Privacy policy

1. Introduction
We are very pleased about your interest in our company.
Personal data is any information relating to an identified or identifiable person. Pseudonymous data that we cannot assign to you directly, e.g. via a name or email address, is also personal data.
Because the protection of your personal data is of great importance to us, we provide you with this Privacy Policy to inform you about the nature, scope, and purpose of the personal data we process and your rights as a data subject.
At the end of this Privacy Policy, you will find, under the section "Definitions," various explanations of the terminologies used.
The data controller for the processing of personal data is:
Herren Thomas Paar und Jan Mußmann
Spandauer Str. 32
57072 Siegen
Tel.: +49 271 222958 - 0
Fax: +49 271 222958 - 90
The external corporate data protection officer (DPO) for UPONU GmbH is:
dokuworks GmbH
Herr Markus Weber
Birlenbacher Str. 20
57078 Siegen
Tel.: +49 271 77237-60
If you have any questions or suggestions regarding data protection, please feel free to contact us as the data controller or our data protection officer at any time.
2. Data Subject Rights
You may exercise the following rights with respect to your personal data:
  • Right to Information (Art. 15 GDPR)
  • Right to Rectification (Art. 16 GDPR) or Deletion (Art. 17 GDPR)
  • Right to Restriction of Processing (Art. 18 GDPR)
  • Right to Data Portability (Art. 20 GDPR)
  • Right to Object to Processing (Art. 21 GDPR)
If you request information from us, we will inform you in accordance with data protection regulations whether and what data we have collected from you. Our goal is always to ensure current and error-free data collection. If incorrect information has nevertheless been recorded, we will correct it promptly upon a corresponding request.
To do so, please send us a request to:
In addition to exercising your rights with us, you also have the right to lodge a complaint with a supervisory authority if you suspect a violation of data protection regulations (Art. 77 GDPR).
3. Data Transfer to the USA (via Analytical Tools)
On July 10, 2023, a new transatlantic data protection agreement, known as the "Data Privacy Framework," came into effect, also referred to as "Privacy Shield 2.0." This allows the use of tracking, analytical, and marketing tools from the USA, but subject to certain conditions. In the current adequacy decision, it is determined that the USA ensures an adequate level of protection for personal data transmitted from the EU to US companies compared to the EU/EEA, but only in relation to US companies participating in the new EU-US data protection agreement. For a US company to be considered a secure data recipient and adhere to the principles of the Data Privacy Framework, it must undergo a self-certification process with the US Department of Commerce (DoC). This self-certification process requires a company to submit a set of documents. Once these documents are complete, the organization is included in the DPF list (short for "Data Privacy Framework") and is considered self-certified according to the requirements of the new data protection framework.
As of the creation of this data protection notice, not all companies have completed this self-certification process since it has only recently come into effect. Therefore, in cases where this cannot yet be proven, we will continue to insist on compliance with the previously applicable law, which requires the use of EU Standard Contractual Clauses in conjunction with a Transfer Impact Assessment (TIA) to establish an adequate level of data protection with the service provider.
4. Privacy Notice for Business Partners
We are delighted that you have shown an interest in UPONU GmbH and have been in contact with us.
The protection of your data is of utmost importance to us. With this privacy notice, we provide you with the following information in accordance with Article 13 of the General Data Protection Regulation (GDPR) regarding the processing of your personal data in the context of our business relationship.
For additional information about our company, details about our authorized representatives, and further contact options, please visit
What data do we process and for what purposes?
We only process personal data that we have received from you as part of our business relationship or, if applicable, from publicly available sources.
Personal data as defined by Article 4(1) of the General Data Protection Regulation (GDPR) may include names, telecommunications data, and address data. In addition, we also process offer, inquiry, and order data, data related to the fulfillment of our contractual obligations, product data, documentation data, as well as other data comparable to the mentioned categories. The provision of your personal data is necessary for the initiation, implementation and processing of the contractual relationship. If it is not provided, it will unfortunately not be possible for us to contact you to clarify pre-contractual or contractual questions.
What is the legal basis for processing your personal data?
Your personal data is processed in accordance with the legal provisions of the GDPR and the new version of the Federal Data Protection Act to fulfill contractual obligations or to take measures to initiate a contract (Art. 6 Para. 1 S. 1 lit. b GDPR).
In addition, we may use this data for additional purposes as part of our business relationship.
How long is the data stored?
We process and store your personal data for the duration of our business relationship and at least in accordance with the statutory retention periods such as for example the Commercial Code or Tax Code.
Who is the data passed on to and where is it processed?
We only use the personal data for our own purposes as part of the business relationship.
5. Applicant Management
The person responsible for processing collects and processes the personal data of applicants for the purpose of processing the application process. Processing can also take place electronically. This is particularly the case if an applicant submits relevant application documents to the person responsible for processing electronically, for example by email or via a web form on the website. If the person responsible for processing concludes an employment contract with an applicant, the data transmitted will be stored for the purpose of processing the employment relationship in compliance with legal regulations.
The legal basis for this processing is Section 26 Paragraph 1 Sentence 1 BDSG in conjunction with Article 88 Paragraph 1 GDPR.
If the person responsible for processing does not conclude an employment contract with the applicant, the application documents will be automatically deleted six months after the rejection decision is announced, provided that deletion does not conflict with any other legitimate interests of the person responsible for processing. Other legitimate interests in this sense include, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).
The legal basis in this case is Article 6 Paragraph 1 Letter f GDPR and Section 24 Paragraph 1 No. 2 BDSG. Our legitimate interest lies in legal defense and enforcement.
If you expressly consent to a longer storage of your data, for example for your inclusion in an applicant or interested party database, the data will be further processed based on your consent. The legal basis is then Article 6 Paragraph 1 Letter a GDPR. Of course, you can revoke your consent at any time in accordance with Art. 7 Para. 3 GDPR by notifying us with effect for the future.
6. Data protection when visiting our website
Type and purpose of processing:
When you access our website, the browser used on your device automatically sends information to our website server. This information is temporarily stored in a so-called log file. The following information is recorded without your intervention and stored until it is automatically deleted, usually after one week.
  • IP-address of the requesting computer
  • Date and time of access
  • Name and URL of the retrieved file
  • Website from which access is made (Referrer URL)
  • Browser used and, if applicable, the operating system of your computer as well as the name of your access provider
The data mentioned will be processed in particular for the following purposes:
  • Ensuring problem-free connection to the website
  • Ensuring smooth use of our website
  • Evaluation of system security and stability
  • Clarification of any abusive page access (DoS/DDoS attacks or similar)
  • Optimization of our website
We do not use your data to draw conclusions about you personally. We reserve the right to do this in the event that this becomes necessary to investigate abusive page access. We generally evaluate information of this type anonymously and statistically in order to optimize our website and the technology behind it.
Legal basis and legitimate interest:
Processing is carried out in accordance with Article 6 Paragraph 1 Letter f of the GDPR based on our legitimate interest in improving the stability and functionality of our website.
Recipients of the data may be technical service providers who act as contract processors for the operation and maintenance of our website.
Storage period:
The data will be deleted as soon as it is no longer required for the purpose of collection. This is generally the case for the data used to provide the website when the respective session has ended.
If the data is stored in log files, this is usually the case after one week. Storage beyond this is possible. In this case, the users' IP addresses are anonymized so that it is no longer possible to assign the calling client.
Provision Required or Mandatory:
The provision of the aforementioned personal data is neither legally nor contractually required. However, without providing your IP address, the service and functionality of our website cannot be guaranteed. Additionally, certain services and features may not be available or may be limited. For this reason, objections to providing this data are not possible.
7. Hosting
We host the contents of our website ourselves:
UPONU GmbH, Spandauer Str. 32, 57072 Siegen, Germany.
The legal basis for hosting is our legitimate interests in the most reliable presentation of our website possible (pursuant to Art. 6 para. 1 lit. f DSGVO). Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) as defined by the TTDSG. The consent can be revoked at any time.
8. Technologies used
This website uses various services and applications (collectively, “Tools”), provided either by ourselves or by third parties. This includes, in particular, tools that use technologies to store or access information on the end device:
  • Cookies
    Information stored on the end device, consisting in particular of a name, a value, the storing domain and an expiry date. So-called session cookies are deleted after the session, while so-called persistent cookies are deleted after the set expiry date. Cookies can also be removed manually.
  • Web Storage (Local Storage / Session Storage):
    Information stored on the end device, consisting of a name and a value. Information in session storage is deleted after the session, while information in local storage has no expiration date and is generally stored unless a mechanism for deletion has been set up (e.g. storage of a local storage with time entry). Information in local and session storage can also be removed manually.
With the help of these technologies and also by simply establishing a connection on a page, so-called “fingerprints” can be created, i.e. usage profiles that do not require the use of cookies or web storage and can still recognize visitors. Fingerprints due to connection establishment cannot be completely prevented manually.
By default, most browsers are set to accept cookies, running scripts, and displaying graphics. However, you can usually adjust your browser settings to refuse all or certain cookies or to block scripts and graphics. If you completely block the storage of cookies, the display of graphics and the execution of scripts, our services are likely not to work or to function smoothly.
The tools we use are listed below, sorted by category, whereby we inform you in particular about the providers of the tools, the storage period of cookies or information in local storage and session storage, and how the data is passed on to third parties. It also explains in which cases we obtain your voluntary consent to use the tools and how you can revoke it.
8.1 Technically Necessary Cookies
Technically necessary cookies are those that secure the basic functions of the website, enabling its operation. This is solely about technical necessity, not economic aspects.
The legal basis for this is our legitimate interest in providing a functioning website, as per Article 6(1)(f) GDPR, or compliance with a legal obligation as per Article 6(1)(c) GDPR.
For the purposes mentioned above, we use the services of the following third-party providers, who are responsible for data processing that occurs through their respective services, as defined in Article 4(7) GDPR. You can find further information about data processing by these providers and your rights as a data subject in the privacy policies of the providers linked below:
  • Web Storage
    We use web storage to save the personal preferences of website visitors, specifically their settings in the cookie banner.
8.2 Statistical Cookies and Marketing Cookies
Statistical cookies help website owners understand how visitors interact with websites by anonymously collecting and reporting information.
Marketing cookies store user information regarding the visited website. This data is used, for example, to display personalized ads based on user interests, optimize offers, recognize the user, or simplify website usage.
The legal basis for this is your consent, according to Article 6(1)(a) GDPR.
For the purposes mentioned above, we use the services of the following third-party providers, who are responsible for data processing that occurs through their respective services, as defined in Article 4(7) GDPR. You can find further information about data processing by these providers and your rights as a data subject in the privacy policies of the providers linked below:
  • Google Analytics 4
    (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
    Google Privacy Policy Google Analytics Information
  • Google Tag Manager
    (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
    Google Privacy Policy
  • Google Advertising Products
    (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
    Google Privacy Policy
  • LinkedIn Insight
    (LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA)
    LinkedIn Privacy Policy
    We use the LinkedIn Insight-Tag conversion tracking tool on our website. The service provider is the American company LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. For data protection aspects in the European Economic Area (EEA), the EU, and Switzerland, the company LinkedIn Ireland Unlimited (Wilton Place, Dublin 2, Ireland) is responsible.
  • Meta Pixel [+ Conversion Custom Event]
    (Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland)
    Facebook Privacy Policy
  • SalesViewer
    (SalesViewer® GmbH, Huestr. 30, 44787 Bochum, GERMANY)
    SalesViewer Privacy Policy
8.3 Web Storage
Web Storage is a web application technology that stores data in a web browser. Web Storage can be viewed simply as a further development of cookies, but differs from them in a few ways.
Unlike cookies, which can be accessed by both server and client, Web Storage is completely controlled by the client. This means that data is not transferred to the server every time the website is accessed. Access is only possible locally via scripts on the website. Specifically, this means that third parties cannot access the information stored on the website. Only you and we can access the locally stored data.
We use Web Storage to obtain and manage your consent. This creates a banner that informs you about data processing on our website and gives you the opportunity to agree to all, individual or no data processing using optional tools. This banner appears the first time you visit our website and when you revisit your settings selection to change them or withdraw consent. The banner will also appear on subsequent visits to our website if you have deactivated the storage of cookies or the cookies or information in Web Storage's local storage have been deleted or have expired.
Data processing by Web Storage is necessary to provide you with the legally required consent management and to fulfill our documentation obligations. The legal basis for the use of Web Storage is Article 6 (1) (f) of the GDPR, based on our interest in meeting the legal requirements for consent management, in conjunction with Article 6 (1) (c), according to which we ourselves are responsible for compliance are obliged to comply with the legal requirement. In these cases, access to and storage of information on the device is absolutely necessary and is carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to Section 25 Paragraph 2 TTDSG.
The legal basis for the use of Web Storage, which is absolutely necessary for the website to function, is Article 6 (1) Sentence 1 (f) GDPR (legitimate interest in data processing). The legitimate interest arises from our need to be able to offer you a functioning website. Web Storage is necessary because it is an integral part of current Internet technology and without it many functions of current websites would not be available. We therefore need Web Storage in order to be able to provide you with the website upon your request.
You can object to the processing of your data based on our legitimate interest at any time under the conditions of Art. 21 GDPR. To do this, please use the contact details provided in the Legal Notice.
However, we would like to point out that the processing of your data in Web Storage may be mandatory within the meaning of Art. 21 Para. 1 GDPR, as otherwise the website cannot be operated at all and we do not have the technical possibility to prevent use on certain individual devices. However, you may be able to do this yourself in your browser. For further information, please take a look at your browser instructions.
The legal basis for the use of Web Storage, which is not absolutely necessary for the website to function, is Article 6 (1) Sentence 1 (a) GDPR (consent of the data subject). When you first access the website, via an information text that appears, we ask you for your consent for usage. You can revoke your consent at any time with future effect by deleting all cookies in your browser. You can find out how this works in your browser in the browser instructions.
Revoking your consent or changing your preferences
You can revoke your consent for certain tools, i.e. for the storage and access to information on the device, the processing of your personal data and the transfer of your data to third countries, at any time with effect for the future. To do this, click on the “fingerprint symbol” in the lower left area of our website. There you can also change the selection of tools you wish to consent to using, as well as obtain supplementary information about the tools used. Alternatively, you can revoke your consent for certain tools directly with the provider.
10. Social Media
10.1 Integration of Social Media Buttons
The data controller has integrated components of social media on this website. We use the services of the following third-party providers, who are responsible for data processing that occurs through their respective services, as defined in Article 4(7) GDPR. These providers only collect personal data from you when you click the button and are redirected to the respective page. For further information about data processing by these third-party providers and your rights as a data subject, you can refer to the privacy policies linked below:
10.2 Use of Social Media Profiles
For the presentation of our content on a social media profile, we access the technical platform and services of the respective social media providers. As the operator of the social media profile, UPONU GmbH is jointly responsible with the operator of the social network, as defined in Article 4(7) of the General Data Protection Regulation (GDPR). When you visit our social media profile, personal data is processed by the responsible parties. We inform you about the data processed, how it is processed, and your rights regarding this data.
Please note that you use this website and its functions at your own risk. This applies especially to the use of interactive features (e.g., commenting, sharing, rating, etc.). We may use your comments and ratings as an opportunity to respond with our own comments. In doing so, we exercise our legitimate interest in interacting with active users of our profile (Article 6(1)(f) GDPR).
If you have any questions, you may have the option to contact us via personal messages. Your username may be automatically communicated to us in this context. Additional information may be provided voluntarily, especially when contacting us outside of social media. Data processing for the purpose of contacting us is based on your voluntarily given consent in accordance with Article 6(1)(a) GDPR. Personal data processed for contacting us will be automatically deleted after your request has been addressed unless legal retention obligations prevent this (e.g., because a contractual relationship has been established based on your request).
Beim Besuch unseres Social-Media-Profils erfasst der Anbieter u. a. Ihre IP-Adresse sowie weitere Informationen, die in Form von Cookies auf Ihrem PC vorhanden sind. Diese Informationen werden verwendet, um uns als Betreiber des Social-Media-Profils statistische Informationen über die Inanspruchnahme der Website zur Verfügung zu stellen.
When visiting our social media profile, the provider collects your IP address and other information in the form of cookies on your PC. This information is used to provide us, as the operator of the social media profile, with statistical information about the usage of the website.
The data collected about you in this context by the providers may be processed and potentially transferred to countries outside the European Union. The provider's general data usage policies describe what information the provider receives and how it is used. You can find information on how to contact the provider and how to adjust advertising settings in their data usage policies.
The extent to which providers use data from the visit to social media profiles for their own purposes, the allocation of activities on the websites to individual users, the retention period of this data, and whether data is passed on to third parties are not conclusively and clearly named, and we are not aware of this. When accessing a social media profile, the IP address assigned to your device is transmitted to the provider. This allows the provider to potentially associate IP addresses with individual users. If you are currently logged in as a user with a social media provider, a cookie with your identifier is stored on your device. As a result, the provider can track that you have visited this page and how you have used it. If you want to avoid this, you should log out of the respective social media provider or deactivate the "stay logged in" function, delete the cookies on your device, and restart your browser
For more information on your rights as a data subject according to the GDPR, please refer to section 2 "Data Subject Rights."
Weitere Informationen zu den Rechten, die Ihnen gem. DSGVO als betroffene Person zustehen, finden Sie unter dem Punkt 2 Betroffenenrechte. Additional information is available from the provider at the following links:
11. Contact
If you contact us (e.g. via contact form, chat or email), we will process your information to process the request and in the event that follow-up questions arise.
If the data processing is carried out to carry out pre-contractual measures at your request or, if you are already our customer, to carry out the contract, the legal basis for this data processing is Article 6 Paragraph 1 Sentence 1 Letter b GDPR.
12. Chatbox
You can also contact us directly via chat on our website. In order to support you most effectively with your matters, we use the LiveChat service. If you contact us via our chat, the chat history will be used for 30 days for the purpose of processing your request (Art. 6 Para. 1 lit. b) GDPR) and for internal purposes, e.g. B. Control and improvement of our business and service processes are stored for up to 6 months (Art. 6 Para. 1 lit. f GDPR), after which the chat history will be irrevocably deleted.
Further information about the data protection of the listed provider can be found at the following link:
13. Storage period
Unless specifically stated, we only store personal data for as long as is necessary to fulfill the purposes pursued.
In some cases, the law requires the storage of personal data, for example in tax or commercial law. In these cases, we will only continue to store the data for these legal purposes, but will not process it in any other way and will delete it after the statutory retention period has expired.
14. Definitions
The data protection declaration is based on the terms used by the European legislator when issuing the General Data Protection Regulation (GDPR). Our data protection declaration should be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we would like to explain the terms used in advance.
Personal Data
Personal data is any information that relates to an identified or identifiable natural person (hereinafter “data subject”). A natural person is considered to be identifiable if he or she can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
Data subject
Data subject is any identified or identifiable natural person whose personal data is processed by the data controller.
Processing is any operation or series of operations carried out on personal data, whether or not by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or modification, reading, querying, use, disclosure by transmission, distribution or other form of provision, alignment or association, restriction, deletion or destruction.
Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of restricting their future processing.
Profiling is any form of automated processing of personal data that involves using these personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.
Pseudonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organizational measures that ensure that the personal data not be assigned to an identified or identifiable natural person.
Controller or person responsible for processing
The person responsible or responsible for processing is the natural or legal person, public authority, institution or other body which, alone or jointly with others, decides on the purposes and means of processing personal data. If the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller.
The recipient is a natural or legal person, public authority, institution or other body to which personal data is disclosed, regardless of whether it is a third party or not. However, public authorities which may receive personal data in the context of a specific investigative task under Union or Member State law shall not be considered as recipients.
Third Party
Third party is a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons authorized to process the personal data under the direct responsibility of the controller or the processor.
Consent is any voluntary, informed and unambiguous expression of wishes given by the data subject for a specific case, in the form of a statement or other unambiguous confirmatory act, by which the data subject indicates that he or she agrees to the processing of personal data concerning him or her is.
15. Disclosure of Data to Third Parties
We do not transfer your personal data to third parties for purposes other than those listed below. We only disclose your personal data to third parties if:
  • You have given your explicit consent according to Article 6 (1) (a) GDPR.
  • The disclosure is necessary under Article 6 (1) (f) GDPR for the establishment, exercise, or defense of legal claims, and there is no reason to believe that you have an overriding legitimate interest in not disclosing your data.
  • There is a legal obligation to disclose the data under Article 6 (1) (c) GDPR.
  • The disclosure is legally permissible and necessary under Article 6 (1) (b) GDPR for the performance of a contract with you.
16. Data Security
We make every effort to ensure the security of your data in accordance with applicable data protection laws and technological capabilities.
Your personal data is transmitted to us in encrypted form. This applies to your orders and also to customer logins. We use the SSL (Secure Socket Layer) encryption system, but please be aware that data transmission over the Internet (e.g., when communicating via email) may have security vulnerabilities. It is not possible to provide complete protection of data from third-party access.
17. Actuality and change of this Privacy Policy
This Privacy Policy is currently valid and has the status October 2023. Due to the further development of our website and offers on it or due to changed legal or regulatory requirements, it may become necessary to change this privacy policy.