Privacy Policy
Last updated: April 2026
In accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR), we inform you below which personal data is processed by us in connection with the access of our website and what your related rights are.
1. General Information
Personal data means any information relating to an identified or identifiable natural person. Processing means any operation performed on such data, e.g. collection, organization, storage and erasure (Article 4 nos. 1 and 2 GDPR).
2. Data Controller
Many data protection obligations apply to the so-called “controller”. Whenever “we” or “us” is used below, this refers to the controller. The controller responsible for data processing in the context of intended or existing business relationships is:
X-ROADS Human AI GmbH
Freiherr-vom-Stein-Straße 17
65779 Kelkheim (Taunus)
3. Hosting
Our website is hosted by Amazon Web Services (AWS) GmbH. All data that is collected and stored by us when you visit our website is therefore stored on the servers of Amazon Web Services (AWS) GmbH or its contractually bound partner companies.
The servers of Amazon Web Services (AWS) GmbH are located in Germany. Amazon Web Services (AWS) GmbH processes the user data generated there strictly in accordance with the instructions of X-ROADS Human AI GmbH as the controller. We determine the purposes and means of the processing within the meaning of Article 28 GDPR.
The purpose of data processing in the context of hosting is to ensure the functionality and availability of our website. The legal basis is our legitimate interest in reliable and secure web hosting pursuant to Article 6(1)(f) GDPR.
4. Scope of Data Processing
When you access our website, we process in particular the following categories of personal data:
- Server log data (e.g. IP address, date and time of access, requested URL, browser used, operating system, referrer URL)
- Contact data when you use contact forms (e.g. name, email address, phone number)
- Communication data (content and metadata of your inquiries)
- Cookie and tracking data (e.g. online identifiers, usage behavior, reach measurement), insofar as such data is used with your consent or on the basis of legitimate interests
5. Purposes and Legal Bases of Processing
We process your personal data for the following purposes:
- Provision of the website and IT security (collection of server log data); the legal basis is our legitimate interest in the secure and stable operation of our website pursuant to Art. 6(1)(f) GDPR.
- Contact and communication when you contact us via forms or email; the legal basis is Art. 6(1)(b) GDPR (initiation/performance of contracts) or our legitimate interest pursuant to Art. 6(1)(f) GDPR in processing your inquiry.
- Web analytics, reach measurement and marketing, to the extent that we use analytics or tracking tools; this is generally based on your consent pursuant to Art. 6(1)(a) GDPR or, where permissible under data protection law, on our legitimate interest pursuant to Art. 6(1)(f) GDPR.
- Compliance with legal obligations (e.g. commercial and tax law retention obligations) pursuant to Art. 6(1)(c) GDPR in conjunction with, in particular, Sec. 257 German Commercial Code (HGB) and the German Fiscal Code (AO).
- Where you have given us consent (e.g. to the use of certain cookies, newsletters), we process the data covered by such consent on the basis of Art. 6(1)(a) GDPR.
6. Cookies and Similar technologies
We use cookies and similar technologies on our website. Technically necessary cookies serve to provide basic functions and are processed on the basis of Article 6(1)(f) or (b) GDPR. Cookies for statistical or marketing purposes are only set with your consent pursuant to Article 6(1)(a) GDPR.
7.Cookie Consent Tool
We have implemented a cookie consent tool from Welches Cookie-Consent-Tool on our website in order to obtain valid user consent pursuant to Article 6(1)(a) GDPR for cookies and cookie-based applications that require consent. This Tool is displayed to users of our website when they access the website in the form of an interactive user interface. Within this interactive user interface, users can grant consent for the storage of cookies and/or cookie-based applications by checking a box. By using the Tool, cookies and services that require the user’s consent under Article 6(1)(a) GDPR are only activated if the user has granted their consent by checking the relevant box. This ensures that a corresponding cookie is stored on the user’s device only if the user has given consent.
The Tool sets technically necessary cookies in order to store the user’s cookie preferences. No personal data is collected in this process.
Information about the provider and configuration options of the cookie consent tool can be found directly in the corresponding user interface.
If, in individual cases, personal data (e.g. IP address) is processed for the purpose of storing, assigning or logging cookie preferences, this processing of personal data is carried out on the basis of Article 6(1)(f) GDPR. Our legitimate interest lies in legally compliant, user-specific and user-friendly consent management for cookies. Another legal basis for processing is Article 6(1)(c) GDPR. As controllers, we are under a legal obligation to make the use of non-essential cookies dependent on the respective user’s consent.
8. Data Deletion Rules
We store personal data only for as long as is necessary for the respective purposes (in particular operation of the website, responding to inquiries, contract performance) or as long as we are legally required to retain it (e.g. under HGB, AO).
The retention period also depends on how long we can still expect claims to be made. Personal data can therefore be retained if this is necessary in order to settle or clarify legal claims. The retention period is then determined in particular by the statutory limitation periods, e.g. Sections 195 et seq., 438 German Civil Code (BGB).
9. Disclosure of Your Data to Third Parties
In the context of data processing, we may disclose your data to the following categories of recipients :
- Hosting and IT service providers
- Web analytics and marketing service providers
- In the event of disputes, your data may also be passed on to attorneys or debt collection agencies
- X-ROADS Human AI GmbH may be subject to specific statutory or legal obligations to provide lawfully processed personal data to third parties, in particular public authorities (Article 6 (1) (c) GDPR).
Where we engage external service providers (so-called processors, see Article 28 GDPR) for data processing and such processors in turn use sub‑processors, we ensure by contract that data security and compliance with GDPR requirements are guaranteed.
10. Automated Decision-Making
Your data is not subject to automated decision-making within the meaning of Article 22 GDPR, in particular not to profiling.
11. Transfer of Data to Third Countries
“Third countries” are countries outside the European Union or the European Economic Area and thus outside the territorial scope of the GDPR. We endeavor to process personal data within the EU. In some cases, however, personal data may be transferred to recipients in third countries in the context of data processing. This is particularly the case if the data transfer is necessary for contract performance (e.g. in the case of deliveries to a third country) or if we engage external service providers (so-called processors, see Article 28 GDPR) located in a third country for data processing.
For some third countries, the European Commission has issued so-called adequacy decisions confirming that they provide a level of data protection comparable to the standard set by the GDPR (a list of these countries and copies of the adequacy decisions are available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). Due to the comparable level of data protection, data transfers to these countries do not require any special authorization or agreement.
Where no adequacy decision exists, personal data is transferred to recipients in a third country only on the basis of the standard data protection clauses pursuant to Article 46(2)(c) GDPR and subject to appropriate technical and organizational measures. If you wish to review or obtain a copy of the agreed standard contractual clauses, please contact our data protection officer named in section 2 above.
Where we engage external service providers (so-called processors, see Article 28 GDPR) for data processing and such processors in turn use sub-processors in third countries, we ensure that data security is guaranteed either by an adequacy decision of the European Commission or by the existence of appropriate safeguards within the meaning of Article 46 GDPR.
12. Consequences of Not Providing Data
For the mere use of the website, you only need to provide the data that is required for its technical operation (in particular IP address, browser data). Without this data, it is technically impossible to access the website. Where forms contain mandatory fields, these forms cannot be used without providing the required information.
13. Your Rights in Connection with Data Processing
The GDPR grants you, as a data subject of data processing, the following rights:
- Right of access: You have the right to obtain from us at any time confirmation as to whether or not personal data concerning you is being processed and, where that is the case, access to this personal data. The conditions and details can be found in Article 15 GDPR.
- Right to rectification: You have the right to obtain from us without undue delay the rectification and/or completion of personal data concerning you if it is inaccurate or incomplete. Conditions and details are set out in Article 16 GDPR.
- Right to erasure: You have the right to obtain the erasure of personal data concerning you stored by us, and we are obliged to erase such personal data without undue delay where the conditions of Article 17 GDPR are met.
- Right to restriction of processing: You also have the right to obtain restriction of processing of your personal data. Conditions and details can be found in Article 18 GDPR.
- Right to data portability: You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and you have the right to have this data transmitted directly from us to a third party. Conditions and details can be found in Article 20 GDPR.
- Right to withdraw consent: You may withdraw consent to the processing of personal data at any time, Article 7(3) GDPR. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. Conditions and details can be found in Article 7 GDPR.
- Right to object to processing: Where we process your data on the basis of legitimate interests pursuant to Article 6(1)(f) GDPR, you have the right to object to such processing. Conditions and details can be found in Article 21 GDPR.
- Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with the competent supervisory authority. Conditions and details can be found in Article 77 GDPR. The competent supervisory authority for data protection matters is the state data protection authority of the German federal state in which the controller is established (see section 2 of this privacy policy). A list of the state data protection authorities and their contact details is available at the following link:
https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html