Privacy Policy of we‑IT GmbH
As of January 30, 2026
Responsible party: we‑IT GmbH, Kriegerstr. 35, 82110 Germering, Germany
Contact for data protection concerns: datenschutz@we-it.de
Competent supervisory authority: Bavarian State Office for Data Protection Supervision (BayLDA)
Data protection officer: not appointed, as not required by law; for contact details, see the contact address above.
We operate an information security management system (ISMS) in accordance with ISO/IEC 27001. The scope of the certificate and further evidence are available at https://compliance.we-it.de.
This statement applies to our business data processing in the B2B environment and—where expressly indicated—to the use of our website. Provisions marked "(web)" relate exclusively to website operation.
1. Purposes, legal bases, and data categories
We process personal data exclusively on the basis of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Unless expressly stated otherwise, the provision of data is voluntary. Without certain information, we may not be able to provide individual services, in particular the processing of inquiries, the initiation or fulfillment of contracts, and support activities.
1.1 Business development, contract execution, and customer relations (B2B)
For the purpose of initiating, concluding, and executing contracts, maintaining ongoing customer relationships, providing services including support, and billing, we process in particular master data, communication and contact data, contract and billing data, as well as support and ticket information. The legal bases are Art. 6 (1) (b) GDPR (pre-contractual measures and contract fulfillment), Art. 6 (1) (c) GDPR (legal obligations, such as tax and commercial law retention requirements), and Art. 6 (1) (f) GDPR (legitimate interest in efficient communication, IT security, and the enforcement of legal claims).
1.2 Communication and ticket system
When you contact us by email or phone, we process your information in order to handle your inquiry and any follow-up questions. Registered customers can also submit inquiries via our ticket system (Freshdesk/Freshworks). Depending on the range of functions and the selected data center location, Freshdesk may process data in EU data centers; individual functions may involve transfer to third countries, in particular the USA. We base such transfers on an adequacy decision (EU-US Data Privacy Framework) or on EU standard contractual clauses. The legal basis is Art. 6 (1) (b) GDPR and Art. 6 (1) (f) GDPR (efficient communication and support).
1.3 Applications
When you apply for a position with us, we process your master data, contact details, application documents, and our correspondence for the purpose of the selection process. The legal basis for this is Section 26 (1) of the German Federal Data Protection Act (BDSG) and Article 6 (1) (b) of the GDPR. If we transfer your documents to an applicant pool after the selection process has been completed, this will only be done on the basis of your consent (Article 6 (1) (a) of the GDPR), which you can revoke at any time with future effect.
2. Web-specific processing
2.1 Hosting and infrastructure (web)
Our website is operated in data centers belonging to Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp (Germany). We use the infrastructure services provided there, including performance optimization (e.g., NitroPack) and security functions (e.g., Wordfence). The legal basis for this is Art. 6 (1) (b) GDPR, insofar as page content serves to initiate a contract, and Art. 6 (1) (f) GDPR, as we have a legitimate interest in the operation and security of a professional website.
2.2 Server log files (web)
When you visit our website, server log files are created that contain, among other things, the IP address, date and time of the visit, the requested resource, the referrer URL, and the user agent used. We use these logs for error analysis and to ensure stability and security, and we do not combine them with other data. We only store the log data for as long as is necessary for these purposes, usually up to fourteen days. In the event of security-related incidents, we may store logs for longer periods of time as necessary. Note: for email logs, the host may stipulate longer periods (e.g., four weeks) for technical reasons.
2.3 Cookies, consent, and categories (web)
We use the consent management tool Real Cookie Banner (devowl.io). This allows you to give or withhold your consent for the categories "Essential," "Functional," "Statistics," and "Marketing" and to change your selection at any time. We base essential and functional cookies on Art. 6 (1) lit. f GDPR in conjunction with § 25 (2) TTDSG, while statistics and marketing technologies are used exclusively with your consent in accordance with Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TTDSG. The current, dynamic list of services and cookies is available via the banner.
We use Weglot to make our website multilingual. This involves setting functional cookies and local storage entries (e.g., to store the language selection and cache translations). This processing is explained in more detail in the "Weglot" section (2.4).
2.4 Integrated web services (web)
The services listed below are either absolutely necessary for technical reasons or are only loaded after you have given your consent via the consent banner. We provide information about the purpose, legal basis, storage period, and possible transfers to third countries in each case.
Google Tag Manager (GTM)
We use Google Tag Manager to centrally manage integrated services. The tool does not create its own user profiles, but may process IP addresses for technical reasons. The legal basis is our legitimate interest (Art. 6 (1) (f) GDPR). If further data transfer is necessary in individual cases, we base this on consent (Art. 6 (1) (a) GDPR). Transfer to the USA is possible; the EU-US Data Privacy Framework and the EU Standard Contractual Clauses may be considered as legal bases.
Google Analytics (GA4)
We use Google Analytics in the GA4 version to analyze reach and usage. Processing only takes place with your consent (Art. 6 (1) (a) GDPR). We store event and usage data for fourteen months as standard. Google may transfer data to the US; the EU-US Data Privacy Framework or the standard contractual clauses serve as guarantees.
Google Ads (including conversion/remarketing)
We use Google Ads, including conversion and remarketing functions, to display and measure the success of online advertising. This is only used with your consent (Art. 6 (1) (a) GDPR). Data may be transferred to the USA; the EU-US Data Privacy Framework or the EU Standard Contractual Clauses serve as protective mechanisms.
ProvenExpert seal
We integrate a seal from Expert Systems AG (ProvenExpert) on our website to display customer reviews. Processing is based on our legitimate interest in transparent presentation (Art. 6 (1) (f) GDPR) or—if cookies/trackers are used—on your consent (Art. 6 (1) (a) GDPR).
Microsoft Bookings
We use Microsoft Bookings to schedule appointments. Microsoft Ireland Operations Limited is responsible for this; depending on usage, data may be transferred to Microsoft Corporation (USA). The legal basis is our legitimate interest in efficient appointment scheduling (Art. 6 (1) (f) GDPR) or your consent, if you give it (Art. 6 (1) (a) GDPR). The EU-US Data Privacy Framework and the EU Standard Contractual Clauses may be considered.
Wordfence (security plugin)
We use the Wordfence security plugin to protect against attacks. Processing is for IT security purposes and is based on Art. 6 (1) (f) GDPR. Data may be transferred to the USA; in this case, the EU standard contractual clauses apply.
OneDrive integrations
When we provide or embed files via Microsoft OneDrive, we process the necessary usage data for this purpose. Depending on the use, the legal basis is Art. 6 (1) (b) GDPR (contract/initiation) or Art. 6 (1) (f) GDPR; in the case of consent arrangements, Art. 6 (1) (a) GDPR applies. Transfers to the USA are possible and are secured in accordance with applicable law.
jQuery (CDN), if loaded externally
If the JavaScript library jQuery is integrated from a content delivery network, the CDN provider processes technical usage data such as IP address and retrieval times. The integration is carried out for efficient and stable delivery and is based on Art. 6 (1) lit. f GDPR; for components requiring consent, we use Art. 6 (1) lit. a GDPR.
Google Fonts (local) and Font Awesome (local)
We provide fonts and icons locally. Therefore, when you visit our pages, no connection to the servers of the respective providers is established.
reCAPTCHA (form protection)
We may use Google reCAPTCHA to protect against abusive automated entries. The tool is only loaded with your consent (Art. 6 (1) (a) GDPR). Transfer to the US is possible; it is secured in accordance with the EU-US Data Privacy Framework or the EU Standard Contractual Clauses.
Trustindex.io (review widgets)
We use Trustindex.io to display external rating widgets. When loading, IP addresses and device information may be transmitted to Trustindex or to CDNs used. We only integrate Trustindex with your consent (Art. 6 (1) (a) GDPR).
Weglot (multilingualism / website translations)
We use Weglot to provide our website in multiple languages. The provider is WEGLOT (SAS), 7 cité Paradis, 75010 Paris, France.
Technical usage data (e.g., IP address, browser/device information, browser language, URL accessed) is processed for the delivery of translations. Weglot also processes website content (text) to create and store translations (original text and translation). If, in exceptional cases, website content contains personal data, this may also be affected.
Depending on configuration and usage, Weglot may use the following storage technologies in particular:
wglang (cookie, session): stores the language selected by the user,
WG_CHOOSE_ORIGINAL (cookie, up to 1 month): if the original language was selected with auto-switching enabled,
wg-translations (local storage, permanent): stores translations (caching),
wg-slugs (local storage, permanent): stores translated URLs.
Processing is based on our legitimate interest in providing a user-friendly, multilingual online service (Art. 6 (1) (f) GDPR). If consent is required to store information on your device, this is done via our consent banner.
Weglot processes the data in this context as a processor; for this purpose, we conclude a data processing agreement in accordance with Art. 28 GDPR.
Weglot generally stores translation/project data for the duration of use; projects without API calls in the last six months are considered inactive and are then deleted.
Weglot may use subcontractors; Weglot provides a current list. If data is transferred to third countries in this context, this is done in accordance with Art. 44 et seq. GDPR (e.g., by means of standard contractual clauses).
3. Recipients, order processing, and transfers to third countries
Within our company, only those departments that need personal data to fulfill their respective purposes have access to it. External recipients are, in particular, processors for hosting, cloud/backup, email and ticket systems, IT maintenance and, depending on the process, tax consulting, accounting, shipping and printing service providers, payment services, and legal advice. We provide a current overview of our processors upon request. Transfers to third countries are only carried out under the conditions of Art. 44 ff. GDPR, i.e., on the basis of an adequacy decision (e.g., EU-US Data Privacy Framework) or appropriate safeguards, in particular the EU standard contractual clauses.
4. Storage locations, retention periods, and deletion
We operate our own systems in data centers in Germany. For external services, the storage location depends on their infrastructure within the EU/EEA or, if necessary, in third countries, in each case in compliance with data protection regulations. We delete or anonymize personal data as soon as the purpose no longer applies and there is no longer any legal basis or legal obligation for further storage. Further storage may take place on the basis of Art. 6 (1) lit. f GDPR for the assertion, exercise, or defense of legal claims until the expiry of the limitation periods.
4.1 Typical deadlines
We regularly store contract and billing documents for ten years in accordance with the provisions of the German Fiscal Code (AO) and the German Commercial Code (HGB). We store commercial and business correspondence for six years. We generally retain support tickets in Freshdesk for up to three years after completion, unless there are longer legal obligations. We generally delete application documents six months after the conclusion of the process; if consent has been given for retention, the retention period is up to twelve months. We retain logs from the consent management tool until the end of the relevant retention period, which is generally up to three years. Data from Google Analytics is stored for fourteen months by default. We generally retain server log files from the website for up to fourteen days; in the event of security-related incidents, the retention period may be longer depending on the circumstances. For technical reasons, email logs from the host may be retained for a period of approximately four weeks.
4.2 Backups and archives
As part of our ISO 27001-compliant ISMS, we maintain audit-proof backup and archiving systems, including for email and M365 data as well as SharePoint/OneDrive content. To the extent permitted by law, backup copies may be retained for compliance, evidence, and disaster recovery purposes for extended periods of time—up to twelve years. These backups are logically separated from the production system, subject to strict access restrictions, and used exclusively for recovery and verification purposes (Art. 6 (1) (c) and (f) GDPR). We implement deletion requests in the production system; physical overwriting within the backup sets takes place on a regular basis in accordance with the media or life cycle.
5. Your rights
You have the right of access, rectification, erasure, restriction of processing, and data portability (Articles 15–20 GDPR). You may object to processing if it is based on Article 6(1)(e) or (f) GDPR; this applies in particular to direct marketing (Article 21 GDPR). You may revoke your consent at any time with effect for the future (Art. 7 (3) GDPR). You also have the right to lodge a complaint with a data protection supervisory authority, in particular the BayLDA.
6. Information on transfers to third countries
When we use providers in third countries—particularly in the US—we base transfers on the EU-US Data Privacy Framework or, if no adequacy decision has been made, on the EU standard contractual clauses. We continuously monitor legal developments and adapt our transfers and the protective measures we have put in place accordingly. In section 2.4, we provide information about the specific providers affected; further details are available on request.
7. Technical and organizational measures (TOM)
To protect personal data, we use a range of measures, including access controls with role-based permissions and multi-factor authentication, encrypted data transmission (TLS), and—depending on the system—encryption of data at rest, hardening and patch management, logging and monitoring, and regular backup and recovery tests. Our supplier and processor management includes data processing agreements and, where necessary, transfer impact assessments. Audits and recertifications are carried out as part of our ISO/IEC 27001 system.
8. Forms, contact details, and no newsletter
If you contact us via forms, email, or telephone, we will process your information in order to respond to your inquiry. To protect the forms from spam, we only use reCAPTCHA with your consent. We do not offer a newsletter.
9. Changes to this privacy policy
We will update this privacy policy if the legal situation, our processes, or the services we use change. The version published here, with its date, is the one that applies.
