PRIVACY POLICY.

1. Introduction

The following information is intended to provide you, as an “affected person”, with an overview of how we process your personal data and your rights under data protection laws. In general, you can use our website without providing any personal data. However, if you wish to use specific services offered by our company via our website, the processing of personal data may be necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we will generally obtain your consent.

The processing of personal data, such as your name, address, or email address, is always carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with the state-specific data protection regulations applicable to “SWAP (Sachsen) GmbH Verbundwerkstoffe”. Through this privacy policy, we would like to inform you about the scope and purpose of the personal data we collect, use and process.

We, as the party responsible for data processing, have implemented numerous technical and organizational measures to ensure the most comprehensive protection possible for the personal data processed through this website. However, internet-based data transmissions may inherently involve security vulnerabilities, meaning that absolute protection cannot be guaranteed. For this reason, you are free to provide us with your personal data through alternative means, such as by phone or mail.

Your side, too, can take simple and easy-to-implement steps to protect your data from unauthorized access by third parties. We would therefore like to offer you some tips on how to handle your data securely:

• Protect your account (login, user account, or customer account) and your IT system (computer, laptop, tablet, or mobile device) with strong passwords.
• Only you should have access to the passwords.
• Make sure you use your passwords only for one single account (login, user, or customer account).
• Do not use the same password for different websites, applications, or online services.
• Especially when using publicly accessible IT systems or those shared with others, it is essential that you log out after every session on a website, application, or online service.

2. Entity responsible for data processing (“data controller”)

The data controller within the meaning of the GDPR is:

SWAP (Sachsen) GmbH Verbundwerkstoffe

Gewerbering 7

09669 Frankenberg (Sachsen)

Deutschland

Representative of the data controller:

Dr. Udo Gassner

3. Data Protection Officer

You can contact the Data Protection Officer as follows:

Vetter Consulting

Datenschutz- und Informationssicherheitsberatung

Steve Vetter

Oschatzer Str. 46

01127 Dresden

Email: info@vc-datenschutz.de

Phone: +49 351/500 817 50

If you have any questions or suggestions regarding data protection, you can contact our Data Protection Officer directly at any time.

4. Definitions

This Privacy Policy is based on the terminology used by European legislators and regulators when enacting the General Data Protection Regulation (GDPR). Our Privacy Policy is intended to be easy to read and understand for the general public as well as for our customers and business partners. To ensure this, we would like to explain the terms used in advance.

In this Privacy Policy, we use the following terms, among others:

1. Personal Data

Personal data refers to any information relating to an identified or identifiable natural person. A natural person is considered identifiable if the person can be identified, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2. Data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the data controller (our company).

3. Processing

Processing means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, distribution, or any other form of making available, the alignment or combination, restriction, erasure, or destruction.

4. Restriction of processing

Restriction of processing refers to the marking of stored personal data with the aim of limiting its future processing.

5. Profiling

Profiling means any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

6. Pseudonymization

Pseudonymization is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures that ensure the personal data is not attributed to an identified or identifiable natural person.

7. Data processor

A processor is a natural or legal person, public authority, agency, or other organisation that processes personal data on behalf of the controller.

8. Recipient

A recipient is a natural or legal person, public authority, agency, or other organisation to whom personal data is disclosed, regardless of whether or not that entity is a third party. However, public authorities that may receive personal data in the course of a specific investigative mandate under Union law or the law of the Member States are not considered recipients.

9. Third party

A third party is a natural or legal person, public authority, agency, or other organisation other than the data subject, the controller, the processor, and the persons authorized to process the personal data under the direct authority of the controller or the processor.

10. Consent

Consent means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, expressed in the form of a statement or by a clear affirmative action, by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.

5. Legal basis for processing

Article 6(1)(a) of the GDPR (in conjunction with Section 25(1) of the TDDDG (formerly TTDSG)) serves as the legal basis for our company’s processing activities in which we obtain consent for a specific processing purpose.

If the processing of personal data is necessary for the performance of a contract to which you are a party – as is the case, for example, with processing operations required for the delivery of goods or the provision of other services or consideration – the processing is based on Article 6(1)(b) of the GDPR. The same applies to processing operations necessary for the implementation of pre-contractual measures, such as in cases of inquiries regarding our products or services.

If our company is subject to a legal obligation that requires the processing of personal data – such as to fulfil tax obligations – the processing is based on Article 6(1)(c) of the GDPR.

In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor got injured on our premises and their name, age, health insurance information, or other vital information had to be disclosed to a doctor, a hospital, or other third parties. In such cases, the processing would be based on Article 6(1)(d) of the GDPR.

Ultimately, processing operations may be based on Article 6(1)(f) of the GDPR. This legal basis applies to processing operations not covered by any of the aforementioned legal bases, provided that the processing is necessary to safeguard a legitimate interest of our company or a third party, unless the interests, fundamental rights, and freedoms of the data subject override those interests. We are permitted to carry out such processing operations in particular because they have been specifically mentioned by the European legislator. In this regard, the legislator took the view that a legitimate interest could be assumed if you are a customer of our company (Recital 47, Sentence 2 of the GDPR).

Our services are generally intended for adults. Persons under the age of 16 may not transmit any personal data to us without the consent of their parents or legal guardians. We do not request personal data from children and adolescents, do not collect such data, and do not disclose it to third parties.

6. Technology

6.1 SSL/TSL encryption

This site uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential information, such as orders, login credentials, or contact requests, that you send to us as the site operator. You can recognize an encrypted connection by the fact that the browser’s address bar displays “https://” instead of “http://” and by the lock icon in your browser’s address bar.

We use this technology to protect the data you transmit.

6.2 Data Collection When Visiting the Website

When you use our website solely for informational purposes – that is, if you do not register, do not otherwise provide us with information, or do not consent to processing activities requiring consent – we collect only data that is technically necessary to provide the service. This typically consists of data that your browser transmits to our server (in so-called server log files). Our website collects a range of general data and information each time you or an automated system accesses a page. This general data and information is stored in the server’s log files. The following may be collected:

1. browser types and versions used,
2. the operating system used by the accessing system,
3. the website from which an accessing system reaches our website (known as the referrer),
4. the subpages accessed on our website via the accessing system,
5. the date and time of access to the website,
6. a truncated Internet Protocol address (anonymized IP address), and
7. the Internet service provider of the accessing system.

We do not use this general data and information to identify you personally. Rather, this information is needed to

1. to deliver the content of our website accurately,
2. to optimize the content of our website and the advertising on it,
3. to ensure the ongoing functionality of our IT systems and the technology underlying our website, and
4. to provide law enforcement agencies with the information necessary for criminal prosecution in the event of a cyberattack.

We therefore analyse this collected data and information both for statistical purposes and with the aim of enhancing data protection and data security within our company, ultimately to ensure an optimal level of protection for the personal data we process. The anonymous data from the server log files is stored separately from any personal data provided by a data subject.

The legal basis for data processing is Article 6(1)(f) of the GDPR. Our legitimate interest arises from the purposes of data collection listed above.

6.3 Hosting with IONOS

Hosting by IONOS

The website is hosted by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur. When you visit the site, IONOS collects log files, including IP addresses. Data is processed in accordance with Article 6(1)(f) of the GDPR to ensure the reliable display of the website; or, if consent is provided, in accordance with Article 6(1)(a). [1]

Data Storage and Data Processing

Data processing is carried out as commissioned processing on servers within the EU, with data generally stored for 8 weeks. A data processing agreement has been concluded. Further details can be found in the IONOS Privacy Policy at https://www.ionos.de/datenschutzerklaerung.

7. Cookies

7.1 General Information About Cookies

Cookies are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our website.

The cookie stores information related to the specific device you are using. However, this does not mean that we thereby gain direct knowledge of your identity.

We use cookies to make your experience on our website more enjoyable. For example, we use so-called session cookies to recognize that you have already visited certain pages on our website. These are automatically deleted when you leave our site.

In addition, to optimize user-friendliness, we also use temporary cookies that are stored on your device for a specific, predetermined period of time. If you visit our site again to use our services, the system automatically recognizes that you have previously visited us and recalls the entries and settings you made, so you do not have to re-enter them.

We also use cookies to collect statistical data on the use of our website and to evaluate our offerings for the purpose of optimization. These cookies allow us to automatically recognize that you have previously visited our website when you return. The cookies set in this way are automatically deleted after a specified period of time. The specific storage duration of the cookies can be found in the settings of the consent tool used.

7.2 Legal basis for the use of cookies

The data processed by cookies that are necessary for the proper functioning of the website is therefore required to safeguard our legitimate interests and those of third parties pursuant to Article 6(1)(f) of the GDPR.

For all other cookies, you have given your consent via our opt-in cookie banner in accordance with Article 6(1)(a) of the GDPR.

7.3 Instructions for blocking cookies in common browsers

You can use your browser settings to delete cookies, allow only certain cookies, or disable cookies entirely at any time. For more information, please visit the support pages of the respective providers:

• Chrome: https://support.google.com/chrome/answer/95647?tid=311178978.
• Safari: https://support.apple.com/de-at/guide/safari/sfri11471/mac?tid=311178978.
• Firefox: https://support.mozilla.org/de/kb/cookies-und-website-daten-in-firefox-loschen?tid=311178978.
• Microsoft Edge: https://support.microsoft.com/de-de/microsoft-edge/cookies-in-microsoft-edge-l%C3%B6schen-63947406-40ac-c3b8-57b9-2a946a29ae09.

7.4 Real Cookie Banner (Consent Management Tool)

This website uses cookie consent technology (“Real Cookie Banner”) to obtain your consent to the storage of certain cookies on your device or to the use of certain technologies, and to document this in compliance with data protection regulations.

The provider of this technology is devowl.io GmbH, Tannet 12, 94539 Grafling.

The following personal data, among others, is transmitted to Real Cookie Banner:

• Your consent(s) or the withdrawal of your consent(s)
• Your IP address
• Information about your browser
• Information about your device
• The time of your visit to the website

In addition, Real Cookie Banner stores a cookie in your browser to associate the consents you have given – or their revocation – with your account. The data collected in this way is stored until you request that we delete it, delete the Real Cookie Banner cookie yourself, or the purpose for storing the data no longer applies. Mandatory legal retention requirements remain unaffected.

The functionality of the website cannot be guaranteed without this processing.

Real Cookie Banner is used to obtain the legally required consents for the use of certain technologies. The legal basis for this is Art. 6(1)(c) of the GDPR.

For more information about data processing by Devowl, please visit: https://devowl.io/de/wordpress-real-cookie-banner/.

8. Content on our website

8.1 Contact Us / Contact Form

When you contact us (e.g. via the contact form or email), personal data is collected. The specific data collected when using a contact form is indicated on the respective contact form. This data is stored and used exclusively for the purpose of responding to your inquiry or for establishing contact and the associated technical administration. The legal basis for processing the data is our legitimate interest in responding to your inquiry pursuant to Art. 6(1)(f) of the GDPR. If your contact is aimed at concluding a contract, the additional legal basis for processing is Art. 6(1)(b) of the GDPR. Your data will be deleted after your inquiry has been fully processed; this is the case when it can be inferred from the circumstances that the matter in question has been conclusively resolved and there are no legal retention obligations preventing deletion.

8.2 Privacy Notice for Job Applicants

In connection with your application, we process your personal data solely for the purpose of conducting and managing the application process. The legal basis for this is Article 6(1)(b) of the GDPR (processing for the purpose of entering into an employment relationship).

Your data will be treated as strictly confidential and will only be shared with those internally responsible for the selection process. Your data will not be transferred to third parties, unless we engage a data processor. In such cases, we work exclusively with carefully selected service providers who are contractually obligated under Article 28 of the GDPR to treat your data as confidential.

Your application documents will be stored for the duration of the selection process. After the application process is completed, we will delete your data no later than six months after notifying you of the decision, unless there is a legal obligation to retain the data or you have expressly consented to longer storage.

Rights of the data subject:
Under the GDPR, you have the right at any time to:

– Access your stored personal data (Art. 15 GDPR)

– Rectification of inaccurate or incomplete data (Art. 16 GDPR)

– Erasure of your data, provided there are no retention obligations (Art. 17 GDPR)

– Restriction of processing (Art. 18 GDPR)

– Objection to processing (Art. 21 GDPR)

– Data portability (Art. 20 GDPR)

We have appointed an external data protection officer, who can be reached at: www.vc-datenschutz.de or by email at info@vc-datenschutz.de

In addition, you have the right to file a complaint with a data protection supervisory authority. The competent authority is generally the supervisory authority in your place of residence or where our company is headquartered.

9. Our social media activities

To enable us to communicate with you on social media and keep you informed about our services, we maintain our own pages on these platforms. When you visit one of our social media pages, we are jointly responsible with the provider of the respective social media platform for the processing operations triggered thereby, within the meaning of Article 26 of the GDPR.

We are not the original provider of these pages but merely use them within the scope of the options offered to us by the respective providers.

Therefore, as a precaution, we would like to point out that your data may also be processed outside the European Union or the European Economic Area. Using these platforms may therefore involve data protection risks for you, as it may be difficult to exercise your rights – such as the right to access, erasure, or objection – and processing on social networks is often carried out directly by the providers for advertising purposes or to analyse user behaviour without us being able to influence this. If the provider creates usage profiles, cookies are often used, or your usage behaviour is linked to the social media profile you have created.

The processing of personal data described above is carried out in accordance with Article 6(1)(f) of the GDPR on the basis of our legitimate interest and the legitimate interest of the respective provider in communicating with you in a timely manner and informing you about our services. If you are required to provide consent to data processing as a user with the respective providers, the legal basis is Article 6(1)(a) of the GDPR in conjunction with Article 7 of the GDPR.

Since we do not have access to the providers’ data, we would like to point out that it is best to exercise your rights (e.g., to access, rectification, erasure, etc.) directly with the respective provider. We have listed further information regarding the processing of your data on social networks below for each social network provider we use:

9.1 Facebook

(Joint) Data Controller in Europe:

Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Unless you object, Meta (Facebook) may process content from adult users in the EU – such as photos, posts, or comments – to train its own AI models. This is based on a legitimate interest pursuant to Art. 6(1)(f) of the GDPR. As a company, we have no influence over this specific data processing by Meta. Users can object to this via an online form on the Meta platforms.

Privacy Policy (Data Policy):

https://www.facebook.com/about/privacy

9.2 Instagramm

(Joint) Data Controller in Germany:

Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Unless you object, Meta (Instagram) may process content from adult users in the EU – such as photos, posts, or comments – to train its own AI models. As a company, we have no influence over this specific data processing by Meta. The basis for this is a legitimate interest pursuant to Art. 6(1)(f) of the GDPR. Users can object to this via an online form on the Meta platforms.

Privacy Policy (Data Policy):

https://instagram.com/legal/privacy/

9.3 Linkedin

(Joint) Data Controller in Europe:

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

Privacy Policy:

https://www.linkedin.com/legal/privacy-policy

9.4 Pinterest

(Joint) Data Controller in Germany:

Pinterest Inc., 651 Brannan Street, San Francisco, CA 94107, USA.

Privacy Policy:

https://policy.pinterest.com/de/privacy-policy

9.5 YouTube

(Joint) Data Controller in Europe:

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Privacy Policy:

https://policies.google.com/privacy

10. Plugins and other services

10.1 (Whistleblower system)

Whistleblower System via WPForms

Nature and Scope of Processing
We use the WPForms plugin (provider: WPForms, LLC, 12127 Mall Rd, West Palm Beach, FL 33411, USA) on this website to provide a digital reporting system. When you submit a report via the form, the data you enter (e.g. details of the incident, documents, and optionally your name) will be processed.

Purpose and Legal Basis
Data processing is carried out for the purpose of receiving, documenting, and processing reports in accordance with the Whistleblower Protection Act (HinSchG). The legal basis is the fulfilment of a legal obligation pursuant to Article 6(1)(c) of the GDPR in conjunction with the provisions of the HinSchG (Section 10).

Measures to ensure anonymity
To protect your privacy, we have disabled the collection of IP addresses and user-agent data in the WPForms settings. Unless you voluntarily provide personal information, no technical data that could be used to identify you will be stored.

Retention period
The data will be stored for as long as necessary to process the report and prepare the subsequent documentation. In accordance with Section 11 of the HinSchG, the documentation is generally deleted three years after the conclusion of the proceedings, unless other legal provisions require it to be retained for a longer period.

Data transmission
The data remains on our server. It will only be disclosed to third parties if necessary for an internal investigation or due to a legal obligation (e.g., to law enforcement agencies).

The whistleblower system enables the submission, receipt, and investigation of reports in order to prevent and detect violations of applicable law or company policies and/or to take follow-up action.

The following data, among others, may be collected, provided that the report is not submitted anonymously:

• Information identifying the whistleblower, such as first and last name, address, phone number, and email address;
• Employment details;
• Information about the individual named in the report, such as first and last name, gender, address, phone number, and email address;
• Information regarding violations that may allow for the identification of a natural person.

The processing of data relating to the whistleblower’s personal identification is based on the legal obligation under the Whistleblower Protection Act (HinSchG) in accordance with Article 6(1)(c) of the GDPR.

If additional information regarding the employee’s status, information about the data subject, or other information that allows for the identification of natural persons is processed, this is done either to fulfill legal obligations under the Whistleblower Protection Act (HinSchG) pursuant to Art. 6(1)(c) of the GDPR or, in the case of the voluntary provision of a whistleblowing system, on the basis of a legitimate interest pursuant to Art. 6(1)(f) of the GDPR. Our legitimate interest consists in processing reports in order to be able to take follow-up measures.

10.2 Use of hCaptcha

We use the hCaptcha service on our website, provided by Intuition Machines, Inc. (IMI), 350 Alabama St, San Francisco, CA 94110, USA.

Purpose of processing:

hCaptcha is used to verify whether entries on our website (e.g., in a contact form or during login) originate from a human or an automated program (bot). To do this, hCaptcha analyses the website visitor’s behaviour based on various characteristics to prevent abuse and spam. [1]

Data processing:

As soon as you visit a page with hCaptcha, personal data is transmitted to IMI. This includes: [1]

The user’s IP address

Time spent on the website

Mouse movements

Browser information and device data [1]

Legal Basis:

The use of hCaptcha is based on our legitimate interest pursuant to Article 6(1)(f) of the GDPR to protect our website from automated scraping, spam, and abuse. [1]

Data Transfer to the U.S.:

The collected data is transferred to servers operated by Intuition Machines, Inc. in the United States. Intuition Machines, Inc. is certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection. In addition, standard contractual clauses are used to legitimize the data transfer. [1, 2, 3]

Retention Period & Objection:

Further information about the processing of data by hCaptcha and hCaptcha’s privacy policy can be found at: https://www.hcaptcha.com/privacy.

11. Your rights as a data subject

11.1 Right to Confirmation

You have the right to request confirmation from us as to whether we are processing personal data concerning you.

11.2 Right of access (Art. 15 of the GDPR)

You have the right to request, at any time and free of charge, information from us regarding the personal data we have stored about you, as well as a copy of that data, in accordance with applicable laws.

11.3 Right of rectification (Art. 16 of the GDPR)

You have the right to request the correction of inaccurate personal data concerning you. You also have the right to request that incomplete personal data be completed, taking into account the purposes of the processing.

11.4 Erasure (Article 17 of the GDPR)

You have the right to request that we delete your personal data without delay, provided that one of the grounds specified by law applies and the processing or storage of such data is not necessary.

11.5 Restriction of processing (Article 18 of the GDPR)

You have the right to request that we restrict the processing of your personal data if any of the legal requirements are met.

11.6 Data Portability (Article 20 of the GDPR)

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller to whom the personal data has been provided, without hindrance from us, provided that the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR, and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Furthermore, when exercising your right to data portability pursuant to Article 20(1) of the GDPR, you have the right to have the personal data transmitted directly from one controller to another controller, provided this is technically feasible and does not infringe upon the rights and freedoms of others.

11.7 Right to object (Article 21 of the GDPR)

You have the right to object at any time, on reasons relating to your particular situation, to the processing of personal data that is carried out pursuant to Article 6(1)(e) (data processing in the public interest) or (f) (data processing based on a balancing of interests) of the GDPR.

This also applies to profiling based on these provisions within the meaning of Article 4(4) of the GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defence of legal claims.

In certain cases, we process personal data for the purpose of direct marketing. You may object at any time to the processing of your personal data for such marketing purposes. This also applies to profiling to the extent that it is related to such direct marketing. If you object to the processing of your personal data for direct marketing purposes, we will no longer process your personal data for these purposes.

In addition, you have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you that we carry out for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

You are free to exercise your right to object in connection with the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures that use technical specifications.

11.8 Withdrawal of consent under data protection law

You have the right to withdraw your consent to the processing of personal data at any time, with effect for the future.

11.9 Complaint to a regulatory authority

You have the right to file a complaint with a data protection supervisory authority regarding our processing of personal data.

12. Routine storage, deletion and blocking of personal data

We process and store your personal data only for as long as is necessary to fulfil the purpose of storage or as required by the laws to which our company is subject.

If the purpose of storage no longer applies or a mandatory retention period expires, the personal data will be routinely blocked or deleted in accordance with legal requirements.

13. Retention period for personal data

The criterion for determining how long personal data is stored is the applicable statutory retention period. Once this period has expired, the relevant data is routinely deleted, provided it is no longer necessary for the performance or initiation of a contract.

14. Updates and Changes to the Privacy Policy

This Privacy Policy is currently in effect and is dated May 2026.

As our website and services evolve, or due to changes in legal or regulatory requirements, it may become necessary to amend this Privacy Policy. You can view and print the most current version of the Privacy Policy at any time on our website at “https://swap-sachsen.com/datenschutz/”.

This privacy policy was created with the support of the data protection software: VC Data Security Manager.