Privacy Policy
Last updated: April 2025. Created with heyData.
1. Introduction
In the following, we provide information about the processing of personal data when you use
- our website www.ella-group.io
- our profiles on social media.
Personal data is any data that can be related to a specific natural person, e.g. their name or their IP address.
1.1. Contact Details
The controller pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is Ella Tec GmbH, Friesenplatz 1, 50672 Köln, Germany, email: tec_office@ella-group.io. We are legally represented by Peter Steiner.
Our data protection officer can be reached via heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, email: datenschutz@heydata.eu.
1.2. Scope of Data Processing, Purposes of Processing and Legal Bases
We set out the scope of the processing of the data, the purposes of processing and the legal bases in detail below. In principle, the following may serve as the legal basis for a data processing operation:
- Art. 6 (1) sentence 1 lit. a GDPR serves as our legal basis for processing operations for which we obtain consent.
- Art. 6 (1) sentence 1 lit. b GDPR is the legal basis where the processing of personal data is necessary for the performance of a contract, e.g. when a site visitor purchases a product from us or we perform a service for them. This legal basis also applies to processing that is necessary for pre-contractual measures, for example in the case of inquiries about our products or services.
- Art. 6 (1) sentence 1 lit. c GDPR applies where we fulfil a legal obligation through the processing of personal data, as may be the case, for example, under tax law.
- Art. 6 (1) sentence 1 lit. f GDPR serves as the legal basis where we can rely on legitimate interests for the processing of personal data, e.g. for cookies that are necessary for the technical operation of our website.
1.3. Data Processing Outside the EEA
Insofar as we transfer data to service providers or other third parties outside the EEA, adequacy decisions of the EU Commission pursuant to Art. 45 (3) GDPR guarantee the security of the data during the transfer, where such decisions exist, as is the case, for example, for the United Kingdom, Canada and Israel.
For data transfers to service providers in the USA, the legal basis for the data transfer is an adequacy decision of the EU Commission, provided that the service provider has additionally certified itself under the EU US Data Privacy Framework.
In other cases (e.g. where no adequacy decision exists), the legal basis for the data transfer is, as a rule, that is, unless we provide a differing notice, standard contractual clauses. These are a set of rules adopted by the EU Commission and form part of the contract with the respective third party. Pursuant to Art. 46 (2) lit. b GDPR, they ensure the security of the data transfer. Many of the providers have provided contractual guarantees that go beyond the standard contractual clauses and that protect the data over and above the standard contractual clauses. These are, for example, guarantees regarding the encryption of the data or regarding an obligation of the third party to notify data subjects if law enforcement authorities seek to access data.
1.4. Storage Period
Unless expressly stated within this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and no statutory retention obligations preclude deletion. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted, i.e. the data will be blocked and not processed for other purposes. This applies, for example, to data that we are required to retain for commercial or tax law reasons.
1.5. Rights of Data Subjects
Data subjects have the following rights vis-à-vis us with regard to the personal data concerning them:
- right of access,
- right to rectification or erasure,
- right to restriction of processing,
- right to object to processing,
- right to data portability,
- right to withdraw a consent given at any time.
Data subjects also have the right to lodge a complaint with a data protection supervisory authority about the processing of their personal data. The contact details of the data protection supervisory authorities are available at https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.
1.6. Obligation to Provide Data
In the context of a business relationship or other relationship, customers, prospective customers or third parties only have to provide us with those personal data that are necessary for the establishment, performance and termination of the business relationship or for the other relationship, or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude a contract or to provide a service, or we will no longer be able to perform an existing contract or other relationship.
Mandatory information is marked as such.
1.7. No Automated Decision-Making in Individual Cases
In principle, we do not use fully automated decision-making pursuant to Article 22 GDPR for the establishment and performance of a business relationship or other relationship. Should we use these procedures in individual cases, we will provide separate information about this insofar as this is legally required.
1.8. Making Contact
When you contact us, e.g. by email or telephone, the data provided to us (e.g. names and email addresses) is stored by us in order to answer questions. The legal basis for the processing is our legitimate interest (Art. 6 (1) sentence 1 lit. f GDPR) in answering inquiries addressed to us. We delete the data arising in this context once storage is no longer required, or we restrict the processing if statutory retention obligations exist.
1.9. Customer Surveys
From time to time we conduct customer surveys in order to get to know our customers and their wishes better. In doing so, we collect the respective data requested. It is our legitimate interest to get to know our customers and their wishes better, so that the legal basis for the associated data processing is Art. 6 (1) sentence 1 lit. f GDPR. We delete the data once the results of the surveys have been evaluated.
2. Newsletter
We reserve the right to inform customers who have already used services from us or purchased goods, from time to time by email or by other means, about our offers, unless they have objected to this. The legal basis for this data processing is Art. 6 (1) sentence 1 lit. f GDPR. Our legitimate interest lies in direct marketing (Recital 47 GDPR). Customers can object to the use of their email address for advertising purposes at any time and without additional costs, for example via the link at the end of each email or by email to our email address stated above.
On the basis of the consent of the recipients (Art. 6 (1) sentence 1 lit. a GDPR), we also measure the open and click-through rate of our newsletters in order to understand which content is relevant to our recipients.
We send newsletters using the HubSpot tool provided by HubSpot, Inc., 25 1st Street Cambridge, MA 02141, USA. In doing so, the provider processes content, usage, meta/communication data and contact data in the EU. Further information is available in the provider's privacy policy at https://legal.hubspot.com/de/privacy-policy.
3. Data Processing on Our Website
3.1. Notice for Website Visitors from Germany
Our website stores information on the terminal equipment of website visitors (e.g. cookies) or accesses information that is already stored on the terminal equipment (e.g. IP addresses). Which information this is in detail can be found in the following sections.
This storage and this access take place on the basis of the following provisions:
- Insofar as this storage or this access is strictly necessary for us to provide the service of our website expressly requested by website visitors (e.g. to operate a chatbot used by the website visitor or to ensure the IT security of our website), it takes place on the basis of Section 25 (2) no. 2 of the German Telecommunications Digital Services Data Protection Act (TDDDG).
- Otherwise, this storage or this access takes place on the basis of the consent of the website visitors (Section 25 (1) TDDDG).
The downstream data processing takes place in accordance with the following sections and on the basis of the provisions of the GDPR.
3.2. Informational Use of the Website
During the informational use of the website, that is, when site visitors do not separately transmit information to us, we collect the personal data that the browser transmits to our server in order to ensure the stability and security of our website. This constitutes our legitimate interest, so that the legal basis is Art. 6 (1) sentence 1 lit. f GDPR.
This data is:
- IP address
- date and time of the request
- time zone difference from Greenwich Mean Time (GMT)
- content of the request (specific page)
- access status/HTTP status code
- amount of data transferred in each case
- website from which the request comes
- browser
- operating system and its interface
- language and version of the browser software.
This data is also stored in log files. It is deleted when its storage is no longer required, at the latest after 14 days.
3.3. Web Hosting and Provision of the Website
Our website is hosted by Mittwald. The provider is Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp. In doing so, the provider processes the personal data transmitted via the website, e.g. content, usage, meta/communication data or contact data, in the EU. Further information can be found in the provider's privacy policy at https://www.mittwald.de/datenschutz.
It is our legitimate interest to provide a website, so that the legal basis for the described data processing is Art. 6 (1) sentence 1 lit. f GDPR.
3.4. Contact Form
When you contact us via the contact form on our website, we store the data requested there and the content of the message. The legal basis for the processing is our legitimate interest in answering inquiries addressed to us. The legal basis for the processing is therefore Art. 6 (1) sentence 1 lit. f GDPR.
We delete the data arising in this context once storage is no longer required, or we restrict the processing if statutory retention obligations exist.
3.5. Job Advertisements
We publish job advertisements on our website, on pages connected to the website, or on third-party websites.
The processing of the data provided in the context of the application takes place in order to carry out the application procedure. Insofar as this data is necessary for our decision to establish an employment relationship, the legal basis is Art. 88 (1) GDPR in conjunction with Section 26 (1) BDSG. We have marked accordingly, or point out, the data necessary for carrying out the application procedure. If applicants do not provide this data, we cannot process the application.
Further data is voluntary and not required for an application. If applicants provide further information, the basis is their consent (Art. 6 (1) sentence 1 lit. a GDPR).
We ask applicants to refrain from providing information on political opinions, religious beliefs and similarly sensitive data in their CV and cover letter. This is not required for an application. If applicants nevertheless provide such information, we cannot prevent its processing in the course of processing the CV or cover letter. Its processing is then also based on the consent of the applicants (Art. 9 (2) lit. a GDPR).
Finally, we process the applicants' data for further application procedures if they have given us their consent to do so. In this case, the legal basis is Art. 6 (1) sentence 1 lit. a GDPR.
We pass on the applicants' data to the responsible staff of the human resources department, to our processors in the recruiting area, and to the other staff involved in the application procedure.
If, following the application procedure, we enter into an employment relationship with the applicant, we delete the data only after the end of the employment relationship. Otherwise, we delete the data at the latest six months after the rejection of an applicant.
If applicants have given us their consent to also use their data for further application procedures, we delete their data only one year after receipt of the application.
3.6. Ella Chatbot
When you use our chatbot, we collect personal data that you transmit in the course of your interaction with the chatbot, in order to answer your inquiry and provide the service. The legal basis for the processing of this data is your consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR. You can withdraw your consent at any time without affecting the lawfulness of the processing carried out up to the withdrawal. After withdrawal of consent, your data will be deleted, unless we are legally obliged to continue to retain it.
The processing takes place with the involvement of the following service providers:
- OpenAI, Inc., address: 3180 18th Street, San Francisco, CA 94110, USA. OpenAI provides the AI model that operates the chatbot. The data is processed in order to answer your inquiries and to ensure the functionality of the chatbot.
- Claude (Anthropic, Inc.), address: 100 1st Street, San Francisco, CA 94105, USA. Claude also provides AI models that enable the processing of your inquiries by the chatbot.
The recipients of the data are located partly in third countries, in particular in the USA. A transfer to these countries takes place on the basis of the standard contractual clauses (SCC) of the EU Commission or the EU-US Data Privacy Framework (DPF), provided that the providers are certified under it.
3.7. Booking of Appointments
Site visitors can book appointments with us on our website. For this, in addition to the data entered, we process meta or communication data. We have a legitimate interest in offering prospective customers a user-friendly way to arrange appointments. Therefore, the legal basis for the data processing is Art. 6 (1) sentence 1 lit. f GDPR. Insofar as we use a third-party provider's tool for the arrangement, the information on this can be found under "Third-Party Providers".
3.8. Customer Account
Visitors to the website can open a customer account on our website. We process the data requested in this context on the basis of the site visitor's consent. The legal basis for the processing is therefore Art. 6 (1) sentence 1 lit. a GDPR.
The consent can be withdrawn at any time, e.g. via the contact details stated in our privacy policy. The withdrawal does not affect the lawfulness of the processing up to the withdrawal. If the consent is withdrawn, we delete the data, insofar as we are not obliged or entitled to continue to retain it.
3.9. Technically Necessary Cookies
Our website uses cookies. Cookies are small text files that are stored in the web browser on the terminal device of a site visitor. Cookies help to make the offer more user-friendly, more effective and more secure. Insofar as these cookies are necessary for the operation of our website or its functions (hereinafter "technically necessary cookies"), the legal basis for the associated data processing is Art. 6 (1) sentence 1 lit. f GDPR. We have a legitimate interest in providing customers and other site visitors with a functional website. Specifically, we use technically necessary cookies for the following purpose or the following purposes:
- cookies that adopt language settings and
- cookies that remember search terms.
3.10. Third-Party Providers
3.10.1. HubSpot
We use HubSpot for lead generation, marketing automation and analysis. The provider is HubSpot, Inc., 25 1st Street Cambridge, MA 02141, USA. The provider processes usage data (e.g. websites visited, interest in content, access times), content data (e.g. entries in online forms) and meta/communication data (e.g. device information, IP addresses) in the EU.
The legal basis for the processing is Art. 6 (1) sentence 1 lit. f GDPR. We have a legitimate interest in managing data in a simple and cost-effective way.
The data is deleted when the purpose of its collection has ceased to apply and no retention obligations preclude deletion. Further information is available in the provider's privacy policy at https://legal.hubspot.com/privacy-policy.
3.10.2. Google Analytics
We use Google Analytics for analysis. The provider is Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.
The legal basis for the processing is Art. 6 (1) sentence 1 lit. a GDPR. The processing takes place on the basis of consent. Data subjects can withdraw their consent at any time, for example by contacting us at the contact details stated in our privacy policy. The withdrawal does not affect the lawfulness of the processing up to the withdrawal.
The transfer of personal data to a country outside the EEA takes place on the legal basis of an adequacy decision. The security of the data transferred to the third country (that is, a country outside the EEA) is ensured because the EU Commission, within the framework of an adequacy decision pursuant to Art. 45 (3) GDPR, has decided that the third country offers an adequate level of protection.
The data is deleted when the purpose of its collection has ceased to apply and no retention obligation precludes deletion. Further information is available in the provider's privacy policy at https://policies.google.com/privacy?hl=de.
3.10.3. Google Site Kit
We use Google Site Kit for the integration and evaluation of various Google services (such as Google Analytics, Google Search Console, PageSpeed Insights) directly in the WordPress dashboard. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) within the EU and, where applicable, in the USA.
The legal basis for the processing is Art. 6 (1) sentence 1 lit. a GDPR. The processing takes place on the basis of consent. Data subjects can withdraw their consent at any time, for example by contacting us via the contact details in our privacy policy. The withdrawal does not affect the lawfulness of the processing up to the withdrawal.
The transfer of personal data to a country outside the EEA takes place on the legal basis of an adequacy decision pursuant to Art. 45 (3) GDPR or with the application of suitable safeguards (e.g. standard contractual clauses).
The data is deleted when the purpose of its collection has ceased to apply and no retention obligations preclude deletion. Further information is available in the provider's privacy policy at https://policies.google.com/privacy?hl=de.
3.10.4. WPML
We use WPML (WordPress Multilingual Plugin) for the multilingual presentation of our website. The provider is OnTheGoSystems Ltd., 22/F 3 Lockhart Road, Wanchai, Hong Kong. The provider processes technically necessary data such as IP addresses, browser information and preferred language settings, in order to ensure the language selection and the functionality of the website.
The legal basis for the processing is Art. 6 (1) sentence 1 lit. f GDPR. We have a legitimate interest in providing our website in multiple languages and thereby improving accessibility and the user experience.
The data is deleted when the purpose of its collection has ceased to apply and no statutory retention obligations exist. Further information is available in the provider's privacy policy at https://wpml.org/documentation/privacy-policy-and-gdpr-compliance/.
3.10.5. heyData
We have embedded a data protection seal on our website. The provider is heyData GmbH, Schützenstraße 5, 10117 Berlin, Germany. The provider processes meta/communication data (e.g. IP addresses) in the EU.
The legal basis for the processing is Art. 6 (1) sentence 1 lit. f GDPR. We have a legitimate interest in providing website visitors with confirmation of our data protection compliance. At the same time, the provider has a legitimate interest in ensuring that only customers with existing contracts use its seals, which is why a mere image copy of the certificate does not represent a viable alternative for confirmation.
After collection, the data is masked so that there is no longer any personal reference. Further information is available in the provider's privacy policy at https://heydata.eu/datenschutzerklaerung.
3.10.6. YouTube videos
Videos from YouTube are embedded on our website in extended privacy mode (youtube-nocookie.com). The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Videos only load once you actively click them or have given prior consent. Only then is data (e.g. IP address, device information) transferred to YouTube or Google, potentially also to the USA.
The legal basis for the processing is your consent, Art. 6 (1) sentence 1 lit. a GDPR. Further information is available in the provider's privacy policy at https://policies.google.com/privacy.
3.10.7. Spotify
A podcast player from Spotify is embedded on our investor relations page. The provider is Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden. The player only loads once you actively click it or have given prior consent. Only then is data (e.g. IP address, device information) transferred to Spotify.
The legal basis for the processing is your consent, Art. 6 (1) sentence 1 lit. a GDPR. Further information is available in the provider's privacy policy at https://www.spotify.com/legal/privacy-policy/.
4. Data Processing on Social Media Platforms
We are present on social media networks in order to present our organisation and our services there. The operators of these networks regularly process data of their users for advertising purposes. Among other things, they create user profiles from their online behaviour, which are used, for example, to show advertising that corresponds to the interests of the users on the pages of the networks and also elsewhere on the internet. For this purpose, the operators of the networks store information about usage behaviour in cookies on the users' computers. Furthermore, it cannot be ruled out that the operators combine this information with further data. Users can obtain further information as well as notes on how users can object to the processing by the site operators in the privacy policies of the respective operators listed below. It may also be the case that the operators or their servers are located in non-EU states, so that they process data there. This may give rise to risks for users, e.g. because the enforcement of their rights is made more difficult or because government bodies gain access to the data.
When users of the networks make contact with us via our profiles, we process the data provided to us in order to answer the inquiries. This constitutes our legitimate interest, so that the legal basis is Art. 6 (1) sentence 1 lit. f GDPR.
4.1. Instagram
We maintain a profile on Instagram. The operator is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy is available here: https://help.instagram.com/519522125107875.
4.2. YouTube
We maintain a profile on YouTube. The operator is Google Ireland Limited Gordon House, Barrow Street Dublin 4. Ireland. The privacy policy is available here: https://policies.google.com/privacy?hl=de.
4.3. LinkedIn
We maintain a profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The privacy policy is available here: https://www.linkedin.com/legal/privacy-policy?_l=de_DE. An option to object to the data processing is available via the settings for advertisements: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
5. Changes to This Privacy Policy
We reserve the right to change this privacy policy with effect for the future. A current version is available here at any time.
6. Questions and Comments
For questions or comments regarding this privacy policy, we are happy to be available at the contact details stated above.