
Privacy Policy

As of: 11 June 2026

General Information

We, HIGHCAT GmbH (hereinafter: “we” or “us”) would like to inform you here about the processing of personal data in our company.

The terms used below have the same meaning as in the General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: “GDPR”).

Data Controller

We are the controller responsible for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR:

HIGHCAT GmbH, registered in the Commercial Register of the Local Court of Freiburg im Breisgau under registration number HRB 728557
Brühlstraße 15, 78465 Constance
info@highcat.io

Data Protection Contact

If you have any questions regarding data protection, please contact us at: policy@highcat.io

Rights of Data Subjects

You can assert your rights as a data subject with regard to the processed personal data against us at any time. You have the following rights:

  • to request information about your data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of the data if it was not collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
  • in accordance with Art. 16 GDPR, to immediately request the correction of incorrect data or the completion of your data stored by us;
  • in accordance with Art. 17 GDPR, to demand the deletion of your data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
  • in accordance with Art. 18 GDPR, to demand the restriction of the processing of your data if the accuracy of the data is disputed by you or the processing is unlawful;
  • in accordance with Art. 20 GDPR, to receive the data you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller (“data portability”);
  • pursuant to Art. 21 GDPR to object to the processing if the processing is based on Art. 6 para. 1 lit. e or lit. f GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims. If you object to the processing of data for the purpose of direct marketing, we will cease processing immediately. This also applies to profiling insofar as it is associated with direct advertising;
  • in accordance with Art. 7 para. 3 GDPR, to revoke your consent to us at any time, if given prior. As a result, we may no longer continue the data processing that was based on this consent in the future;
  • to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. You can contact the supervisory authority of your usual place of residence or workplace or our company headquarters, in which case the contact details are: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin, 030 138890.

If you exercise your rights, we will process your personal data in accordance with Art. 6 para. 1 lit. c GDPR in order to process your request and for identification purposes.

Website

When you visit our website, the following categories of personal data are collected, stored and processed by us:

Scope of data processing

When you visit our website, a so-called log data record (so-called server log files) is stored temporarily and anonymously on our web server. This consists of:

  • the URL of the page from which the page was requested (so-called referrer URL),
  • the name and URL of the requested page,
  • the date and time of the access,
  • the description of the type, language and version of the web browser used,
  • the IP address of the requesting computer, which is shortened, so that a personal reference can no longer be established,
  • the amount of data transferred,
  • the browser,
  • the operating system,
  • the message whether the access was successful (access status/HTTP status code),
  • the GMT time zone difference.

Purpose of data processing: The storage of log data for the duration of the session is necessary to display our website to you. The processing also serves to ensure the permanent functionality and security of our websites and information technology systems.

Legal basis for data processing: The legal basis for the processing of log data is Art. 6 para. 1 lit. f GDPR, our legitimate interest being achieving the stated purposes.

Recipient of the data: We use external service providers for the operation of the website, who process personal data strictly in accordance with instructions on the basis of a data processing agreement in accordance with Art. 28 GDPR. We use the following service provider to host the website: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, United States.

Storage duration: The log data is stored for a period of seven days and then deleted, unless it needs to be retained for longer in exceptional cases to track an identified attack.

We use cookies on our websites. Cookies are small text files that are assigned to the browser you are using and stored on your hard disk by means of a characteristic string of characters, through which certain information flows to the website that sets the cookie.

We use first-party and third-party cookies. First-party cookies come from our website and send information only to us; third-party cookies are placed on our website by third parties and send information about your device to other companies that recognize that cookie. In most cases, the information in a cookie is pseudonymized or anonymized because cookies generally do not identify you as a person, but your device. In a few cases, certain cookies may be linked to personal data. We will only process such information if you give us your consent or if the processing is necessary for you to use a particular service.

Technically necessary cookies: These are absolutely necessary to move around the website, to use basic functions and to ensure the security of the website; they do not collect information about you for marketing purposes or store which websites you have visited. Necessary cookies cannot be deactivated as they are absolutely necessary for the provision of the website, but you can delete them in your browser after using the website. The legal basis for the processing of these cookies is our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. The basis of our legitimate interest is to ensure the security and functionality of our website. In addition, the storage of the necessary cookies in your browser or in your terminal device is necessary in accordance with Section 25 para. 2 No. 2 TDDDG so that the website you have called up can be made available with its services.

We also use cookies for analysis or advertising purposes. However, we only do this if you have given your prior consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time and without giving reasons. You can find more information about the respective cookies in our cookie banner.

Google Analytics

We use Google Analytics only with your prior consent, which you can provide via our cookie consent management tool. If you choose “accept only necessary cookies,” Google Analytics will not be activated and no related cookies will be set. You can withdraw or change your consent at any time via the cookie settings link in the footer of our website.

Google Analytics is a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google uses cookies to help us analyze how visitors use our website. The information generated by these cookies about your use of the website may be transmitted to and processed by Google on servers in the United States. Please note that such transfers may involve certain risks due to the absence of an EU adequacy decision and limitations on enforcement of your rights.

For more information on how Google processes your data, please see Google’s privacy policy: https://policies.google.com/privacy?hl=en

YouTube

We integrate videos on our website using the video platform YouTube, which is operated by:

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
https://policies.google.com/privacy

When you visit a page on our website that contains a YouTube video, a connection to YouTube’s servers is established. This informs YouTube’s server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to directly associate your browsing behaviour with your personal profile. You can prevent this by logging out of your YouTube account before accessing our website.

YouTube may store cookies or use comparable recognition technologies on your device to analyse user behaviour, improve its services, and personalise content. Data processing may involve the transfer of personal data to the United States.

For more information on the handling of user data, please refer to YouTube’s privacy policy linked above.

Business communication

In the following, we inform you about how we process personal data of all relevant contact persons, including business contacts, potential or existing business partners, customers (current and potential), and their contacts.

Scope of data processing: When you engage with us for our services, we generally collect the following data:

  • Salutation, title, first name, surname;
  • Name and designation of the company or organization in which the respective person works;
  • E-mail address, address (business and private), telephone number, fax number;
  • Information and data that are necessary for the provision of our services and the management of the business relationship;
  • correspondence arising in the context of the business relationship with the personal data contained therein;
  • all data collected for the purpose of invoicing our services (activity records, if applicable with contact persons from telephone calls or meetings) including account details and, if necessary, tax identification number.

As part of our interactions and business relationship with you as a business contact, potential or existing business partner, customer (current or potential), or their contact person, we process the data that we receive from you, your employer, or your organization. This includes data that we receive when you or your colleagues have contact with our employees. Personal data collected as part of these business relationships or contacts are entered and managed in our Customer Relationship Management system. We process the following categories of data in this context:

  • Professional contact and organizational data: e.g. surname, first name, title, academic degree, gender, name of the company or organization you work for, department, professional e-mail address, address, telephone number;
  • Data on professional circumstances: e.g. job title, tasks, activity, qualifications.
  • Other: In addition, we may process other data that you provide during interactions with our employees or that we have legitimately collected about you from publicly available sources (e.g. commercial register).

Purpose of data processing: The processing of the aforementioned personal data takes place on the basis of the business relationship and is necessary for the lawful and appropriate provision of our services and the mutual fulfillment of obligations arising from the customer relationship. Furthermore, we process the data for correspondence with the customer, prospective customers, business partners, service providers and competent authorities, as well as for invoicing.

Legal basis for data processing: We process the data based on the following legal bases:

  • If you are personally our business partner or customer, or a potential business partner or customer, the processing is carried out based on Art. 6 para. 1 lit. b GDPR for the execution or initiation of a contract.
  • For fulfilling legal obligations, processing is carried out on the basis of Art. 6 para. 1 lit. c GDPR in conjunction with legal and official requirements (e.g. from tax and commercial law).
  • If you are a business contact or an employee or contact person of a business partner or customer (current or potential), your data will be processed based on our overriding legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the functioning and practicable cooperation and communication with business contacts, business partners, customers, and their contacts.

Recipients of the data: Personal data will only be passed on to third parties if this is necessary for the above-mentioned purposes. This includes the disclosure of data to service providers, hosting providers, IT providers, recruitment service providers, tax advisors and public authorities. Third parties are legally obliged to use the data disclosed exclusively to the extent required or necessary for the purposes stated above.

In addition, data will only be passed on if consent has been given (Art. 6 para. 1 lit. a GDPR) or if we, as the controller, are legally obliged to pass on data in accordance with Art. 6 para. 1 lit. c GDPR, for example to tax and financial authorities in the context of corresponding audits.

As part of our tax obligations, we use the services of a tax advisor. Only if it is necessary for tax law reasons can the tax consultant view personal data (e.g. on fee invoices). The tax consultant is already obliged to protect your data because of their professional duty of confidentiality.

We use various service providers for the support, storage and hosting of our IT systems and applications, who only process your data in accordance with our instructions and based on an order processing contract in accordance with Art. 28 GDPR.

We may transfer data to countries outside the EU and the European Economic Area (“third countries”) if, for example, you communicate with us from a third country or via email providers in a third country. In these cases, the transfer to third countries takes place based on Art. 49 para. 1 lit. b GDPR.

Within HIGHCAT GmbH, only those people who need it for the purposes described have access to your data. In addition, your personal data is processed in our Customer Relationship Management system by an external CRM provider, who acts as a data processor on our behalf under a data processing agreement pursuant to Art. 28 GDPR and processes your data exclusively according to our instructions.

Storage period: We store your data for as long as we need it for the specific processing purpose. We regularly store your data for at least the duration of our business relationship with you or the business partner, customer, or organization for whom you work or represent.

In addition, we store certain data for the duration of statutory limitation periods (usually three years, in individual cases up to thirty years) and for as long as statutory retention periods (e.g. from the German Commercial Code, the German Fiscal Code) prescribe (but usually for a maximum of ten years).

This applies to all categories of business contacts, potential and existing business partners, customers (current and potential), and their contacts whose data are stored and deleted in the CRM system according to these same retention and deletion principles. Data will be erased when it is no longer required for the purposes indicated above or when statutory retention obligations expire.

Video conferencing tools

We use third-party video conferencing tools to conduct video and audio conferences, webinars and other types of video and audio meetings. The following categories of data are processed:

  • Inventory data (e.g. names, addresses);
  • Contact details (e.g. e-mail, telephone numbers);
  • Content data (e.g. text entries, photographs, videos);
  • Meta/communication data (e.g. device information, IP addresses).

The purpose of processing the data is to set up and conduct online meetings / video conferences. The processing is carried out on the legal basis of Art. 6 para. 1 lit. b GDPR or in accordance with Art. 6 para. 1 lit. f GDPR based on our legitimate interests in efficient and secure communication with our communication partners.

We have concluded a data processing agreement with the providers of the video conferencing solution in accordance with Art. 28 GDPR. The EU standard contractual clauses apply to ensure a sufficient guarantee for any data transfers to the USA or other third countries.

Applications

If you would like to become part of our team and apply for a job with us, we will process your personal data as follows:

Scope of data processing: We process the following categories of data during the application process:

  • Private contact and identification data: e.g. surname, first name, academic degree, gender, e-mail address, address and telephone number;
  • Data on professional qualifications, such as school and educational qualifications, language skills, as well as your place of study or training, certificates;
  • Curriculum vitae and data contained therein;
  • Other data provided as part of the application.

Transmission within the company: The application documents are sent to the contact person named in the job advertisement and are forwarded internally to other partners responsible for the application process and employees.

Processing via Recruitee: We use the HR management and recruiting software Recruitee to manage applications and the recruitment process. Recruitee is provided by:

Recruitee B.V., Keizersgracht 313, 1016 EE Amsterdam, The Netherlands
https://www.recruitee.com/privacy-policy/

In this context, the application data submitted by you (as described above) will be stored and processed on Recruitee’s secure servers within the European Union. The use of Recruitee enables us to efficiently manage application documents, schedule interviews, and communicate with applicants.

Recruitee acts as a data processor on our behalf pursuant to Art. 28 GDPR. A corresponding data processing agreement is in place to ensure that your personal data is processed strictly in accordance with our instructions and in compliance with the GDPR. For more information on how Recruitee handles personal data, please refer to Recruitee’s privacy policy linked above.

Purpose of data processing: We process the application data exclusively for the purpose of carrying out the application process.

Legal basis for data processing: The legal basis for data processing is Section 26 para. 1 BDSG and Art. 6 para. 1 lit. b GDPR. If we receive personal data as part of the application that is not required for the application process, we will not process it.

Recipient of the data: Internally, only those persons have access to the application data who need it for the stated purposes. These are primarily the responsible partners and HR employees.

Storage period: If an employment relationship is established, we will continue to process the application data for the purposes of the employment relationship. Detailed information on this is provided in the data protection information for employees. In the event that no employment relationship is established, we generally store the application data for a period of six months from the date of rejection. The application documents are then deleted.

Social Media

We operate various social media profiles in order to provide information on the respective social media platforms and to be able to contact you. Please note that the respective platform operator may store cookies in your browser in which your usage behavior is stored for market research and advertising purposes. These usage profiles can also be created across devices. The platform operators evaluate these usage profiles in order to display personalized advertising to you. Data processing may also affect people who are not registered as users with the respective social media platform. The data may also be shared by the platform operators with other companies and transferred to countries outside the EU.

We receive information from the platform operator, in particular statistical evaluations, about visits to our social media profile. This may also involve personal data. Both we and the respective platform operator are jointly responsible for the processing of personal data in this context. A corresponding agreement on joint processing will be published by the respective platform operator. The processing of your personal data when you visit one of our social media profiles is based on our legitimate interests in a diverse external presentation of our company and the use of an effective information option to improve our external presentation and communication with you. The legal basis for this is Art. 6 para. 1 lit. f GDPR. If you have given a platform operator your consent to data processing, Art. 6 para. 1 lit. a GDPR is the legal basis.

Further information on the scope, purpose and legal basis of data processing on social media platforms and your rights vis-à-vis the platform operator can be found here:

LinkedIn Ireland Unlimited Company, Wilton Plaza, Dublin 2, Ireland: https://www.linkedin.com/legal/privacy-policy
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland: https://www.instagram.com/legal/privacy/

Data security

We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties (e.g. TLS encryption for our website), taking into account the state of the art, the implementation costs and the nature, scope, context and purpose of the processing as well as the existing risks of a data breach (including its probability and impact) for the data subject. Our security measures are continuously improved in line with technological developments.

We will be happy to provide you with further information on request. Please contact us at policy@highcat.io.

Profiling

We will not use personal data collected from you for any automated decision-making process (including profiling).