1. Controller
The controller responsible for the processing of personal data in connection with this website and the Cernavio platform within the meaning of the GDPR is CITO GmbH, represented by its managing director Sebastian Johnston, based in Hamburg, Germany. Cernavio is a brand of CITO GmbH. Please direct all data protection matters to the contact address below. We deliberately do not operate a telephone line, so communication takes place in writing by email.
2. Data Protection Officer
A data protection officer has not been appointed, as the statutory requirements for a mandatory appointment are currently not met. Should such an obligation arise in the future, we will name the data protection officer and provide the contact details here. For all data protection matters you can reach the controller via hello@cernavio.com.
3. General information on data processing
We process personal data only to the extent necessary to provide a functional website together with our content and services, or where you have given your consent. Personal data is any information relating to an identified or identifiable natural person.
Legal bases
Depending on the purpose, processing is based on one of the following legal grounds:
- Consent of the data subject (Art. 6(1)(a) GDPR), for example for a future newsletter subscription.
- Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR), for example when requesting a demo.
- Compliance with a legal obligation (Art. 6(1)(c) GDPR), for example commercial and tax retention requirements.
- Protection of our legitimate interests (Art. 6(1)(f) GDPR), for example security, operation and improvement of our offering.
4. Hosting and provision of the website
This website is hosted by Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA. Vercel provides the infrastructure, computing power and delivery of the website. Delivery takes place primarily via server locations within the European Union. In doing so, technically required data generated when the website is accessed is processed. The processing is carried out to safeguard our legitimate interest in a secure and efficient provision of the website (Art. 6(1)(f) GDPR).
We have concluded a data processing agreement with Vercel pursuant to Art. 28 GDPR. Where a transfer of data to the USA cannot be ruled out in individual cases, it takes place on the basis of the EU Commission's standard contractual clauses (Art. 46(2)(c) GDPR) together with supplementary safeguards.
5. Server log files
Each time the website is accessed, the system automatically collects data and information from the device making the request. These server log files typically include:
- anonymised or shortened IP address of the requesting device
- date and time of access
- page requested, volume of data transferred and status message
- browser type and version used
- operating system and referrer URL (previously visited page)
The log files serve technical delivery, the protection of system security and analysis in the event of disruptions or attacks. The legal basis is Art. 6(1)(f) GDPR. The log files are deleted after seven days at the latest, unless they are still required to investigate a security incident.
7. Contact and demo requests
If you contact us via a form, a demo request or by email to hello@cernavio.com, we process the data you provide in order to handle and respond to your request. This is usually your name, your business email address, where applicable your company, and the content of your message.
We use the service web3forms (Web3Forms) as a processor to transmit the form data. The data you enter in the form is forwarded via web3forms to our email inbox, where it is handled. The legal basis is Art. 6(1)(b) GDPR where the request relates to entering into or performing a contract, and otherwise our legitimate interest in responding to enquiries (Art. 6(1)(f) GDPR). We delete the data once it is no longer required to achieve the purpose and no statutory retention obligations apply.
8. Login demo
The login area of this website is currently a pure demo environment with preconfigured sample data. No real user accounts are created and no personal registration data is collected or stored. Only the technically necessary cookie cv_session is set to maintain the demo session (see section 6). As soon as real user accounts are offered, we will provide information here about the associated data processing.
9. Web analytics
We currently do not use any web analytics or tracking services. Should we introduce a privacy-friendly analytics tool in the future, we will update this privacy policy and, where required, obtain your consent (Art. 6(1)(a) GDPR).
10. Recipients and processors
Your data is transferred to third parties only where this is permitted or required by law. Service providers that process data on our behalf (currently in particular Vercel for hosting and web3forms for form transmission) are engaged under data processing agreements pursuant to Art. 28 GDPR and are bound to the level of protection required by the GDPR.
11. Transfers to third countries
Where data is transferred to service providers outside the European Union or the European Economic Area (for example to Vercel in the USA), we ensure an adequate level of protection, for example through an adequacy decision of the EU Commission or through standard contractual clauses together with supplementary safeguards (Art. 46(2)(c) GDPR). We provide information on the relevant safeguards on request.
12. Retention period
We store personal data only for as long as is necessary for the respective purposes or as required by statutory retention periods (for example under commercial and tax law). Once the purpose no longer applies and any periods have expired, the data is deleted or anonymised.
13. Your rights as a data subject
Subject to the statutory requirements, you have the following rights:
- access to the data we process about you (Art. 15 GDPR)
- rectification of inaccurate or incomplete data (Art. 16 GDPR)
- erasure of your data, provided no obligations prevent it (Art. 17 GDPR)
- restriction of processing (Art. 18 GDPR)
- data portability in a structured, common format (Art. 20 GDPR)
- objection to processing based on legitimate interests (Art. 21 GDPR)
- withdrawal of a given consent with effect for the future (Art. 7(3) GDPR)
To exercise these rights, an informal message to hello@cernavio.com is sufficient.
14. Right to lodge a complaint with a supervisory authority
Without prejudice to other remedies, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data infringes the GDPR. The authority responsible for us is generally the supervisory authority at the controller's registered office in Hamburg: the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI). You may also contact the supervisory authority of your usual place of residence.
15. Data security
We take technical and organisational measures to protect your data against loss, manipulation and unauthorised access, including encrypted transmission via TLS. Our measures are continuously adapted in line with technological developments.
16. Changes to this privacy policy
We update this privacy policy whenever the legal situation, the services we use or our processing changes. The current version published here applies in each case.
17. Data protection contact
For questions about data protection and to exercise your rights, you can reach the controller at:
CITO GmbH
Managing Director: Sebastian Johnston
Jungfrauenthal 8
20149 Hamburg
hello@cernavio.com