Data Privacy Policy

Processing of (personal) data by the website operator (Personio)

1. General information

This website is provided by the company Personio GmbH & Co. KG, a business with headquarters in Germany that offers human resource and applicant management software (https://www.personio.com/legal-notice/). We provide you with this data privacy policy to inform you of how we handle your personal data collected on this website, our application and services.

2. Data controller

The controller under data protection law is:
Personio GmbH & Co. KG
Rundfunkplatz 4
80335 München
Phone: +49 / 89 1250 1005
Commercial register entry number: HRA 115934
Registration Court: Amtsgericht München (Munich Local Court)
Data Protection Officer contact: datenschutz@personio.de

3. Access and activity logs (“server logs”)

Each access to this website automatically causes general protocol data, so-called server logs, to be collected. As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual.

Without this data, it would, in some cases, be technically impossible to deliver or display the contents of the software. In addition, processing this data is absolutely necessary under security aspects, in particular for access, input, transfer, and storage control. Furthermore, this anonymous information can be used for statistical purposes and for optimizing services and technology. In addition, the log files can be checked and analyzed retrospectively when unlawful use of the software is suspected. The legal basis for this is section 15 subsection 1 of the German Telemedia Act (TMG), as well as article 6 (1) f of the GDPR.

Generally, data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp of the access to the software is collected. The scope of this log process does not exceed the common log scope of any other site on the web.

These access logs are stored for a period of up to 7 days. There is no right to object to this.

4. Error logs

So-called error logs are generated for the purpose of identifying and fixing bugs. This is absolutely necessary to ensure we can react as quickly as possible to possible problems with displaying and implementing content (legitimate interest). As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. The legal basis for this is section 15 subsection 1 of the German Telemedia Act (TMG), as well as article 6 (1) f) of the GDPR.

When an error message occurs, general data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp upon occurrence of the respective error message and/or specification is collected.

These error logs are stored for a period of up to 7 days. There is no right to object to this.

5. Use of cookies

So-called cookies are used on parts of this website. They are small text files which are stored on the device with which you access this website. Different categories of cookies are used:

  • Essential cookies are necessary for ensuring the core functionality of our website
  • Functional cookies are cookies that are used for tracking user behaviour on our website to improve the functionality of our website
  • Marketing cookies are cookies we are using for serving interest-based ads
  • External media cookies: These cookies serve the purpose of displaying external media (such as videos or maps)

The legal basis for the use of essential cookies is Art. 6 (1) (f) GDPR -a legitimate interest. Our legitimate interest for the usage of these cookies is providing a functioning website.

The legal basis for the usage of the other cookies is Art. 6 (1) (a) GDPR — your consent. Without your consent no non-essential cookies will be set. You can withdraw your consent anytime with effect for the future here. Alternatively, you can deactivate all non-essential cookies using this Opt-Out-Link.

6. Use of third-party provider tools

In order to provide and continuously improve our services, we are using the services of the following third-party providers which may also process personal data. These third-party providers have been selected diligently and in line with the requirements of the GDPR.

a. Google

Unless otherwise stated in the data privacy policy, the operator of all Google services mentioned here is Google Ireland Limited,Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

i. Google Maps

This website incorporates the API service “Google Maps” in order to be able to depict geographical information. The use of Google Maps makes it possible for Google to collect, process and use data on your use of the service.  By using Google Maps, information about the use of this website including your IP address and the (start) address entered in the route planner function can be transmitted to Google in the USA.  The map content is transmitted by Google directly to your browser and integrated by it into the website. Personio has no influence on the scope of the data collected by Google in this way. Personio also has no influence on the further processing and use of the data by Google. We have no influence and therefore cannot accept any responsibility for this.You can find further information on the processing of your data by Google at the Google data privacy information.

The following data is collected and processed:

  • IP addresses
  • Location information
  • Usage data
  • Date and time of visit
  • URLs

The legal basis for this data processing is your consent according to Art. 6 (1)(a) GDPR.If you do not want Google to collect, process or use data about you via our website, you can refuse your consent or withdraw it at any time with effect for the future. 

The data will be stored for as long as it is necessary for the purpose of the procession. The data will be deleted as soon as it is no longer needed for the processing purposes.

As part of the processing, the data may be transferred to the following recipients besides Google Ireland Limited:

  • Google LLC.
  • Alphabet Inc.

Data may be transferred to the USA as part of processing by Google Maps. The security of the transmission is ensured by so-called standard contractual clauses, which guarantee that the processing of personal data is subject to a security level that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to ensure an adequate level of security, we will obtain your consent in accordance with Art. 49 (1)(a) GDPR prior to the data processing.

ii. Google Tag Manager 

This website uses the service “Google Tag Manager”. The tag manager is a tool for managing so-called tags that are used during tracking in online marketing. In doing so, the tag manager does not process any personal data, since it merely serves to manage other services – e.g., Google Analytics, etc. 

You can find further information on the tag manager at: https://www.google.com/intl/de/tagmanager/use-policy.html

iii. Google Analytics

This website uses the service “Google Analytics”. The operator of this service is the company Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Analytics is a web analysis service, and, by placement of cookies and the information acquired by this, it enables us to make inferences about user behavior on our website.  The information generated by the cookies is sent to a Google server in the USA and stored there. Our website uses the service Google Analytics on an exclusively pseudonymous basis. Your IP address is only recorded in abbreviated form and is hence anonymized.

The following data is collected and processed:

  • IP-Addresses (anonymized)
  • Usage data
  • Click path
  • App updates
  • Browser information
  • Device information
  • JavaScript support
  • Pages visited
  • Referrer URL
  • Downloads
  • Flash-version
  • Location information
  • Purchase activity
  • Widget interactions
  • Date and time of visit

The legal basis of the processing is your consent according to Art. 6 (1)(a) GDPR.. If you do not want Google Analytics to collect and process the aforementioned data, you can refuse your consent or withdraw it at any time with effect for the future.

The data will be stored for as long as it is necessary for the purpose of the procession. The data will be deleted as soon as it is no longer needed for the processing purposes.

As part of the processing, the data may be transferred to the following recipients besides Google Ireland Limited:

  • Google LLC.
  • Alphabet Inc.

Data may be transferred to the USA as part of processing by Google Analytics. The security of the transmission is ensured by so-called standard contractual clauses, which guarantee that the processing of personal data is subject to a security level that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to ensure an adequate level of security, we will obtain your consent in accordance with Art. 49 (1)(a) GDPR prior to the data processing.

iv. Google Audiences / Remarketing

This website uses the service “Google Audiences/Remarketing”. The operator of this service is the company Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. The purpose of this service is to display advertising to users based on their interests. This requires conducting an analysis of website use, which is carried out using cookies. In this process, the cookies store anonymized or pseudonymized data regarding the use of the website.  If you visit additional websites that also use these services, then you will be shown advertising that matches your previous interests. You can find more information at https://www.google.com/privacy/ads/

The following data is collected and processed:

  • Pages visited
  • IP Addresses
  • Duration of visit
  • Other data on use of websites
  • Content user is interested in

The legal basis of the processing is your consent according to Art. 6 (1)(a) GDPR. If you do not want Google Audiences to collect and process the aforementioned data, you can refuse your consent or withdraw it at any time with effect for the future.

The data will be stored for as long as it is necessary for the purpose of the procession. The data will be deleted as soon as it is no longer needed for the processing purposes.

As part of the processing, the data may be transferred to the following recipients besides Google Ireland Limited:

  • Google LLC.
  • Alphabet Inc.

Data may be transferred to the USA as part of processing by Google Audiences. The security of the transmission is ensured by so-called standard contractual clauses, which guarantee that the processing of personal data is subject to a security level that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to ensure an adequate level of security, we will obtain your consent in accordance with Art. 49 (1)(a) GDPR prior to the data processing.

v. Google Ads (formerly GoogleAdwords) and Google Ads Conversion Tracking

This website uses the service “Google AdWords”. The operator of this service is the company Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. The purpose of this service is so-called conversion tracking, i.e., we can detect what happened after you clicked on our advertisements. Cookies are placed for this purpose, but they are only valid for a limited time.

The following data is collected and processed:

  • Cookie-ID
  • Visited Pages
  • IP Addresses
  • Duration of visit
  • Usage data
  • Content user is interested in
  • Clicked Ads
  • Web requests
  • Cookie information
  • Referrer URL
  • Browser language
  • Browser type

The legal basis of the processing is your consent according to Art. 6 (1)(a) GDPR. If you do not want Google Ads to collect and process the aforementioned data, you can refuse your consent or withdraw it at any time with effect for the future.

The data will be stored for as long as it is necessary for the purpose of the procession. The data will be deleted as soon as it is no longer needed for the processing purposes.

As part of the processing, the data may be transferred to the following recipients besides Google Ireland Limited:

  • Google LLC.
  • Alphabet Inc.

Data may be transferred to the USA as part of processing by Google Ads. The security of the transmission is ensured by so-called standard contractual clauses, which guarantee that the processing of personal data is subject to a security level that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to ensure an adequate level of security, we will obtain your consent in accordance with Art. 49 (1)(a) GDPR prior to the data processing.

vi. YouTube

This website uses the service “YouTube” to insert videos into the page. The operator of the software necessary for this purpose is the company Google Ireland Limited Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. 

The integration of YouTube content is carried out in “extended privacy mode”. This ensures that YouTube does not initially store cookies on your device. As a result, YouTube no longer stores any information about visitors until you watch the video.

When you click on the video, your IP address is sent to YouTube, which tells YouTube that you have watched the video. If you are logged in to YouTube, this information is also associated with your account. This can be prevented by logging out of YouTube before viewing the video.

Accordingly, the following data can be collected and processed:

  • IP Addresses
  • Referrer URL
  • Device Information
  • Watched videos

The legal basis of the processing is your consent according to Art. 6 (1)(a) GDPR. If you do not want YouTube to collect and process the aforementioned data, you can refuse your consent or withdraw it at any time with effect for the future.

The data will be stored for as long as it is necessary for the purpose of the procession. The data will be deleted as soon as it is no longer needed for the processing purposes.

As part of the processing, the data may be transferred to the following recipients besides Google Ireland Limited:

  • Google LLC.
  • Alphabet Inc.

Data may be transferred to the USA as part of processing by YouTube. The security of the transmission is ensured by so-called standard contractual clauses, which guarantee that the processing of personal data is subject to a security level that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to ensure an adequate level of security, we will obtain your consent in accordance with Art. 49 (1)(a) GDPR prior to the data processing.

vii. Google Web Fonts

On this website the service Google Web Fonts is used. The service is provided by Google Ireland Limited Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.  Google Web Fonts enables us to load and display external fonts, so-called Google Fonts, on our website. Google Web Fonts is locally integrated on our website. This means that the fonts are not loaded from Google servers. 

In the context of processing via Google Web Fonts, the following personal data is collected and processed:

  • IP address

The legal basis for this processing is Art. 6 (1)(f) GDPR — a legitimate interest. Our legitimate interest in the processing is to present the website in an attractive and user-friendly manner. Local hosting ensures that no data is transferred to Google, and no data transfer takes place. 

Personal data is stored for as long as it is necessary to fulfill the purpose of processing. The data is deleted as soon as it is no longer required for the purpose.

b. Facebook Custom Audiences and Facebook Pixel

This website uses the service “Facebook Custom Audiences”. For this service Facebook-Pixel is used. Operator of this service is Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin, D02, Ireland. This service enables us to show the user advertising related to their interests on the social network – Facebook.

For this purpose we have implemented the Facebook Remarketing Tag on our website. When you visit the website, this tag creates a direct link with Facebook’s servers. This gives Facebook information on the pages that you have visited our website. Facebook then compares this with your Facebook user account. The next time that you visit Facebook, you will be shown customized advertisements – Facebook Ads – related with your interests. You can find further information in Facebook’s data privacy instructions: https://www.facebook.com/about/privacy/.

The following data is collected and processed:

  • Facebook-User-ID
  • IP Addresses
  • Browser information
  • Non-sensitive custom data
  • Facebook cookie information
  • Referrer URL
  • Pixel specific data
  • Pixel ID
  • Social media friend network
  • Usage Data
  • Views and interactions with content and ads
  • Viewed content
  • Device information
  • Success of marketing campaigns
  • transaction information
  • Hardware/software type
  • Browser type
  • Device operating system
  • Location
  • Cookie ID
  • Information from third party sources
  • User agent
  • Conversion

The legal basis of the processing is your consent according to Art. 6 (1)(a) GDPR. If you do not want Facebook to collect and process the aforementioned data, you can refuse your consent or withdraw it at any time with effect for the future.

The data will be stored for as long as it is necessary for the purpose of the procession. The data will be deleted as soon as it is no longer needed for the processing purposes.

As part of the processing, the data may be transferred to the following recipients besides Facebook Ireland Limited :

  • Facebook Inc.

Data may be transferred to the USA as part of processing by Facebook. The security of the transmission is ensured by so-called standard contractual clauses, which guarantee that the processing of personal data is subject to a security level that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to ensure an adequate level of security, we will obtain your consent in accordance with Art. 49 (1)(a) GDPR prior to the data processing.

c. BingAds

This website uses the service “BingAds”. BingAds is a conversion and tracking service of the Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.

Microsoft places cookies in the users’ devices that analyze the user behavior on our website. This presupposes that the user has reached our website through a BingAds advertisement. This only serves to provide use with information on the total number of users who have clicked on this type of advertisement. In this process, no IP addresses are stored, and no personal information on our users’ identity is shared. You can find further information in Microsoft’s data privacy statement in: https://privacy.microsoft.com/de-de/privacystatement.

The following data is collected and processed:

  • Engagement metrics
  • Number of visits
  • Bounce rates
  • Microsoft Click ID
  • Digital signature
  • UET ID tag
  • URLs
  • Referrer URL
  • Page title
  • Conversions
  • Screen height
  • Screen width
  • Browser language setting
  • Duration of visit
  • Screen color depth
  • Page response times
  • Clicked Advertisement

The legal basis of the processing is your consent according to Art. 6 (1)(a) GDPR. If you do not want Microsoft to collect and process the aforementioned data, you can refuse your consent or withdraw it at any time with effect for the future.

The data will be stored for as long as it is necessary for the purpose of the procession. The data will be deleted as soon as it is no longer needed for the processing purposes.

Data may be transferred to the USA as part of processing by Microsoft. The security of the transmission is ensured by so-called standard contractual clauses, which guarantee that the processing of personal data is subject to a security level that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to ensure an adequate level of security, we will obtain your consent in accordance with Art. 49 (1)(a) GDPR prior to the data processing.

d. Zendesk

On this website we are using the Customer Relationship Management (CRM)  “Zendesk”. Operator of this service is the company Zendesk Inc., 989 Market Street #300, San Francisco, CA 94102, USA. Zendesk is used to integrate contact forms and forward your requests to us. The use of Zendesk is optional. If you do not agree to Zendesk collecting your information, we offer alternative ways to contact you to submit service requests by phone or mail. To use Zendesk, you must provide at least one correct e-mail address. The service can also be used pseudonymously. Your data will not be passed on to any additional third parties. More information about the data processing of Zendesk can be found here

In addition, Zendesk sets cookies. These cookies are cookies that are technically necessary to ensure the technical functionality of the website and to protect the website from bot-driven attacks. 

Regarding the contact forms the following data can be collected and processed:

  • E-mail addresses
  • Names
  • Addresses

Regarding the cookies the following data can be collected and processed:

  • IP Adresses

If the data collected via contac forms is used to provide contractual services to data subjects, the legal basis for processing is Art. 6 (1)(b) GDPR . Furthermore, Art. 6 (1)(a) GDPR serves as legal basis, provided that you have consented to the data processing.

The data processing that takes place via the cookies is based on art. 6 (1)(f) GDPR — a legitimate interest. Our legitimate interest is that we must ensure the functionality and security of our website.

The personal data will be stored for as long as they are required to fulfil the purpose of processing. The data will be deleted as soon as they are no longer required for the purpose.

Data may be transferred to the USA as part of processing by Zendesk. The security of the transmission of data is secured via so-called standard contractual clauses and binding corporate rules. If these standard contractual clauses and binding corporate rules are not sufficient to establish an adequate level of security, Art. 49 (1)(a) GDPR can serve as a legal basis. Please note the reference to the risk of data transfer to an unsafe country under sub-item “7. Forms”.

e. Capterra

On this website we use Capterra for our online marketing activities. Capterra is operated by the company Capterra Inc., a software company with headquarters at 901 North Glebe Road, Suite 1010, Arlington, VA 22203, USA.

If you initiate a so-called conversion event on a Personio website (e.g., registration for a user account or requesting a product demo), then Capterra will place cookies that will be required for purposes of marketing and analysis and will send the information to the servers of Capterra Inc. that a conversion event has taken place. More information about Capterra’s Privacy Policy. can be found here

The following data is collected and processed

  • IP Addresses
  • Data about Conversion Events

The legal basis of the processing is your consent according to Art. 6 (1)(a) GDPR. If you do not want Capterra to collect and process the aforementioned data, you can refuse your consent or withdraw it at any time with effect for the future.

The data will be stored for as long as it is necessary for the purpose of the procession. The data will be deleted as soon as it is no longer needed for the processing purposes.

Data may be transferred to the USA as part of processing by Capterra. The security of the transmission is ensured by so-called standard contractual clauses, which guarantee that the processing of personal data is subject to a security level that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to ensure an adequate level of security, we will obtain your consent in accordance with Art. 49 (1)(a) GDPR prior to the data processing.

f. HubSpot

On this website we use HubSpot for different purposes. HubSpot is a software company from the USA with a branch office in Ireland. Contact: HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland, Telephone: +353 1 5187500.

Hubspot is an integrated software solution that we use to cover different aspects of our online marketing. This includes, among others:

Email marketing, social media publishing & reporting, reporting, contact management (e.g., user segmentation & CRM), landing pages and contact forms. 

Our registration service enables visitors to our website to find out more about our company, to download contents and to provide their contact information, together with further demographic information. This information, together with the contents of our website are stored on the servers of our software partner HubSpot. We can use it to make contact with visitors to our website and to determine which of our company’s services are interesting for them. All information collected by us is subject to this data privacy policy. We use all information collected exclusively for optimizing our marketing measures. 

More information about the Privacy Policy can be found here.
More information about Hubspots  regarding the EU-Data Protection Regulations can be found here.

More Information about HubSpots Cookies can be found here and here.
As part of the optimization of our marketing activities, Hubspot may collect and process the following data:

  • Geographical position
  • Browser type
  • Navigation information
  • Reference URL
  • Performance data
  • Information about how often the application is used
  • Mobile apps data
  • HubSpot subscription service credentials
  • Files that are displayed on site
  • Domain names
  • Viewed pages
  • Aggregated use
  • Version of the operating system
  • Internet service provider
  • IP address
  • Device identification
  • Duration of the visit
  • Where the application was downloaded from
  • Operating system
  • Events that occur within the application
  • Access times
  • Clickstream data
  • Device model and version

We also use HubSpot’s contact forms. More information about this can be found at 7. of this Privacy Policy

The legal basis of the processing is your consent according to Art. 6 (1)(a) GDPR. If you do not want Hubspot to collect and process the aforementioned data, you can refuse your consent or withdraw it at any time with effect for the future.

The data will be stored for as long as it is necessary for the purpose of the procession. The data will be deleted as soon as it is no longer needed for the processing purposes.

Data may be transferred to the USA as part of processing by Hubspot. The security of the transmission is ensured by so-called standard contractual clauses, which guarantee that the processing of personal data is subject to a security level that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to establish an adequate level of security, Art. 49 (1)(a) GDPR can serve as a legal basis. Please note the reference to the risk of data transfer to an unsafe third-country under sub-item “7. Forms”.

g. LinkedIn

We use the retargeting tool and the conversion tracking of LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Ireland (“LinkedIn”). For this purpose the LinkedIn Insight Tag is incorporated into our webpage. LinkedIn uses it to collect statistical, pseudonymized data from your visit and use of our website and to provide us with the corresponding aggregated statistics based on these. In addition, this information serves to be able to show you relevant offers and recommendations specific to your interests, after you have inquired on the website about certain services, information and offers. The information in this regard is stored in a cookie. More information about Data Privacy of LinkedIn can be found here.

In this process this data will be collected and processed:

  • IP Address
  • Device information
  • Browser information
  • Referrer URL
  • Timestamp

The legal basis of the processing is your consent according to Art. 6 (1)(a) GDPR. If you do not want LinkedIn to collect and process the aforementioned data, you can refuse your consent or withdraw it at any time with effect for the future.

The data will be stored for as long as it is necessary for the purpose of the procession. The data will be deleted as soon as it is no longer needed for the processing purposes.

Data may be transferred to the USA as part of processing by LinkedIn. The security of the transmission is ensured by so-called standard contractual clauses, which guarantee that the processing of personal data is subject to a security level that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to ensure an adequate level of security, we will obtain your consent in accordance with Art. 49 (1)(a) GDPR prior to the data processing.

h. Usercentrics.

On this website we use the services of Usercentrics. The service is operated by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany. Usercentrics is a consent management service. With the help of Usercentrics, the consent required under data protection law is obtained. 

The following data is collected and processed:

  • Browser Information
  • Opt-in and opt-out data
  • Request URLs of the website
  • Page path of the website
  • Geographical location
  • Date and time of the visit
  • Device Information

The legal basis of the processing is Art. 6 (1)(c) GDPR. The processing is necessary for the fulfilment of a legal obligation (obtaining and managing consents under data protection law). 

The data (consent and revocation of consent) are stored for as long as necessary for processing — regularly this is three years.

i. Vimeo

We use Vimeo on our website. The service is operated by Vimeo LLC, 555 West 18th Street, New York, New York 10011, United States of America. Vimeo is used to display videos on our website.

In this context, the following data is collected and  processed:

  • IP address
  • Browser type
  • Device Information
  • Browser Information
  • Cookie Information
  • Browser language
  • Referrer URL
  • Visited pages
  • Operating system
  • Search query
  • Information from third party sources
  • Information that users provide on this website

The legal basis of the processing is your consent according to Art. 6 (1)(a) GDPR.. If you do not want the aforementioned data to be collected and processed by Vimeo, you can refuse your consent or withdraw it at any time with effect for the future.

The personal data will be stored for as long as it is necessary to fulfill the purpose of the processing. The data will be deleted as soon as it is no longer needed for the processing purposes.

Data may be transferred to the USA as part of processing by Vimeo. The security of the transmission is ensured by so-called standard contractual clauses, which guarantee that the processing of personal data is subject to a security level that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to ensure an adequate level of security, we will obtain your consent in accordance with Art. 49 (1)(a) GDPR prior to the data processing.

j. Typeform

On this website the service Typeform is used. Typeform is operated by TYPEFORM SL, C/Bac de Roda, 163, 08018 Barcelona, Spain. Typeform is a service that we use to display online surveys on our website and to run promotional lotteries.

In this context, the following data may be collected and processed:

  • IP address
  • e-mail address
  • Visit duration
  • Date and time of the visit
  • If applicable, other data collected in the course of the survey/promotional lottery (in particular user names)

The legal basis of the processing is your consent according to Art. 6 (1)(a) GDPR. If you do not want the above data to be collected and processed by Typeform, you can refuse your consent or revoke it at any time with effect for the future.

The personal data will be stored for as long as it is necessary to fulfill the purpose of processing. The data will be deleted as soon as they are no longer required for the purpose.

Within the scope of processing via Typeform, data may be transferred to the USA. The security of the transmission is regularly ensured by so-called standard contract clauses, which guarantee that the processing of personal data is subject to a security level that corresponds to that of the DSGVO. If the standard contractual clauses are not sufficient to establish an adequate level of security, your consent will be obtained in advance from you within the framework of the Usercentrics consent management system in accordance with Art. 49 (1)(a) GDPR.

k. Hotjar

We use the Hotjar web analysis service of Hotjar Ltd, Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta (Hereinafter: Hotjar). Hotjar uses cookies, i.e. small text files, which are stored locally in the cache of your web browser on your end device and which enable an analysis of the use of our online presence by you. Personal data can thus be stored and evaluated, in particular the user’s activity (in particular which pages have been visited and which elements have been clicked on), device and browser information (in particular the IP address and the operating system) and a tracking code (pseudonymised user ID). The information thus collected will be transferred by Hotjar to a server in Ireland and stored there in an anonymised form. Further information on the collection and storage of data by Hotjar can be found here.

In the context of processing by Hotjar, the following data may therefore be collected and processed:

  • Data and time of visit
  • Browser information
  • Usage data
  • Click path
  • IP addresses

The legal basis for this data processing is your consent according to Art. 6 (1)(a) GDPR.If you do not want Google to collect, process or use data about you via our website, you can refuse your consent or withdraw it at any time with effect for the future. 

The data will be stored for as long as it is necessary for the purpose of the procession. The data will be deleted as soon as it is no longer needed for the processing purposes.

l. Intercom

On this website we use Intercom. Intercom is operated by INTERCOM R&D UNLIMITED COMPANY, 2nd Floor, Stephen Court 18-21, Stephen’s Green Dublin 2, Ireland.

Upon consent and use of Intercom’s chat function, the following data will be transmitted to Intercom’s servers:

  • Content of all chat messages sent and received.
  • Context information (e.g. page on which the chat was used)
  • IP address
  • Optional: e-mail address of the user (if provided by the user via chat function).

The legal basis of the processing is your consent pursuant to Art. 6 (1) lit. a DSGVO. If you do not want Intercom to collect and process the aforementioned data, you can refuse your consent or revoke it at any time with effect for the future.

Cookies are set for processing by Intercom after you have given your consent. You can find more information about the cookies used here. Further information on data protection at Intercom can be found here.

The personal data will be kept for as long as it is necessary to fulfill the purpose of the processing. The data will be deleted as soon as they are no longer required to achieve the purpose.

In the context of processing via Intercom, data may be transferred to the USA. The security of the transfer is secured via so-called standard contractual clauses, which ensure that the processing of personal data is subject to a level of security that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to ensure an adequate level of security, we will obtain your consent in accordance with Art. 49 (1)(a) GDPR prior to the data processing.

m. Visual Website Optimizer (VWO)

On this website we use Visual Website Optimizer (VWO) for the Optimization and Personalization (primarily by Carrying out A/B-Tests). VWO is operated by Wingfy Software Pvt Limited, 1104, 11th Floor, KLJ Tower North, Netaji Subhash Place, Pitam Pura, New Delhi 110034, India.

With consent, the following data can be transmitted to VWO:

  • Click path
  • (Anonymized) IP addresses
  • Use of elements
  • Duration of visit
  • Browser information
  • Geographic location
  • Date and time of visit
  • Device operating system

The legal basis of the processing is your consent pursuant to Art. 6 (1)(a) GDPR. If you do not want VWO to collect and process the aforementioned data, you can refuse your consent or revoke it at any time with effect for the future.

Cookies are set for processing by VWO after you have given your consent. You can find more information about the cookies used here. Further information on data protection at VWO can be found here.

The personal data will be kept for as long as it is necessary to fulfill the purpose of the processing. The data will be deleted as soon as it is no longer required to achieve the purpose.

In the context of processing via VWO, data may be transferred to the USA and India. The security of the transfer is secured via so-called standard contractual clauses, which ensure that the processing of personal data is subject to a level of security that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to ensure an adequate level of security, we will obtain your consent in accordance with Art. 49 (1)(a) GDPR prior to the data processing.

n. Apideck

Within the Integration Marketplace, the APIDECK service is used for processing integration requests. APIDECK is operated by Apideck BVBA, with a registered seat at Kammenstraat 43 bus 301, 2000 Antwerp, Belgium. 

If you agree and use the APIDECK request form, the following data may be transmitted to APIDECK’s servers:

  • E-mail address
  • Company affiliation
  • Information about the usage status of Personio
  • Other information that you provide in the form. 

The legal basis of the processing is your consent pursuant to Art. 6 (1) lit. a GDPR. If you do not want APIDECK to collect and process the aforementioned data, you can refuse your consent or revoke it at any time with effect for the future.

The personal data will be kept for as long as it is necessary to fulfill the purpose of the processing. The data will be deleted as soon as they are no longer required to achieve the purpose.

o. Albacross

On this website we use the targeting service Albacross. Albacross is operated by Albacross Nordic AB, Kungsgatan 26, 111 35 Stockholm, Sweden. Albacross is a targeting service that helps us serve targeted ads and improve services for us and our website (such as lead generation) by adding company data to their database.

The following data may be collected and processed in the process:

  • IP address
  • Domain from form input
  • Advertising identifier
  • Timestamp
  • Session duration

The legal basis for the processing is your consent in accordance with Art. 6 (1) (a) GDPR. If you do not want Albacross to collect and process the aforementioned data, you can refuse your consent or revoke it at any time with effect for the future.

Cookies are set for processing by Albacross after consent has been given. Further information on the cookies used can be found here. Further information on data protection at Albacross can be found here.

The personal data will be kept for as long as it is necessary to fulfill the purpose of the processing. The data will be deleted as soon as they are no longer required to achieve the purpose.

p. Dreamdata

On this website we use the service “Dreamdata” for analytical and statistical purposes. Dreamdata is operated by Dreamdata Købmagergade 22, 2nd Floor, 1150 Copenhagen, Denmark. With the help of Dreamdata, we can determine how users interact with our website, from which channel they arrived at our website and which pages are most relevant to them.

With consent, the following data may be transferred to Dreamdata:

  • IP addresses
  • Browser information
  • Usage data
  • Date and time of visit
  • Location information
  • Cookie ID

The legal basis for the processing is your consent in accordance with Art. 6 (1)(a) GDPR. If you do not want Dreamdata to collect and process the aforementioned data, you can refuse your consent or withdraw it at any time with effect for the future.

Cookies are set for processing by Dreamdata after you have given your consent. Further information on the cookies used can be found here.

Personal data is kept for as long as it is necessary to fulfil the purpose of processing. The data will be deleted as soon as it is no longer required to achieve the purpose.

7. Forms

We use the service HubSpot to provide you with the following online forms. For this purpose, we forward your data to HubSpot and Zendesk, which processes the data exclusively at our request. See data privacy policy on “HubSpot” and “Zendesk”.

Please note: If you contact us via contact forms, personal data may be transferred to service providers in third countries. These third countries do not have an adequate level of data protection. If the data is transferred to the USA, there is a risk that your data may be processed by US authorities for control and monitoring purposes, without you possibly being entitled to legal remedies. The security of the transfer is regularly ensured by so-called standard contractual clauses and, in the case of Zendesk, by Binding Corporate Rules, which ensure that the processing of personal data is subject to a level of security equivalent to that of the DSGVO. If the standard contractual clauses and binding corporate rules are not sufficient to establish an adequate level of security, your approval of this privacy policy will be deemed to be consent within the meaning of Art. 49 (1)(a)  GDPR, which justifies data transfer to unsafe third countries.

a. Free offer of digital contents

In order to provide you with our downloadable content, we collect personal data from you. Below we explain these data.

  • Collected data: Email address, last name, first name, title, job title
  • Purpose of use: Customized sending of contents requested
  • Storage period: As a general rule, the data is only stored for as long as is needed to fulfill the purpose. The data is deleted after sending the content.
  • Legal basis: article 6 (1) b) GDPR

b. Personio events

The Organizer requires personal data of the Participant for the planning and realization of events.

  • Collected data: E-mail address, family name, given name, company name, position in the company, city, country, company sector.
  • Purpose: Invitation management by e-mail, sending registration confirmations by e-mail, sending reminders before the event by e-mail, sending further information or last-minute changes to registered event Participants, optimizing event planning, general contract initiation. 
  • Storage period: The data are stored in principle only as long as it is necessary for the fulfilling of the purpose. If we invite you to an event, we will delete your data as soon as we no longer need this data for the organization and design of the event. In particular, we will delete your data immediately if we are unable to invite you to an event. An exception to this rule applies if you have registered for the newsletter (optional).
  • Legal basis: Art. 6 I b GDPR.

aa. If you participate in the event, we will transfer personal data to the following recipients 

Recipient: Bizzabo Inc.

In the context of its events, the Organizer uses a subprocessor for the above-mentioned purposes, i.e. the event platform Event Experience OS (https://www.bizzabo.com/) of Bizzabo, Inc., 31 W 27th St, New York, NY 10001, United States of America, as well as the associated mobile application.

If the Participant registers for a Personio event, participates in an online Personio event and uses the digital event platform via browser and mobile application for this purpose, the above mentioned personal data about the Participant will be transferred to third countries, in particular the USA.

If the Participant uses a corresponding mobile application of Bizzabo within the scope of a Personio event, the following additional personal data will be collected and transferred to the USA according to Bizzabo:

  • IP address
  • Device type
  • Browser type
  • Operating system or platform
  • Name of the Internet service provider
  • Website from which the Participant is redirected
  • Website from which the Participant is leaving
  • Websites visited on the app
  • Frequency, time, dates and duration of the visit to the Bizzabo-App
  • Location of the Participant
  • Notification if the Participant accesses the Bizzabo website from multiple devices
  • Other interactions that may occur on the Bizzabo-App
  • Unique device identifier (e.g. Unique Device Identifier (UDID) or International Mobile Equipment Identity (IMEI))
  • MAC or IP address of the mobile device
  • Information about the Participant’s mobile operator
  • Customer support related communications and information from such communications for statistical and reference purposes

Insofar as personal data is transferred to servers of Bizzabo in the USA and stored and further processed there, the Organizer has concluded standard data protection clauses with Bizzabo Inc. approved by the EU Commission, which allow the transfer of personal data to the USA in individual cases. 

Further information can be found in Bizzabo’s privacy policy: https://www.bizzabo.com/privacy

Storage period: The data are stored only as long as necessary to fulfill the purpose. If the Participant uses the Bizzabo event platform, the personal data processed by Bizzabo will be stored for 30 days.

bb. Transfer of data to partner companies

Within the context of H.U.G. Digital, the Participant can be contacted by partner companies (H.U.G. Digital Partner).

  • Collected data: E-mail address, family name, given name, company name, position in the company, city, country.
  • Purpose: Contacting Participants of an event session, including by email, chat or invitation to an event via the app, during and after the event for promotional purposes.
  • Recipient of the data: Partner companies (H.U.G Digital Partner) of H.U.G Digital.
  • Storage period: The data will generally be stored until the Participant’s consent is revoked or will be deleted prior to this, provided that the intended promotional activities with the Participant as addressee have been carried out to completion.
  • Legal basis: Art. 6 I a GDPR.

cc. Recording of the event and publication on the Personio Homepage

The Organizer intends to record the event, H.U.G. Digital. Furthermore, the Organizer intends to publish the recorded event on the Personio Homepage (https://hug.personio.com/). If a Participant publishes a comment under his or her name during the event or otherwise (re-)identifies him- or herself, the Organizer will process personal data of the Participant in the context of the event recording.

  • Collected data: Given name of the Participant.
  • Purpose: Event recording of the H.U.G. Digital, subsequent publication of the video on the Personio Homepage.
  • Storage period: The data are stored in principle only as long as it is necessary for the fulfilling of the purpose, however, will be deleted after 12 months at the latest.
  • Legitimate Interest: The processing is carried out on the basis of the legitimate interest of the controller to document the event it organised in a visual manner, to improve the quality of the event for future events and to report positively on it to a broader audience.
  • Legal basis: Art. 6 I f GDPR.

Optional:

See privacy policy on “Event Alarm”.

c. Newsletter

If you subscribe to our newsletter, then we store your email address and use this to send the newsletter. Your email address is not made public or disclosed to third parties.

  • Collected data: Email address, first name, last name, title, job title
  • Purpose of use: Sending of the newsletter requested
  • Storage period: As a general rule, the data is only stored for as long as is needed to fulfill the purpose. For the newsletter, the data are stored as long as it is expected that a newsletter will be sent and as long as you have not objected to the use of your data. 
  • Legal basis: article 6 (1) a) GDPR – consent
  • Revocation: You can unsubscribe from our newsletter at any time using a link included in each issue. We will then delete your email address from our distribution list. As an alternative, you can also unsubscribe from our newsletter at any time by sending an email to content@personio.de.

d. Web demo

If you request an appointment for a web demo, then we use your data to contact you and coordinate together with you an appointment and to hold the appointment.

  • Collected data: Email address, last name, first name, telephone number, (business)
  • Purpose of use: Coordination and holding of the web demo, as well as preparation for and follow-up on the demo
  • Storage period: As a general rule, the data is only stored for as long as is needed to fulfill the purpose. The data are stored as long as is needed to prepare, hold and follow-up on the appointment. 
  • Legal basis: article 6 (1) b) GDPR

e. Event alarm

If you sign up for our event alarm, then we use your data to keep you up-to-date on planned events.

  • Collected data: Email address, last name, first name, title, job title, city
  • Purpose of use: Sending of the requested event alarm newsletters
  • Storage period: As a general rule, the data is only stored for as long as is needed to fulfill the purpose. For the event alarm newsletter, the data are stored as long as it is expected that a newsletter will be sent and as long as you have not objected to the use of your data.
  • Legal basis: article 6 (1) a) GDPR – consent
  • Revocation: You can unsubscribe from our event alarm newsletter at any time using a link included in each issue. We will then delete your email address from our distribution list. As an alternative, you can revoke your consent at any time by sending an email to events@personio.de.

f. Webinars

If you register for a webinar, then we use your data to ensure that you receive the necessary information and to enable you to participate in the webinar.

  • Collected data: Email address, last name, first name
  • Purpose of use: Sending of the requested invitation to the webinar, as well as preparation, holding and follow-up on the webinar
  • Storage period: As a rule, the data is only stored for as long as is needed to fulfill the purpose. The data is deleted after holding the webinar.
  • Legal basis: article 6 (1) b) GDPR

g. Trial account

If you register for a trial account, then we use your data to ensure that you receive the necessary information and to introduce you to the test account and the features of the software.

  • Collected data: Email address, last name, first name, telephone number
  • Purpose of use: Provision of the requested test account and explanation of the features of the software
  • Storage period: As a general rule, the data is only stored for as long as is needed to fulfill the purpose. After the expiry of the test phase your data is deleted, if you do not become a customer.
  • Legal basis: article 6 (1) b) GDPR

h. Partner contact forms

For certain service offerings,we provide contact forms on our website that are related to a partner company. In this case, the data you have provided in the contact form may be transferred to the partner company. If this is the case, you will be informed of this in the contact form.

  • Data collected: Surname, first name, e-mail address, telephone number and, if applicable, other data requested in the contact form.
  • Purpose of use: Unless otherwise stated, the data is used to fulfil pre-contractual measures at the request of the data subject.
  • Storage period: The data is generally only stored for as long as is necessary to achieve the purpose. Please note that if the partner company is a data controller, the storage period is determined by the partner company.
  • Legal basis, unless otherwise stated: Article 6 (1) (b) GDPR

8. Personio Community 

If you use the Personio Community (available at www.community.personio.com) we will additionally process your personal data for the following purposes and on the basis of the following legal principles. 

a. Data that we process on the basis of a consent, Art. 6 (1)(a) GDPR:

We use and store the email address you provide to keep you informed about various Personio Community activities. You decide whether you want to receive this information. You can change these e-mail messages at any time in the “My settings” section according to your wishes and thus withdraw your consent.

Irrespective of the data processing described above, we use your email address and telephone number (if provided) to inform you about our products and services in the area of HR management and recruiting by email and telephone. You can revoke your consent to the use of your data for these purposes at any time free of charge (for contact details, see Section 2). In order to send you suitable information, we may take into account the information you provide during registration as well as your contributions and content from the community.

b. Data that we process for the fulfilment of a contract, Art. 6 (1)(b) GDPR

i. Contact
If you contact us (e.g. via e-mail), we will process and store the personal data provided in this context, such as name and email address, in order to process your request.

ii. Registration and participation in the Personio Community

If you register for the Personio Community at www.community.personio.com, we process and store the data provided in this context (e.g. name, e-mail address) for the purpose of providing this service.

The following personal data is processed for this purpose:

  • Name
  • first name
  • e-mail address
  • Company
  • City
  • Contributions and contents 
  • further information (if provided)

The provision of the above mentioned personal data is necessary to offer the Personio Community in its form. If you do not provide us with this data, you will only be able to use the Personio Community in a limited way (e.g. you will not be able to upload or comment on images or articles) or not at all.

Duration of storage: The data is stored only as long as necessary to achieve the purpose of the service.
If you use the Personio Community, we transfer personal data to the following recipients:
Recipient: inSided

On this website we use the Customer Success Community Platform inSided. inSided is operated by inSided B.V., a software company with headquarters at Singel 118a, 1015 AE, Amsterdam, The Netherlands. 

If you want to register in the community, write or comment on articles or give feedback on our products, the following data will be collected from you:

  • First and last name 
  • e-mail address
  • Company
  • City
  • Contributions and contents 
  • further information (if provided)

InSided collects and processes your data only to provide the publicly viewable community or information about community activities, to evaluate user activities, to provide the gamification offer and to forward any inquiries to us.

Duration of storage: The data will be stored only as long as necessary to achieve the purpose of the game.

The legal basis for the processing is — according to Art. 6 (1)(a) GDPR — your consent, which you give us in the context of the registration about the knowledge of the privacy policy

For more information, please refer to the inSided privacy policy: https://www.insided.com/docs/privacy-policy .

9. Rights of data subjects

If the company Personio GmbH & Co. KG processes personal data as data controller, then you as the data subject have certain rights derived from Chapter III GDPR, which depend on the legal basis and purpose of the processing. These rights include when relevant especially the right to information (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to cancellation (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to data portability (Art. 20 GDPR), and the right to objection (Art. 21 GDPR).  If the processing of personal data is based on your consent, then you have the right pursuant to Art. 7 III GDPR to revoke this consent granted under data protection law.

Please contact the Data Protection Officer of Personio GmbH & Co. KG (see Section 2) in order to assert you rights as data subject regarding the data processed for the operation of this website. Please be aware that you must contact the data controller directly to assert your rights as data subject derived from the processing by us, as data processor of our customers. We reserve the right not to respond to corresponding queries or to redirect them to the corresponding companies.

If Personio GmbH & Co. KG as the controller processes personal data, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and the purpose of the processing, in particular the right of access (article 15 of the GDPR) and the rights to rectification (article 16 of the GDPR), erasure (article 17 of the GDPR), restriction of processing (article 18 of the GDPR), and data portability (article 20 of the GDPR), as well as the right to object (article 21 of the GDPR). If the personal data is processed with your consent, you have the right to withdraw this consent under article 7 III of the GDPR.

Please contact the data protection officer of Personio GmbH & Co. KG to assert your rights with regards to the data processed for the operation of this software (see section 2). Please note that you must address yourself exclusively to the controller in order to assert your rights as a data subject from the processing of personal data by Personio as subprocessor on behalf of our customers. We reserve the right not to answer such questions or to pass them on to the controller of this data processing.

10. Right to lodge a complaint

We would hereby like to inform you that pursuant to article 77 GDPR you have the right to lodge a complaint with the supervisory authority if you believe that your personal data have been processed illegitimately by us. 

11. Right to object

You can object to the use of your data by using the appropriate opt-out or by making the appropriate adjustments in the Usercentrics consent management system.

12. Final clauses

Personio reserves the right to adjust this data privacy policy at any point in time to ensure that it is in line with the current legal requirements at all times, or in order to accommodate changes in the services offered, for example when new services are introduced or modifications are made on the website. In this case, the new data privacy statement applies to any later visit of this software.

Version 06-2022