Privacy Policy


1. Data Controller

The controller within the meaning of data protection laws (GDPR and Swiss revDSG) for this website is OBJECT ECM GmbH, Hohe Bleichen 12, 20354 Hamburg, Germany. OBJECT ECM AG, Albisriederstrasse 252, 8047 Zurich, Switzerland operates object.ch together with its subsidiary OBJECT ECM GmbH to serve visitors from Germany, Austria, and Switzerland.

Contact: [email protected], Tel. +49 40 79769100 (DE) / +41 44 2402266 (CH).

Data Protection Officer: DATA-ORG GmbH, Mr. Jürgen Maurer, Gottlieb-Daimler-Str. 5, 78467 Konstanz, Germany (E-Mail: [email protected]).

This privacy policy applies to the website object.ch as well as any other online offerings of OBJECT ECM in the DACH region. We treat personal data confidentially and in accordance with applicable data protection regulations (EU GDPR, Swiss DSG).

2. General Data Processing When Visiting the Website

Server Logfiles: When visiting our website purely for informational purposes (without registration or transmission of information), certain general access data is automatically collected. Our web server (or hosting provider) logs, for example: the accessed page, date and time, amount of data transferred, message about successful retrieval, browser used and version, operating system, previously visited page (referrer URL), and IP address of the requesting device. We need this information to deliver the website to your device, ensure the stability and security of our systems, and for administrative purposes. We do not merge this data with other data and do not draw conclusions about your identity. IP addresses are also processed only in truncated/anonymized form, if stored in logs. Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in technical provision and security) and Art. 31 para. 2 lit. a revDSG. Server log data is usually deleted automatically after 7 days, unless security incidents require a longer retention period.

Content Delivery Network (Cloudflare): We use the service Cloudflare (Cloudflare, Inc., USA / Cloudflare Germany GmbH, Munich) to secure and accelerate the delivery of our website. All data transmissions between your browser and our website are routed through Cloudflare’s global server network. Cloudflare processes the IP address of the requesting device in server log files, among other things, to protect against attacks and optimize performance. Cloudflare acts as a data processor for us (Art. 28 GDPR); we have signed a contract including EU Standard Contractual Clauses. Data processing is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in secure and efficient provision of our online offering. Your IP address is stored by Cloudflare only as long as necessary for security reasons; there is no permanent storage. Cloudflare is certified under the EU-U.S. Data Privacy Framework (DPF), ensuring an adequate level of data protection for transfers to the USA. Where applicable, data is processed within the EU or transmitted only to Cloudflare data centers in countries with adequate data protection. For more information on Cloudflare's data protection, visit cloudflare.com and Cloudflare DPA.

3. Cookies and Consent Management

Our website uses cookies and similar technologies. Cookies are small text files stored by your browser on your device. We use essential cookies necessary for the technical operation of the site (e.g., correct delivery or storage of your settings). These essential cookies are stored based on Art. 6 para. 1 lit. f GDPR (legitimate interest in technically error-free provision).

In addition, we use – only with your consent – cookies and tracking technologies for statistics, web analysis, and marketing purposes.

Upon your first visit to our website, you can choose whether to accept or reject the use of cookies. Selecting individual categories is not possible. Your decision is stored in the form of a consent cookie. You can withdraw or change your consent at any time for the future by revisiting our cookie settings via the website.

If you do not give consent, all non-essential services remain deactivated. Please note that rejecting some cookies may disable certain functions (e.g., embedded videos or analytics).

Cookie Categories:

  • Essential Cookies: These cookies are necessary for the website to function (e.g., session cookies for navigation or security cookies from Cloudflare). Legal basis: legitimate interest.

  • Statistics/Analytics: Help us evaluate website usage (e.g., Google Analytics 4). Used only with consent (Art. 6 para. 1 lit. a GDPR).

  • Marketing/Tracking: Used for marketing purposes such as conversion tracking or remarketing (e.g., Google Ads Remarketing). Used only with consent.

Details about individual services are provided below.

4. Embedded Content and External Services

YouTube Videos (2-Click Solution): On some subpages, we embed YouTube videos from Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) in a privacy-friendly manner. By default, we display only a preview image. Only when you click “Watch YouTube Video” will the video load from YouTube and a connection to YouTube’s servers be established. YouTube will receive your IP address, device data, and the information that you visited our site. If you are logg...

Social Media Links: Our website contains links to our profiles on social networks (currently: Xing, LinkedIn, YouTube, Twitter/X, Facebook, Instagram, Pinterest, TikTok). These are only hyperlinks, not embedded plugins. When you visit our pages, no data is automatically transferred to these platforms. Only when you click such a link will you leave our website and be subject to the privacy policies of the respective social network. Please note that data (e.g., your IP ...

5. Newsletter Distribution (Rapidmail)

You can subscribe to our email newsletter on our website, which informs you about news, offers, or events. For this purpose, we use the service rapidmail (rapidmail GmbH, Wentzingerstr. 21, 79106 Freiburg, Germany) as a processor for sending.

Subscription: To subscribe, you must provide at least your email address and optionally your name. After submitting the form, you will receive a confirmation email, in which you must confirm your subscription by clicking the included link (double opt-in). Only after this confirmation will your address be added to our list. We log the subscription process to be able to prove it if necessary – including timestamps and IP address. This logging serves as p...

Dispatch and Performance Measurement: The newsletter is sent via rapidmail. The data you enter for newsletter purposes (email address, name, etc.) are stored on servers in Germany. Rapidmail uses this data to send and statistically evaluate newsletters on our behalf. Each email contains a tracking pixel that connects to rapidmail's servers upon opening. This allows us to know if the newsletter was opened. Newsletter links contain tracking li...

Legal Basis: Your consent, Art. 6 para. 1 lit. a GDPR (and where applicable, Art. 13 para. 1 DSG for Switzerland). This consent is granted via the double opt-in process.

Unsubscribe / Withdrawal: You can unsubscribe at any time by clicking the unsubscribe link at the bottom of each newsletter. Alternatively, you can email us directly using the contact details below. After unsubscribing, your data will be deleted from our and rapidmail’s systems unless retention is required by law. A brief listing in a suppression file may be kept to prevent accidental resending.

Processing & Data Protection: We have a data processing agreement with rapidmail under Art. 28 GDPR. This obliges rapidmail to process newsletter recipient data only in accordance with our instructions and in compliance with EU data protection regulations. rapidmail does not transfer data to third countries. The company is based in Germany and subject to strict GDPR rules. More details at rapidmail.de.

6. Contact Form and Inquiries (HubSpot CRM)

If you contact us via the contact form or other forms (e.g., appointment scheduling), your details will be processed to handle the request. We use HubSpot, a software provider from the USA (HubSpot, Inc., Cambridge, MA, USA) with a branch in Ireland (HubSpot, 2nd Floor, 30 North Wall Quay, Dublin 1).

Form Data Processing: We collect the mandatory fields marked in the contact form (typically: first name, last name, email address, company, and your message). These data are stored on HubSpot’s servers in our account and used to respond to your inquiry and perform requested actions (e.g., send documents, arrange a consultation). By submitting the form, you consent to the processing of your personal data. Depending on the inquiry, processing may be based on contract initiation (Art. 6 para. 1 lit. b GDPR) or on our legitimate interest in efficient communication (Art. 6 para. 1 lit. f GDPR). In Switzerland, this is based on Art. 31 para. 2 lit. a revDSG.

Meetings/Bookings: If you book appointments via HubSpot, the above also applies. The entered data (e.g., name, email, desired date) will be used to schedule the meeting. You may receive automated emails (confirmation/reminders). These processes are also based on Art. 6 para. 1 lit. b GDPR.

HubSpot CRM: We also use HubSpot as a CRM system for managing contacts. Form data and other communications (e.g., emails) may be saved to maintain a history of interactions. This is based on our legitimate interest in effective customer management (Art. 6 para. 1 lit. f GDPR). Without your consent, contact data is not used for unsolicited marketing.

Website Tracking via HubSpot: HubSpot offers analytics that track visitor behavior — but only with your explicit consent via the cookie banner (Art. 6 para. 1 lit. a GDPR). When consent is given, HubSpot can collect page visits, session times, device/browser info, and geographic data. If a prior interaction exists (e.g., newsletter signup), HubSpot can associate visits with known contacts and trigger automated responses. Without your consent, no personal tracking occurs, and no cookies are set. Data is typically aggregated or anonymized. IP addresses are not permanently stored unless linked to a user via interaction.

Data Transfer & Security: HubSpot processes data primarily in the EU/EEA. However, some data may be transferred to the USA. We have a data processing agreement with HubSpot including EU Standard Contractual Clauses. HubSpot Inc. is certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework. See HubSpot's privacy policy and data transfer details at hubspot.de/data-privacy.

Retention: Contact inquiries are retained only as long as necessary or legally required. Business correspondence may be stored for 6–10 years per tax and commercial law. Pure interest-based inquiries are deleted once no further contact is expected. You may request deletion at any time (see rights below).

7. Web Analytics and Marketing

Google Analytics 4: Our website uses Google Analytics 4 (GA4) from Google Ireland Ltd., provided you consent via our cookie banner. GA4 uses cookies or similar technologies to analyze how you use the website. It collects data such as visited pages, session duration, browser and device info, general location (city/region), and referral source. Importantly: GA4 does not store your IP address; it is anonymized immediately. No precise location or device IDs are recorded without consent. Data processing is based solely on your consent (Art. 6 para. 1 lit. a GDPR). Without it, GA4 remains inactive.

Processor Agreement: Google Ireland Ltd. acts as our processor. We have a data processing agreement under Art. 28 GDPR. Google is also certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework. Additionally, we rely on EU Standard Contractual Clauses. Data is retained for 14 months (maximum) before deletion. Aggregated statistics remain available.

Opt-Out: You can disable tracking with the browser add-on (tools.google.com/dlpage/gaoptout). For more information, see Google's privacy pages.

Google Tag Manager: We use GTM to manage analytics and marketing tags. GTM itself does not use cookies or process personal data. However, when loading, your IP is transmitted to Google for technical reasons. GTM operates on a cookieless domain. Tags are only loaded after your consent. Legal basis: legitimate interest (Art. 6 para. 1 lit. f GDPR).

Google Ads (Conversion Tracking & Remarketing): We use Google Ads for advertising and to analyze campaign effectiveness.

Conversion Tracking: If you reach our site via a Google ad, a cookie (“_gcl_aw”) is set to determine if a desired action occurred (e.g., form submission). Each advertiser gets a unique cookie. Data is anonymized. The cookie expires after approx. 30 days.

Remarketing: We may use remarketing tags to display targeted ads to past visitors. Google collects pseudonymized usage data (e.g., viewed subpages) to display ads across the web. We do not receive any personally identifiable data.

Legal basis: Consent, Art. 6 para. 1 lit. a GDPR. Google Ads tags are only active with your consent.

Data Transfer: Google may transfer data to the USA. Google LLC is certified under the DPF. We also use EU Standard Contractual Clauses.

Opt-Out: You can revoke consent at any time or disable ads via Google Ads Preferences, Network Advertising Initiative, or YourOnlineChoices.

8. Data Subject Rights

Access, Correction, Deletion, Restriction: You have the right to access your personal data (Art. 15 GDPR; Art. 25 revDSG), correct inaccurate data (Art. 16 GDPR; Art. 32 revDSG), and, under certain conditions, request deletion (Art. 17 GDPR). In Switzerland, deletion is carried out on request, provided there’s no legal obligation to retain data. You may also restrict processing (Art. 18 GDPR), e.g., if accuracy is contested or processing is unlawful.

Right to Object: If data is processed based on legitimate interest (Art. 6 para. 1 lit. f GDPR), you may object at any time for personal reasons (Art. 21 GDPR). In case of direct marketing, objection always applies (Art. 21 para. 2 GDPR).

Withdrawal of Consent: You may revoke your consent at any time with future effect. This includes cookie/tracking and newsletter consent. Processing remains lawful up to the time of withdrawal.

Data Portability: You have the right to receive data provided to us in a machine-readable format (Art. 20 GDPR; Art. 28 revDSG).

Complaint: If you believe your rights are violated, you may lodge a complaint with the relevant data protection authority (e.g., Hamburg, Austria DSB, or Switzerland’s FDPIC). We encourage you to contact us first to resolve concerns directly.

9. Further Information

Data Security: We protect personal data through appropriate technical and organizational measures. Our site uses SSL/TLS encryption (see “https://” and lock symbol). This prevents data from being read by third parties. Note: email communication may involve security gaps – for highly confidential matters, please consider postal mail.

External Links: Our website may link to other sites (e.g., partners). We are not responsible for their content or privacy practices. Please review their respective privacy policies.

Changes to This Privacy Policy: We may update this policy as needed, e.g., due to changes in our services or legal updates. The current version is available on this site. Significant changes will be clearly indicated. (As of August 2025)