(Status: 11/2025)

We inform you here about the processing of personal data when you use our online presence. This online privacy policy applies, accordingly, to this online presence as well as to our social media profiles.

Personal data is all data that can be related to you personally, including your name, address, email address, IP address and user behaviour.

With regard to the terms used, such as ‘processing’, ‘controller’ and ‘data subject’, please refer to the definitions in Art. 4 GDPR. The following, in particular, can be found there:

‘Personal data’ means any information relating to an identified or identifiable natural person (the ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4 para. 1 GDPR).

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as

collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 para. 2 GDPR).

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 para. 7 GDPR).

‘Processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art. 4 para. 8 GDPR).

The terms ‘processing’ and ‘personal data’ in particular are very broad, so that almost any handling of data can be understood to be included under them.

1. Who is the responsible body?
2. Is there a data protection officer?
3. Who is affected by the data processing?
4. What data do we collect from you and for what purposes or on what legal basis do we process it?
5. To whom do we transfer your data?
6. Will your data be transferred outside the EU?
7. How long do we process your data?
8. What are your rights?
9. When and how can you object to data processing?
10. When and how can you withdraw your consent?
11. Where can you complain?
12. When and why is it necessary to provide your data?
13. Does automated decision-making (e.g. profiling) take place?
14. How can you get in touch with us?
15. How do we secure our website?
16. What are cookies and how do we use them?
17. How do we process your data when you use our contact form?
18. How do we handle applicant data?
19. How and why do we use Google Fonts?
20. How and why do we use a hosting service provider?

1. Who is the responsible body?

We are responsible for the processing of your data:

prometho GmbH
Managing Directors: Ruth Hoffmann, Jens Christoph Hoffmann
Beim Weissen Stein 13
56579 Bonefeld, Germany

Phone: 0 26 34 / 980 488
Email: info@prometho.de

2. Is there a data protection officer?

We are not legally obliged to appoint a data protection officer.

3. Who is affected by the data processing?

If you visit our online presence (website, social media profiles), e.g. as an interested party, customer, supplier, service provider or other visitor, your personal data will be processed in accordance with the statutory provisions and this declaration. All visitors to our online presence are referred to collectively under the term ‘user’.

4. What data do we collect from you and for what purposes or on what legal basis do we process it?

If you visit our website without registering or transmitting information to us in any other way, only the personal data that the browser you are using transmits to the web server will be processed. To the best of our knowledge, the data listed below, which is technically necessary to display our website and to ensure its stability and security, will then be processed:

– IP address of the requesting computer;

– date and time of the enquiry;

– time zone difference to Greenwich Mean Time (GMT);

– name and URL of the retrieved file;

– access status/HTTP status code;

– data volume transferred;

– website from which the enquiry originates (referrer URL);

– browser used/browser version;

– language setting;

– operating system/version.

If you also transmit personal data to us, e.g. in the course of an enquiry by email, we may also, among other things, process the following data:

– inventory data (e.g. name, address);

– contact data (e.g. email address, telephone number);

– content data (e.g. text input);

– usage data (e.g. sites visited);

– communication data/metadata (e.g. IP addresses).

We also process the following personal data, if you provide them, for the purposes of providing contractual services, service and customer care, as well as marketing/advertising:

– contract data (e.g. subject matter of the contract, customer number)
– payment data (e.g. bank details).

When you visit our website, we process your personal data for the following purposes:

– providing the functions and content of our online offering;

– ensuring a smooth connection to our website;

– ensuring our website is convenient to use;

– evaluating and ensuring system security and stability, as well as general security measures;

– answering any contact enquiries or communicating with you;

– other administrative purposes;

– provision of contractual services;

– customer service;

– marketing/advertising.

Unless we quote a specific legal basis in this privacy policy, the following applies to the processing of your personal data: the legal basis for obtaining consent is Art. 6 para. 1 (a), Art. 7 GDPR; the legal basis for data processing for the fulfilment of our services and the implementation of (pre-)contractual measures, as well as for the purpose of answering any enquiries, is Art. 6 para. 1 (b) GDPR; the legal basis for data processing for the fulfilment of legal obligations is Art. 6 para. 1 (c) GDPR. If the vital interests of the data subject or another natural person make data processing necessary, the legal basis is Art. 6 para. 1 (d) GDPR. Data processing to protect our legitimate interests is carried out on the basis of Art. 6 para. 1 (f) GDPR. Our legitimate interest arises from the above-mentioned purposes of data collection.

If, in the course of processing your personal data, we disclose it to third parties, transfer it to them or otherwise grant them access to the data, this is done exclusively on the basis of legal permission insofar as you have consented to this, if we are legally obliged to do so or on the basis of our legitimate interests. Legal permission exists in particular if the transfer of data is necessary for the fulfilment of contractual obligations (e.g. with payment or shipping service providers). A legitimate interest may exist if we use data for direct advertising or to prevent fraud or if you are a customer of ours. There may also be a legitimate interest, e.g. when using web or email hosts, cloud providers or similar service providers. Such service providers often act as ‘processors’ on the basis of a corresponding contract. They are also obliged to comply with data protection regulations and to guarantee this contractually. The legal basis for such order processing relationships is Art. 28 GDPR.

5. To whom do we transfer your data?

Unless otherwise stated in the privacy policy, we regularly work with the following recipients in particular:

– web hoster

We select external service providers carefully. In the case of order processing relationships (Art. 28 GDPR), these companies are contractually bound by our instructions and are regularly monitored by us. In the case of joint controllership (Art. 26 GDPR), there are corresponding contractual obligations

Basics. Further information can be found in the following descriptions of the individual services.

The legal basis for the transfer of your personal data is stated above under point 04.

6. Will your data be transferred outside the EU?

Your personal data will only be transferred to third countries (i.e. outside the EU or the EEA) or to an international organisation in exceptional cases. Further information can be found in the following descriptions of the individual services.

If we process your personal data in a third country, or have it processed by third parties, this will only take place if the purpose is to fulfil our (pre-)contractual obligations or on the basis of your consent, a legal obligation or our legitimate interests. Your personal data will only be processed in a third country if the special requirements of Art. 44 et seq. GDPR are met, unless legal or contractual permission exists in individual cases. This means that data processing is carried out, for example, on the basis of special guarantees, such as the officially recognised determination of a level of data protection corresponding to that of the European Union (known as an adequacy decision) or compliance with special, recognised contractual obligations (in particular the EU standard contractual clauses).

7. How long do we process your data?

The duration of the storage of your personal data is regularly based on existing statutory retention periods (e.g. under commercial or tax law). Unless otherwise stated below, your personal data will routinely be deleted after the expiry of any relevant period if they are no longer required for contract fulfilment or contract initiation, if we no longer have a legitimate interest in further storage and/or if you have not consented to further storage.

In Germany, there are special retention periods in the following areas, among others:

– in accordance with commercial law (six years, e.g. for opening balance sheets, annual financial statements, accounting documents, etc.);

– in accordance with tax law (eight or 10 years for all tax-relevant documents);

– in accordance with employment law (six months for documents relating to rejected applicants).

8. What are your rights?

You have the following rights vis-à-vis us with regard to the processing of your personal data:

– right to information (Art. 15 GDPR);

– right to rectification (Art. 16 GDPR);

– right to erasure (Art. 17 GDPR);

– right to restriction of processing (Art. 18 GDPR);

– right to data portability (Art. 20 GDPR);

– right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR);

– right to object (Art. 21 GDPR);

– right to withdraw consent given (Art. 7 para. 3 GDPR);

– right to lodge a complaint (Art. 77 GDPR).

The latter three rights are explained in more detail below. If you have any questions about your rights, please do not hesitate to contact us. The contact details can be found above in the sections on the responsible body.

9. When and how can you object to data processing?

If your personal data is processed on the basis of legitimate interests in accordance with Art. 6 para. 1 (f) GDPR, you have the right to object to the data processing at any time. This means that we will no longer be permitted to continue processing your personal data in the future unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the data processing serves to assert, exercise or defend legal claims.

However, the right to object only applies if there are reasons for this arising from your particular situation or if your objection is directed against direct advertising. In the latter case, you have a general right to object, which will be implemented by us without your having to specify a particular situation.

If you wish to exercise your right to object, simply send a message to our postal address or an email (see point 01 above).

10. When and how can you withdraw your consent?

You can revoke your consent to us at any time. As a result, we will no longer be permitted to continue processing your personal data based on this consent in the future.

If you wish to exercise your right of withdrawal, simply send a message to our postal address or an email (see point 01 above).

11. Where can you complain?

With regard to the processing of your personal data by us, you have the right to lodge a complaint with a data protection supervisory authority. A list of the German data protection supervisory authorities can be found at the following address:

www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

12. When and why is it necessary to provide your data?

You provide us with your personal data (e.g. name or email address) when you submit support or other enquiries.

The provision of some of your personal data is required by law (e.g. by tax regulations). It may also be necessary for the implementation of (pre-) contractual measures. Failure to provide your personal data would mean that the contract with you could not be concluded or that your enquiry could not be answered.

The provision of the following data in particular is mandatory for the performance of contracts or pre-contractual measures or for communication with us:

– name/company;

– email address;

– telephone number, if applicable (e.g. for queries or answering customer enquiries);

– customer number, if applicable (e.g. for support activities).

Unless otherwise stated in this privacy policy, the provision of all other information is voluntary.

13. Does automated decision-making (e.g. profiling) take place?

No automated decision-making, including profiling, takes place.

14. How can you get in touch with us?

You can contact us e.g. by post, telephone, email or contact form. Our contact details can be found above, under the details of the responsible body.

If you contact us, e.g. by email or using a contact form, we automatically store the personal data you voluntarily transmit to us for the purpose of processing your enquiry or contacting you. This data will not be passed on to third parties unless you have consented to this.

15. How do we secure our website?

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the varying degrees of likelihood and severity of risk for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR). These measures include, in particular, safeguarding the confidentiality, integrity and availability of data. In addition, we have set up business processes that ensure, in particular, the protection of data subjects’ rights, the erasure of data and also the response to data breaches. In addition, we observe the principles of data protection law, including data protection through technology design and data protection-friendly default settings (privacy by design and privacy by default, Art. 25 GDPR).

For security reasons, and to protect the transmission of your personal data and other confidential content, we use encrypted transmission on our website with the aid of an SSL/TLS certificate. You can recognise this by the fact that ‘https’ (instead of ‘http’), a lock symbol and a different colour display appear in the address line of your browser.

16. What are cookies and how do we use them?

We use ‘cookies’ on our website. These are small files with textual content that are saved by your browser and stored on your end device. The legal basis for the use of cookies is Art. 6 para. 1 (f) GDPR or, if applicable, your consent (Art. 6 para. 1 (a) GDPR). Further information on the cookies we use can be found in our ‘Cookie Policy (EU)’ under the corresponding menu item.

You have the option of setting your browser so that you are informed about the setting of cookies and can also decide in each individual case whether to accept or reject

them. Each browser differs in the way it manages cookie settings. Further information can be found in the help menu of each browser. Please note that if you do not accept cookies the functionality of our website may be limited.

17. How do we process your data when you use our contact form?

If you contact us by email or using our contact form, the personal data you provide will be stored automatically. Such personal data voluntarily transmitted to us by you will be processed for the purpose of handling your enquiry or contacting you. These data will not be passed on to third parties without your consent. The legal basis for the use of the contact form is Art. 6 para. 1 (f) GDPR.

18. How do we handle applicant data?

As required, we also offer on our website job advertisements to which you can respond in electronic form (i.e. by email or PDF file); we also accept unsolicited applications. Applicants’ data will be processed electronically for the purpose of handling the application procedure. These application data include, in particular, name, address, telephone number, email address,
date of birth, information on education or grades.

If an application results in the conclusion of an employment contract, the application data may be stored for the usual organisational and administrative process of the respective personnel file. Otherwise, i.e. in the event of rejection of applicants, the application data will be deleted six months after notification of rejection. This applies in any case if there are no specific legal requirements to the contrary or if the respective applicant has expressly consented to longer storage of their application data.

19. How and why do we use Google Fonts?

We use Google Fonts on our website to integrate external fonts (provider: Google Ireland Ltd, Gordon House, Barrow Street, Dublin, 4 Ireland). When you access our website, the required fonts are loaded into the cache of your browser in order to display the content of our website correctly.

Google Fonts are located locally on our web server so that no connection to the Google servers is established. Further information on Google WebFonts can be found at the following address: developers.google.com/fonts/faq. Google’s privacy policy can be found at the following address: policies.google.com/privacy?

The processing of your data (e.g. the IP address) represents a legitimate interest for us in accordance with Art. 6 para. 1 (f) GDPR.

20. How and why do we use a hosting service provider?

This website is hosted externally. The personal data collected on this website is stored on the web host’s servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated via a website.

External hosting is carried out for the purpose of contract fulfilment towards our potential and existing customers (Art. 6 para. 1 (b) GDPR) and in the interest of secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 (f) GDPR). If appropriate consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 (a) GDPR and Section 25 para. 1 TDDDG (German Telecommunications Digital Services Data Protection Act), insofar as the consent includes the storage of cookies or access to information in the user’s terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Our web host will only process your data to the extent necessary to fulfil its performance obligations and follow our instructions with regard to this data.

We use the following web host:

ISP maxxi.de e. K.
Marktredwitzer Str. 1
95701 Pechbrunn, Germany