Privacy Policy

Here you will find our privacy policy. Please read this statement carefully. You are welcome to contact us at any time if you have any questions about it.

Privacy is particularly important to us:

Vimmera AI Solutions GmbH implements even more extensive measures for data protection and data security than legally required. Company data and personal data are sensitive and must be protected at all costs. We therefore rely on encryption and additional security measures for data transmission and data storage (if we store data at all).

Please feel free to contact us if you have any questions about this as well.

Fully encrypted and confidential communication with us is possible via email. We use OpenPGP for this purpose. The public keys for encryption can be found on the corresponding key servers.

Privacy Policy

Vimmera AI Solutions GmbH, Löwestrasse 66, 14612 Falkensee, Germany

1. General information on data protection

The protection of your personal data is a special concern for us. We treat personal data confidentially and process it exclusively in accordance with the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), the Telecommunications Digital Services Data Protection Act (TDDDG, formerly TTDSG), as well as other relevant data protection regulations.

With this privacy policy, we inform you about which personal data we collect, how and for what purposes we process it, on what legal basis the processing takes place, how long we store data, and which rights you are entitled to as a data subject.

We process personal data only to the extent necessary, in particular for providing a functional website, for communication, for initiating and performing contractual relationships, for providing our services, for security and abuse prevention, and for fulfilling legal obligations.

If we do not collect personal data directly from you, it originates – where applicable – from publicly accessible sources, from business relationships, from business partners, service providers, intermediaries, platforms, or from existing contractual relationships. In these cases, we will inform you in accordance with the legal requirements, in particular pursuant to Art. 14 GDPR, unless a legal exception applies.

The provision of personal data may be required by law or contract or may be necessary for the conclusion of a contract or the implementation of pre-contractual measures. Failure to provide such data may result in us being unable to process inquiries, conclude contracts, or provide services. Where data is provided voluntarily, failure to provide it generally has no adverse consequences, unless the respective processing is mandatory for the desired purpose.

2. Definitions

This privacy policy uses the terms defined in Art. 4 GDPR. These include in particular:

  • Personal data means any information relating to an identified or identifiable natural person.
  • Data subject means any identified or identifiable natural person whose personal data is being processed.
  • Processing means any operation related to personal data, in particular the collection, recording, storage, use, disclosure, transmission, or deletion.
  • Restriction of processing means the marking of stored personal data with the aim of limiting its future processing.
  • Profiling means any form of automated processing of personal data for the purpose of evaluating personal aspects relating to a natural person.
  • Pseudonymization means the processing of personal data in such a way that it can no longer be attributed to a specific person without additional information.
  • Controller means the natural or legal person who decides on the purposes and means of processing.
  • Processor means an entity that processes personal data on behalf of the controller.
  • Recipient means an entity to which personal data is disclosed.
  • Third party means any entity other than the data subject, controller, or processor.
  • Consent means any freely given, informed, and unambiguous indication of the data subject’s wishes.

3. Controller

Vimmera AI Solutions GmbH

represented by the Managing Director: Rasmus Abromeit
Löwestrasse 66
14612 Falkensee
Germany

Telephone: +49 (0)163 8353802 or +49 (0)3322 8310939
Email: info@vimmera.de
Website: www.vimmera.de

4. Data Protection Officer

A data protection officer has currently not been appointed pursuant to Art. 37 GDPR, as the legal requirements for this are not met. For data protection concerns, please use the contact details listed above.

5. Competent data protection supervisory authority

The State Commissioner for Data Protection and for the Right of Access to Files Brandenburg
Stahnsdorfer Damm 77
14532 Kleinmachnow
Germany

Email: poststelle@lda.brandenburg.de
Website: https://www.lda.brandenburg.de

6. Legal bases for processing

We process personal data on the basis of:

  • Art. 6 para. 1 lit. a GDPR (consent)
  • Art. 6 para. 1 lit. b GDPR (contract / pre-contractual measures)
  • Art. 6 para. 1 lit. c GDPR (legal obligations)
  • Art. 6 para. 1 lit. f GDPR (legitimate interests)

Our legitimate interests consist in particular in providing a functional website and IT infrastructure, providing modern AI-supported functions, communicating with customers, prospective customers, and partners, optimizing and further developing our offering, as well as ensuring security and preventing abuse.

Withdrawal of consent in general:
Where we process personal data on the basis of consent pursuant to Art. 6 para. 1 lit. a GDPR, you may withdraw this consent at any time with effect for the future. The withdrawal does not affect the lawfulness of processing carried out until the withdrawal.

Recipients/categories of recipients, Art. 13 para. 1 lit. e GDPR:
Depending on the purpose of processing, personal data may be transmitted to recipients or categories of recipients, in particular to hosting providers, IT and cloud service providers, communication service providers, support and maintenance service providers, service providers for newsletter distribution (if used), as well as to authorities and public bodies where we are legally obliged to do so. Where processors are used, this is done on the basis of data processing agreements pursuant to Art. 28 GDPR.

7. Data collection on our website

7.1 Server log files

When our website is accessed, the following data is automatically processed:

  • IP address
  • Date and time of access
  • Pages and files accessed
  • Referrer URL
  • Browser type and version
  • Operating system used
  • Internet service provider

This data is processed for technical provision, system security, cyber defense, error analysis, and statistical evaluation.
It is not merged with other personal data.

Legal basis: Art. 6 para. 1 lit. f GDPR
Storage period: maximum 14 days, unless there is a security-related necessity.

Hosting is provided by STRATO AG, Otto-Ostrowski-Straße 7, 10249 Berlin.
A data processing agreement pursuant to Art. 28 GDPR is in place.
Processing takes place exclusively in EU data centers with certified security standards.

7.2 Cookies, local storage, and similar technologies

Our website may use technologies that store or read information on your end device (e.g. cookies, local storage) in order to technically provide the website, operate it securely, and enable functions.

Technically necessary technologies:
Where cookies/similar technologies are required for the operation of the website (e.g. security functions), processing is carried out on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR as well as on the basis of the relevant provisions of the TDDDG.

Technologies requiring consent:
Where we use cookies/similar technologies for analysis or marketing purposes, this is done only after your prior consent. The legal basis is then Art. 6 para. 1 lit. a GDPR in conjunction with the TDDDG. You may withdraw consent once given at any time for the future, e.g. via your browser settings or a consent tool that may be used.

Note: If analysis or marketing cookies are currently used on our website, we will indicate this transparently in the respective consent banner or in the cookie settings.

8. Feedback forms and other forms

On our website, we provide forms through which users can submit feedback or transmit information (e.g. feedback on events, reviews, suggestions, or other notes). Our forms are – unless expressly stated otherwise – designed in such a way that no personal data is requested.

No entry of personal data

Personal data is generally neither required nor intended for the use of these forms. In the forms, we expressly point out that no personal data (e.g. name, contact details, or specific personal references) should be entered.

Processed data categories

We process exclusively the content entered by you (e.g. free text, ratings, selection fields). If, contrary to the notice, you transmit personal or sensitive information, we process it only insofar as this is necessary for reviewing and removing such content.

Purpose of processing

Processing is carried out exclusively for the purpose specified in each case, in particular for evaluation, quality assurance, and improvement of offers, services, or events.

Legal basis

Processing is carried out on the basis of our legitimate interest in quality assurance, evaluation, and optimization of our offerings pursuant to Art. 6 para. 1 lit. f GDPR.

Recipients / disclosure

The content is disclosed only insofar as this is necessary to achieve the respective purpose, in particular to responsible bodies or organizers (e.g. in the case of event feedback). Before any disclosure, trained, instructed personnel bound to confidentiality review the submitted content. In doing so, we remove personal data or sensitive content if it was entered contrary to the instructions.

Access restriction and confidentiality

Only authorized persons have access to the form data (need-to-know principle). Access is protected by suitable authorization and access concepts.

Storage period and deletion

We store form data only for as long as necessary for the respective purpose and then delete it. In the case of feedback on events, deletion takes place no later than within 3 months after the respective event, unless statutory retention obligations prevent this.

Voluntariness

The use of the forms is voluntary. You will not suffer any disadvantages if you do not use a form.

Technical notes (if applicable)

When using the website and its forms, server log data may arise for technical reasons (e.g. IP address, time of retrieval, browser/device information) in order to ensure the security and operation of the website. This processing is carried out on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR and is subject to the general provisions of this privacy policy regarding server logs.

9. Contact

If you contact us by email, telephone, or via a contact form, we process the personal data you provide in order to handle your inquiry and communicate with you.

Depending on the contact method, we process in particular the following data:

  • Name
  • Email address
  • Telephone number (optional)
  • Message content

Purpose of processing

Processing your inquiry, communication, and, if applicable, initiating or performing a contractual relationship.

Legal bases

Processing is carried out pursuant to Art. 6 para. 1 lit. b GDPR (performance of a contract or pre-contractual measures) and Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient handling of inquiries and communication).

Storage period

We generally store the data processed in the context of contacting us until your inquiry has been conclusively handled. Beyond that, we store data only insofar as statutory retention obligations exist or this is necessary for the assertion, exercise, or defense of legal claims.

Consequences of non-provision

The provision of the data marked as required is necessary in order to process your inquiry or to initiate or perform a contract. Without this information, processing your inquiry is generally not possible.

10. Newsletter

If you subscribe to our newsletter, we process the following data as part of the registration and newsletter dispatch: email address as well as technical verification data (e.g. IP address, date and time of registration and confirmation).

We use the double opt-in procedure.

Legal basis: Art. 6 para. 1 lit. a GDPR.
Withdrawal: possible at any time with effect for the future (e.g. via the unsubscribe link).
Storage period: until you withdraw your consent.

The newsletter is currently sent via our own systems or via the technical services used for this purpose within our IT infrastructure.

11. Application process

If you apply to us, we process your application data for the purpose of carrying out the application process.

Processed data: contact details, application documents, qualification data, communication data.

Legal bases: Section 26 BDSG and Art. 6 para. 1 lit. b GDPR.

Storage period:
If your application is rejected, we delete application data no later than after 3 months, unless longer storage is required for the assertion, exercise or defense of legal claims. If you are hired, we transfer the data to your personnel file.

Obligation to provide data:
The provision of application data is necessary in order to carry out the application process.

12. Social Media

12.1 Company profiles on social media

We operate company profiles on LinkedIn, XING, Facebook, Instagram and GitHub. If you visit our social media profiles, the respective platform operators process personal data under their own responsibility. The privacy policies of the respective providers apply. Data transfers to third countries may occur in this context.

Insofar as we receive statistical evaluations via the platforms (e.g. page insights), joint controllership pursuant to Art. 26 GDPR may exist with the respective platform operator. The platform operators provide the essential contents of the agreements in their privacy/insights information.

Legal basis for our processing in connection with the operation of the profiles: Art. 6 para. 1 lit. f GDPR (public relations, information and communication).

12.2 Social Media / Social Plugins on our website

We have integrated the social plugins of the social media services embedded on our website using the so-called “two-click solution”. These are the plugins of the following providers:

  • Facebook, which is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”)
  • LinkedIn, which is operated by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (“LinkedIn”)
  • Twitter, which is operated by Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland (“Twitter”)
  • Pinterest, which is operated by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland (“Pinterest”)
  • YouTube, which is operated by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“YouTube”)
  • XING, which is operated by XING, a product of New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany (“XING”)

“Two-click solution” means that visiting our website and clicking on the social plugin of the respective social media service does not start any automated data transfer to the social media provider. The transfer begins only after a further click on the link, which opens and redirects you to the page of the social media provider. Please note that the privacy policy of the respective social media provider applies to data processing on the page of the social media service.

12.3 Data collected, purpose of data processing, legal basis:

We process the data you enter in the respective social media service, in particular your username and the content published under your account, insofar as we may comment on your posts or refer to your presence in our posts. The legal basis for this processing is our legitimate interest (Art. 6 para. 1 lit. f GDPR). The data published by you in the social media service in this way is incorporated by us into our offering and made accessible to our followers/fans and subscribers.

13. AI systems, Microsoft Azure and OpenAI

If users interact with functions of Vimmera AI Solutions GmbH that are based on Artificial Intelligence (AI), it is expressly pointed out that this is an AI-supported interaction and not communication with a natural person.

The labeling of the AI interaction is transparent and clear for users, including through corresponding notices in the user interface, in the system information, in the terms of use and, where applicable, within the dialogue itself.

The content generated by the AI is created automatically, is based on probabilistic models and may be incorrect, incomplete or misleading. It does not constitute binding statements, assessments, recommendations or decisions and does not replace professional advice. Users are obliged to review AI results on their own responsibility before they are reused.

The AI systems we use are subject to the transparency requirements of the Regulation (EU) on Artificial Intelligence (AI Act).
We therefore inform users when they interact with an AI system or use AI-generated content. The AI is used exclusively for assisting and supporting purposes. No automated decisions with legally binding effect for users take place.

According to the current mode of operation, the systems used are classified as limited risk.

We comply with the relevant transparency, documentation and due diligence obligations, in particular with regard to informing users, purpose limitation, traceability, and the responsible design and use of the systems.
The transparency information is reviewed regularly and adapted in the event of changes to the scope of functions, the legal situation or the regulatory framework conditions.

Processed data when using AI functions

When using AI-supported functions, the following may be processed:

  • User inputs (including associated personal data)
  • technical metadata
  • communication data

Use for training purposes does not take place without explicit agreement.

Infrastructure used

Microsoft Azure
Microsoft Ireland Operations Limited, Dublin, Ireland
EU data centers
certified security
Data processing agreement pursuant to Art. 28 GDPR

OpenAI
OpenAI Ireland Limited, Dublin, Ireland
Processing in accordance with European legal structure
if applicable, third-country transfer only in accordance with Art. 44 et seq. GDPR

Legal bases

  • Art. 6 para. 1 lit. b GDPR (contract / pre-contractual measures),
  • Art. 6 para. 1 lit. f GDPR (legitimate interests, e.g. system security),
  • Art. 6 para. 1 lit. a GDPR (consent), insofar as use is expressly voluntary and based on consent.

Note

Users should, if possible, not enter any sensitive personal data. Processing nevertheless takes place in accordance with this privacy policy.
Internal systems (e.g. calendar) are operated on our own or contractually bound servers within the EU.

Transfer to third countries, appropriate safeguards

If, in individual cases, personal data is transferred to a third country outside the European Economic Area (EEA), this is done exclusively in compliance with the requirements of Art. 44 et seq. GDPR. Where necessary, appropriate safeguards are used, in particular EU Standard Contractual Clauses (SCC) or comparable mechanisms, insofar as these are required under the respective circumstances.

Storage period

User inputs and associated log data are stored only as long as necessary for the provision of the function, security, traceability and error analysis; they are then deleted or anonymized, unless statutory obligations prevent this.

14. Disclosure of personal data

Personal data is disclosed only if there is a legal basis for doing so, in particular in the case of a legal obligation, for contract performance, within the framework of data processing on our behalf, or on the basis of your consent.

A transfer to third countries (states outside the EU or the EEA) takes place only in compliance with the requirements of Art. 44 et seq. GDPR, in particular where there is an adequacy decision, appropriate safeguards (e.g. EU Standard Contractual Clauses) or explicit consent.

15. Storage period and deletion

We delete or block personal data as soon as the purpose of processing no longer applies and no statutory retention obligations prevent this. Insofar as no specific storage periods are stated in this privacy policy, the storage period depends on the purpose of processing as well as on statutory retention obligations (e.g. retention periods under commercial and tax law).

Examples:

  • Server log files: generally a maximum of 14 days.
  • Application data in case of rejection: no later than after 3 months.
  • Newsletter data: until consent is withdrawn.
  • Contract and billing data: in accordance with statutory retention obligations, then deletion.

16. Rights of data subjects

You have the right to:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR)
  • Withdrawal of consent (Art. 7 para. 3 GDPR)
  • Lodge a complaint with a supervisory authority (Art. 77 GDPR).

Right to object (Art. 21 GDPR):
Insofar as we process data on the basis of Art. 6 para. 1 lit. f GDPR, you may object to this processing at any time for reasons arising from your particular situation. We will then no longer process the data unless we can demonstrate compelling legitimate grounds or the processing serves the assertion, exercise or defense of legal claims.

17. Data security

We take appropriate technical and organizational measures (TOM) pursuant to Art. 32 GDPR to protect personal data against accidental or intentional manipulation, loss, destruction and unauthorized access. In doing so, we take into account the state of the art, the implementation costs, the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons.

Our measures include in particular:

SSL/TLS encryption

For security reasons and to protect the transmission of confidential content, our website uses SSL/TLS encryption. You can recognize an encrypted connection in your browser’s address bar (e.g. “https://”) and by the lock symbol. Data that you transmit to us cannot therefore be read by third parties.

Access protection and authorization concepts

Access to personal data is restricted to those persons who need it to fulfill their tasks (need-to-know principle). We use role-based authorization concepts and suitable authentication procedures.

Integrity and availability

We use measures to ensure the integrity and availability of data, in particular regular backups, logging, and protection mechanisms against unauthorized access and attacks.

Training and confidentiality

Our employees receive regular training on data protection and data security and are obliged to maintain confidentiality.

Continuous improvement

We review and update our security measures regularly in order to adapt them to technical developments and risk situations.

18. No automated decision-making

No profiling pursuant to Art. 22 GDPR.

No automated decision-making, including profiling within the meaning of Art. 22 GDPR, takes place. In particular, personal data is not used to make decisions that produce legal effects concerning you or similarly significantly affect you.

19. Updating

This privacy policy is reviewed and updated regularly.

20. Version

Version: March 2026

If you would like to contact us: