Registration takes place exclusively on the basis of express consent given by activating the data protection checkbox in the form.
Retention period: Data is retained for as long as there is an active interest in an acquisition. Following withdrawal of consent, data will be deleted within 30 days.
Disclosure to third parties: Data will not be disclosed to third parties without express consent. In the matchmaking process, contact details are exchanged between acquirer and vendor only after mutual confirmation of interest.
Withdrawal: Consent given may be withdrawn at any time by informal e-mail to info@adamsstrategy.de.

Acquirer Registration Form (adamsstrategy.de/en/fuer-kaeufer): Upon registration in the acquirer database, the following data is collected: name, company, e-mail address, telephone number, sector focus and acquisition criteria. Submitted data is encrypted on the server using symmetric encryption (Fernet) prior to storage. Exclusively German servers (IONOS SE) are used — no transfer to third countries.
Legal basis: Art. 6(1)(a) GDPR (consent).

Business Processes and Procedures

Personal data is processed in the context of contractual and pre-contractual measures to support business operations in the areas of customer management, sales, payment processing, accounting and project management.

Types of data processed: Master data, payment data, contact data, content data, contract data, log data, usage data, meta and communication data, employee data
Data subjects: Service recipients, prospective clients, communication partners, business partners, users, employees, customers
Purposes of processing: Performance of contractual services, office and organisational procedures, marketing, financial and payment management, IT infrastructure
Legal bases: Art. 6(1)(b), (c), (f) GDPR

Procedures used:

Customer Management / CRM: Customer acquisition, customer retention, communication, complaints management, data administration, customer segmentation. Legal bases: Art. 6(1)(b), (f) GDPR.

Client File Management: Acquisition, client care, file management, documentation of legal proceedings, secure deletion upon expiry of retention periods. Legal bases: Art. 6(1)(b), (c), (f) GDPR.

General Payment Processing: Transfers, direct debits, bank statements, incoming/outgoing payments, cash management. Legal bases: Art. 6(1)(b), (f) GDPR.

Accounting / Accounts Payable and Receivable: Invoicing, open items, dunning, account reconciliation. Legal bases: Art. 6(1)(b), (c), (f) GDPR.

Sales: Customer acquisition, preparation of proposals, order processing, sales controlling. Legal bases: Art. 6(1)(b), (f) GDPR.

Marketing and Sales Promotion: Market analysis, campaign planning, online marketing, event marketing, performance measurement. Legal basis: Art. 6(1)(f) GDPR.

Public Relations: Communications strategies, press releases, media relations, social media content, corporate branding. Legal basis: Art. 6(1)(f) GDPR.

Third-Party Providers and Services Used in Business Operations

In the course of our business operations, we use additional services, platforms and plug-ins from third-party providers, in compliance with applicable legal requirements. Their use is based on our interests in the proper, lawful and efficient conduct of our business operations.

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR), performance of a contract (Art. 6(1)(b) GDPR)

Lexoffice — Online software for invoicing, accounting, banking and tax submission.
Provider: Haufe Service Center GmbH, Munzinger Straße 9, 79111 Freiburg, Germany.
Privacy: lexoffice.de/datenschutz/

HubSpot CRM — Customer contact management, sales activities, marketing automation, CRM chatbots.
Provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland.
Privacy: legal.hubspot.com/de/privacy-policy | DPA: legal.hubspot.com/dpa
Third-country transfer: EU/EEA & Switzerland — Data Privacy Framework (DPF) + Standard Contractual Clauses.

Pipedrive — Cloud-based software for managing customer and partner relationships and incoming e-mails and enquiries.
Provider: Pipedrive OÜ, Paldiski mnt 80, Tallinn 10617, Estonia.
Privacy: pipedrive.com/en/privacy

Payment Processing

In the context of contractual and other legal relationships, we offer data subjects efficient and secure payment options and, in addition to banks and credit institutions, engage further service providers for this purpose. Data processed includes master data, banking data, and contract and transaction amounts. We do not receive account or credit card information; we receive only payment confirmations or negative payment notifications.

Types of data processed: Master data, payment data, contract data, usage data, meta and communication data
Legal bases: Performance of a contract (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR)

PayPal — Payment services.
Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
Privacy: paypal.com/de/webapps/mpp/ua/privacy-full

Stripe — Payment services (online payment methods).
Provider: Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.
Privacy: stripe.com/de/privacy
Third-country transfer: EU/EEA & Switzerland — DPF + Standard Contractual Clauses.

Credit Checks

Where we provide services in advance or assume comparable financial risks, we reserve the right to obtain identity and credit information from specialised credit reference agencies in order to protect our legitimate interests.

Types of data processed: Master data, payment data, contact data, contract data, credit data
Purposes: Assessment of creditworthiness
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR)

SCHUFA — Credit reference agency.
Provider: SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Köln.
Privacy: schufa.de/datenschutz/

Creditreform — Credit reference agency. Data is only transmitted to Creditreform where a specific credit check is required.
Provider: Verband der Vereine Creditreform e.V., Hellersbergstraße 12, 41460 Neuss.
Privacy: creditreform.de/datenschutz

Provision of the Online Offering and Web Hosting

We process users' data in order to provide our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser.

Types of data processed: Usage data, meta and communication data, log data, content data
Purposes: Provision of the online offering, IT infrastructure, security measures
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)

Server log files are retained for a maximum of 30 days and are subsequently deleted or anonymised. Data whose further retention is required for evidential purposes is exempt until the relevant matter is finally resolved.

IONOS SE — Hosting and IT infrastructure. All data is processed exclusively on German servers.
Provider: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany.
Privacy: ionos.de/terms-gtc/datenschutzerklaerung/
Third-country transfer: None — processing exclusively in Germany.

Google Cloud CDN — Content delivery network for fast delivery of media files and scripts.
Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland.
Privacy: policies.google.com/privacy
Third-country transfer: EU/EEA & Switzerland — DPF + Standard Contractual Clauses.

Use of Cookies

The term "cookies" refers to functions that store and retrieve information on users' end devices. We use cookies in accordance with applicable legal requirements. Where consent is not required, we rely on our legitimate interests.

Retention period:

Temporary cookies (session cookies): Deleted at the latest after the user has left the online offering and closed their device.
Permanent cookies: Remain stored after the device is closed, generally for up to two years.

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR), consent (Art. 6(1)(a) GDPR)

Cookie Consent Management (adamsstrategy.de) — We use a GDPR-compliant consent management solution. When visiting the website, Google Analytics 4 Consent Mode v2 is set to "denied" by default. Activation occurs only upon express consent by the user. Consent (yes/no), the time of consent and the cookie version are stored exclusively in the local storage of the end device (localStorage) — no server-side tracking of consent.
Legal basis: Art. 6(1)(c) GDPR in conjunction with § 25 TTDSG.

Registration, Login and User Accounts

Users may create a user account. During registration, users are informed of the required mandatory information, which is then processed. Data processed includes in particular login information (username, password and e-mail address). We store the IP address and the timestamp of each user action on the basis of our legitimate interests.

Types of data processed: Master data, contact data, content data, usage data, log data
Legal bases: Performance of a contract (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR)

User profiles are not publicly visible or accessible. Upon termination of the user account, data will be deleted, subject to statutory retention obligations.

Blogs and Publication Media

We use blogs or comparable means of online communication and publication (Strategy Academy). Readers' data is only processed for the purposes of the publication medium to the extent necessary for its display and for communication between authors and readers, or for security purposes.

Types of data processed: Master data, contact data, content data, usage data, meta and communication data
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)

Contact and Enquiry Management

When contacting us (e.g. by post, contact form, e-mail, telephone or via social media) and in the context of existing user and business relationships, the information provided by the enquiring party is processed to the extent necessary to respond to the contact enquiry and any requested measures.

Types of data processed: Master data, contact data, content data, usage data, meta and communication data, payment data, contract data
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR), performance of a contract (Art. 6(1)(b) GDPR), consent (Art. 6(1)(a) GDPR)

Contact form — Where contact is made via our contact form, by e-mail or other communication channels, we process the personal data submitted exclusively for the purpose of responding to and handling the relevant enquiry.
Legal bases: Art. 6(1)(b), (f) GDPR.

Communication via Messaging Services

We use messaging services for communication purposes. In the case of end-to-end encryption, the content of communications is not accessible — including to the messaging service providers themselves. We note that messaging service providers may process metadata (time, device information, and possibly location data).

Types of data processed: Contact data, content data, usage data, meta and communication data
Legal bases: Consent (Art. 6(1)(a) GDPR), performance of a contract (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR)

Microsoft Teams — Chat, audio and video conferencing, file sharing, Office 365 integration, screen sharing.
Provider: Microsoft Ireland Operations Limited, One Microsoft Place, Leopardstown, Dublin 18, Ireland.
Privacy: privacy.microsoft.com/de-de/privacystatement
Third-country transfer: EU/EEA & Switzerland — DPF + Standard Contractual Clauses.

WhatsApp — Text messages, voice and video calls, file transfer, group chat with end-to-end encryption.
Provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
Privacy: whatsapp.com/legal
Third-country transfer: EU/EEA & Switzerland — DPF.

Artificial Intelligence (AI)

We use artificial intelligence (AI) systems, which involve the processing of personal data. Our AI systems are used in strict compliance with applicable legal requirements (GDPR, AI Act). We adhere to the principles of lawfulness, transparency, fairness, human oversight, purpose limitation and data minimisation.

Types of data processed: Content data, usage data
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)

Claude (Anthropic) — AI-based service for understanding and generating natural language and for analysing information, including for the Exit Navigator and business valuation.
Provider: Anthropic, PBC, 548 Market St., San Francisco, CA 94104, USA.
Privacy: anthropic.com/privacy
Third-country transfer: USA — Standard Contractual Clauses.

ChatGPT — AI-based service for understanding and generating natural language and for analysing information.
Provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, Dublin 1, Ireland.
Privacy: openai.com/de/policies/eu-privacy-policy

DeepL — Translation of texts into various languages, as well as text correction and improvement.
Provider: DeepL SE, Maarweg 165, 50825 Cologne, Germany.
Privacy: deepl.com/de/privacy

Video Conferences, Online Meetings, Webinars and Screen Sharing

We use conferencing platforms to conduct video and audio conferences, webinars and other types of online meetings. In connection with participation, personal data of participants is processed, including names, e-mail addresses, IP addresses, device data and audio and video data. Where recordings take place, participants are informed in advance.

Types of data processed: Master data, contact data, content data, usage data, log data
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)

Microsoft Teams — Audio and video conferencing, chat, file sharing, screen sharing, optional recording, Office 365 integration.
Provider: Microsoft Ireland Operations Limited, One Microsoft Place, Leopardstown, Dublin 18, Ireland.
Privacy: privacy.microsoft.com/de-de/privacystatement
Third-country transfer: EU/EEA & Switzerland — DPF + Standard Contractual Clauses.

Cloud Services

We use internet-accessible software services (cloud services / Software as a Service) for the storage and management of content. In this context, personal data may be processed and stored on the providers' servers.

Types of data processed: Master data, contact data, content data, usage data
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)

Microsoft Cloud Services — Cloud storage, cloud infrastructure services and cloud-based application software.
Provider: Microsoft Ireland Operations Limited, One Microsoft Place, Leopardstown, Dublin 18, Ireland.
Privacy: privacy.microsoft.com/de-de/privacystatement
Third-country transfer: EU/EEA & Switzerland — DPF + Standard Contractual Clauses.

Google Cloud Services — Cloud infrastructure services and cloud-based application software.
Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland.
Privacy: policies.google.com/privacy
Third-country transfer: EU/EEA & Switzerland — DPF + Standard Contractual Clauses.

Newsletters and Electronic Notifications

We send our newsletter exclusively on the basis of the double opt-in procedure and with the express consent of recipients pursuant to Art. 6(1)(a) GDPR.

Content: M&A news, information on business sales and acquisitions, sector insights, event announcements.

Double opt-in procedure: After registering via our form, you will receive a confirmation e-mail containing a personalised link. Your registration will only be activated once you click on this confirmation link. Without this confirmation, you will not receive any newsletters.

Data processed: E-mail address, time of registration, time of confirmation, confirmation token
Distribution: We send the newsletter ourselves via our own SMTP infrastructure (IONOS SE, Germany). No external newsletter service provider is used.
Retention period: Your e-mail address is retained until you unsubscribe. Following unsubscription, we retain evidence of the consent given for up to three years in order to be able to demonstrate our legal authorisation.
Opt-out: You may withdraw your consent to receive our newsletter at any time. An unsubscribe link can be found at the bottom of every newsletter e-mail and directly at /newsletter/abmelden/ (the link is included individually for you in each e-mail).
Legal basis: Consent (Art. 6(1)(a) GDPR)

Webinar Registration

We regularly offer free online webinars on topics relating to business sale and M&A in the mid-market. Registration is required for participation.

Data processed: Name, e-mail address, company (optional), telephone (optional)
Purpose: Sending webinar access credentials and technical participation information, as well as post-webinar follow-up information
Legal basis: Consent (Art. 6(1)(a) GDPR) — registration is based on active confirmation of the data protection checkbox in the registration form
Retention period: Registration data is retained for up to 30 days after the webinar and subsequently deleted.
Disclosure to third parties: Registration data is not disclosed to third parties.

Marketing Communications via E-Mail, Post, Fax or Telephone

We process personal data for the purposes of marketing communications via various channels in accordance with applicable legal requirements. Recipients have the right to withdraw consent at any time or to object to marketing communications at any time.

Following withdrawal or objection, we retain data required to demonstrate prior authorisation for up to three years after the end of the year of withdrawal. To avoid further contact, we retain relevant contact details in a suppression list (blocklist).

Types of data processed: Master data, contact data, content data
Legal bases: Consent (Art. 6(1)(a) GDPR), legitimate interests (Art. 6(1)(f) GDPR)

Web Analytics, Monitoring and Optimisation

Web analytics is used to evaluate visitor flows to our online offering. Reach analysis enables us to identify when our online offering is used most frequently and which areas require optimisation. IP addresses are pseudonymised via IP masking. No clear-text data (such as e-mail addresses or names) is stored.

Types of data processed: Usage data, meta and communication data
Security measures: IP masking (pseudonymisation of IP address)
Legal bases: Consent (Art. 6(1)(a) GDPR), legitimate interests (Art. 6(1)(f) GDPR)

Google Analytics 4 (GA4) — Measurement and analysis of the use of our online offering based on pseudonymous user identification numbers. We use Google Analytics 4 with Consent Mode v2: tracking is disabled by default and is only activated upon your express consent. GA4 does not log individual IP addresses for EU users (IP anonymisation active).
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Legal basis: Consent (Art. 6(1)(a) GDPR) — no tracking without active consent.
Opt-out: tools.google.com/dlpage/gaoptout
Third-country transfer: EU/EEA & Switzerland — DPF + Standard Contractual Clauses.

Google Tag Manager — Software for the centralised management of website tags via a user interface. The Tag Manager itself does not create user profiles and does not store cookies containing user profiles.
Provider: Google Ireland Limited, Dublin 4, Ireland.
Legal basis: Consent (Art. 6(1)(a) GDPR).
Third-country transfer: EU/EEA & Switzerland — DPF + Standard Contractual Clauses.

Presence on Social Networks (Social Media)

We maintain online presences within social networks and process user data in this context in order to communicate with users active on those platforms or to provide information about us. User data may be processed outside the EU.

Types of data processed: Contact data, content data, usage data
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)

LinkedIn — Social network; we are jointly responsible with LinkedIn Ireland Unlimited Company for the collection of data from visitors to our LinkedIn profiles (Page Insights). We have entered into a "Page Insights Joint Controller Addendum" agreement with LinkedIn.
Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
Privacy: linkedin.com/legal/privacy-policy
Third-country transfer: EU/EEA & Switzerland — DPF + Standard Contractual Clauses.

Instagram — Social network; sharing of photos and videos, comments, messaging.
Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
Privacy: privacycenter.instagram.com/policy/
Third-country transfer: EU/EEA & Switzerland — DPF.

TikTok — Our website contains a link to our TikTok profile. Clicking the link leads to the TikTok platform, which collects its own data.
Provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland.
Privacy: tiktok.com/legal/page/eea/privacy-policy/de-DE
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — link only, no embedded content.

Plug-ins and Embedded Functions and Content

We embed functional and content elements in our online offering that are sourced from the servers of their respective providers (third-party providers), e.g. graphics, videos or maps. Such embedding always requires those third-party providers to process the user's IP address.

Types of data processed: Usage data, meta and communication data, contact data, content data
Legal bases: Consent (Art. 6(1)(a) GDPR), legitimate interests (Art. 6(1)(f) GDPR)

Google Fonts — Provision of fonts and symbols for technically secure and consistent display. The provider receives the IP address and technical data. According to Google's own statement, Google does not use any of the information collected via Google Fonts to build profiles of end users or to serve targeted advertisements.
Provider: Google Ireland Limited, Dublin 4, Ireland.
Third-country transfer: EU/EEA & Switzerland — DPF.

Cal.com (Appointment booking) — On our initial consultation page, we embed the appointment booking tool Cal.com. When you book an appointment, your name, e-mail address and chosen time slot are transmitted to and processed by Cal.com.
Provider: Cal.com, Inc., 2261 Market Street, Suite 5765, San Francisco, CA 94114, USA (EU data processing via EU servers).
Privacy: cal.com/privacy
Data processed: Name, e-mail address, appointment data, IP address.
Legal basis: Consent (Art. 6(1)(a) GDPR) / performance of a contract (Art. 6(1)(b) GDPR).

Management, Organisation and Auxiliary Tools

We use services, platforms and software from third-party providers for the purposes of organising, managing, planning and providing our services. In this context, personal data may be processed and stored on the servers of those third-party providers.

Types of data processed: Content data, usage data, meta and communication data
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)

GitHub — Platform for version control of software projects.
Provider: GitHub B.V., Netherlands.
Privacy: docs.github.com/de/site-policy/privacy-policies/github-general-privacy-statement

Microsoft 365 — Internal communications, document editing and collaboration.
Provider: Microsoft Ireland Operations Limited, Dublin 18, Ireland.
Privacy: privacy.microsoft.com/de-de/privacystatement
Third-country transfer: EU/EEA & Switzerland — DPF + Standard Contractual Clauses.

Processing of Data in the Context of Employment Relationships

In the context of employment relationships, personal data of employees is processed to the extent necessary for the establishment, performance or termination of the employment relationship.

Types of data processed: Employee data (e.g. personnel master data, payroll data, holiday and sickness data, communication data, contract and performance data)
Data subjects: Employees (workers, trainees, interns)
Purposes: Personnel management, payroll processing, personnel development, occupational health and safety, security measures, internal communications
Legal bases: § 26 BDSG; Art. 6(1)(b) GDPR (performance of a contract); Art. 6(1)(c) GDPR (legal obligations); Art. 6(1)(f) GDPR (legitimate interests)

DATEV — Payroll and accounting.
Provider: DATEV eG, Paumgartnerstr. 6–14, 90429 Nuremberg, Germany.
Privacy: datev.de/web/de/datev/unternehmen/datenschutz/

Retention Periods

Personnel file: 10 years after termination of employment (§ 257 HGB, § 147 AO)
Payroll records: 10 years (§ 147 AO)
Working time records: 2 years (§ 17 MiLoG)
Sickness notifications / certificates: 3 years after end of calendar year

Recruitment Process

We process applicant data only for the purpose of and in the context of the recruitment process. Processing is carried out on the basis of § 26 BDSG in conjunction with Art. 88 GDPR and Art. 6(1)(b) GDPR (initiation of an employment relationship). In the event of rejection, applicant data is deleted no later than 6 months after the decision.

Types of data processed: Applicant data (CV, evidence of qualifications, cover letter, references, contact details)
Purpose: Conducting the recruitment process, decision on appointment

LinkedIn Recruiter — Identification and approach of potential candidates; job postings.
Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
Privacy: linkedin.com/legal/privacy-policy
Third-country transfer: EU/EEA & Switzerland — DPF + Standard Contractual Clauses.

Amendments and Updates

We ask you to inform yourself regularly about the content of our Privacy Policy. We update the Privacy Policy as and when changes to our data processing activities require it. We will notify you as soon as an amendment requires action on your part (e.g. consent) or any other individual notification.

Where we provide addresses and contact information of companies and organisations in this Privacy Policy, please note that addresses may change over time and we ask that you verify the information before making contact.

Definitions

This section provides an overview of the terms used in this Privacy Policy. Where terms are defined by law, their statutory definitions apply.

Employee data: Personal data of employees (including applicants and former employees) in the context of the employment relationship (§ 26 BDSG).
Master data: Data that serves to establish, give content to or amend a contractual relationship (e.g. name, address).
Content data: Data entered in the course of using online offerings (e.g. form inputs, reviews).
Contact data: Data recorded during contact or in a contract, such as name, e-mail address, telephone number.
Meta, communication and procedural data: Technical data such as IP addresses, timestamps, device identifiers, browser type.
Usage data: Data generated through the use of the online offering (e.g. pages visited, clicks, time spent).
Personal data: Any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).
Log data: Data automatically generated by systems, such as access logs (log files).
Controller: The natural or legal person that determines the purposes and means of processing personal data (Art. 4(7) GDPR).
Processing: Any operation carried out in relation to personal data (collection, storage, use, transmission, deletion, etc.) — Art. 4(2) GDPR.
Payment data: Data required for the processing of payments (bank details, credit card number, billing address).