Privacy
By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Privacy Policy

Status: 16.07.2024

Data protection is of highest priority for us. The use of our website and/or App is possible without any indication of personal data. However, if a data subject wants to use special services via our website/App, processing of personal data could become necessary. Personal data is always processed in accordance with the EU General Data Protection Regulation (GDPR) and in compliance with the applicable country-specific data protection regulations.

With this data protection declaration, we would like to inform the public about the type, scope and purpose of the personal data we collect, use and process, as well as the possible rights of affected persons.

As the controller, we have implemented numerous technical and organizational measures to ensure the most complete protection of personal data.

1. Definitions

The following data protection declaration is based on the terms defined below:

a. Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b. Data subject
Data subject means any identified or identifiable natural person whose personal data are processed by the controller.

c. Processing
Processing is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d. Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.

e. Profiling
Profiling is any form of automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location.

f. Pseudonymisation
Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

g. Controller or person responsible for the processing
The controller or person responsible for processing is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law.

h. Processor
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

i. Recipient
A recipient is a natural or legal person, public authority, agency or other body to whom personal data is disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific investigation mandate under Union or Member State law shall not be considered as recipients. Those authorities shall process that data in accordance with the applicable data protection laws, in accordance with the purpose of the processing.

j. Third party
Third party means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons authorized to process the personal data under the direct responsibility of the controller or the processor.

k. Consent
Consent shall mean any freely given specific and informed indication of the data subject's wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.

2. Controller

The controller within the meaning of the GDPR is:
leonardo. impact GmbH
Gärtnerweg 62
60322 Frankfurt am Main
Germany

E-Mail: hello@leonardo-impact.com

3. Cookies

Our internet pages use cookies. Cookies are text files that are stored on a computer system via an internet browser. Numerous websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters by which internet pages and servers can be assigned to the specific internet browser in which the cookie was stored. This enables the websites and servers visited to distinguish the individual browser of the person concerned from other internet browsers that contain other cookies. A specific internet browser can be recognised and identified via the unique cookie ID.

With these cookies, we can provide the users of our website with more user-friendly services that would not be possible without the cookie setting.

By means of a cookie, the information and offers on our website can be optimised in the sense of the user. As already mentioned, cookies enable us to recognize the users of our website. The purpose of this recognition is to make it easier for users to use our website. For example, the user of a website that uses cookies does not have to enter access data each time he or she visits the website, because this is done by the website and the cookie stored on the user's computer system. Another example is the cookie of a shopping basket in an online shop. The online shop remembers the items that a customer has placed in the virtual shopping basket via a cookie.

The data subject can prevent the setting of cookies by our website at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time using an internet browser or other software programmes. This is possible in all common internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be fully usable.

4. Collection of general data and information

Our website collects a series of general data and information with each call-up of the website by a data subject or an automated system. This general data and information are stored in the server's log files.

The following can be recorded:

  • the browser types and versions used, 
  • the operating system used by the accessing system, 
  • the website from which an accessing system arrives at our website (so-called referrer), 
  • the sub-websites, 
  • the date and time of access to the website, 
  • an internet protocol (IP) address, 
  • the Internet service provider of the accessing system and 
  • other similar data and information that serve to avert danger in the event of attacks on our information technology systems.

However, when using this general data and information, we do not draw any conclusions about the data subject.

Rather, this information is needed to:

  • deliver the contents of our website correctly, 
  • optimise the content of our website and the advertising for it, 
  • ensure the permanent operability of our information technology systems and the technology of our website, and 
  • provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.

Therefore, we analyze anonymously collected data and information on one hand for statistical purposes and on the other hand for the purpose of increasing the data protection and data security of our enterprise, and ultimately ensuring an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from any personal data provided by a data subject.

5. How to contact us via the website

Due to legal provisions, our website contains data that enable a quick electronic contact to our enterprise, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address). If a data subject contacts the controller by e-mail or by using a contact form, the personal data transmitted by the data subject will be stored automatically. Such personal data transmitted on a voluntary basis by a data subject to the controller will be stored for the purposes of processing or contacting the data subject. This personal data will not be disclosed to third parties.

6. Data protection in applications and the application procedure

The controller collects and processes the personal data of applicants for the purpose of managing the application procedure. The processing may also be carried out by electronic means. This is in particular the case when an applicant submits relevant application documents to the controller by electronic means, for example by e-mail. If the controller concludes an employment contract with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If the controller does not conclude an employment contract with the applicant, the application documents are automatically deleted six months after the notification of the rejection decision, provided that no other legitimate interests of the controller oppose such deletion. Other legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).

7. LinkedIn

With your consent, we activate a cookie from LinkedIn provided by

LinkedIn Ireland,
Wilton Plaza, Wilton Place,
Dublin 2,
Ireland

Each time a page of this website containing LinkedIn functions is accessed, a connection to LinkedIn servers is established. LinkedIn is informed that you have visited this website with your IP address. If you click the LinkedIn "Recommend" button and are logged into your LinkedIn account, it is possible for LinkedIn to associate your visit to this website with you and your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by LinkedIn.

The use of the LinkedIn plugin is based on Art. 6 para. 1 lit. f DSGVO. The website operator has a legitimate interest in ensuring the greatest possible visibility in social media. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO; the consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission.

For more information, please see LinkedIn's privacy policy at: https://www.linkedin.com/legal/privacy-policy


8. Google Analytics 4

Our website uses Google Analytics 4, a service provided by

Google Ireland Limited,
Gordon House,
4 Barrow St, Dublin,
D04 E5W5, Ireland

("Google"), to analyse the use of websites. When using Google Analytics 4, so-called "cookies" are used as standard. Cookies are text files that are stored on your terminal device and enable an analysis of your use of a website. The information collected by cookies about your use of the website (including the IP address transmitted by your terminal device, shortened by the last few digits, see below) is usually transmitted to a Google server and stored and processed there. This may also result in the transmission of information to the servers of Google LLC, a company based in the USA, where the information is further processed. When using Google Analytics 4, the IP address transmitted by your terminal device when you use the website is always collected and processed automatically and by default only in an anonymised manner, so that the information collected cannot be directly related to a person. This automatic anonymisation is carried out by Google shortening the IP address transmitted by your terminal device within member states of the European Union (EU) or other contracting states of the Agreement on the European Economic Area (EEA) by the last digits.

Google uses this and other information on our behalf to evaluate your use of the website, to compile reports about your website activities and usage behaviour and to provide us with other services related to your website and internet usage. In this context, the IP address transmitted and shortened by your terminal device within the scope of Google Analytics 4 will not be merged with other data from Google. The data collected in the context of the use of Google Analytics 4 will be stored for 2 months and then deleted.

Google Analytics 4 also enables the creation of statistics with statements about age, gender and interests of website users on the basis of an evaluation of interest-based advertising and with the inclusion of third-party information via a special function, the so-called "demographic characteristics". This makes it possible to determine and distinguish between groups of website users for the purpose of targeting marketing measures. However, data collected via the "demographic characteristics" cannot be assigned to a specific person and thus also not to you personally. This data collected via the "demographic characteristics" function is kept for two months and then deleted.

All processing described above, in particular the setting of Google Analytics cookies for the storage and reading of information on the end device used by you for the use of the website, will only take place if you have given us your express consent for this in accordance with Art. 6 (1) lit. a GDPR. Without your consent, Google Analytics 4 will not be used during your use of the website. You can revoke your consent at any time with effect for the future. To exercise your revocation, please deactivate this service via the "Cookie Consent Tool" provided on the website.

We have concluded a so-called order processing agreement with Google for our use of Google Analytics 4, which obliges Google to protect the data of our website users and not to pass it on to third parties.
To ensure compliance with the European level of data protection, also in the event of any transfer of data from the EU or the EEA to the USA and possible further processing there, Google refers to the so-called standard contractual clauses of the European Commission, which we have contractually agreed with Google. Further legal information on Google Analytics 4, including a copy of the Standard Contractual Clauses, can be found at the following address:

Link: https://policies.google.com/privacy?hl=de&gl=de

Details on the processing triggered by Google Analytics 4 and Google's handling of data from websites can be found here: https://policies.google.com/technologies/partner-sites

9. Google reCAPTCHA

On our website we use the CAPTCHA service of Google. Data may also be transmitted to: Google LLC, USA.

For the visual design of the captcha window, the provider uses "Google Fonts", i.e. fonts loaded from the Internet by Google. No information other than that mentioned above, which is already transmitted to Google via the ReCaptcha functionality, is processed. The service checks whether an entry is made by a natural person or improperly by machine and automated processing, and blocks spam, DDoS attacks and similar automated malicious access. In order to ensure that an action is carried out by a human being and not by an automated bot, Cloudflare Turnstile collects the IP address of the end device used, recognition data of the browser and operating system type used as well as the date and duration of the visit and transmits these to servers of the provider for evaluation.

The legal basis is our legitimate interest in determining individual ownership on the Internet and preventing abuse and spam in accordance with Art. 6 para. 1 lit. f GDPR.

We have concluded an order processing contract with the provider, which ensures the protection of our site visitors' data and prohibits unauthorised disclosure to third parties.

For the transfer of data to the USA, the provider invokes standard contractual clauses of the European Commission, which are intended to ensure compliance with the European level of data protection.

10. Google Tag Manager

On our website, we also use the service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: Google Tag Manager). Google Tag Manager provides a technical platform for executing and bundling other web services and web tracking programmes by means of so-called "tags". In this context, Google Tag Manager stores cookies on your computer and analyses your surfing behaviour (so-called "tracking"), insofar as web tracking tools are executed using Google Tag Manager. This data sent by individual tags integrated in Google Tag Manager is merged, stored and processed by Google Tag Manager under a uniform user interface. All integrated "tags" are listed separately again in this data protection declaration. You can find more information on the data protection of the tools integrated in Google Tag Manager in the respective section of this data protection declaration. When you use our website with the integration of Google Tag Manager tags activated, data, such as in particular your IP address and your user activities, are transmitted to servers of Google Ireland Limited. With regard to the web services integrated by means of Google Tag Manager, the regulations in the respective section of this data protection declaration apply. The tracking tools used in Google Tag Manager ensure that the IP address is anonymised by Google Tag Manager before transmission by means of IP anonymisation of the source code. In doing so, Google Tag Manager is only enabled to record IP addresses anonymously (so-called IP masking).

Legal basis for the processing of personal data Pursuant to Art. 6 (1) lit. a GDPR, the legal basis for data processing is your consent in our information banner regarding the use of cookies and web tracking (consent through clear confirming action or behaviour).

Purpose of data processing On our behalf, Google will use the information obtained by means of Google Tag Manager to evaluate your visit to our website, to compile reports on website activities and to provide us with further services related to website and internet use.

Duration of storage Google will store the data relevant to the function of Google Tag Manager for as long as is necessary to fulfil the booked web service. The data collection and storage is anonymised. If there is a reference to a person, the data will be deleted immediately, as long as it is not subject to any legal obligations to retain data. In any case, the data will be deleted after expiry of the retention period.
You can prevent the collection and forwarding of personal data to Google (in particular your IP address) and the processing of this data by Google by deactivating the execution of script code in your browser, installing a script blocker in your browser or activating the "Do Not Track" setting in your browser. You can also prevent the collection of data generated by the Google cookie and related to your use of the website (including your IP address) by Google and the processing of this data by Google by downloading and installing the browser plug-in available at the following link http://tools.google.com/dlpage/gaoptout?hl=de. Google's security and privacy policy can be found at https://policies.google.com/privacy.

11. Webflow

We host the contents of our website with

Webflow, Inc.,
398, 11th Street, 2nd Floor,
San Francisco,
CA 94103, USA

(hereafter referred to as Webflow).

When you visit our website, Webflow collects various log files including your IP addresses.
Webflow is a tool for creating and hosting websites. Webflow stores cookies or other recognition technologies that are necessary for the presentation of the page, for the provision of certain website functions and for ensuring security (necessary cookies).

For details, please refer to Webflow's privacy policy: https://webflow.com/legal/eu-privacy-policy .
The use of Webflow is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in ensuring that our website is presented as reliably as possible. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 Para. 1 lit. a GDPR and § 25 Para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) as defined by the TTDSG. The consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://webflow.com/legal/eu-privacy-policy .

We have concluded a Data Processing Agreement (DPA) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that it only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

12. Amazon Web Services - Cloudfront

We use for our App the CDN service "Cloudfront" from Amazon Web Services. Amazon Web Services EMEA SARL ("AWS EU"), 38 Avenue John F. Kennedy, L-1855 Luxembourg, is the controller of personal data collected and processed through "Amazon Web Services" offerings. AWS EU is the authorised representative of Amazon Web Services Inc ("AWS US"), 410 Terry Avenue North, Seattle WA 98109, United States.

By using the services, data is transmitted to AWS EU and, under certain circumstances, from AWS EU to AWS US. The Amazon Group may process the transmitted data to create anonymised user profiles for statistical purposes. In principle, we have no influence on this data processing. AWS EU is therefore responsible for this data processing.

More information on the handling of user data can be found in the AWS EU privacy policy at https://aws.amazon.com/de/privacy/?nc1=f_pr.


13. Hotjar

Our website uses as a provider the service of

Hotjar Ltd,
Level 2, St Julians Business Centre, 3,
3 Elia Zammit Street,
St. Julians STJ 1000,
Malta, Europe
(Website: https://www.hotjar.com).

Hotjar is a tool used to analyse your user behaviour on our website. Hotjar allows us to record, among other things, your mouse movements, scrolling movements and clicks. Hotjar can also determine how long you have stayed on a certain spot with the mouse pointer. From this information, Hotjar creates so-called heat maps, which can be used to determine which website areas are viewed preferentially by the website visitor.

Furthermore, we can determine how long you stayed on a page and when you left it. We can also determine at which point you abandoned your entries in a contact form (so-called conversion funnels).
In addition, Hotjar can be used to obtain direct feedback from website visitors. This function serves to improve the website operator's web offerings.

Hotjar uses technologies that enable the recognition of the user for the purpose of analysing user behaviour (e.g. cookies or the use of device fingerprinting).

Insofar as consent has been obtained, the service is used exclusively on the basis of Art. 6 Para. 1 lit. a GDPR and § 25 TTDSG. The consent can be revoked at any time. If no consent has been obtained, the use of this service is based on Art. 6 para. 1 lit. f GDPR; the website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising.

14. Mixpanel

We use "Mixpanel", a service of

Mixpanel, Inc.,
405 Howard St., Floor 2,
San Francisco, CA 94105,
USA (hereinafter referred to as: "Mixpanel").

Mixpanel stores and processes information about your user behaviour on our website. For this purpose, Mixpanel uses, among other things, cookies, i.e. small text files which are stored locally in the cache of your web browser on your end device and which enable an analysis of your use of our website. We use Mixpanel for marketing and optimisation purposes, in particular to analyse the use of our website and to continuously improve individual functions and offers as well as the user experience. The statistical evaluation of user behaviour enables us to improve our offer and make it more interesting for you as a user. This is also our legitimate interest in the processing of the above data by the third-party provider. The legal basis is Art. 6 para. 1 p. 1 lit. f) GDPR. You can prevent the installation of cookies by deleting existing cookies and deactivating the storage of cookies in the settings of your web browser. We would like to point out that in this case you may not be able to use all the functions of our website to their full extent. You can also prevent Mixpanel from collecting the aforementioned information by setting an opt-out cookie on the website linked below:

https://mixpanel.com/optout/

Please note that this setting will be deleted when you delete your cookies. You can object to the collection and forwarding of personal data or prevent the processing of this data by deactivating the execution of Java Script in your browser. In addition, you can prevent the execution of Java-Script code altogether by installing a Java-Script blocker (e.g. https://noscript.net/ or https://www.ghostery.com). Please note that in this case you may not be able to use all the functions of our website to their full extent.

Further information from the third-party provider on data protection can be found on the following website: https://mixpanel.com/privacy/ .

15. HubSpot

We use the services of HubSpot, a customer relationship management (CRM) and marketing automation platform provided by:

HubSpot, Inc.
25 First Street,
Cambridge, MA 02141,
USA

HubSpot assists us in managing customer relationships, marketing efforts, sales processes, and customer service interactions. This includes the collection and storage of data such as contact information, interaction history, and other relevant customer data.

Data Collection and Usage:
HubSpot may collect and process the following types of personal data:

  • Contact information (e.g., name, email address, phone number)
  • Company information (e.g., company name, industry)
  • Communication data (e.g., email interactions, chat transcripts)
  • Behavioral data (e.g., website usage, interaction history)

The processing of this data allows us to:

  • Manage and improve customer relationships
  • Conduct marketing campaigns
  • Automate and personalize communications
  • Track and analyze interactions and engagement


Data transfer to HubSpot's servers in the USA is safeguarded by the standard contractual clauses of the EU Commission, ensuring compliance with the European level of data protection.

For more information on data protection and HubSpot, please refer to HubSpot's privacy policy: HubSpot Privacy Policy.

16. Routine deletion and blocking of personal data

The controller shall process and store personal data of the data subject only for the time necessary to achieve the purpose of storage or, where provided for by the European Directive and Regulation or other legislator in laws or regulations to which the controller is subject.

If the purpose of storage no longer applies or if a storage period prescribed by the European Directive and Regulation or another competent legislator expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

17. Rights of data subject

Every data subject has the right to

  • information pursuant to Article 15 of the GDPR
  • rectification pursuant to Article 16 of the GDPR
  • deletion according to Article 17 GDPR
  • restriction of processing pursuant to Article 18 of the GDPR
  • object in accordance with Article 21 of the GDPR and
  • data portability in accordance with Article 20 of the GDPR.

The restrictions according to §§ 34 and 35 BDSG (German Data Protection Act) apply to the right of information and the right of deletion. Furthermore, there is a right of appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with & 19 BDSG).

You can revoke your consent to the processing of personal data at any time. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.

18.  Legal basis
  • Art. 6 I lit. a GDPR serves as the legal basis for processing operations in which we obtain consent for a specific processing purpose.
  • If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, with processing operations that are necessary for the delivery of goods or the provision of another service, the processing is based on Article 6 I lit. b GDPR. The same applies to such processing operations that are necessary for the implementation of pre-contractual measures, such as in the case of enquiries about our products or services.
  • If our company is subject to a legal obligation by which the processing of personal data becomes necessary, such as for the fulfilment of tax obligations, the processing is based on Art. 6 I lit. c GDPR.
  • Ultimately, processing operations could be based on Art. 6 I lit. f GDPR. Processing operations which are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to protect a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not override the need to protect personal data. Such processing operations are permitted in particular because they were explicitly mentioned by the European Directive and Regulation-maker. In this respect, it considered that a legitimate interest could be assumed if the data subject is a customer of the controller (recital 47, second sentence, GDPR).
19. Duration of data storage

The criterion for the duration of the storage of personal data is the respective statutory retention period. After expiry of this period, the corresponding data is routinely deleted if it is no longer required for the fulfilment or initiation of the contract.

20. Legal or contractual requirements to provide the personal data; necessity for the conclusion of the contract; obligation of the data subject to provide the personal data; possible consequences of not providing the personal data.

We would like to inform you that the provision of personal data is sometimes required by law (e.g. tax regulations) or may also result from contractual regulations (e.g. information on the contractual partner). Sometimes, in order to conclude a contract, it may be necessary for a data subject to provide us with personal data that must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data if our company concludes a contract with him or her. Failure to provide the personal data would mean that the contract with the data subject could not be concluded. Before providing personal data by the data subject, the data subject must contact our data protection officer. Our data protection officer will inform the data subject on a case-by-case basis whether the provision of the personal data is required by law or by contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and what the consequences of not providing the personal data would be.

21. Automated decision making

As a responsible company, we do not use automatic decision-making or profiling.

22. Final provisions

We reserve the right to adapt this data protection declaration at any time so that it always complies with the current legal requirements or to reflect changes in the application process or similar. The new data protection statement will then apply for a renewed visit or application.