Privacy Policy

Last updated: 2026

Imprint: vergabefix is a German company. This Privacy Policy is governed by German law, specifically the General Data Protection Regulation (GDPR/DSGVO) and the German Federal Data Protection Act (BDSG). This English translation is provided for your convenience. In case of any discrepancy, the German version shall prevail.

Understanding German Data Protection Terms

DSGVO (Datenschutz-Grundverordnung): The German term for GDPR - General Data Protection Regulation, the EU's comprehensive data protection law.

BDSG (Bundesdatenschutzgesetz): German Federal Data Protection Act, the national implementation of GDPR in Germany.

Auftragsverarbeitung: Data Processing Agreement (DPA) - a contract required when third parties process personal data on behalf of a company.

UG (haftungsbeschränkt) i.G. (Entrepreneurial Company with Limited Liability, in formation): A recognized German corporate structure designed for innovative startups, offering full limited liability protection while we complete our formal registration.

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

vergabefix UG i.G.

Bohmter Straße 75

49074 Osnabrück

Germany

Represented by: Managing Director: Michael Keno Neese

Email: info@vergabefix.de

3. Your Rights

You have the following rights regarding your personal data:

  • Right of Access (Art. 15 GDPR): You may request information about your personal data processed by us.
  • Right to Rectification (Art. 16 GDPR): You may request correction of inaccurate or completion of incomplete data.
  • Right to Erasure (Art. 17 GDPR): You may request deletion of your data, unless statutory retention obligations apply.
  • Right to Restriction (Art. 18 GDPR): You may request restriction of the processing of your data.
  • Right to Data Portability (Art. 20 GDPR): You may request to receive your data in a structured, commonly used format.
  • Right to Object (Art. 21 GDPR): You may object to processing based on legitimate interests.
  • Right to Withdraw Consent (Art. 7(3) GDPR): You may withdraw consent at any time with effect for the future.
  • Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority.

To exercise your rights, please contact: info@vergabefix.de

Competent Supervisory Authority:

Die Landesbeauftragte für den Datenschutz Niedersachsen

(Lower Saxony Data Protection Commissioner)

Prinzenstraße 5, 30159 Hannover, Germany

Website: www.lfd.niedersachsen.de

4. Security Measures

In accordance with Art. 32 GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.

Our measures include:

  • Encrypted data transmission using TLS/SSL (HTTPS)
  • Encrypted storage of sensitive data
  • Access control and authentication mechanisms
  • Regular security updates and monitoring
  • Physical security of server infrastructure
  • Regular data backups

5. Hosting and Infrastructure

Our platform is hosted on Amazon Web Services (AWS) servers in the Frankfurt region (eu-central-1).

Provider: Amazon Web Services EMEA SARL

38 Avenue John F. Kennedy, L-1855 Luxembourg

Privacy Policy: aws.amazon.com/privacy/

AWS is certified according to ISO 27001, SOC 2, and other standards. A Data Processing Agreement (DPA) is in place with AWS. Data processing occurs exclusively within the EU.

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in secure and efficient provision of our online offering).

6. Access Data and Log Files

Each time our servers are accessed, the following information is automatically collected and stored in server log files:

  • Browser type and version
  • Operating system used
  • Referrer URL (previously visited page)
  • IP address of the accessing device
  • Date and time of access
  • Files accessed and data volume transferred
  • Access status message

This data is stored for a maximum of 90 days and then automatically deleted. Data required for evidence purposes is exempt from deletion until the respective incident is finally resolved.

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in security and stability of the offering and investigation of misuse).

7. Cookies

Our website uses cookies. Cookies are small text files saved on your device that hold certain settings and data for exchange with our system via your browser.

Types of Cookies

Technically Necessary Cookies (Session Cookies):

These cookies are essential for the operation of the website. They enable basic functions such as page navigation, login status, and access to protected areas. These cookies are set without your consent.

Analytics Cookies:

These cookies help us understand how visitors interact with our website by anonymously collecting and reporting information. These cookies are only set with your consent.

Cookie Settings

On your first visit to our website, you will be asked for your consent to non-necessary cookies via a cookie banner. You can change your settings at any time via the "Cookie Settings" link in the footer.

You can also manage or delete cookies in your browser settings. Excluding cookies may result in functional limitations.

Legal Basis: Art. 6(1)(a) GDPR (consent) for non-necessary cookies; Art. 6(1)(f) GDPR (legitimate interest) for technically necessary cookies.

8. Registration and User Account

Registration is required to use our platform. During registration, we collect the following data:

Required Information:

  • Email address
  • Name (first and last name)
  • Password (stored encrypted)

Optional Information (for optimal platform use):

  • Company data (company name, address, legal form)
  • Contact information (phone, website)
  • Financial data (revenue, insurance)
  • References and certifications
  • CPV codes and areas of expertise

The optional information is used for platform personalization and automatic eligibility matching for tenders.

During registration and subsequent logins, we store the IP address and time of the action. This serves to protect against misuse.

Legal Basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in protection against misuse).

9. Use of the vergabefix Platform

In connection with the use of our platform, we process:

  • Search Queries: Your search terms and filter settings to display relevant tenders.
  • Alert Settings: Your saved search profiles for automatic notifications.
  • Profile Information: The company data you enter for eligibility matching.
  • Usage Statistics: Information about your interactions with the platform.

Tender data originates from public sources (TED, Bund.de) and is aggregated and processed by us.

Legal Basis: Art. 6(1)(b) GDPR (contract performance).

10. AI-Powered Features

Our platform uses AI services from OpenAI for certain features:

  • Semantic search
  • Automatic tender summaries (Executive Summary)

Provider: OpenAI, L.L.C.

3180 18th Street, San Francisco, CA 94110, USA

Privacy Policy: openai.com/privacy

Important Privacy Note:

Only non-sensitive data is transmitted to OpenAI:

  • Search terms
  • Publicly available tender texts

NOT transmitted to OpenAI:

  • Sensitive company data (financial data, revenue)
  • Insurance information
  • Bank details
  • Personal data from your profile

Transmission occurs via an encrypted connection. OpenAI processes the data in accordance with their privacy policy and the Data Processing Agreement concluded with us.

Legal Basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in providing AI-powered features).

11. Payment Processing

We use external payment service providers for payment processing:

Klarna

Provider: Klarna Bank AB

Sveavägen 46, 111 34 Stockholm, Sweden

Privacy Policy: klarna.com/international/privacy-policy/

PayPal

Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A.

22-24 Boulevard Royal, L-2449 Luxembourg

Privacy Policy: paypal.com/webapps/mpp/ua/privacy-full

Payment data (e.g., bank details, credit card numbers) is transmitted directly to the payment service provider during payment. We do not store complete payment data.

Legal Basis: Art. 6(1)(b) GDPR (contract performance).

12. Contact

When you contact us (by email, contact form, or ticket system), your information is stored for processing your inquiry and for possible follow-up questions.

Data processed:

  • Name
  • Email address
  • Message content
  • Time of inquiry

The data is deleted as soon as it is no longer required for the purpose for which it was collected and no statutory retention obligations apply.

Legal Basis: Art. 6(1)(b) GDPR (pre-contractual measures or contract performance) or Art. 6(1)(f) GDPR (legitimate interest in answering inquiries).

13. Newsletter

With your consent, you can subscribe to our newsletter, which keeps you informed about current news and offers.

Double Opt-In: Registration uses the double opt-in procedure. After registration, you will receive an email to confirm your registration. This confirmation is necessary to prevent anyone from registering with someone else's email address.

For newsletter delivery, we use:

Provider: rapidmail GmbH

Wentzingerstraße 21, 79106 Freiburg, Germany

Privacy Policy: rapidmail.de/datenschutz

Data Collected: Email address, optionally: name, registration time, IP address, confirmation time.

Statistical Analysis: Newsletters may contain a "web beacon" that is retrieved from our server when the newsletter is opened. This collects technical information such as browser information and IP address, as well as the time of retrieval. This information is used to technically improve our newsletter.

Unsubscribe: You can unsubscribe from the newsletter at any time. An unsubscribe link can be found at the end of each newsletter. After unsubscribing, your data will be deleted unless statutory retention obligations apply.

Legal Basis: Art. 6(1)(a) GDPR (consent).

14. Web Analytics with Google Analytics

We use Google Analytics, a web analytics service provided by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Purpose: Analysis of website usage to improve our offering.

IP Anonymization: We use Google Analytics with IP anonymization enabled. This means that your IP address is truncated by Google within EU member states or other EEA countries. Only in exceptional cases is the full IP address transferred to a Google server in the USA and truncated there.

Data Processed:

  • Truncated IP address
  • Pages visited and time spent
  • Technical information (browser, operating system, screen resolution)
  • Source of visit (referrer)

Retention Period: Data is stored for 14 months and then automatically deleted.

Opt-Out: You can prevent Google Analytics collection:

More information: policies.google.com/privacy

Legal Basis: Art. 6(1)(a) GDPR (consent via cookie banner).

15. Google Fonts

We use Google Fonts to display external fonts. Google Fonts is a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

When you visit our website, a connection to Google servers is established to load the fonts. Your IP address is transmitted to Google in the process.

More information: developers.google.com/fonts/faq

Privacy Policy: policies.google.com/privacy

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in an appealing presentation of our online offering).

16. Appointment Scheduling with Calendly

We use the scheduling service Calendly for booking onboarding meetings:

Provider: Calendly, LLC

271 17th St NW, Ste 1000, Atlanta, GA 30363, USA

Privacy Policy: calendly.com/privacy

The following data is collected when booking an appointment:

  • Name
  • Email address
  • Selected appointment
  • Optional: Additional information you provide

Calendly is certified under the EU-U.S. Data Privacy Framework.

Legal Basis: Art. 6(1)(b) GDPR (pre-contractual measures).

17. Disclosure of Data

Data is only disclosed to third parties in accordance with legal requirements:

  • Data Processors: We use external service providers as data processors (e.g., for hosting, payment processing, newsletter delivery). Data Processing Agreements are in place with these providers.
  • Legal Obligation: If we are legally obligated to do so or on the basis of a court order.
  • Protection of Our Rights: If necessary for the assertion, exercise, or defense of legal claims.

Third-Country Transfers: If data is transferred to third countries (outside the EU/EEA), this only occurs if an adequate level of data protection is ensured (e.g., through EU Commission adequacy decisions, Standard Contractual Clauses, or certification under the EU-U.S. Data Privacy Framework).

We do not sell data to third parties.

18. Data Deletion

Data stored by us is deleted as soon as it is no longer required for its intended purpose and deletion is not precluded by statutory retention obligations.

After Contract Termination:

  • Your data will be retained for 30 days to allow you to export your data.
  • After the 30-day period, the data will be irrevocably deleted.
  • You can request a data export by email at any time.

Statutory Retention Obligations (German Law):

  • 6 years pursuant to § 257(1) HGB (commercial letters, accounting records)
  • 10 years pursuant to § 147(1) AO (books, records, tax-relevant documents)

If data must be retained due to legal obligations, its processing will be restricted (blocked).

19. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to adapt it to changed legal situations or changes to the service and data processing.

The current version is always available on our website. For significant changes, we will notify you by email or through the platform.

We recommend that you regularly review this Privacy Policy.

Contact for Privacy Questions

For questions about data protection, please contact:

vergabefix UG i.G.

Bohmter Straße 75

49074 Osnabrück

Germany

Represented by: Managing Director: Michael Keno Neese

Email: info@vergabefix.de