Privacy Policy
The protection of your data is of particular concern to us. With this privacy policy, we want to inform you about the processing of your personal data and how we comply with the requirements of the EU General Data Protection Regulation ("GDPR"), the German Federal Data Protection Act ("BDSG") and the German Telecommunications Digital Data Protection Act ("TDDDG") on our website and in the event that you wish to contact us after visiting our website.
"Personal data" within the meaning of this Privacy Notice is all information that can be used to establish a connection to a person, for example on the basis of certain characteristics that allow conclusions to be drawn about the identity (e.g. the assignment of an IP address to a specific person by querying the connection with an Internet service provider). We use the term "personal data" in this Privacy Notice as it is defined in Art. 4 No. 1 GDPR.
 
1. Data Controller and Contact Details
Rulemapping Group GmbH
Friedrichstraße 123
10117 Berlin
E-Mail: info@rulemapping.com

2. Our Data Protection Officer
Our Data Protection Officer,
Clandestine GmbH
Dornberger Straße 27
33615 Bielefeld
www.clandestine.de
can be reached by post at the above address or by email at privacy@rulemapping.com.
 
3. What kind of personal data do we process and where do we obtain them from?
In order for websites to work, some data must necessarily be transmitted to us, such as your IP address. Without this, the provision of websites would not work. In addition, there are a number of optional processing operations, especially if you voluntarily contact us via the website or allow us to collect pseudonymized statistics via cookies.
In detail:
We collect data that is necessarily collected when you visit our website (see a.). We also process data that is collected when you contact us (see b.), use our Agent (see c.) or after you have given your consent (see d.).
a. Data that is necessarily collected when you visit our website
When you visit our website, the following data is collected for technical reasons in order to enable its functionality. Some of this data is personal data. It is then stored for a short time in a server log file:
  • IP address of the request;
  • Name of the retrieved file;
  • Name/type of your web browser;
  • The operating system you are using; 
  • if applicable, a referrer URL (this is the URL of the website from which you reached our website when you clicked on a link); and
  • Timestamp of the retrieval.
b. Data that is collected when you contact us
When you contact us, in particular via the contact form on this website or by email, you generally provide us with the following personal data:
  • your name;
  • your e-mail address;
  • your IP address;
  • other contact details, such as your telephone number (if you provide it to us voluntarily); and
  • so-called metadata, which is typically generated when sending an e-mail (if you do not use the contact form but write us an e-mail).
We may also store your contact details for a limited period of time if we wish to remain in contact with you.
c. Data that is processed when using the Rulemapping Agent
When you use our Rulemapping Agent, the following data is collected in addition to the data processed under a. above:
  • Content to be checked (screenshots or text inputs);
  • e-mail address.
d. Data that is processed when consent is given
Like many other website operators, we would like to compile pseudonymized statistics primarily to measure our website access figures and usage time so that we can improve the attractiveness of our website and make the content interesting for our target group. However, we only use the tools used for this if you give us your consent to do so. For reasons of clarity, we have regulated the topic of cookies and other technologies in a separate section of this Privacy Notice. You can find this below under point 6.
 
4. For what purposes do we process your personal data?
For all data processing that allows our website to work properly in the first place or if you enter into a contract with us, we can process the necessary data without asking for your consent. In all other cases, we must ask you for your consent in advance. In very rare cases, e.g. if you conclude a contract via our contact form, we even have to retain data for a period of time determined by law and must therefore process it.
In detail:
According to the applicable data protection laws, we may only process personal data if there is a legal basis for doing so. In the following, we describe the purposes for which we process the data mentioned in section 2:
a. Data processing based on your consent (Art. 6 (1) (a), Art. 7 GDPR)
If you give your consent to all or certain data processing via our Consent Management Tool, for example if you consent to pseudonymized tracking measures being carried out or third-party technologies being displayed (e.g. Google fonts), you expressly consent to the processing of your personal data. For details, please refer to Section 6 of this Privacy Notice.
b. Data processing on the basis of a contract (Art. 6 (1) (b) GDPR)
If you use our Rulemapping Agent, you are using a free service provided by us. We process the data required to fulfil the contract that is entered into when you use this service.
c. Data processing due to legal obligation (Art. 6 (1) (c) GDPR)
In rare cases, emails may constitute so-called commercial or business letters. This may also include messages that you send via the contact form. We are obliged under applicable statutory provisions, in particular those of the German Commercial Code ("HGB") and the German Fiscal Code ("AO"), to retain business correspondence, which includes such emails, for a certain period of time. We therefore process this data in the context of our website on the basis of this legal obligation.
d. Data processing based on legitimate interests (Art. 6 (1) (f) GDPR)
The provision of our website is a free service that we provide to every visitor.
This processing is necessary to safeguard our legitimate interests, as we have an interest in presenting our services to an interested audience. The fundamental rights and freedoms of website visitors as data subjects do not prevail here, as the personal data processed are those that are inevitably collected for technical reasons when any website is accessed. Conclusions about specific persons could only be drawn with additional knowledge that is not readily available (e.g. to draw conclusions about a possible user from a specific IP address via an Internet service provider).
We also use service providers as data processors, e.g. our web host. As these are data processors (see section 5 for more details), no separate legal basis is required for this.
 
5. To whom will your personal data be forwarded?
Our website is stored on a server of a professional web hosting provider. As a result, data is also transmitted to this service provider each time the website is accessed and delivered by this service provider. If you send us an email via the contact form, i.e. the message arrives in our email inboxes, our email provider will necessarily also be involved. Your data will also be transferred to other countries outside the European Union, but we have ensured that it is still adequately protected.
In detail:
a. Web hosting provider
We do not host our website on our own server, but use a web hosting service provider. This is Amazon Webservices EMEA SARL, 38 Avenue John F. Kennedy L-1855 Luxemburg. This is a data processor with whom we have entered into a data processing agreement in accordance with Art. 28 GDPR.
b. E-mail correspondence
For our email correspondence, we use the services Google Workspace of Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland and Microsoft 365 of Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Both service providers are data processors. We have entered into a data processing agreement with each of them in accordance with Art. 28 GDPR and configured the most data protection-friendly settings possible, so that, for example, personal data is stored within the European Union wherever possible. Nevertheless, parts of the data processing may take place in the USA. The USA is a third country within the meaning of the GDPR, as it is located outside the European Union and the European Economic Area. Both providers are certified under the EU-U.S. Data Privacy Framework, so that suitable guarantees are in place for data transfer to the USA.
In some cases, we use the provider Mailjet GmbH, Alt Moabit 2 10557 Berlin for sending emails. Mailjet is a processor. We have concluded an order processing contract with them in accordance with Art. 28 GDPR and configured the most data protection-friendly settings possible so that, for example, personal data is stored within the European Union wherever possible.
 
6. Cookies and other third-party technologies
Like many other website providers, we use various third-party services, e.g. to collect pseudonymized statistics or to integrate content from these third-party providers on our website. For the most part, these are Cookies and Pixels, which we only use with your consent. Some of it is content that is loaded from other sites (e.g. fonts). Information on this can be found in the overview in this section and, with regard to individual Cookies and Pixels, in the settings of our Consent Management Tool.
In detail:
Cookies are files that are stored in the browser environment on your terminal device (e.g. PC, Mac, Android smartphone, iOS smartphone) and in which information about you and the use of the website is stored.
We use cookies and pixels for the following purposes:
  • Improving user-friendliness ("performance cookies"): These cookies store user preferences (e.g. language settings) in order to display the website as usual when you use it again;
  • Statistics: We want to collect pseudonymized statistics (i.e. statistics that cannot easily be traced back to the person behind them) about the use of the website so that we can draw conclusions about usability and attractiveness.
We use a cookie consent management tool with the help of which we obtain consent for tracking measures.
We also use the following types of other third-party technologies that embed data from other sources on our website:
  • Fonts: We use Google's Fonts service to integrate fonts on our website that are not stored locally on the web space.
The above-mentioned third-party services are also either controlled by the consent management tool (i.e. only loaded when you give your consent there), or you must confirm that the service is loaded by clicking at the place of integration (e.g. at the place where Google Maps is to be integrated).
 
7. How long will we retain your personal data?
How long your data is retained depends on the legal basis of the data processing.
In detail:
We generally retain data that we process on the basis of your consent for as long as the consent exists. After this, we may retain the documentation of consent for a further period of up to three years in order to be able to defend ourselves against possible claims; during this time, however, consent will of course not be used. However, this does not apply without exception. If we do not make use of the data that we have obtained on the basis of consent for a longer period of time or discontinue the underlying service, we will delete the data without you having to revoke your consent.
Data that is retained on a contractual basis will be retained for three years from the end of the year in which the contract was fulfilled or completed due to the exchange of services.
Data that is necessarily collected when visiting the website is deleted 7 days after the log file is created.
We delete data that is retained to fulfill legal obligations as soon as the legal retention periods have expired. According to the German Commercial Code (HGB) and the German Tax Code (AO), this is six to ten years for business and commercial letters.
Data that we process on the basis of our legitimate interest is generally processed for as long as the legitimate interest exists. This depends on the specific individual case. If you would like more information on this, you are welcome to contact us. As it is unreasonable to check every day for each stored item of data whether the purpose for storage still exists, we may check this at regular intervals. Therefore, data may be retained for a limited period of time (deletion period), even if the legitimate interest has already ceased to exist. The data will not be processed for other purposes within the deletion period.
 
8. Your rights as a data subject and your withdrawal of consent
As a data subject, you have various rights, which we explain in detail in this section. In particular, you can withdraw your consent at any time with effect for the future (i.e. all past data processing based on consent remains lawful) and you can simply object to data processing that we only carry out on the basis of our legitimate interest (e.g. marketing measures that are permitted without consent in exceptional cases). Please note that in this section we describe all the rights to which you may be entitled as a data subject. This does not definitively determine whether you are actually entitled to a right.
In detail:
According to the GDPR, you are entitled to the following rights as soon as the conditions for exercising the respective right are met in detail:
  • you have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, the details of the data processing (Art. 15 GDPR: Right of access by the data subject);
  • you have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement (Art. 16 GDPR: right to rectification);
  • you have the right to obtain from us the erasure of personal data concerning you without undue delay (Art. 17 GDPR: right to erasure/to be forgotten);
  • you have the right to obtain from us restriction of processing of personal data concerning you (Art. 18 GDPR: right to restriction of processing);
  • in the case of processing based on consent or for the performance of a contract, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us or to have the data transmitted directly to another controller, where technically feasible (Art. 20 GDPR: Right to data portability);
  • you have the right to lodge a complaint with a supervisory authority at any time, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes applicable law (Art. 77 GDPR in conjunction with Section 19 BDSG: Right to lodge a complaint with a supervisory authority).
You also have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you which is (i) necessary for the performance of a task carried out in the public interest, (ii) in the exercise of official authority vested in us, or (iii) which we process on the basis of our legitimate interest (Art. 21 GDPR: right to object). In this case, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
If personal data is processed for the purpose of direct marketing (marketing and business development), you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing. In this case, the personal data will no longer be processed for direct marketing purposes.
If you have given us your consent, you can withdraw this consent at any time. All data processing that we have carried out up to your revocation remains lawful.
You can assert the above-mentioned rights against us using the contact details provided in section 1.
 
9. Am I obliged to provide my personal data?
In principle, you are not obliged to provide us with your personal data. However, without the personal data, we will not be able to provide certain services or contact you.
If you browse our website, however, you cannot avoid providing the data mentioned under point 3. a), as the operation of the website would otherwise not be technically possible. If you take technical precautions to prevent the transmission of this data, you may not be able to access the website. However, you are free to disguise this data (e.g. by using a VPN service or masking) so that we cannot draw any conclusions from this technically necessary data (e.g. by using your real IP address to determine your approximate location).
 
10. Automated decision-making and profiling
We do not use automated decision-making or profiling.
 
11. Data Security
We have implemented technical and organizational measures to ensure a high standard of data security, data availability and data integrity. All employees are subject to contractual confidentiality obligations and have been informed and instructed accordingly about the confidential handling of personal data.

12. Special provisions for our LinkedIn page
The following applies with regard to our LinkedIn page (available at https://www.linkedin.com/company/rulemapping-group/): If you access the website https://www.linkedin.com or the LinkedIn service via mobile apps, the data controller for data processing is
LinkedIn Ireland Unlimited Company
Wilton Place
Dublin 2
IRELAND
("LinkedIn")
If you transmit personal data to us via the linkedin.com website (e.g. via the message function) and we alone decide on the purposes and means of data processing, we are the sole data controller under data protection law.

You can find LinkedIn’s Privacy Notice here.
Insofar as LinkedIn processes personal data in connection with the LinkedIn page and we contribute to the decision on the purposes and means of processing, LinkedIn and we are joint controllers of the data processing in this respect.
The joint controllership exists in particular for the Page Insights function. LinkedIn provides this function for operators of LinkedIn pages. This provides us with aggregated user statistics and enables us to recognize, for example, which target groups view our LinkedIn account and interact with posts and which of the posts receive a particularly large response. These statistics are compiled using information from our page visitors.
The legal basis for this processing is Art. 6 (1) (f) GDPR. Our legitimate interest lies in evaluating the activities on our account and tailoring our offers to the needs of our users. We want to improve our services in this way. As the user data is aggregated and anonymized, we do not believe that the data processing poses any significant risk to the rights and freedoms of the data subjects.
We have entered into a joint controllership agreement with LinkedIn in accordance with Art. 26 GDPR. This agreement sets out our respective responsibilities and obligations in relation to data subjects and their rights. You can find the agreement here.
We summarize the joint controllership agreement as follows: Views of LinkedIn pages, i.e. also of our page, are recorded statistically. This enables us to filter the page views according to various criteria (e.g. age, professional seniority, region) and to gain insights into our user structure. LinkedIn does not transmit any clear user data to us, i.e. apart from the presentation of the statistics, we have no insight into the underlying data. With regard to the Page Insights function, LinkedIn assumes the data protection obligations under Art. 12-22 and 32-34 GDPR.
In addition, as mentioned above, we process personal data from you as a LinkedIn user that you provide to us via LinkedIn. These are, for example, messages via the Messenger service. Insofar as these are aimed at the conclusion of a contract, Art. 6 (1) (b) GDPR serves as the legal basis for the processing, otherwise we process this personal data out of our legitimate interest in continuing to contact you.
 
January 2025