Privacy Policy
Translation notice: This English version is provided for reader convenience. The legally binding version is the German original (“Datenschutzerklärung”) at /datenschutz. In case of discrepancies between the German and English text, the German version prevails.
Privacy Policy for the website and B2B web shop of Mate iT GmbH
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Mate iT GmbH
Authorised representative: Managing Director Matthias Grdan
Karlsruher Straße 17
78048 Villingen-Schwenningen
Germany
Phone: +49 (0) 7721 807 8009
Email: team@mateit.de
Web: https://www.mateit.de
2. Data Protection Officer
To the extent legally required, we have appointed a Data Protection Officer. You can reach them at:
Data Protection Officer of Mate iT GmbH
Menschen, Computer und Systeme GmbH
Email: datenschutz@mateit.de
Postal address as above with the addition “Datenschutzbeauftragter”
3. General information on data processing
3.1 Scope and purpose of processing
We process personal data of website visitors, prospects, and customers to the extent necessary
- to provide our website,
- to operate the closed B2B web shop,
- to respond to inquiries,
- for contract initiation and performance,
- for IT security,
- to fulfil legal obligations,
- and — where permissible — for marketing and analytics purposes.
Personal data is any information relating to an identified or identifiable natural person (e.g. name, contact details, IP address).
Our website and B2B web shop are primarily addressed to businesses (B2B). The protection of personal data of natural persons (e.g. contact persons of our customers, website visitors) applies regardless.
3.2 Legal bases
We process personal data based on the GDPR, in particular:
- Art. 6 (1) (b) GDPR — performance of a contract / pre-contractual measures
- Art. 6 (1) (c) GDPR — legal obligations (e.g. commercial and tax retention)
- Art. 6 (1) (f) GDPR — legitimate interests (e.g. IT security, error analysis, spam defence)
- Art. 6 (1) (a) GDPR — consent (e.g. for certain cookies, tracking, newsletters, marketing)
For storing and reading information on end devices (e.g. cookies), the requirements of § 25 TDDDG (formerly TTDSG) apply additionally.
3.3 Categories of data subjects
- Visitors of our website
- Registered users of the B2B web shop
- Contact persons of our customers and suppliers
- Prospects, newsletter subscribers
4. Your rights (data subject rights)
Under GDPR you have, in particular, the following rights:
- Access (Art. 15 GDPR) to the personal data we process
- Rectification (Art. 16 GDPR) of inaccurate or incomplete data
- Erasure (Art. 17 GDPR), where no retention obligations apply
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR), where applicable
- Objection (Art. 21 GDPR) to certain processing operations
- Withdrawal of consent (Art. 7 (3) GDPR) with effect for the future
- Right to lodge a complaint (Art. 77 GDPR) with a data protection supervisory authority
To exercise your rights, an informal notice to the contact details above is sufficient.
5. Hosting and server log files
5.1 Hosting
Our website and B2B web shop are operated by an external service provider (host). Personal data collected on our websites is processed on the host’s servers, in particular:
- IP addresses
- access timestamps
- pages/files accessed
- browser type/version, operating system
- referrer URL
- other technical protocol data, if applicable
The host is engaged on the basis of Art. 6 (1) (f) GDPR (legitimate interest in secure, fast, and efficient delivery of our online offering) and Art. 28 GDPR (order processing).
5.2 Server log files
When our website is accessed, server log files are automatically recorded. This data is technically necessary
- to deliver the website,
- to ensure stability and security,
- to analyse attacks and disruptions.
This data is not merged with other data sources unless there is specific cause (e.g. suspicion of abuse).
Retention: typically 7–30 days, then deletion or anonymisation.
Legal basis is Art. 6 (1) (f) GDPR (legitimate interest in technical functionality, security, and optimisation of the website).
6. Cookies and consent management
6.1 Use of cookies
We use cookies and comparable technologies on our website. We distinguish:
- Strictly necessary cookies: Necessary for the operation of the website (e.g. login, shopping cart, session ID). Permitted without consent (§ 25 (2) TDDDG).
- Optional cookies (statistics, comfort, marketing): Set only if you have given prior consent (§ 25 (1) TDDDG, Art. 6 (1) (a) GDPR).
6.2 Consent management tool
On your first visit, a cookie banner is displayed. There you can:
- choose whether to accept only necessary cookies, or
- additionally consent to optional cookies,
- modify or revoke your selection at any time afterwards.
7. Contact
If you contact us by email, phone, or via contact forms, we process your information to handle your request.
Legal basis:
- Art. 6 (1) (b) GDPR for contractual relationships
- Art. 6 (1) (f) GDPR (legitimate interest) in other cases
Retention: as long as necessary for processing, plus statutory retention periods (6–10 years).
8. Customer account and B2B web shop
To use our closed B2B web shop, you need a customer account. Access is granted only to business customers by invitation or activation.
During registration we process: company name, address, contact person, contact details, login credentials, and VAT ID where applicable.
Legal basis: Art. 6 (1) (b) GDPR (contract initiation/performance).
9. Newsletter
If we offer a newsletter, we use a double opt-in procedure. You will receive an email with a confirmation link.
Legal basis: your consent, Art. 6 (1) (a) GDPR.
Withdrawal: at any time via the “unsubscribe” link in every newsletter.
10. Study download (lead magnet)
When you request a study from our website (e.g. “Mid-Market ERP Study 2026”), we process the following personal data:
- Email address (required)
- Company name (required)
- Employee size band (required; 1–10, 11–50, 51–200, 200+)
- First and last name (optional)
The legal basis is Art. 6 (1) (b) GDPR (pre-contractual measure — you actively request a service) and your consent under Art. 6 (1) (a) GDPR via the explicit checkbox in the request form.
Processing purpose:
- Creation and delivery of the personalised download link (HMAC-signed token, valid 7 days)
- Sending a confirmation email with the download link
- Lead qualification within Mate iT GmbH’s sales process
- Follow-up contact in the event of a subsequent inquiry
Retention:
- Lead record (email, company, employee size, name if provided): max. 24 months from the request date. Earlier erasure on your request.
- Email-delivery logs at processor Resend: 30 days.
- Token: not persisted — cryptographically derived from your email address, study slug, and a server-side secret, with an expiration date (7 days).
Recipients: Email infrastructure is operated by Resend, Inc. (San Francisco, USA) as a processor. There is a DPA under Art. 28 GDPR with Resend; Resend is certified under the EU-US Data Privacy Framework. Resend processes only the data required for email delivery and deletes them after 30 days. See resend.com/privacy.
No newsletter: We do not use your request for newsletter sending or other marketing. After the download link, at most one single follow-up email is sent after 14 days asking if any questions are open — no drip sequence, no list intake.
11. Recipients and data transfers
We pass personal data on to third parties only insofar as this is necessary for contract performance, is legally required, is carried out by processors, or you have consented.
Typical recipients: IT service providers, shipping companies, payment service providers, tax advisors.
For transfers to third countries (e.g. USA) we observe the requirements of the GDPR (EU-US DPF, Standard Contractual Clauses).
12. Retention periods
- Website / log data: 7–30 days
- Customer account / contract data: statutory retention (6–10 years)
- Newsletter data: until withdrawal
- Study lead data: max. 24 months from request
13. Data security
We take appropriate technical and organisational measures (TOMs):
- Encryption of data transmission (TLS/HTTPS)
- Access restrictions and role/rights management
- Regular updates and security patches
- Backup procedures
- Logging and monitoring
14. Changes to this Privacy Policy
We reserve the right to adapt this Privacy Policy if the legal situation changes or new services are introduced.
Status: November 2025