Privacy

Here you will find our privacy policy. Please read this statement. You are welcome to contact us at any time if you have any questions.

Data protection is particularly important to us: Vimmera AI Solutions GmbH implements measures for data protection and data security that go beyond what is legally required. Company data and personal data are sensitive and must be protected. We therefore rely on encryption and additional security measures for data transmission and data storage (if we store data at all). Please contact us if you have any questions about this. Fully encrypted and confidential communication with us is possible via e-mail. We use OpenPGP for this purpose. The public keys for encryption can be found on the respective key servers.

Privacy Policy

Vimmera AI Solutions GmbH, Löwestrasse 66, 14612 Falkensee, Germany

1. General information on data protection

The protection of your personal data is of particular importance to us. We treat personal data confidentially and process it exclusively in accordance with the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), the Telecommunications and Digital Services Data Protection Act (TDDDG, formerly TTDSG) and other applicable data protection regulations. With this privacy policy we inform you about which personal data we collect, how and for what purposes we process it, on what legal basis the processing is carried out, how long we store data and which rights you have as a data subject.

We process personal data only to the extent necessary, in particular for providing a functioning website, for communication, for initiating and executing contractual relationships, for providing our services, for security and abuse prevention and for fulfilling legal obligations. If we do not collect personal data directly from you, it originates — where applicable — from publicly accessible sources, from business relationships, from business partners, service providers, intermediaries, platforms or from existing contractual relationships. In these cases we will inform you in accordance with the statutory provisions, in particular pursuant to Article 14 GDPR, unless a legal exception applies.

The provision of personal data may be required by law or contract or may be necessary for the conclusion of a contract or the performance of pre-contractual measures. Failure to provide data may result in us not processing enquiries, not concluding contracts or not providing services. Where data is provided voluntarily, failure to provide it will generally have no adverse consequences unless the respective processing is essential for the intended purpose.

2. Definitions

This privacy policy uses the terms defined in Article 4 GDPR. These include, in particular:

  • Personal data: all information relating to an identified or identifiable natural person.
  • Data subject: any identified or identifiable natural person whose personal data are processed.
  • Processing: any operation performed on personal data, in particular collection, recording, storage, use, disclosure, transmission or deletion.
  • Restriction of processing: the marking of stored personal data with the aim of limiting their future processing.
  • Profiling: any form of automated processing of personal data evaluating personal aspects of a natural person.
  • Pseudonymization: processing personal data in such a way that they can no longer be attributed to a specific person without additional information.
  • Controller: the natural or legal person who determines the purposes and means of the processing.
  • Processor: an entity that processes personal data on behalf of the controller.
  • Recipient: an entity to which personal data are disclosed.
  • Third party: any entity other than the data subject, controller or processor.
  • Consent: any freely given, informed and unambiguous indication of the data subject’s wishes.

3. Controller

Vimmera AI Solutions GmbH
Löwestrasse 66
14612 Falkensee
Germany

Phone: +49 (0)163 8353802 or +49 (0)3322 4298170
Email: info@vimmera.de
Website: www.vimmera.de

4. Data Protection Officer

A data protection officer has not been appointed pursuant to Article 37 GDPR because the statutory requirements are not met. For data protection concerns, please use the contact details given above.

5. Competent Data Protection Supervisory Authority

The State Commissioner for Data Protection and the Right to Inspection of Files in Brandenburg
Stahnsdorfer Damm 77
14532 Kleinmachnow
Germany

Email: poststelle@lda.brandenburg.de
Website: https://www.lda.brandenburg.de

6. Legal basis of processing

We process personal data on the basis of

  • Art. 6(1)(a) GDPR (consent)
  • Art. 6(1)(b) GDPR (contract / pre-contractual measures)
  • Art. 6(1)(c) GDPR (legal obligations)
  • Art. 6(1)(f) GDPR (legitimate interests)

Our legitimate interests include, in particular, providing a functioning website and IT infrastructure, providing modern AI-supported features, communicating with customers, prospects and partners, optimizing and further developing our offerings, and preventing security incidents and abuse.

Revocation of consents in general: If we process personal data on the basis of consent pursuant to Art. 6(1)(a) GDPR, you may revoke this consent at any time with effect for the future. Revocation does not affect the lawfulness of processing carried out on the basis of the consent before its revocation.

Recipients / categories of recipients, Art. 13(1)(e) GDPR: Depending on the purpose of processing, personal data may be disclosed to recipients or categories of recipients, in particular hosting providers, IT and cloud service providers, communication service providers, support and maintenance service providers, newsletter service providers (if used), and to authorities and public bodies where we are legally obliged to do so. Where processors are used, this is done on the basis of data processing agreements pursuant to Article 28 GDPR.

7. Data collection on our website

7.1 Server log files

When our website is accessed, the following data are automatically processed:

  • IP address
  • Date and time of access
  • Pages and files accessed
  • Referrer URL
  • Browser type and version
  • Operating system used
  • Internet service provider

These data are processed for technical provision, system security, cyber defense, error analysis and statistical evaluation. They are not combined with other personal data.

Legal basis: Art. 6(1)(f) GDPR

Storage period: maximum 14 days, unless there is a security-related necessity.

Hosting is provided by STRATO AG, Otto-Ostrowski-Straße 7, 10249 Berlin. A data processing agreement pursuant to Art. 28 GDPR is in place. Processing takes place exclusively in EU data centers with certified security standards.

7.2 Cookies, local storage and similar technologies

Our website may use technologies that store information on or read information from your device (e.g., cookies, local storage) to technically provide the website, operate it securely and enable functions.

Technically necessary technologies: Where cookies/similar technologies are necessary for the operation of the website (e.g., security functions), processing is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR and on the relevant provisions of the TDDDG.

Technologies requiring consent: Where we use cookies/similar technologies for analysis or marketing purposes, this is done only after your prior consent. The legal basis is then Art. 6(1)(a) GDPR in conjunction with the TDDDG.

You can withdraw any consent given at any time with effect for the future, e.g., via your browser settings or any consent tool used.

Note: If no analysis or marketing cookies are currently used on our website, we will transparently indicate this in the respective consent banner or cookie settings.

8. Feedback forms and other forms

On our website we provide forms through which users can give feedback or submit information (e.g., feedback on events, reviews, suggestions or other notes). Our forms are – unless expressly stated otherwise – designed so that no personal data are requested.

No entry of personal data

Personal data are generally neither required nor intended for the use of these forms. In the forms we explicitly point out that no personal data (e.g., name, contact details or specific personal references) should be entered.

Categories of data processed

We process only the content you enter (e.g., free text, ratings, selection fields). If, contrary to the notice, you submit personal or sensitive information, we process it only to the extent necessary to review and remove such content.

Purpose of processing

Processing is carried out exclusively for the purpose indicated, in particular for evaluation, quality assurance and improvement of offerings, services or events.

Legal basis

Processing is based on our legitimate interest in quality assurance, evaluation and optimization of our offerings pursuant to Art. 6(1)(f) GDPR.

Recipients / disclosure

Content is forwarded only insofar as necessary to achieve the respective purpose, in particular to responsible entities or organizers (e.g., for event feedback). Trained, instructed and confidentiality-bound personnel review the incoming content before disclosure. We remove personal data or sensitive content if it was entered contrary to the instructions.

Access restriction and confidentiality

Only authorized persons have access to the form data (need-to-know principle). Access is protected by suitable authorization and access concepts.

Storage period and deletion

We store form data only as long as necessary for the respective purpose and delete it thereafter. For event feedback, deletion takes place at the latest within 3 months after the respective event, unless statutory retention obligations prevent this.

Voluntariness

Use of the forms is voluntary. No disadvantages arise if you do not use a form.

Technical notes (where applicable)

When using the website and its forms, server log data (e.g., IP address, time of access, browser/device information) may be generated for technical reasons to ensure the security and operation of the website. This processing is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR and is subject to the general provisions of this privacy policy on server logs.

9. Contact

If you contact us by e-mail, telephone or via a contact form, we process the personal data you provide in order to handle your request and to communicate with you. Depending on the means of contact, we process, in particular, the following data:

  • Name
  • E-mail address
  • Telephone number (optional)
  • Message content

Purpose of processing

Handling your request, communication and, if applicable, initiating or performing a contractual relationship.

Legal bases

Processing is carried out pursuant to Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in efficient handling of enquiries and communication).

Storage period

We generally store data processed in the context of contact until your enquiry has been finally answered. In addition, we store data only insofar as statutory retention obligations exist or this is necessary for asserting, exercising or defending legal claims.

Consequences of non-provision

The provision of data marked as required is necessary to process your request or to initiate or perform a contract. Without this information, we will generally not be able to process your enquiry.

10. Newsletter

If you subscribe to our newsletter, we process the following data in connection with registration and sending the newsletter: e-mail address and technical verification data (e.g., IP address, date and time of registration and confirmation).

We use the double opt-in procedure.

Legal basis: Art. 6(1)(a) GDPR. Revocation: possible at any time with effect for the future (e.g., via the unsubscribe link).

Storage period: until you withdraw your consent.

Newsletter distribution is currently carried out via our own systems or the technical services used within our IT infrastructure.

11. Application procedure

If you apply to us, we process your application data to carry out the application procedure.

Processed data

Contact details, application documents, qualification data, communication data.

Legal bases

§ 26 BDSG and Art. 6(1)(b) GDPR.

Storage period

In case of rejection, we delete application data no later than 3 months after notification of rejection, unless longer storage is necessary to assert, exercise or defend legal claims. In case of hiring, we transfer the data to the personnel file.

Obligation to provide

Providing application data is necessary to carry out the application procedure.

12. Social Media

We operate corporate profiles on LinkedIn, XING, Facebook, Instagram and GitHub. If you visit our social media profiles, the respective platform operators process personal data independently. The privacy policies of the respective providers apply. This may involve data transfers to third countries.

To the extent that we receive statistical evaluations from the platforms (e.g., page insights), joint responsibility pursuant to Art. 26 GDPR may exist with the respective platform operator. The essential contents of such agreements are provided by the platform operators in their privacy/insights information.

Legal basis for our processing in connection with operating the profiles: Art. 6(1)(f) GDPR (public relations, information and communication).

13. AI Systems, Microsoft Azure and OpenAI

If users interact with functions of Vimmera AI Solutions GmbH that are based on artificial intelligence (AI), it is expressly pointed out that this is an AI-assisted interaction and not communication with a natural person.

The marking of AI interaction is transparent and clear for users, including through notices in the user interface, in the system information, in the terms of use and, where applicable, within the dialog itself.

Content generated by the AI is produced automatically, is based on probabilistic models and may be incorrect, incomplete or misleading. It does not constitute binding statements, assessments, recommendations or decisions and does not replace professional advice. Users are obliged to verify AI results independently before reusing them.

The AI systems we use are subject to the transparency requirements of the EU Regulation on Artificial Intelligence (AI Act). We therefore inform users when they interact with an AI system or use AI-generated content. The use of AI is exclusively for assistive and supportive purposes. No automated decisions with legally binding effects for users are made.

According to current functionality, the systems used are classified as limited risk.

We fulfill the relevant transparency, documentation and due diligence obligations, in particular with regard to informing users, purpose limitation, traceability and the responsible design and use of the systems. Transparency information is regularly reviewed and adapted in the event of changes to functionality, legal situation or regulatory framework.

Data processed when using AI functions

When using AI-assisted functions, the following may be processed:

  • User inputs (including any personal data therein)
  • Technical metadata
  • Communication data

Use for training purposes does not take place without an explicit agreement.

Infrastructure used

Microsoft Azure
Microsoft Ireland Operations Limited, Dublin, Ireland
EU data centers
Certified security
Data processing agreement pursuant to Art. 28 GDPR

OpenAI
OpenAI Ireland Limited, Dublin, Ireland
Processing in accordance with a European legal framework if applicable
transfer to third countries only in accordance with Articles 44 et seq. GDPR

Legal bases

  • Art. 6(1)(b) GDPR (contract / pre-contractual measures)
  • Art. 6(1)(f) GDPR (legitimate interests, e.g., system security)
  • Art. 6(1)(a) GDPR (consent), if use is explicitly voluntary and based on consent

Note

Users should avoid entering sensitive personal data where possible. Processing nevertheless takes place in accordance with this privacy policy. Internal systems (e.g., calendars) are operated on our own or contractually bound servers within the EU.

Transfers to third countries, appropriate safeguards

If personal data are transferred to a third country outside the European Economic Area (EEA) in individual cases, this is done only in compliance with the requirements of Articles 44 et seq. GDPR. Where necessary, appropriate safeguards are used, in particular EU standard contractual clauses (Standard Contractual Clauses, SCC) or comparable mechanisms, insofar as required by the circumstances.

Storage period

User inputs and associated log data are stored only as long as necessary for provision of the function, security, traceability and error analysis; thereafter they are deleted or anonymized unless statutory obligations require retention.

14. Disclosure of Personal Data

Personal data are disclosed only if there is a legal basis for this, in particular in the case of a legal obligation, for contract performance, within the scope of a data processing agreement or on the basis of your consent.

A transfer to third countries (states outside the EU or the EEA) is made only in compliance with the requirements of Articles 44 et seq. GDPR, in particular where there is an adequacy decision, appropriate safeguards (e.g., EU standard contractual clauses) or an explicit consent.

15. Storage time and deletion

We delete or block personal data as soon as the purpose of processing ceases and no statutory retention obligations prevent this. Where no specific storage periods are stated in this privacy policy, the storage period depends on the purpose of processing and statutory retention obligations (e.g., commercial and tax retention periods). Examples:

  • Server log files: generally a maximum of 14 days.
  • Application data in case of rejection: no later than 3 months.
  • Newsletter data: until consent is withdrawn.
  • Contract and billing data: according to statutory retention obligations, thereafter deletion.

16. Rights of the data subjects

You have the right to:

  • access (Art. 15 GDPR)
  • rectification (Art. 16 GDPR)
  • erasure (Art. 17 GDPR)
  • restriction of processing (Art. 18 GDPR)
  • data portability (Art. 20 GDPR)
  • objection (Art. 21 GDPR)
  • withdrawal of consent (Art. 7(3) GDPR)
  • lodge a complaint with a supervisory authority (Art. 77 GDPR)

Right to object (Art. 21 GDPR):

If we process data on the basis of Art. 6(1)(f) GDPR, you can object to this processing at any time for reasons arising from your particular situation. We will then no longer process the data unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms or the processing serves the establishment, exercise or defense of legal claims.

17. Data security

We take appropriate technical and organizational measures (TOMs) pursuant to Art. 32 GDPR to protect personal data against accidental or intentional manipulation, loss, destruction and unauthorized access. We take into account the state of the art, implementation costs, the nature, scope, circumstances and purposes of processing, as well as the varying probabilities and severity of risks to the rights and freedoms of natural persons.

Our measures include in particular:

SSL/TLS encryption

Our website uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content. You can recognize an encrypted connection in your browser’s address bar (e.g., “https://”) and by the lock symbol. As a result, data you transmit to us cannot be read by third parties.

Access control and authorization concepts

Access to personal data is restricted to those persons who need it to fulfill their tasks (need-to-know principle). We use role-based authorization concepts and suitable authentication procedures.

Integrity and availability

We use measures to ensure the integrity and availability of data, in particular regular backups, logging, and protective mechanisms against unauthorized access and attacks.

Training and confidentiality

Our employees are regularly trained in data protection and data security and are bound to confidentiality.

Continuous improvement

We regularly review and update our security measures to adapt them to technical developments and risk situations.

18. No automated decision-making

No profiling pursuant to Art. 22 GDPR.

There is no automated decision-making, including profiling, within the meaning of Art. 22 GDPR. In particular, personal data are not used to make decisions that have legal effects on you or similarly significantly affect you.

19. Update

This privacy statement is regularly reviewed and adjusted.

20. Version

Status: February 2026
