Privacy Policy

Information on the processing of your personal data in accordance with the GDPR.

As of: 31 May 2026 (Version 2.0)

This is a convenience translation — the legally binding version is the German original.

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Vergabefix GbR

Albert-Einstein-Straße 1

49076 Osnabrück

Germany

Represented by: Managing Director: Keno Neese

Email: info@vergabefix.de

This Privacy Policy informs you about the nature, scope and purpose of the processing of personal data within our online offering and the associated websites, functions and content (hereinafter jointly referred to as the "platform" or "online offering").

We process personal data only in compliance with the relevant data protection provisions, in particular the GDPR and the German Federal Data Protection Act (BDSG). Processing only takes place if one of the following legal bases applies:

  • Art. 6 (1) (a) GDPR (consent): The data subject has given consent to the processing.
  • Art. 6 (1) (b) GDPR (performance of a contract): Processing is necessary for the performance of a contract or for the implementation of pre-contractual measures.
  • Art. 6 (1) (c) GDPR (legal obligation): Processing is necessary for compliance with a legal obligation.
  • Art. 6 (1) (f) GDPR (legitimate interests): Processing is necessary to safeguard legitimate interests, provided that the interests of the data subject do not override them.

Types of data processed

  • Master data: names, addresses, company data
  • Contact data: email addresses, telephone numbers
  • Contract data: subject matter of the contract, term, payment information
  • Usage data: pages visited, access times, interactions
  • Content data: entries in forms, company profile data
  • Communication data: email correspondence, support requests

Categories of data subjects

Users of the platform, business customers, prospective customers, communication partners and visitors to the online offering.

You have the following rights vis-à-vis us with regard to the personal data concerning you:

  • Right of access (Art. 15 GDPR): You may request information about the personal data we process about you.
  • Right to rectification (Art. 16 GDPR): You may request the rectification of inaccurate data or the completion of your data.
  • Right to erasure (Art. 17 GDPR): You may request the deletion of your data, provided that no statutory retention obligations conflict with this.
  • Restriction of processing (Art. 18 GDPR): You may request the restriction of the processing of your data.
  • Data portability (Art. 20 GDPR): You may request to receive your data in a structured, commonly used format.
  • Right to object (Art. 21 GDPR): You may object to the processing of your data where this is based on legitimate interests.
  • Withdrawal of consent (Art. 7 (3) GDPR): You may withdraw consent you have given at any time with effect for the future.
  • Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority.

To exercise your rights, please contact: info@vergabefix.de

Competent supervisory authority:

Die Landesbeauftragte für den Datenschutz Niedersachsen

Prinzenstraße 5, 30159 Hannover

Website: www.lfd.niedersachsen.de

In accordance with Art. 32 GDPR and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.

These measures include in particular:

  • Encrypted transmission of data using TLS/SSL (HTTPS)
  • Encrypted storage of sensitive data
  • Access control and authentication mechanisms
  • Regular security updates and monitoring
  • Physical security of the server infrastructure
  • Regular data backups

Our platform, our database and our email infrastructure are operated in data centres in Germany.

Provider (server hosting, database, email dispatch): 1&1 IONOS SE

Elgendorfer Straße 57, 56410 Montabaur, Germany

Privacy policy: ionos.de/terms-gtc/datenschutzerklaerung/

The servers are located exclusively in Germany; data processing takes place exclusively within the EU. A data processing agreement pursuant to Art. 28 GDPR is in place with the provider.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in the secure and efficient provision of our online offering).

Each time our servers are accessed, information is automatically collected and stored in server log files:

  • Browser type and version
  • Operating system used
  • Referrer URL (previously visited page)
  • IP address of the accessing computer
  • Date and time of access
  • Files retrieved and amount of data transferred
  • Notification of successful retrieval

This data is stored for a maximum of 90 days and then automatically deleted. Data whose further retention is required for evidentiary purposes is exempt from deletion until the respective incident has been finally clarified.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in the security and stability of the offering as well as the investigation of misuse).

Our website uses cookies. Cookies are small text files that are stored on your device and that store certain settings and data for exchange with our system via your browser.

Types of cookies

Technically necessary cookies (session cookies):

These cookies are strictly necessary for the operation of the website. They enable basic functions such as page navigation, login status and access to protected areas. These cookies are set without your consent.

No analytics or marketing cookies:

We do not use any cookies for analytics, tracking or marketing purposes. The web analytics solution we use (Umami) works entirely without cookies (see section 14). For this reason, no cookie banner and no separate consent is required.

Local storage (local/session storage):

In the logged-in area, in order to maintain your session, we store a session identifier and basic account information (e.g. user and company identifier) in the local or session storage of your browser. This data is technically necessary for the login, remains on your device and is removed upon logout or after the session expires. No cookie is set for this purpose.

You can manage or delete cookies in your browser settings. Disabling cookies may lead to functional limitations.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest) for technically necessary cookies.

Registration is required in order to use our platform. During registration, we collect the following data:

Mandatory information:

  • Email address
  • Name (first and last name)
  • Password (stored in encrypted form)

Voluntary information (for optimal use of the platform):

  • Company data (company name, address, legal form)
  • Contact data (telephone, website)
  • Financial data (turnover, insurance)
  • References and certifications
  • CPV codes and areas of expertise

The voluntary information serves to personalise the platform and to prepare relevant tenders for you.

During registration and subsequent logins, we store the IP address and the time of the action. This serves to protect against misuse.

Legal basis: Art. 6 (1) (b) GDPR (performance of a contract) and Art. 6 (1) (f) GDPR (legitimate interest in protection against misuse).

As part of the use of our platform, we process:

  • Search queries: your search terms and filter settings to display relevant tenders.
  • Alert settings: your saved search profiles for automatic notifications.
  • Profile information: the company data you enter to personalise the platform.
  • Usage statistics: information about your interactions with the platform.

Uploaded documents and third-party data: When working on tenders, you can upload documents (e.g. proof of suitability, application documents) and record reference projects with contact persons. These may contain personal data of third parties (e.g. of employees or reference customers). You are responsible under data protection law for the content you provide; we process it exclusively on your behalf in order to deliver our service. Uploaded files are stored in object storage in a data centre within the EU.

The tender data originates from public sources (TED, Bund.de) and is aggregated and processed by us.

Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).

For certain features, our platform uses AI services provided by OpenAI:

  • Semantic search
  • Automatic summaries of tenders (executive summary)

Provider: OpenAI, L.L.C.

3180 18th Street, San Francisco, CA 94110, USA

Privacy policy: openai.com/privacy

Important data protection note:

Only non-critical data is transmitted to OpenAI:

  • Search terms
  • Publicly available tender texts

The following is not transmitted to OpenAI:

  • Sensitive company data (financial data, turnover)
  • Insurance information
  • Bank details
  • Personal data from your profile

The transmission takes place via an encrypted connection. As OpenAI is based in the USA, this involves a transfer to a third country. OpenAI is certified under the EU-U.S. Data Privacy Framework; in addition, standard contractual clauses (SCC) and a data processing agreement are in place. The transmitted data is not used to train OpenAI's models. Personal data of our users as well as profile, financial and bank data are not transmitted to OpenAI.

Legal basis: Art. 6 (1) (b) GDPR (performance of a contract) and Art. 6 (1) (f) GDPR (legitimate interest in providing AI-supported features).

For payment processing (subscriptions and invoices) we use the payment service provider Stripe. Stripe handles all payments; depending on your selection, credit card, SEPA direct debit and PayPal are available.

Stripe

Provider: Stripe Payments Europe, Ltd.

The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland (parent company: Stripe, Inc., USA)

Privacy policy: stripe.com/de/privacy

When you pay, the required payment and invoicing data (e.g. name, billing address, VAT ID, payment method) is transmitted directly to Stripe and processed there. We do not store complete payment method data (e.g. credit card numbers); from Stripe we receive only pseudonymous reference identifiers and the master data required for invoicing.

If you choose PayPal as your payment method, the payment is forwarded via Stripe to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.

Transfer to third countries: Stripe also processes data in the USA. Stripe is certified under the EU-U.S. Data Privacy Framework; in addition, standard contractual clauses and a data processing agreement are in place.

Legal basis: Art. 6 (1) (b) GDPR (performance of a contract) and Art. 6 (1) (c) GDPR (compliance with statutory retention and accounting obligations).

When you contact us (by email, contact form or ticket system), your details are stored in order to process the enquiry and in case of follow-up questions.

Data processed:

  • Name
  • Email address
  • Content of the message
  • Time of the enquiry

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected and no statutory retention obligations conflict with this.

Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures or performance of a contract) or Art. 6 (1) (f) GDPR (legitimate interest in responding to enquiries).

With your consent, you can subscribe to our newsletter, with which we inform you about current news and offers.

Double opt-in: Registration takes place using the so-called double opt-in procedure. After registering, you receive an email to confirm your registration. This confirmation is necessary so that no one can register using someone else's email address.

For sending the newsletter we use:

Provider: rapidmail GmbH

Wentzingerstraße 21, 79106 Freiburg, Germany

Privacy policy: rapidmail.de/datenschutz

Data collected: email address, optionally: name, time of registration, IP address, time of confirmation.

Statistical analysis: The newsletters may contain a so-called "web beacon" that is retrieved from our server when the newsletter is opened. In doing so, technical information such as browser information and IP address as well as the time of retrieval is collected. This information serves the technical improvement of our newsletter.

Unsubscribing: You can unsubscribe from the newsletter at any time. You will find an unsubscribe link at the end of each newsletter. After unsubscribing, your data will be deleted, unless statutory retention obligations conflict with this.

Legal basis: Art. 6 (1) (a) GDPR (consent).

For the statistical analysis of the use of our website, we use Umami, a privacy-friendly open-source analytics software. Umami is self-hosted by us and operated exclusively on our own servers in Germany (domain: umami.vergabefix.de). No data is transferred to third parties or to third countries.

Purpose: analysis of the use of our website (e.g. pages visited, buttons clicked) to improve our offering.

No cookies, no personal data: Umami does not use cookies and does not place any identifiers on the device. No personal data is collected and no profiles are created across multiple websites or sessions. IP addresses are not stored; they are only used briefly to derive anonymous, aggregated metrics (e.g. approximate region of origin) and are not logged.

Data processed (anonymised and aggregated):

  • Pages visited and time spent
  • Events triggered (e.g. clicking a button)
  • Technical information (browser type, operating system, screen resolution)
  • Origin of the visit (referrer) and approximate country of origin

Legal basis: Art. 6 (1) (f) GDPR. Our legitimate interest lies in the needs-based design and statistical analysis of our website. Since Umami works without cookies and without processing personal data, no consent is required for this.

Further information on the software used can be found at umami.is.

To display our offering, we embed fonts (Google Fonts) as well as program libraries (including Tailwind CSS, jsDelivr) via external content delivery networks (CDN). When our pages are accessed, a connection is established to the servers of the respective providers; in doing so, your IP address is transmitted to the provider.

Google Fonts – Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. A transfer to Google servers in the USA is possible; Google LLC is certified under the EU-U.S. Data Privacy Framework.

Tailwind CSS / jsDelivr (CDN) – for the delivery of design and script libraries. Your IP address is processed for the technical delivery of the files.

We intend to deliver these resources ourselves in the future (self-hosting) in order to avoid external connections.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in a secure, consistent and appealing presentation of our online offering).

For booking onboarding calls, we use the scheduling service Calendly:

Provider: Calendly, LLC

271 17th St NW, Ste 1000, Atlanta, GA 30363, USA

Privacy policy: calendly.com/privacy

When booking an appointment, the following data is collected:

  • Name
  • Email address
  • Selected appointment
  • Optional: further information you provide

Calendly is certified under the EU-U.S. Data Privacy Framework.

Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures).

Data is only disclosed to third parties within the framework of the statutory requirements:

  • Processors: We engage carefully selected service providers as processors. Data processing agreements pursuant to Art. 28 GDPR are in place with them (see list below).
  • Legal obligation: Where we are legally obliged to do so or on the basis of a court decision.
  • Protection of our rights: Where it is necessary for the assertion, exercise or defence of legal claims.

Processors engaged:

  • 1&1 IONOS SE (server hosting, database, email dispatch) – Germany
  • Stripe Payments Europe, Ltd. (payment processing) – Ireland/USA (EU-U.S. DPF)
  • OpenAI, L.L.C. (AI features, exclusively public tender texts) – USA (EU-U.S. DPF)
  • Umami (web analytics) – self-hosted in Germany
  • LetterXpress (postal dispatch of invoices) – Germany
  • rapidmail GmbH (newsletter dispatch) – Germany

Transfer to third countries: Insofar as data is transferred to third countries (outside the EU/EEA), this only takes place where an adequate level of data protection is ensured (e.g. through an adequacy decision of the EU Commission, standard contractual clauses or certification under the EU-U.S. Data Privacy Framework).

We do not sell data to third parties.

The data stored by us is deleted as soon as it is no longer required for its intended purpose and provided that no statutory retention obligations conflict with the deletion.

After termination of the contract:

  • Your data is retained for 30 days to enable you to export your data.
  • After the 30 days have elapsed, the data is irrevocably deleted.
  • You can request a data export by email at any time.

Statutory retention obligations:

  • 6 years pursuant to § 257 (1) HGB (commercial letters, accounting vouchers)
  • 10 years pursuant to § 147 (1) AO (books, records, tax-relevant documents)

Where data must be retained due to legal obligations, its processing is restricted (blocked).

We reserve the right to adapt this Privacy Policy in order to align it with changed legal situations or in the event of changes to the service and the data processing.

The current version is always available on our website. In the event of material changes, we will inform you by email or via the platform.

We recommend that you regularly review the content of this Privacy Policy.

If you have any questions about data protection, please contact:

Vergabefix GbR

Albert-Einstein-Straße 1

49076 Osnabrück

Germany

Represented by: Managing Director: Keno Neese

Email: info@vergabefix.de