Privacy Policy

Responsible body within the meaning of data protection laws, in particular the EU Data Protection Ordinance (DSGVO):

Xenium AG
Sapporobogen 6-8
80637 Munich
Telephone: +49 89 4207980
E-Mail: datenschutz@xenium.de

You can exercise the following rights at any time using the contact details provided by our data protection officer:

• information about your data stored by us and its processing (Art. 15 DSGVO),

• correction of incorrect personal data (Art. 16 DSGVO),

• deletion of your data stored by us (Art. 17 DSGVO),

• restriction of data processing if we are not yet allowed to delete your data due to legal obligations (Art. 18 DSGVO),

• objection to the processing of your data by us (Art. 21 DSGVO) and

• data portability, given you have consented to the data processing or have concluded a contract with us (Art. 20 DSGVO).

If you have given us consent, you can revoke this at any time with effect for the future.

You can lodge a complaint with a supervisory authority at any time, e.g. the competent supervisory authority in the federal state of your residence or the authority responsible for us as the controller.

A list of the supervisory authorities (for the non-public sector) with address can be found at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

Purpose

There is a contact form on our website that can be used to contact us electronically. If a user uses this option, the data entered in the input field will be transmitted to us and stored.

The following data is also stored once the message is sent:

• Date and time of the request

It is also possible to contact us via the e-mail addresses provided. In this case, the user's personal data transmitted with the e-mail will be stored. This includes the date and time the e-mail was sent, e-mail address, IP address and information on the servers involved in the e-mail communication.

You can also contact us via the telephone number provided. In this case, we collect log data that includes your telephone number and the duration of the call.

Legal basis

The data entered in the contact form is processed in accordance with a legitimate interest (Art. 6 para. 1 lit. f GDPR). Our legitimate interest in processing your data is to facilitate uncomplicated contact.

Recipient of the data

Recipients of the data may be technical service providers who act as processors for the operation and maintenance of our website.

Storage duration

Data will be deleted no later than 6 months after the request has been processed.

If there is a contractual relationship, we are subject to the legal storage periods. These are generally 6 or 10 years for the purposes of orderly accounting and tax law requirements.

Provision mandatory or required

The provision of your personal data is voluntary. However, we can only process your request if you provide us with the required data and the reason for the request.

Objection

Please read the information on your right to object under Art. 21 GDPR below.

Purpose, legal basis and legitimate interest

When you access our website, i.e. even if you do not register or otherwise submit information, information of a general nature is automatically collected. This information (server log files) includes, for example, the type of web browser, the operating system used, the domain name of your internet service provider, your IP address and the like..

In particular, they are processed for the following purposes:

• ensuring a problem-free connection setup,

• the website,

• ensuring the smooth use of our website,

• evaluating system security and stability, and

• for other administrative purposes.

We also reserve the right to check the server log files retrospectively if there are concrete indications of unlawful use.

The processing is carried out in accordance with Art. 6 para. 1 lit. f DSGVO on the basis of our legitimate interest in improving the stability and functionality of our website.

Recipient of data

We use technical service providers for the operation and maintenance of our website who act as our processors.

Storage period

The data is deleted as soon as it is no longer required for the purpose for which it was collected. This is generally the case for data used to provide the website when the respective session has ended.

Provision prescribed or required

The provision of the aforementioned personal data is neither legally nor contractually required. However, without the IP address and the cookie identifier, the service and functionality of our website cannot be guaranteed. In addition, individual services and services may not be available or may be restricted.

Objection

Please read the information about your right to object according to Art. 21 DSGVO below.

Type and purpose of the processing

The personal data you provide when booking an appointment to arrange an initial consultation (e.g. name, email address, notes, desired appointment) will be processed for appointment planning, organization and execution.

Legal disclaimer

The legal basis is the fulfillment of the contract or pre-contractual measures in accordance with Art. 6 para. 1 lit. b) GDPR (if the appointment booking form is used to initiate a potential contractual agreement or to fulfill an existing contract) or consent in accordance with Art. 6 para. 1 lit. a) GDPR (if the appointment booking is not mandatory or is used for voluntary additional services (for voluntary information, reminder service or advertising-related communication).

Recipient

We use Microsoft Bookings as an internal calendar and communication system to organize appointments. In this context, your data may be transmitted to Microsoft Ireland Operations Limited as a service provider. We have signed a data processing agreement with Microsoft to protect your data.

Third country transfers

When using Microsoft Bookings, the transfer of personal data to third countries (in particular the USA) cannot be excluded. Microsoft is certified in accordance with the EU-U.S. Data Privacy Framework, which guarantees an adequate level of data protection in accordance with Art. 45 GDPR.

Storage period

Your personal data will be deleted as soon as it is no longer required for the purpose for which it was collected and there are no legal obligations to retain it. As a general rule, deletion takes place no later than 8 weeks after the scheduled appointment, provided that no further communication or business relationship takes place.

Provision of data voluntary/obligatory. Consequences of refusal

Voluntary information (e.g. on special requests or for contacting for other purposes) can also be excluded without affecting the appointment booking.

Revocation, if applicable

If the processing of your data is based on your consent (Art. 6 para. 1 lit. GDPR), you have the right to revoke this consent at any time with immediate effect for the future. The legality of the data processing carried out until the revocation remains unaffected by this. You can send your revocation at any time informally by e-mail to info@xenium.de.

Purpose, legal basis and legitimate interest

You can send us your application via the online application form or by e-mail to karriere@xenium.com.

We will only process the data you provide to assess your professional suitability and to contact you.

The processing is carried out for the purpose of establishing an employment relationship as part of the implementation of pre-contractual measures, which are carried out upon request, § 26 BDSG.

Within the framework of the balancing of interests (Art. 6 para. 1 lit. f) DSGVO), we process your data, as far as necessary, beyond the actual decision on the establishment of an employment relationship. Examples of such cases are:

• measures to protect employees and customers as well as to protect the company's property and building and facility security (e.g. access controls, locking systems and video surveillance),

• assertion of legal claims and defence in legal disputes: disclosure of personal data may be necessary in the context of official/court measures for the purposes of gathering evidence, criminal prosecution or enforcement of civil claims,

• writing letters of application via LinkedIn, Xing and other applicant databases such as Absolventa, Indeed, etc.

Furthermore, we process your data on the basis of legal requirements (Art. 6 para. 1 lit. c) DSGVO in conjunction with. § 26 BDSG), e.g. in order to comply with tax law and similar control and reporting obligations.

Recipient of the data

Within the company, access to your data is granted to those offices that need it to fulfil contractual, legal and supervisory obligations and to safeguard legitimate interests (e.g. HR department, management, the future supervisor). The processing takes place on the systems and servers of Xenium AG.

Service providers and vicarious agents employed by us may also receive data for these purposes, insofar as they require the data to perform their respective services. These may be external service providers from the following areas: Support or maintenance of EDP or IT applications and personnel management software. All service providers are contractually bound and in particular obliged to treat your data confidentially.

Data will only be passed on to recipients outside our company in compliance with the applicable data protection regulations. Personal data may be passed on to the following third parties, for example: external data protection officer, authorities in the event of a duty to disclose data.

Third country transfers

Processing does not take place outside the European Union (EU) or the European Economic Area (EEA).

Storage duration

If your application is rejected, it will be deleted six months after notification of the decision.

If an employment relationship is established, the application documents will be stored at Xenium AG for at least the duration of the employment period.

Provided you give us your explicit consent as part of your application, we will include your application documents in our talent pool. This enables us to consider you for future vacancies that match your qualifications and interests.

Your application data will be stored in the talent pool on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR and will be stored for a period of 12 months. At the end of this period, your data will be automatically deleted unless you give us renewed consent to extend the storage period.

You can revoke your consent at any time with immediate effect for the future. An informal notification to karriere@xenium.com­ is sufficient. This does not affect the legality of the data processing carried out up to the point of revocation.

Provision prescribed or required

The provision of personal data is neither legally nor contractually required. However, it is not possible to process the application without this information.

Automated decision-making or profiling

We do not use fully automated decision-making pursuant to Article 22 of the GDPR for the establishment, implementation and termination of the working relationship. Should we use these procedures in individual cases, we will inform you separately about this and about your rights in this regard, insofar as this is required by law. We also do not process your data with the aim of automatically assessing certain personal aspects.

Revocation, if applicable

Please read the information on your right to objection under Art. 21 GDPR below.

Purpose and legal basis of processing

We use the privacy-friendly web analytics service Plausible Analytics to gain insights into how our website is used.

The aim is to continuously improve the functionality, user-friendliness, and relevance of our content.

In doing so, we collect information such as:

• which pages are visited most frequently

• from which countries and regions the visits originate (in anonymized form)

• which devices and browsers are used to access our website

• how long visitors stay on certain pages

Plausible Analytics operates without the use of cookies and does not employ tracking technologies that follow individual users across websites or visits.

In addition:

• IP addresses are not stored permanently; they are only processed in a truncated and anonymized form for the duration of the request

• no user profiles are created

• no personal data as defined by the GDPR is collected or stored

• all data is evaluated exclusively in aggregated and anonymized form

While we receive statistical insights into how the website is used, we cannot associate this data with individual persons.

Recipients of data

The data is processed by:

Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia – a company based in the European Union.

Additional recipients may include technical service providers who are contractually obligated to handle your data confidentially.­

Third country transfers

No personal data is transferred to third countries outside the European Union (EU) or the European Economic Area (EEA).

Storage period

Plausible only stores aggregated data with no personal identifiers.

IP addresses or other identifying data are neither stored permanently nor linked to other information.
No personal data is retained.

Provision mandatory or required

The use of Plausible Analytics is not required for visiting our website.

Its use is solely for technical and statistical optimization.

No automated decision-making takes place.

Right to object

You can technically prevent the collection of your data by activating “Do Not Track” in your browser settings.

Our system will recognize this signal and exclude your visit from analysis.

To protect the security of your data during transmission, we use state-of-the-art encryption procedures (e.g. SSL) via HTTPS.

External Links

Xenium AG is only responsible for its "own content" that it makes available for use. If links to websites of other providers are provided, the statements of the Xenium AG privacy policy do not apply to the processing of personal data by these providers.

If you follow a link to one of these websites (which are outside our responsibility), we would like to point out that these websites have their own data protection information and that we are not responsible for this. We therefore recommend that you read the privacy policy on the other websites you visit before passing on your personal data to these website providers.

External links are marked with this symbol on our website: ↗

Please note that clicking on external links may also result in a data transfer to a third country (e.g. USA). In this case, it may be possible that foreign third parties, authorities or intelligence services receive your personal data (such as your IP address).

LinkedIn

We maintain a company profile on LinkedIn.

A simple link will take you from our website to our presence on LinkedIn. This platform is operated by LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland. We maintain this LinkedIn company page in order to inform users or interested parties as well as customers about our company. We provide information via our LinkedIn profile and offer users the opportunity to communicate with us.

Furthermore, we would like to point out that as the operator of a LinkedIn company profile, we are jointly responsible with LinkedIn for the processing of the personal data of the site visitors (Art. 26 DSGVO). For this purpose, we have entered into a corresponding joint responsibility agreement with LinkedIn, which specifies the distribution of data protection obligations between us and LinkedIn. You can access this contract under the following link https://legal.linkedin.com/pages-joint-controller-addendum. In accordance with this contract, LinkedIn is responsible for responding to data subject requests. To assert these data subject rights, you may contact LinkedIn online at https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de or reach LinkedIn using the contact information in the Privacy Policy. You may also contact LinkedIn's Privacy Officer via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO.

Once you visit our LinkedIn company profile, follow or engage with this site, LinkedIn processes personal data. As a result, LinkedIn provides us with insight and statistics in anonymized form, after which we are informed about the types of actions visitors take on our site (so-called page insights). It is not possible for us to derive conclusions about individual members via the information of the page insights. On the one hand, LinkedIn processes data that you have stored in your profile based on your own published information. In addition, LinkedIn processes in particular data about how you interact with our LinkedIn company page, e.g. whether you are a follower of our LinkedIn company page.

The processing of your personal data is based on your consent pursuant to Art. 6 (1) sentence 1 lit.a DSGVO, which you have given to LinkedIn as part of your registration.

Further information on the processing of your data by LinkedIn can be found in the privacy policy of LinkedIn https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv.

We cannot exclude that a third country transfer, e.g. to servers located in the USA, takes place when you call up our LinkedIn company presence.

Youtube

We maintain a profile on the YouTube platform, a service provided by YouTube, LLC (hereinafter referred to as "YouTube"), a subsidiary of Google, LLC (hereinafter referred to as "Google"), primarily to provide instructional videos on how to best use our products. We also provide videos informing about product updates, as well as video recordings of conference presentations. Personal data is processed by us through the use of the comment function.

Google's privacy policy applies:

- https://policies.google.com/privacy?hl=en#intro

The processing of data is based on your consent pursuant to Art. 6 (1) p. 1 lit. a DSGVO, which you give to YouTube when visiting our YouTube channel.

YouTube and Google may process your data in the USA. An adequate level of data protection is ensured by standard contractual clauses.

Google may retain your data for longer periods of time. Some data may be deleted by you or will be deleted automatically.­ For more details, please refer to Google's privacy policy.

Providing your personal data is not required by law or contract. However, we cannot communicate with you without providing it.

XING

XING is a social network operated by XING SE, which is headquartered in Hamburg. Here, members can primarily manage their professional, but also private contacts and make new contacts. Organizations can set up a page with a logo and short profile, post news and initiate discussion groups.

A personal profile with administrator rights must be assigned to the company profile. Dialog in groups can only be done via the personal profile of a natural person.

To use the network functions you have to be registered as a user. There is a free basic version and a paid version with additional functions. Unlike other social networks, XING is based more on a combination of personal and electronic contact, and is less commercial and less visual. The focus is on professional exchange on specialist topics with people who have the same professional interests. In addition, XING is frequently used by companies and other organizations for recruiting personnel and presenting themselves as attractive employers. For this purpose, XING is linked to the employer rating platform Kununu.

Your personal data is processed on the basis of your consent pursuant to Art. 6 (1) sentence 1 lit. a DSGVO, which you have given to XING as part of your registration.

XING provides further information at: https://corporate.xing.com/de/unternehmen/

You can read the current information on data protection at https://privacy.xing.com/de/datenschutzerklaerung.

Kununu

We maintain a company profile on Kununu.

A simple link will take you from our website to our presence on Kununu. This platform is operated by Kununu as a service of New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany. We maintain this Kununu company page in order to inform users or interested parties as well as customers about our company. We provide information via our Kununu profile.

Furthermore, we would like to point out that as the operator of a Kununu company profile, we are jointly responsible with Kununu for the processing of the personal data of the site visitors (Art. 26 DSGVO). For this purpose, we have concluded a corresponding joint responsibility agreement with Kununu, which specifies the distribution of data protection obligations between us and Kununu. 

As soon as you visit our Kununu company profile, or engage with this site, Kununu processes personal data. We have no influence on the type and scope of the data processed by Kununu.

On the one hand, Kununu processes data that you have stored in your profile based on your own published information. In addition, Kununu processes in particular data about how you interact with our Kununu company page, e.g. whether you are a follower of our Kununu company page.

The processing of your personal data is based on your consent pursuant to Art. 6 (1) sentence 1 lit. a) DSGVO, which you have given to Kununu as part of your registration. We would like to point out that you use the Kununu channel offered here and its functions on your own responsibility. This applies in particular to the use of the interactive functions.

Kununu processes your voluntarily entered data and evaluates any content you have shared or viewed.

Information about which data is processed by Kununu and for which purposes can be found in the Kununu privacy policy: https://privacy.xing.com/de/datenschutzerklaerung

We reserve the right to adapt this data protection declaration so that it always complies with the current legal requirements­ or in order to implement changes to our services in the data protection declaration, e.g. when introducing new services. The new data protection statement will then apply to your next visit.

If you have any questions about data protection, please write us an e-mail or contact the person responsible for data protection in our organisation directly:

Data Protection Officer at Xenium AG
c/o activeMind AG
Potsdamer Str. 3
80802 Munich
Phone: +49 (0)89 / 91 92 94 – 900
www.activemind.de
datenschutz@xenium.de

Individual right of objection

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Art. 6(1)(f) DSGVO (data processing on the basis of a balance of interests); this also applies to profiling based on this provision within the meaning of Art. 4 No. 4 DSGVO.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Recipients of an objection

The objection can be made informally with the subject "Objection", stating your name, address or other identifiers, to:Xenium AG

Sapporobogen 6-8

80637 München

Phone: +49 89 4207980
E-Mail: info@xenium.de