Privacy policy

We will inform you below about what happens to your personal data when you visit our website. Personal data is all data that can be related to you personally, such as name, address, e-mail addresses or usage behaviour. In this way, we would like to inform you about our processing activities and at the same time fulfil our legal obligations, in particular those arising from the EU General Data Protection Regulation (GDPR).

The privacy policy for our website is organised in a modular way. To find the parts that are relevant to you, please refer to the following overview, which shows a breakdown of the privacy policy:
 

Part | Designation | For you this part is …
A | General information | … always relevant.
B | Websites, SaaS products and e-mail marketing | … relevant if you use one of our websites (including landing pages and social media sites) or one of our SaaS products or are the recipient of our e-mail marketing.
C | Business partners | … relevant if you want to work with us as a service provider, supplier or similar partner, are already in an ongoing business relationship with us or have been in the past.
D | Applicants | … relevant if you are applying for a job with us.

Part A – General information

1. Controller

The controller pursuant to Article 4(7) GDPR is Xempus AG, Arnulfstr. 126, 80636 Munich, Germany (Imprint). Our data protection team and our data protection officer can be contacted by e-mail at datenschutz@xempus.com or by post, stating “Data protection team” as a reference.

2. Data security

We use suitable technical and organisational security measures to protect your data. These security measures are continuously improved in line with technological developments.

3. Cooperation with processors

In some cases, we use external service providers to process your data. These are carefully selected by us, are bound by our instructions and are regularly inspected.

4. Conditions for the transfer of personal data to third countries

In the context of our website, your personal data may be shared with or disclosed to third-party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. We will inform you about the respective details of such disclosure at the relevant points below.

The European Commission certifies that some third countries have a level of data protection comparable to the EEA standard by means of so-called adequacy decisions. However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. Where this is the case, we ensure that data protection is adequately guaranteed. This is possible via binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognised codes of conduct.

5. No automated decision making (including profiling)

We do not intend to use personal data collected from you for automated decision making (including profiling).

6. No obligation to provide personal data

In principle, we do not make the conclusion of contracts with us dependent on you providing us with personal data in advance. As a user, you are under no legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain services to a limited extent or not at all if you do not provide the necessary data. If this is the case within the context of our website, you will be informed of this separately.

7. Storage period

Unless an explicit storage period is specified, your personal data will be deleted or blocked as soon as the purpose or legal basis for storage no longer applies.

However, data may be stored beyond the specified period in the event of an (impending) legal dispute with you or other legal proceedings or if storage is provided for by statutory provisions to which we are subject as the controller (Section 257 of the German Commercial Code (HGB), Section 147 of the German Fiscal Code (AO)). If the storage period prescribed by the statutory provisions expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.

8. Minors

Our website offer is not aimed at children and young people under the age of 16. If you have not yet reached the age of 16, do not use our offer and do not transmit any personal data to us. If you have submitted personal data to us even though you are under the age of 16, please have a parent or guardian contact us.

9. Your rights

9.1 Rights of data subjects

As the data subject, you have the following rights vis-à-vis the controller with regard to personal data concerning you:

  • Right to information
  • Right to rectification or erasure
  • Right to restriction of processing
  • Right to object to processing
  • Right to data portability

9.2 Revocation of consent

If you have given us consent to process your data, you can withdraw this consent at any time with effect for the future by sending us an informal message, for example by e-mail to widerruf@xempus.com. The legality of the data processing carried out until consent is withdrawn remains unaffected by any revocation.

9.3 Right of appeal

In the event of breaches of data protection law, the data subject also has a right of appeal to the competent supervisory authority. The supervisory authority responsible for us is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 27 (Schloss), 91522 Ansbach, Germany.

10. Your right to object

10.1 Right to object to processing based on a legitimate interest

If we base the processing of your personal data on a legitimate interest in accordance with Article 6(1)(f) GDPR, you may object to the processing at any time on grounds relating to your particular situation. This also applies to profiling based on this provision.

10.2 Right to object to direct marketing

If we process your personal data for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing. This also applies to profiling insofar as it is associated with such direct marketing.

Part B – Websites, SaaS products and e-mail marketing

1. Introduction

Websites (including landing pages and social media sites) and SaaS products are hereinafter also referred to collectively as the “online offer”.

2. Online offer

The following points listed in this section apply equally to all our online offers.

2.1 Log data

When using our online offer purely for information purposes, your browser automatically transmits the following data to us:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Time of the server request
  • IP address

The web server used in conjunction with our online offer stores this information in log files.

The legal basis for this processing is the legitimate interest pursuant to Article 6(1)(f) GDPR to operate our online offer professionally and securely.

2.2 Processing of data from your end devices (“cookie policy”)

When using our online offer, technical aids for various functions, in particular cookies, may be stored on your end device. When you access our online offer and at any time thereafter, you can choose to allow the setting of cookies in general or decide which individual additional functions you would like to select. You can make changes in your browser settings or via our website under the menu item Cookie Preferences.

Cookies are small text files that are stored by your browser on your hard drive and which provide certain information to the website that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer. They serve to make the website more user friendly and effective overall.

You can configure your browser settings according to your preferences and refuse to accept individual or all cookies. We would like to point out that you may then not be able to use all functions of our online offer.

Cookies that are required to carry out the electronic communication process or to provide certain functions that you have requested are stored on the basis of Article 6(1)(f) GDPR. The basis for this is the legitimate interest in storing cookies for the technically correct and optimised provision of our online offer.

If cookies are also used for other purposes (e.g. tracking cookies to analyse your surfing behaviour), these are dealt with in the corresponding section of the privacy policy. The following types of cookies can generally be used on this website:

Session cookies

Session cookies are absolutely necessary to guarantee essential functions of the online offer. Without these, the website cannot be used as intended. Session cookies are deleted once you have finished using the online offer. Your consent to the use of these cookies is not required.

Performance cookies

Performance cookies record how visitors use our online offer, for example which pages are most frequently accessed by users and whether error messages are displayed. These cookies do not store any further information. They are used exclusively to increase user-friendliness and to customise the website more specifically to the user. This data is also stored exclusively in anonymised form. The cookies have a lifetime of 13 months.

Marketing cookies

Marketing cookies are used to present the user with customised and relevant marketing content. Enable the use of marketing cookies to customise marketing content to your needs and display relevant content. Select “Allow cookies” in your browser to make the best possible use of cookies for this online offer. You can use the “Cookie settings” option to manage or switch off the use of cookies yourself. You can revoke your consent at any time.

2.3 Consent management platform

This online offer uses the consent management of Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany. The purpose of this service is to enable you to manage your consent simply and transparently and thereby fulfil our legal obligations. The legal basis for this use is Article 6(1)(c) GDPR in order to operate our online offer in a legally compliant manner, in particular in compliance with data protection regulations.

For this purpose, we have concluded a corresponding order processing agreement (Art. 28 GDPR) with the service provider, in which we oblige the service provider to handle the transmitted data with due care.

2.4 Registration

The legal basis for the processing of personal data during registration is Article 6(1)(b) GDPR for implementation of pre-contractual measures taken in response to your enquiry. In addition, in accordance with Article 6(1)(f) GDPR, the controller has a legitimate interest in identifying the users of the portal and thus making it possible to operate a system based on user accounts and clients. Disclosure to third parties or processing for another purpose will only take place in the cases prescribed by law or if we are otherwise authorised to do so in relation to you, for example in the case of your consent.

2.5 Customer management

This online offer uses the CRM platform of salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, Germany. The data you provide as part of the registration process, when subscribing to e-mail marketing or when contacting us will also be processed on this CRM platform. The purpose is to process your enquiries faster and more professionally and to further improve our customer relationship management. We have a legitimate interest in this pursuant to Article 6(1)(f) GDPR.

To this end, we have concluded a corresponding order processing agreement (Art. 28 GDPR) with salesforce, in which we oblige salesforce to handle the transmitted data with due care and not to pass it on to third parties who are not affiliated with salesforce as a company, and only to the extent that it is ensured that the data processed on our behalf remains within the scope of the GDPR (EU/EEA).

2.6 Statistics and analysis of product usage (general)

When you register with our online offer, we will analyse your product usage. The results of this analysis are used solely to optimise your user experience and that of other users and to further develop our website. We will not pass on the results to third parties without a legal basis, for example your consent. The basis for the analysis of your product usage is our legitimate interest in the optimised provision of our website in accordance with Article 6(1)(f) GDPR, from which you and our other website users can benefit.

The data collected from you will be pseudonymised as soon as the purpose of processing allows it and deleted from our servers at the latest when the purpose of processing ceases to apply.

You can object to this analysis for reasons relating to your particular situation at any time with effect for the future, for example by e-mail to widerruf@xempus.com.

2.7 Hosting providers used for the online offer

We use the following companies in order to provide you with our online offer. For this purpose, we require computing capacity, disk space and database services as well as technical maintenance services.

As the controller, we have a legitimate interest in the use of these services to ensure the technically correct and optimised provision of our online offer in accordance with Article 6(1)(f) GDPR. Within the scope of hosting, we process inventory, contact, content, contract, usage, meta and communication data of users of our online offer. We have concluded a corresponding order processing agreement (Art. 28 GDPR), in which we oblige the hosting provider to handle the transmitted data with due care and not to pass it on to third parties.

2.7.1 The unbelievable Machine Company GmbH, Grolmanstr. 40, 10623 Berlin, Germany

2.7.2 HostPress GmbH, Bahnhofstraße 34, 66571 Eppelborn, Germany

2.7.3 Host Europe GmbH, Hansestraße 111, 51149 Cologne, Germany

2.7.4 ORACLE Deutschland B.V & Co. KG, Riesstraße 25, 80992 Munich, Germany

2.7.5 salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, Germany

3. Other services used for the online offer

3.1 Managed through our consent management platform

3.2 Two-factor authentication

You can increase the security of your user account by activating two-factor authentication (2FA). If you choose 2FA and opt to receive a one-time login code via SMS, our website uses the services of Messagebird, a service of MessageBird B.V., Trompenburgstraat 2C, 1079 TX Amsterdam, Netherlands, to send you this code to the mobile phone number you have provided. You can find Messagebird’s privacy policy at: https://www.messagebird.com/de/legal/privacy/

3.3 Mailing

For mailing, we use the services of Binect GmbH, Brunnenweg 17, 64331 Weiterstadt, Germany, to ensure that mail items are created efficiently and securely and dispatched correctly. As the controller, we have a legitimate interest in the use of these services in accordance with Article 6(1)(f) GDPR. Inventory, contact, content, contract, usage, meta and communication data of our website users may be processed as part of the mailing process. We have concluded a corresponding order processing agreement (Art. 28 GDPR), in which we oblige the processor to handle the transmitted data with due care and not to pass it on to third parties.

3.4 XEMPUS bAV check

Prior to conclusion of a corporate pension, our corporate pension (bAV) calculator will help you to get a better picture of the topic of company pension schemes. Our bAV calculator therefore essentially aims to reflect your personal pension situation. In order to ensure that the calculation result is a good approximation of your personal circumstances, you therefore have to specify some key parameters (e.g. age, tax class or monthly gross income). If you do not provide this information, default values will be used in the bAV calculator, which may only coincidentally correspond to your personal situation.

If you enter the key parameters in the bAV calculator, your information will be processed for the purpose of an approximate calculation of your personal pension situation.

The data entered in the bAV calculator is processed on the basis of Article 6(1)(b) GDPR for implementation of pre-contractual measures taken in response to your enquiry. Disclosure to third parties or processing for another purpose will only take place in the cases prescribed by law or if we are otherwise authorised to do so in relation to you, for example in the case of your consent.

We will retain the data you enter in the bAV calculator until you ask us to delete it or until the purpose of processing no longer applies (e.g. after you have finished using the bAV calculator). Mandatory statutory provisions – in particular retention periods – remain unaffected.

3.5 XEMPUS bAV calculator for employees

Before you inform your employer of your wish for a corporate pension (bAV), our bAV calculator should help you to get a better picture of the subject of company pension schemes. Our bAV calculator therefore essentially aims to reflect your personal pension situation and show you how a corporate pension can affect your pension situation. In order to ensure that the calculation result is a good approximation of your personal circumstances, some key parameters (e.g. age, tax class, health insurance, federal state, number of children, monthly gross income, your contribution to the corporate pension or existing corporate pension schemes) must be available. If this information is not available, default values are initially used in the bAV calculator, which may only coincidentally match your personal situation. If you decide to carry out a precise calculation and enter the necessary data, we will forward this to the pension provider’s tariff calculator in order to receive a detailed offer from them. On the basis of this calculation result, you can then submit your desired corporate pension to your employer.

The data entered in the bAV calculator is processed on the basis of Article 6(1)(b) GDPR for implementation of pre-contractual measures taken in response to your enquiry.

We will retain the data you enter in the bAV calculator until you ask us to delete it or until the purpose of processing no longer applies. Mandatory statutory provisions – in particular retention periods – remain unaffected.

4. Websites (including landing pages and social media sites)

4.1 Domain xempus.com

The content of this domain is provided with the help of the company named in Section 2.7.2 and the following services are used in addition to Section 2:

XEMPUS bAV check, as described in Section 3.4.

4.2 Domain welcome.xempus.com

The content of this domain is provided with the help of the company named in Section 2.7.3 and the following services are used in addition to Section 2:

4.3 Domain videoberatung.xempus.com

The content of this domain is provided with the help of the company named in Section 2.7.3 and the following services are used in addition to Section 2:

4.4 Domain connected.xempus.com

The content of this domain is provided with the help of the company named in Section 2.7.3 and the following services are used in addition to Section 2:

4.5 Domain help.xempus.com

The content of this domain is provided with the help of the company named in Section 2.7.3 and the following services are used in addition to Section 2:

4.6 Domain community.xempus.com

The content of this domain is provided with the help of the company named in Section 2.7.3 and the following services are used in addition to Section 2:

4.7 Landing pages of bAVnet

The content of this domain is provided with the help of the company named in Section 2.7.3 and the following services are used in addition to Section 2:

4.8 Social media sites

We maintain the following social media channels:

4.8.1 https://www.linkedin.com/company/xempus-ag

4.8.2 https://www.xing.com/pages/xempus

4.8.3 http://www.facebook.com/xempus.vorsorge

4.8.4 https://twitter.com/XempusAG

4.8.5 https://www.youtube.com/channel/UCf9rku7ISyeahcfbR08omQA

4.8.6 http://www.kununu.com/de/xempus

5. SaaS products

5.1 XEMPUS manager

XEMPUS manager is our SaaS solution for employers for simple policy management and handling of pension, life and health insurance processes. You can easily recognise that you are currently using XEMPUS manager by the reference to the “XEMPUS premium products” in the footer of the page. XEMPUS manager is provided with the help of the company named in Section 2.7.1 and the following services are used in addition to Section 2:

Two-factor authentication, as described in Section 3.2.
Mailing, as described in Section 3.3.

5.2 XEMPUS advisor

XEMPUS advisor is our SaaS solution for agents to support advising employers and employees on pension, life and health insurance. You can easily recognise that you are currently using XEMPUS advisor by the fact that the product name “XEMPUS advisor” or “bAVberater” is explicitly mentioned in the footer of the page. XEMPUS advisor is provided with the help of the company named in Section 2.7.1 and the following services are used in addition to Section 2:

Two-factor authentication, as described in Section 3.2.

5.3 myXEMPUS

myXEMPUS is our SaaS product for employees on all aspects of pension, life and health insurance. You can easily recognise that you are currently using myXEMPUS by the fact that the address you have called up begins with my.xempus.com. myXEMPUS is provided with the help of the company named in Section 2.7.1 and the following services are used in addition to Section 2:

Two-factor authentication, as described in Section 3.2.

XEMPUS bAV calculator for employees, as described in Section 3.5.

6. E-mail marketing

6.1 E-mail marketing with your consent

With your consent, we will address you personally by e-mail to send you information (e.g. on news, promotions, events or surveys) about our company, its services and products and on the subject of pension, life and health insurance. In particular, this includes our newsletter or else e-mails for other reasons, such as the release of new product features, a new tutorial on the product or information on our current promotions and offers.

Legal basis

Data processing with regard to this e-mail communication is based on your consent in accordance with Article 6(1)(a) GDPR, Article 7 GDPR in conjunction with Section 7(2) No. 2 of the German Unfair Competition Act (UWG).

Your consent is saved and logged by us using the double opt-in process in order to be able to prove your consent in the event of doubt. The logging, in particular of the time of consent and the time of confirmation of your consent, is carried out on the basis of Article 6 (1)(f) GDPR. Accordingly, we have a legitimate interest in ensuring secure and legally compliant e-mail communication in order to prevent or stop any misuse and so as not to inconvenience third parties.

You can revoke your consent at any time or unsubscribe from our e-mail communication. We provide a link for this purpose in each of these e-mails. Alternatively, you can also opt out of receiving such e-mails in the future at any time by sending us an informal declaration, for example by e-mail to widerruf@xempus.com. The legality of the data processing operations that have already taken place remains unaffected by revocation or deregistration.

Storage period

The data you provide us with for the purpose of receiving these e-mails will be stored by us until you unsubscribe or withdraw your consent and will then be deleted both from our servers and from the servers of a service provider used by us. Data that we store for other purposes remains unaffected by this.

For example, we may store your e-mail address for up to four years on the basis of our legitimate interest so that we can prove that you have previously given your consent. The processing of this data is limited to the purpose of a possible defence against claims. The data will be deleted once the purpose of processing no longer applies. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed to us at the same time.

6.2 E-mail marketing to registered users

From time to time, we will inform our registered users by e-mail about Xempus AG’s own similar products and services. We have a legitimate interest in this pursuant to Article 6(1)(f) GDPR, which means that we can, for example, send you information about Xempus AG products to the e-mail address you provided during registration (Section 7(3) of the German Unfair Competition Act (UWG)).

You can object at any time to this use of your e-mail address by sending us an informal message, for example by e-mail to widerruf@xempus.com. Alternatively, you can also use the link provided for this purpose in the e-mail we send you. At no time will your objection incur any costs other than the transmission costs according to the basic tariffs.

6.3 E-mail marketing with Eloqua

We use the marketing automation software “Eloqua” from the provider Oracle to send e-mails. Our contractual partner is ORACLE Deutschland B.V & Co. KG, Riesstraße 25, 80992 Munich, Germany; the application is operated in data centres in the EU. You can view ORACLE’s privacy policy at https://www.oracle.com/de/legal/privacy/.

Eloqua is used to prepare, send, track and analyse marketing e-mails in order to determine whether our e-mails are opened and which links are clicked. The application will only be used if consent has been given. With regard to the tracking of marketing e-mails, the tracking data collected is only linked to the e-mail address and the website tracking data. The analysis helps us to technically improve the sending of e-mails and to adapt the content of the e-mails even better to your interests and the interests of readers in general in the future. Reference is made to the existing rights of the user. If you do not wish to be tracked within our marketing e-mails, you must cancel the e-mail subscription.

Part C – Business partners

If you have a business relationship with us as a contractual partner, service provider or supplier, we also use the following services to ensure smooth communication with you:

Services used

Part D – Applicants

If you are applying for a job with us, please note the following information:

Application procedure

The job adverts included on our website via an iframe from the external provider Personio are linked with our online application procedure, for which a separate privacy policy is available.

If you do not use this online application procedure and apply to us directly by e-mail, for example as part of an unsolicited application, we will collect and process your personal data for the purpose of handling the application procedure. The legal basis for this is Article 6(1)(b) GDPR for implementation of pre-contractual measures taken in response to your enquiry.

Privacy policy of Xempus AG – Version dated 15 September 2022