Privacy Policy.
As of: June 2026 · Information pursuant to Art. 13 and Art. 14 GDPR and § 25 TDDDG. Translation provided for reference only. The German version is legally binding.
1. Privacy at a glance
General information
The following notes give a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally. For detailed information, please see the further sections of this privacy policy.
Who is responsible for data collection?
Data processing on this website is carried out by the website operator (contact details in Section 2 and the Imprint).
How do we collect your data?
Data is collected partly because you actively provide it to us, for example via the contact form or by email. Other data is collected automatically by the server when you visit the website, primarily technical data such as browser, operating system, or time of access (server log files).
What do we use your data for?
Part of the data serves to ensure error-free provision of the website. Other data, when third-party services are active (see Sections 11 and 12) and with your consent, may be used by these third parties to analyze your user behavior. Automated decision-making within the meaning of Art. 22 GDPR does not take place.
What rights do you have regarding your data?
You have the right at any time to information, correction, deletion, restriction of processing, data portability, and objection (see Section 13). You also have the right to lodge a complaint with the competent supervisory authority.
2. Controller
The controller responsible for data processing on this website is:
GermanAI Defense GmbH
Neue Mainzer Straße 6-10
60311 Frankfurt am Main
Germany
Phone: 06171 277 98 71
Fax: +49 (0) 69 50 50 60 4155
E-Mail: info@germanaidefense.de
Managing Director: Abdussamed Nazik
3. General information and mandatory disclosures
Data protection
We take the protection of your personal data seriously. We treat it confidentially and in accordance with the legal data-protection regulations and this privacy policy. Complete protection of data against access by third parties during transmission over the open internet is not technically possible.
Protection of vulnerable groups / children
Our website and services are not specifically aimed at children under the age of 16. We do not knowingly process personal data of children within the meaning of Art. 8 GDPR. If we inadvertently learn of data from children, we delete it without delay in accordance with Art. 17 GDPR.
Special categories of data (Art. 9 GDPR)
Special categories of personal data pursuant to Art. 9 GDPR (e.g., health, religious, or political data) are not processed as part of our web presence.
Automated decision-making / profiling
Automated decision-making or profiling within the meaning of Art. 22 GDPR does not take place on this website. In particular, we do not deploy AI systems on the website that analyze or evaluate visitor input or behavioral data, even though our business itself includes AI-powered security solutions.
4. Legal bases of processing
We process personal data exclusively on the basis of the GDPR:
- Art. 6 (1)(a) GDPR, consent
- Art. 6 (1)(b) GDPR, performance of a contract or pre-contractual measures
- Art. 6 (1)(c) GDPR, compliance with legal obligations
- Art. 6 (1)(f) GDPR, legitimate interests (e.g., secure operation of the website)
Where consent for the storage of cookies or access to the end device is requested, processing additionally takes place on the basis of § 25 (1) TDDDG. Consent can be withdrawn at any time.
5. Data processing and third countries
We generally process personal data within the European Union and the European Economic Area (EEA). The services embedded on this website are deliberately data-minimizing: hosting and fonts are operated in Germany or served locally, reach measurement (Plausible) is cookieless and runs on servers within the EU, and the map material (OpenStreetMap) is processed in the United Kingdom, for which an adequacy decision of the EU Commission under Art. 45 GDPR exists.
A transfer to the United States may occur in individual cases if you hold an online meeting with us via Microsoft Teams (see Section 8). Microsoft is certified under the “EU-US Data Privacy Framework” (DPF); in addition, standard contractual clauses under Art. 46 GDPR are in place. In this case, a level of data protection fully comparable to the EU cannot be guaranteed. Beyond that, the website itself does not transfer data to insecure third countries.
Recipients of personal data
In the course of our business, we work with various external bodies. Personal data is only transferred where this is necessary for the performance of a contract, where we are legally obliged to do so, where we have a legitimate interest under Art. 6 (1)(f) GDPR, or where another legal basis permits the transfer. When using processors, personal data is only transferred on the basis of a valid data-processing agreement.
6. Hosting and infrastructure
This website is operated on servers within the European Union:
- Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (data center: Nuremberg)
A data-processing agreement (DPA) pursuant to Art. 28 GDPR is in place with the hosting provider.
7. Collection and processing when visiting the website
Server log files
When you visit our website, our hosting provider automatically stores technical information in server log files:
- IP address
- Date and time of access
- Page accessed (URL)
- Amount of data transferred
- Browser type and version
- Operating system
- Referrer URL
This data is processed exclusively to ensure secure operation, for error analysis, and to defend against attacks (legal basis: Art. 6 (1)(f) GDPR). The data is not combined with other data sources. Server log files are deleted after no more than 30 days, unless they are needed longer to investigate or defend against a specific security incident.
Cookies
Our website uses so-called “cookies” and comparable technologies (e.g., Local Storage). Cookies are small data packages stored in your browser and serve, for example, to recognize you on a subsequent visit. They have different functions:
- Strictly necessary cookies, required for certain website functions to work (e.g., storing your cookie consent).
- Functional cookies, which improve convenience and usability.
- Third-party cookies, set only when you actively enable embedded third-party content (on this website, the OpenStreetMap map display).
Strictly necessary cookies are stored on the basis of Art. 6 (1)(f) GDPR. Where cookies require consent, storage takes place exclusively on the basis of your consent pursuant to Art. 6 (1)(a) GDPR and § 25 (1) TDDDG. Consent can be withdrawn at any time. You can configure your browser to inform you about cookies being set and to allow cookies only on a case-by-case basis or to exclude them entirely.
SSL / TLS encryption
For security reasons and to protect the transmission of confidential content, this website uses SSL / TLS encryption. You can recognize an encrypted connection by the “https://” in the address bar and the lock symbol in your browser.
8. Contact
Contact form
Through our contact form we collect the following data:
- Name (mandatory)
- Company (mandatory)
- Email address (mandatory)
- Phone number (optional)
- Industry (optional)
- Topic / service category (optional)
- Message (mandatory)
- Confirmation of the privacy policy (mandatory via checkbox)
Processing takes place on the basis of Art. 6 (1)(b) GDPR insofar as the inquiry relates to the performance of a contract or to pre-contractual measures. In all other cases, processing is based on our legitimate interest in effectively handling requests addressed to us (Art. 6 (1)(f) GDPR) and on your express consent pursuant to Art. 6 (1)(a) GDPR, given by ticking the privacy notice checkbox.
The submitted data is used exclusively to process your inquiry and any follow-up questions. We do not share this data with third parties without your consent.
Inquiry by email or phone
If you contact us by email or phone, your inquiry and the resulting personal data will be stored with us for the purpose of processing your request. We do not share this data without your consent.
Retention period
The data submitted in the course of your inquiry remains with us until you ask us to delete it, withdraw your consent, or the purpose for storage ceases to apply (typically after the inquiry has been processed). Mandatory legal provisions, in particular retention periods, remain unaffected.
Online meetings and video conferences (Microsoft Teams)
For consulting, demo and coordination calls we use Microsoft Teams (provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland) after a prior appointment. This feature is not embedded on the website; processing only takes place if you actively join such a meeting.
In doing so we process in particular your name, email address, meeting metadata (time, duration, IP address) and the audio, video and chat content you transmit. Meetings are not recorded without an explicit notice and your consent. The legal basis is Art. 6 (1)(b) GDPR (performance of pre-contractual or contractual measures) or Art. 6 (1)(f) GDPR (legitimate interest in efficient communication). A data processing agreement under Art. 28 GDPR is in place with Microsoft. Regarding a possible transfer to the United States, see Section 5. Further information: privacy.microsoft.com.
9. Processing during the application process
If you apply with us, via the application form in the Careers section (including the file upload of your resume) or by email, we process the personal data you provide exclusively to carry out the application process.
What data we process
- Master and contact data (name, address, email, phone number)
- Application documents (cover letter, resume, references, certificates, recommendations)
- Data from interviews and aptitude assessments
- Other information voluntarily provided during the application process
Purpose and legal basis
Processing takes place to conduct the pre-contractual relationship and to decide on the establishment of an employment relationship. The legal basis is § 26 (1) BDSG in conjunction with Art. 88 GDPR and Art. 6 (1)(b) GDPR. If you provide us with data that is not required for the application process (e.g., special categories of personal data under Art. 9 GDPR), processing takes place on the basis of your consent under Art. 9 (2)(a) GDPR or § 26 (3) BDSG.
Recipients
Your application data is viewed exclusively by persons involved in the application process (management, where applicable HR, line managers). Disclosure to third parties only takes place where this is legally required or necessary for entering into a contract with you.
Retention period
If you are hired, your data will be transferred into the employment relationship. If you are not hired, your application documents will be deleted no later than six months after the application process ends. This period takes into account the retention periods under the General Equal Treatment Act (AGG).
Addition to our talent pool
In the application form we offer you the option, by way of a separate and voluntary consent, to agree to being added to our talent pool. In that case we store your application documents beyond the current process in order to consider you for suitable future positions. The legal basis is your consent under Art. 6 (1)(a) GDPR in conjunction with § 26 (2) BDSG. Storage takes place for no longer than 6 months; you may withdraw your consent at any time with effect for the future, informally by email to info@germanaidefense.de, whereupon we will delete your data.
10. Newsletter and mailing lists
If you sign up for our newsletter or a mailing list, we collect the data entered in the form (at minimum the email address) and use it exclusively to send the requested information. Sign-up takes place via double opt-in: after you enter your email address we send a confirmation email; your data is only processed once you confirm the link.
The legal basis is your consent pursuant to Art. 6 (1)(a) GDPR. You can withdraw this consent at any time with effect for the future, by clicking the unsubscribe link in any newsletter email or by sending an informal notice to info@germanaidefense.de. The lawfulness of processing carried out before withdrawal remains unaffected. After unsubscribing, your data is deleted from the distribution list, unless longer storage is legally required.
11. User account
You can create a personal user account on this website to manage configurations, requests, and applications centrally. Creating an account is voluntary. All functions of the website (contact form, application, newsletter, configurator) can also be used without an account.
Data collected during registration and within the account
- Mandatory: first and last name, email address, password (stored as a bcrypt hash, never in plain text)
- Optional: phone number, company, role/position, address, industry, profile type
- Account-related data generated through use: saved service configurations, saved services (“Saves”), request-cart contents, submitted requests, submitted applications with associated file attachments
Legal basis and purpose
Processing takes place on the basis of your consent (Art. 6 (1)(a) GDPR) and for the performance of pre-contractual measures (Art. 6 (1)(b) GDPR) where the account is used in connection with a specific inquiry or contract initiation. The purpose is the personal management of your requests and configurations, as well as efficient communication with you.
Login sessions (cookies)
On login, a strictly necessary session cookie (session ID) is set. This cookie is HttpOnly, Secure, and SameSite=Lax. It cannot be read by JavaScript and is only transmitted to GermanAI Defense GmbH’s own server. The cookie is valid for 7 days and is deleted immediately on logout. The legal basis is § 25 (2) no. 2 TDDDG (strictly necessary cookie).
Retention period and deletion
Account data is stored for as long as your account is active. You can delete your account at any time via the account area or by sending an informal email to info@germanaidefense.de. After deletion, personal profile data is removed promptly. Certain data (e.g., application documents, submitted requests) may be retained longer due to legal or contractual retention periods. You will typically be informed of this during the deletion process.
Data security
Passwords are stored exclusively as bcrypt hashes. Application files and sensitive content are stored outside the public web root on GermanAI Defense GmbH’s server. Access to account data takes place exclusively over an encrypted connection (HTTPS).
12. Plugins and tools
OpenStreetMap
On the Contact and About pages we embed map material from the OpenStreetMap platform. The provider is the OpenStreetMap Foundation (OSMF), St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom. When the map loads, your IP address is transmitted to OSMF’s servers so the map material can be loaded.
Use is based on Art. 6 (1)(f) GDPR (legitimate interest in an attractive location display). Where consent has been requested, processing takes place on the basis of Art. 6 (1)(a) GDPR and § 25 (1) TDDDG. An adequacy decision by the EU Commission under Art. 45 GDPR exists for the United Kingdom. To our knowledge, OpenStreetMap does not set tracking cookies. OSM privacy policy: wiki.osmfoundation.org/wiki/Privacy_Policy.
Plausible Analytics
For reach and usage statistics we use Plausible Analytics (provider: Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia). The analytics script is loaded from the provider's servers within the European Union. Plausible sets no cookies and does not use any cross-device recognition. IP addresses are processed only in hashed form and are not stored permanently, so no conclusions can be drawn about individual persons.
On our website Plausible is loaded only after your active consent via the consent banner. The legal basis is therefore your consent under Art. 6 (1)(a) GDPR in conjunction with § 25 (1) TDDDG; consent can be withdrawn at any time with effect for the future. A data processing agreement under Art. 28 GDPR is in place with the provider. Privacy policy: plausible.io/privacy.
Locally hosted fonts
To display fonts consistently, this website uses exclusively fonts stored locally on our server. When the pages are loaded, no connection to third-party servers (such as Google Fonts or Adobe Fonts) is established; no personal data is transferred to third parties for this purpose.
13. Your rights
You have the following rights against us regarding personal data concerning you:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7 (3) GDPR)
- Right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR)
Right to object (Art. 21 GDPR)
If data processing is based on Art. 6 (1)(e) or (f) GDPR, you have the right at any time, on grounds relating to your particular situation, to object to the processing of your personal data. This also applies to profiling based on these provisions. If your data is processed for direct marketing, you have the right to object at any time without giving reasons.
14. Supervisory authority
Competent supervisory authority:
The Hessian Commissioner for Data Protection and Freedom of Information
P.O. Box 3163, 65021 Wiesbaden
datenschutz.hessen.de
15. Data security
We use technical and organizational security measures to protect your data against accidental or unlawful destruction, manipulation, loss, or unauthorized access. Our security measures are continuously adapted in line with technological developments.
16. Status and changes
This privacy policy is current as of June 2026. Changes to our website or to legal requirements may make adjustments necessary. The current version is always available on this page.