Privacy Policy according to Art. 13 GDPR

Name and Address of the Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:

Bridge ITS GmbH
Käthe-Kollwitz-Ufer 76
01309 Dresden
Germany

Contact
info@bridge-systems.com

Name and Address of the Data Protection Officer

The Data Protection Officer of the controller is:

3 P Datenschutz GmbH
Stefan Leißl
Sanderstraße 47
86161 Augsburg
Telefon: 0821 6508 8582
E-Mail: leissl@3-p-datenschutz.de

General Information on Data Processing

Legal Basis for Processing Personal Data

In accordance with Art. 13 GDPR, we inform you about the legal bases of our data processing. Unless the legal basis is specifically mentioned in the privacy policy, the following applies:
The legal basis for obtaining consent is Art. 6(1)(a) in conjunction with Art. 7 GDPR. The legal basis for processing to fulfill our services and implement contractual measures as well as to respond to inquiries is Art. 6(1)(b) GDPR. The legal basis for processing to fulfill our legal obligations is Art. 6(1)(c) GDPR. If the processing of your data is necessary to protect a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not override the first-mentioned interest, Art. 6(1)(f) GDPR serves as the legal basis for processing. In cases where vital interests of the data subject or another natural person make the processing of personal data necessary, Art. 6(1)(d) GDPR serves as the legal basis.

Data Deletion and Storage Duration

We adhere to the principles of data minimization according to Art. 5(1)(c) GDPR and storage limitation according to Art. 5(1)(e) GDPR. We store your personal data only for as long as necessary to achieve the purposes mentioned here or as required by statutory retention periods. After the respective purpose ceases to exist or after these retention periods expire, the corresponding data will be deleted promptly.

Note on Data Transfer to Third Countries

Our website also includes tools from companies based in third countries (notably the USA). If these tools are active, your personal data may be transferred to the servers of the respective companies. The data protection level in third countries generally does not correspond to EU data protection law. Therefore, there is a risk that your data may be disclosed to authorities in these countries. We have no influence on these processing activities.

Use of AI-supported conversation transcription and automated summarization

The bridge platform offers the possibility to create a transcription and automated summary of the conversation using Artificial Intelligence (AI) during consultation sessions. The aim is to improve the quality of consultation and enable more precise documentation of conversation content.

The activation of this function occurs exclusively situatively and by the respective consultant. Before any recording, the customer is transparently informed that an AI-supported processing of their statements will take place. The function is activated only after explicit, voluntary consent. During transcription, the customer can see that this function is activated and has the option to deactivate it at any time.

By consenting, the customer confirms that they have been informed about the purpose, scope and technical functionality and have read and understood the privacy notice regarding the processing.

The legal basis for data processing is Art. 6(1)(a) GDPR (consent). The consent can be revoked at any time with effect for the future. The revocation has no disadvantages for further consultation.

There is no automated decision making based on the captured data. The stored transcripts and summaries are used exclusively for internal consultation purposes. They are deleted once the purpose ceases to exist or at the request of the data subject, provided there are no legal retention obligations. The customer can request their own transcript and its deletion at any time.

The usage is in accordance with the transparency requirements of the EU AI Act (Art. 52). An interaction with Artificial Intelligence exists and is marked accordingly.

Processing of Personal Data for Appointments

The bridge platform enables end users to independently book consultation appointments with their personal advisor. As part of this process, we collect and process various personal data to ensure smooth and efficient communication and appointment handling.

Specifically, we process first name and last name, email address, optionally a phone number, contents of the free text field such as concerns or appointment type as well as the calendar entry with associated metadata like timestamp and status.

Note: Please do not provide any sensitive information according to Art. 9 GDPR in the free text field, such as health data or information about religious beliefs.

Purpose of Processing

The data collected during appointment booking is used exclusively to efficiently organize the consultation process. This includes sending you appointment confirmations and reminders, contacting you for questions or changes, maintaining calendar functionality and avoiding double bookings. Additionally, this information allows us to optimally manage advisor availability.

An appointment can be scheduled maximum 120 days in advance. After the consultation, the data remains stored for maximum 49 days. This is necessary to enable short-term inquiries, conduct follow-ups or ensure technical system integrity. After that, the data records are automatically deleted.

Legal Bases under GDPR

The legal basis for data processing is Art. 6(1)(b) GDPR, as the processing is necessary for the implementation of pre-contractual measures as well as for the fulfillment of a contract. Additionally, Bridge ITS GmbH has a legitimate interest in the technically stable and user-friendly execution of the appointment process and in quality assurance. This interest is also legally secured according to Art. 6(1)(f) GDPR.

Data may remain stored even after the actual appointment if this serves quality assurance or internal documentation purposes. This also occurs within the scope of our legitimate interest.

Integration into Customer Profile

The information collected during appointment scheduling – i.e. name, email address and if applicable phone number – is automatically transferred to the central Customer Relationship Management system of the bridge platform. This system serves the structured management of all customer interactions and enables us to analyze, improve and efficiently control usage processes.

Bridge ITS GmbH is responsible for this data processing. It occurs on the same legal bases as the appointment booking itself. If there is a technical interface to a CRM system of the consulting partner, the data can additionally be transferred there once an appointment is accepted.

External Links

This website may contain links to third-party websites or to other websites under our responsibility. If you follow a link to any websites outside our responsibility, please note that these websites have their own privacy policies. We do not accept any responsibility or liability for these external websites and their privacy notices. Therefore, please check before using these websites whether you agree with their privacy policies.

You can recognize external links either by being slightly offset in color from the rest of the text or by being underlined. Your cursor will indicate external links when you hover over such a link. Only when you click on an external link will your personal data be transmitted to the link destination. The operator of the other website receives in particular your IP address, the time at which you clicked the link, the page on which you clicked the link, as well as other information that you can find in the privacy policy of the respective provider.

Please also note that individual links may lead to data transmission outside the European Economic Area. This could allow foreign authorities to access your data. You may not have any legal remedies against such data access. If you do not want your personal data to be transferred to the link destination or even unintentionally exposed to access by foreign authorities, please do not click on any links.

Rights of the Data Subject

As a data subject within the meaning of the GDPR, you have various rights that you can exercise. The data subject rights under the GDPR include the right of access (Art. 15), the right to rectification (Art. 16), the right to erasure (Art. 17), the right to restriction of processing (Art. 18), the right to object (Art. 21), the right to lodge a complaint with a supervisory authority, and the right to data portability (Art. 20).

Right of Withdrawal:

Some data processing operations can only be carried out with your express consent. You have the right to withdraw your consent at any time. The lawfulness of data processing, up until the withdrawal, remains unaffected.

Right to Object:

If processing is based on Art. 6(1)(e) or (f) GDPR, you as a data subject have the right to object at any time to the processing of personal data concerning you on grounds relating to your particular situation. This right also applies to profiling based on these provisions within the meaning of Art. 4(4) GDPR. If we cannot demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or processing serves the establishment, exercise or defense of legal claims, we will cease processing your data after your objection.

If personal data is processed for direct marketing purposes, you also have the right to object at any time. The same applies to profiling related to direct marketing. Here too, we will no longer process personal data once you raise an objection.

Right to Lodge a Complaint with a Supervisory Authority:

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your residence, place of work or place of the alleged violation, without prejudice to any other administrative or judicial remedy.

Right to Data Portability:

If your data is processed based on consent or contract performance in an automated manner, you have the right to receive this data in a structured, commonly used and machine-readable format. Furthermore, you have the right to request the transfer and provision of the data to another controller, insofar as this is technically feasible.

Right of Access, Rectification and Erasure:

You have the right to obtain information about your processed personal data regarding the purpose of data processing, the categories, recipients and duration of storage. For questions on this topic or other topics regarding personal data, you can of course contact us via the contact details provided in the imprint.

Right to Restriction of Processing:

You can request restriction of the processing of your personal data at any time. To do so, you must meet one of the following requirements:

You contest the accuracy of the personal data. For the duration of verifying the accuracy, you have the right to request restriction of processing.
If processing is unlawful, you can request restriction of data use instead of erasure.
If we no longer need your personal data for processing purposes but you need the data for the establishment, exercise or defense of legal claims, you can request restriction of processing instead of erasure.
If you object to processing pursuant to Art. 21(1) GDPR, a balancing of interests between your and our interests will be carried out. Until this balancing is completed, you have the right to request restriction of processing.

A restriction of processing means that personal data may only be stored and not processed in any other way, except with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Website Hosting (Web Hosting Provider)

Our website is hosted by:

IONOS SE Elgendorfer Straße 57, 56410 Montabaur
Germany

When you visit our website, we automatically collect and store information in server log files. This information is automatically transmitted by your browser to our server or to the server of our hosting company.

This includes:

IP address of the website visitor's device
Device used
Hostname of the accessing computer
Visitor's operating system
Browser type and version
Name of the retrieved file
Time of server request
Amount of data
Information whether the data retrieval was successful

This data is not combined with other data sources.

The legal basis for processing this data is Art. 6(1)(f) GDPR. Our legitimate interest is the technically error-free presentation and optimization of this website.

Instead of operating this website on our own server, we can also have it operated on the server of an external service provider (hosting company). In this case, the personal data collected on this website is stored on the servers of the hosting company. In addition to the above-mentioned data, this may include contact requests, contact details, names, website access data, meta and communication data, contract data and other data generated through a website.
As an additional legal basis, the purpose of pre-contractual or contractual performance with respect to the data subject is cited. (Art. 6(1)(b) GDPR). In the event that we have commissioned a hosting company, there is a data processing agreement with this service provider.

Use of Local Storage Items, Session Storage Items and Cookies

Our website uses local storage items, session storage items and/or cookies. Local storage is a mechanism that enables the storage of data within the browser on your device. This data usually includes user preferences, such as "day mode" or "night mode" of a website, and remains stored until you manually delete the data. Session storage is very similar to local storage, whereas the storage duration only lasts during the current session, i.e. until the current tab is closed. After that, the session storage items are deleted from your device. Cookies are information that a web server (server providing web content) stores on your device to identify this device. They are either stored temporarily for the duration of a session (session cookies) and deleted after your visit to a website or permanently (permanent cookies) on your device until you delete them yourself or automatic deletion occurs through your web browser.

These objects can also be stored on your device by third-party companies when you enter our site (third-party requests). This enables us as operators and you as visitors of this website to use certain services from third parties that are installed on this website. Examples include the processing of payment services or the display of videos.

These mechanisms have various applications. They can improve the functionality of a website, control shopping cart functions, increase the security and convenience of website usage, and conduct analyses regarding visitor flows and behavior. Depending on the individual functions, these are to be classified under data protection law. If they are necessary for the operation of the website and intended to provide certain functions (shopping cart function) or serve to optimize the website (e.g. cookies to measure visitor behavior), then their use is based on Art. 6(1)(f). As website operators, we have a legitimate interest in storing local storage items, session storage items and cookies for the technically error-free and optimized provision of our services. In all other cases, the storage of local storage items, session storage items and cookies only occurs with your express consent (Art. 6(1)(a) GDPR).

If local storage items, session storage or cookies are used by third-party companies or for analysis purposes, we will inform you separately about this within this privacy notice. Your consent will be requested and can be revoked at any time.

Use of External Services

Our website uses external services. External services are third-party services that are used on our website. This can be for various reasons, for example for embedding videos or for website security. When using these services, personal data is also transferred to the respective providers of these external services. If we do not have a legitimate interest in using these services, we obtain your revocable consent as a visitor to our website before using them (Art. 6(1)(a) GDPR).

Web Fonts

This page uses web fonts for the uniform display of fonts, which are provided by an external provider and loaded by your browser when the website is accessed. When doing so, the web font provider gains knowledge that our website was accessed from your IP address, since your browser establishes a direct connection to the web font provider.

Processing only takes place if you explicitly consent to this data processing (via our consent banner on the website). The legal basis for consent is Art. 6(1)(a) GDPR. Without your consent, data processing does not take place in the manner described above. If you withdraw your consent (e.g. via the consent banner or other options provided on this website), we will terminate this data processing. The lawfulness of processing that took place up until withdrawal remains unaffected.

Google Fonts

We use the Google Fonts service on our website. The service provider is Google Ireland Ltd., Gordon House, Barrow Street Dublin 4, Ireland.

Use of the service may result in data transfer to a third country (USA). Further information can be found in the provider's privacy policy at the following URL: https://policies.google.com/privacy.

Web Security

On our website, we use tools that protect against unauthorized access, spam or other attacks. This increases the security of our website.

We base this processing on a legitimate interest (Art. 6(1)(f) GDPR).

Our legitimate interest is to ensure the security of our website and protect ourselves against unauthorized access, spam and other attacks.

Matomo

We use the Matomo service in our web application. EU representative as controller or processor not established in the Union (Art. 27 GDPR) is: ePrivacy Holding GmbH, Große Bleichen 21, 20354 Hamburg, Germany.

Matomo is a self-hosted open source software that we use to anonymously analyze user behavior in our web application.

The visitor behavior data is collected to continuously improve the offered services and functions and to identify and fix potential problems during use.

For this purpose, Matomo creates detailed statistics, including about used devices, browsers and user origin. Matomo is considered one of the best-known tracking tools alongside Google Analytics. However, Matomo represents a privacy-sensitive alternative in direct comparison.

The data processing is based on the principle of legitimate interest.

Processing the data helps us determine what works in our web application and what doesn't. For example, we can find out whether and how content and functions are used or how we can improve the structure of the web application.

Further information can be found in the provider's privacy policy at the following URL: Matomo Privacy Policy

Google reCAPTCHA

We use the Google reCAPTCHA service on our website. The service provider is Google Ireland Ltd., Gordon House, Barrow Street Dublin 4, Ireland.

Use of the service may result in data transfer to a third country (USA).

Further information can be found in the provider's privacy policy at the following URL: https://policies.google.com/privacy.

The service stores the following data in the browser's local/session storage:

Name: rc::a: Storage duration: Permanent; Type: 3rd-Party Local Storage, www.recaptcha.net; Purpose: Used to read and filter requests from bots.
Name: rc::c: Storage duration: Session; Type: 3rd-Party Local Storage, www.recaptcha.net; Purpose: Used to read and filter requests from bots.