Privacy Policy

The controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection laws is:

• CNT AG
• Ludwig-Erhard-Allee 20
• 76131 Karlsruhe
• Germany

info@cnt.net

If you have any questions about data protection or wish to exercise your rights under the GDPR, you can contact our Data Protection Officer at any time:

• Rechtsanwalt Mathias Link
• CNT AG
• Ludwig-Erhard-Allee 20
• 76131 Karlsruhe
• Germany

dsb@cnt.net

When you visit our website, certain general information is automatically collected by the system and stored in so-called server log files. This includes:

• Browser type and version
• Operating system used
• Language preferences transmitted by the browser (e.g., preferred language)
• Referrer URL (the previously visited page)
• Pages accessed within our website
• Date and time of access
• IP address
• Name of the internet service provider

This data is technically necessary to display our website correctly, ensure stability and security, and to enable technical traceability in the event of attacks. The data is evaluated exclusively for statistical purposes and to improve our services. No conclusions are drawn about individual users.

The legal basis for processing is Art. 6 (1) lit. f GDPR (legitimate interest in the secure and error-free provision of our website). The data is not merged with other personal data and is deleted after a defined retention period.

The processing of your personal data is always based on a legal foundation in accordance with Article 6(1) of the GDPR:

• Consent (lit. a): e.g., for tracking cookies
• Contract performance (lit. b): when data is required to initiate or fulfill a contract, such as in the case of inquiries, orders, or purchases
• Legal obligation (lit. c): e.g., to comply with tax-related obligations
• Legitimate interest (lit. f): e.g., for IT security, direct marketing, or internal administrative purposes (Our interest in such cases lies in efficient business operations for the benefit of our customers, employees, and partners.)

In rare cases, processing may also be necessary to protect the vital interests of the data subject or another natural person, for instance in medical emergencies occurring during a visit to our premises. In such cases, processing is based on Article 6(1)(d) of the GDPR.

We retain personal data only for as long as necessary to fulfill the respective processing purpose or as required by statutory retention periods. Once the processing purpose no longer applies or a legal retention period has expired, the data is deleted or blocked in accordance with Articles 17 and 18 of the GDPR.

Blocking is applied particularly when deletion is legally prohibited but further processing is not permitted. Criteria for determining the retention period may include statutory retention requirements (e.g., under commercial or tax law) or potential liability periods.

In certain cases, the provision of personal data may be required by law (e.g., due to tax regulations) or necessary as part of a contract or pre-contractual measure (e.g., to fulfill an offer or agreement).

If you do not provide this data, it may not be possible to enter into or carry out a contract.

If you have any questions about when the provision of personal data is mandatory or what the consequences of not providing it may be, you are welcome to contact us at any time.

When you use contact forms on our website, we process the personal data you voluntarily provide (e.g., name, email address, phone number) in order to handle your request.

Depending on the purpose, processing is carried out based on:

• Article 6(1)(f) GDPR (legitimate interest in responding to inquiries), or
• Article 6(1)(b) GDPR (pre-contractual measures)

Additionally, we store the IP address, date, and time at the moment the form is used. This serves to prevent misuse and ensure system integrity.

Your data is used internally or, if necessary, passed on to processors who act under our instructions (e.g., for email or hosting services). Data is not shared with third parties unless there is a legal obligation or a legitimate interest in an individual case.

Once your request has been fully processed or you withdraw your consent, we delete your data unless legal retention requirements apply.

You have the right at any time to request information about the data we have stored about you, to have it corrected, or to request its deletion – provided that no legal obligations prevent this.

To manage customer relationships and inquiries, we use the CRM system Pipedrive, provided by Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Estonia. In this system, we process personal data of business partners, prospects, and customers that is transmitted to us in the context of inquiries, offers, or contracts.

Processing is carried out on the basis of Article 6(1)(f) GDPR (legitimate interest) to ensure a structured, efficient, and transparent organization of sales and communication processes. If the processing is based on your explicit consent—such as in the case of voluntary contact not related to a contract—it is additionally based on Article 6(1)(a) GDPR and Section 25(1) of the TDDDG (consent). You may withdraw your consent at any time with effect for the future.

We have entered into a data processing agreement with the provider in accordance with Article 28 GDPR. For more information on how Pipedrive processes data, please refer to: https://www.pipedrive.com/en/privacy

Our website is hosted by Claranet GmbH, Hanauer Landstraße 196, 60314 Frankfurt am Main, Germany. All personal data collected via our website is processed on their servers. This includes, among other things, IP addresses, contact requests, metadata and communication data, as well as information about page access.

The use of this hosting provider is based on our contractual obligations toward (potential) customers (Article 6(1)(b) GDPR) and our legitimate interest in providing a secure and reliable website (Article 6(1)(f) GDPR).

We have entered into a data processing agreement with the hosting provider in accordance with Article 28 GDPR to ensure that your data is processed exclusively in accordance with our instructions and in compliance with applicable data protection laws.

We use the headless content management system (CMS) Sanity and its associated content delivery network (CDN) to manage and deliver content on our website. The provider is Sanity AS, Thorvald Meyers gate 49, 0555 Oslo, Norway.

When our website is accessed, static content (e.g., text, images, media files) is delivered via the CDN. In doing so, your IP address is automatically transmitted to Sanity’s servers to technically enable content delivery. It cannot be ruled out that processing may also take place in third countries (e.g., the United States).

Purpose of Processing

The use of Sanity enables the efficient and stable delivery of content on our website.

Legal Basis

Data processing is based on our legitimate interest in the efficient and secure delivery of website content in accordance with Article 6(1)(f) GDPR.

For more information, please refer to Sanity’s privacy policy: https://www.sanity.io/legal/privacy

Depending on the nature and purpose of the processing, we may share personal data with the following recipients or categories of recipients:

• IT service providers (e.g., for maintenance, administration, and operation of our systems)
• Web hosting providers (see section “Web Hosting”)
• Providers of analytics and marketing tools (e.g., Google Analytics, Hotjar)
• Providers of CRM and communication solutions (e.g., Pipedrive)
• Where applicable, operators of social networks (e.g., LinkedIn, XING – see section “Social Networks and Platforms”)

An overview of all tools used, along with the respective providers and recipients (including location details), can be found starting in section 8 and in section 19 and following of this Privacy Policy.

Please note that this Privacy Policy does not apply to external websites of other providers that may be linked on our site. We have no control over what data is collected and processed on such websites. For further details, please refer to the privacy policies of the respective providers.

If we transfer personal data to service providers or partners located outside the European Economic Area (EEA), we ensure that such transfers comply with the legal requirements set forth in Articles 44 et seq. of the GDPR.

Transfers occur only if the European Commission has confirmed an adequate level of data protection for the respective third country (e.g., under the EU-U.S. Data Privacy Framework) or if other appropriate safeguards are in place—such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

For more information about the tools we use, their providers, and whether they are based in third countries, please refer to the relevant sections of this Privacy Policy.

To assess the creditworthiness of business partners, we routinely conduct credit checks. The legal basis for this processing is our legitimate interest pursuant to Article 6(1)(f) GDPR, particularly to prevent payment defaults, and—where necessary in the context of pre-contractual measures—Article 6(1)(b) GDPR.

For this purpose, we work with Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss, Germany. We transmit business-related data, in particular the company name, address, and, if applicable, information about the existing business relationship. No personal data of consumers is requested.

Creditreform processes this data to assess corporate creditworthiness (scoring) and provides us with probability values regarding the company’s ability to pay. The calculation is based on a mathematical-statistical method, taking into account company-specific characteristics such as industry data, legal form, company history, and previous payment behavior.

For more information about how Creditreform Boniversum GmbH processes data and about your rights, please visit: https://www.creditreform.de/datenschutz

If you apply for a position with us, we process your personal data (e.g., contact details, résumé, certificates, notes from interviews) to handle your application and to decide whether to establish an employment relationship.

Processing is based on Section 26 of the German Federal Data Protection Act (BDSG) and Article 6(1)(b) GDPR.

If you have given explicit consent (e.g., for longer data retention), processing is additionally based on Article 6(1)(a) GDPR. You may withdraw your consent at any time with future effect.

Within our company, only those individuals involved in the application process will have access to your data.

Extended retention may also occur if you have granted consent (Article 6(1)(a) GDPR) or if legal retention obligations prevent deletion.

Retention Period for Rejected Applications

If no employment relationship is established, we retain your data for up to 7 months after the application process is completed to safeguard our legitimate interests (e.g., in the event of legal disputes), pursuant to Article 6(1)(f) GDPR. The data will then be deleted, unless legal retention obligations apply.

Applicant Pool (Voluntary Consent)

If you would like to be added to our applicant pool, we require your explicit consent (Article 6(1)(a) GDPR). In this case, your documents will be stored for up to two years so we can contact you for future job opportunities. This consent is voluntary, independent of the current application process, and may be revoked at any time.

We operate company profiles on social networks and online platforms—particularly on LinkedIn and XING—to communicate with users, prospects, and customers, and to share information about our services and activities.

In doing so, personal data of users may also be processed by the respective platform providers outside the EU. In such cases, data transfers are carried out in accordance with the legal requirements set forth in Articles 44 et seq. of the GDPR, such as through EU Commission adequacy decisions or the use of Standard Contractual Clauses (SCCs).

Please note that personal data may be processed when visiting our company profiles or interacting with them (e.g., likes, comments, direct messages), even if you do not have your own account on the respective platform. If you are logged in, your interactions can be directly linked to your user profile.

We ourselves receive only aggregated statistical data (e.g., reach or engagement metrics) and do not have access to personal profile information—unless you voluntarily provide it to us.

Even clicking an external link to a social network (e.g., via our website) may result in the transmission of technical data such as your IP address or referrer information to the platform provider.

Purpose of Processing

The purpose of this processing is external communication, public relations, and the provision of up-to-date information about our company.

Legal Basis

The legal basis for our data processing is Article 6(1)(f) GDPR (legitimate interest). Where independent processing is carried out by the platform provider, it is generally based on your consent to that provider (Article 6(1)(a) GDPR).

For more information on how the respective platform providers process personal data, please refer to their privacy policies: https://www.linkedin.com/legal/privacy-policy https://privacy.xing.com/de/datenschutzerklaerung

Under the GDPR, you have various rights regarding the processing of your personal data. You may exercise these rights at any time using the contact information provided in Section 2:

a) Right of Access – Article 15 GDPR

You have the right to know whether we process your personal data, and if so, which data, for what purposes, for how long, and who the recipients are.

b) Right to Rectification – Article 16 GDPR

You may request that inaccurate or incomplete personal data be corrected or completed.

c) Right to Erasure (“Right to Be Forgotten”) – Article 17 GDPR

You may request the deletion of your data, for example if the purpose of processing no longer applies or if you withdraw your consent. This does not apply where legal retention obligations exist.

d) Right to Restriction of Processing – Article 18 GDPR

You have the right to request the restriction of processing, for instance if you contest the accuracy of the data or require the data for the establishment, exercise, or defense of legal claims.

e) Right to Data Portability – Article 20 GDPR

You may request that we provide your data to you or another controller in a structured, commonly used, and machine-readable format.

f) Right to Object – Article 21 GDPR

You may object to the processing of your data if it is based on a legitimate interest. You may object to direct marketing at any time—including any related profiling.

g) Right to Withdraw Consent – Article 7(3) GDPR

You may withdraw any consent you have previously given at any time. This does not affect the lawfulness of processing carried out before the withdrawal.

h) Right to Lodge a Complaint – Article 77 GDPR

If you believe that we are unlawfully processing your data, you have the right to file a complaint with a data protection supervisory authority:

The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg Königstr. 10a 70173 Stuttgart Germany Telefon: +49 711 615541-0 poststelle@lfdi.bwl.de www.baden-wuerttemberg.datenschutz.de

Our website uses cookies. Cookies are small text files that are stored on your device and may contain information about your visit (e.g., language preferences).

Some cookies are technically necessary (essential cookies) to enable certain website functions (e.g., to save your cookie settings). Other cookies are used for statistical analysis or to optimize our services.

The legal basis for storing and accessing non-essential cookies is your consent in accordance with Article 6(1)(a) GDPR in conjunction with Section 25(1) of the TDDDG. You provide this consent via our cookie banner, where you can withdraw or adjust it at any time.

You can also disable the use of cookies at any time via your browser settings or delete already stored cookies. Please note that disabling essential cookies may limit the functionality of the website.

To manage your cookie preferences, we use a so-called consent tool (“cookie banner”), which is displayed when you first visit our website. Through this tool, you can view, modify, or withdraw your consent at any time. A corresponding link can be found in the footer of our website under “Cookies.”

We distinguish between the following categories:

For detailed information on the services and providers used, please refer to the following sections of this Privacy Policy.

We use the web analytics service Google Analytics 4 (GA4) on our website, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). GA4 enables us to analyze how you use our website.

Nature and Scope of Processing

Google Analytics 4 uses technologies such as cookies and similar tools to track certain interactions on our website as so-called "events." The following types of information may be processed:

• Time spent on pages
• Interactions with content
• Technical information about your browser and device
• Referrer URL
• Your truncated IP address (anonymized)
• General location data (e.g., country or city level)

IP Anonymization

Your IP address is automatically shortened by Google within the EU or EEA before being transmitted to servers in the United States. This ensures that it cannot be directly linked to any individual. Full IP addresses are neither stored nor permanently processed.

Data Transfers to Third Countries

Information generated by GA4 may be transferred to servers operated by Google LLC in the United States. Google is certified under the EU-U.S. Data Privacy Framework. However, there remains a residual risk regarding access by U.S. authorities. To ensure an adequate level of data protection, we have entered into EU Commission–approved Standard Contractual Clauses (SCCs) with Google.

Purpose of Processing

Data processing is used to analyze user behavior on our website in order to improve our content, services, and technical infrastructure.

Legal Basis

Google Analytics 4 is used exclusively based on your explicit consent in accordance with Article 6(1)(a) GDPR in conjunction with Section 25(1) of the TDDDG. We obtain and document this consent via our consent management tool.

Retention Period

Collected data is automatically deleted after a maximum of 14 months. Data stored by Google is pseudonymized and cannot be linked to any specific individual by us.

Revocation and Opt-Out Options

You may withdraw your consent at any time via our consent management tool. Additionally, you can prevent Google Analytics from collecting your data by installing the following browser add-on: 
https://tools.google.com/dlpage/gaoptout?hl=de

Further Information

Google Privacy Policy: https://policies.google.com/privacy Google Analytics Terms of Service: https://marketingplatform.google.com/about/analytics/terms/de/

We use the web analytics tool Hotjar, operated by Hotjar Ltd., Level 2, St Julian’s Business Centre, 3 Elia Zammit Street, STJ 1000, Malta. Hotjar collects pseudonymized information about user behavior on our website, such as mouse movements, clicks, scrolling behavior, and time spent on pages. IP addresses are stored only in truncated form. It is not possible to identify individual users.

Nature and Scope of Processing

Hotjar captures pseudonymized user interactions, including mouse movements, clicks, scrolling behavior, and session duration. IP addresses are stored only in truncated form. No personal identification of users is possible. The processing is carried out using cookies and may involve third-party services such as Amazon Web Services, Google Analytics, or Optimizely.

Data Transfers to Third Countries

Some data may be processed on servers located outside the EU. Hotjar applies appropriate safeguards in accordance with Articles 44 et seq. GDPR.

Purpose of Processing

Hotjar is used to analyze user behavior and identify areas for improvement. The aim is to enhance user experience and increase satisfaction with our website.

Legal Basis

Processing is based on your consent pursuant to Section 25(1) of the TDDDG and Article 6(1)(a) GDPR, which is obtained and recorded via our consent management tool. You may withdraw your consent at any time. In certain cases, processing may also be based on Article 6(1)(b) GDPR (contract performance) or Article 6(1)(f) GDPR (legitimate interest), e.g., for error analysis.

Retention Period

Data is retained only for as long as necessary for analysis purposes – typically up to 365 days. If you withdraw your consent, no further data will be collected via Hotjar. However, data already collected may be retained until the end of the regular retention period or anonymized, where possible, unless legal retention obligations require longer storage.

Opt-Out and Withdrawal Options

You can withdraw your consent at any time with future effect via our consent tool. Alternatively, you can set an opt-out cookie using the following link: https://www.hotjar.com/legal/compliance/opt-out. If you delete your cookies, you may need to repeat the opt-out process.

Further Information

https://www.hotjar.com/legal/policies/privacy

We use the analytics technology of SalesViewer® GmbH, Bongardstraße 29, 44787 Bochum, Germany, on our website to analyze the usage behavior of companies and to optimize our online services in a targeted manner.

Nature and Scope of Processing

Using an embedded tracking code, shortened IP addresses are used to identify which companies visit our website. This information is matched with publicly available business data. IP addresses are pseudonymized at an early stage. It is not possible to draw conclusions about individual persons. No personal data such as names, email addresses, or phone numbers is processed.

Purpose of Processing

The purpose of the processing is to identify interested companies, improve our online offerings, and enable targeted outreach to potential business customers.

Legal Basis

Processing is based on our legitimate interest in the economic and targeted optimization of our online presence in accordance with Article 6(1)(f) GDPR.

Retention Period

The data is deleted as soon as it is no longer required for its intended purpose and no legal retention obligations prevent its deletion.

Opt-Out and Deactivation Option

You can object to the collection and storage of your data by SalesViewer at any time with future effect. To do so, please visit the following link: www.salesviewer.com/opt-out. An opt-out cookie will be set. If you delete your cookies, you may need to repeat the process.

We reserve the right to update this Privacy Policy to reflect changes in legal requirements or new features on our website.

Effective date of this Privacy Policy: May 8, 2025