Privacy Policy
1. Controller
The controller within the meaning of data protection laws (GDPR and Swiss revFADP) for this website is OBJECT ECM GmbH, Neuer Wall 71, 20354 Hamburg, Germany. OBJECT ECM AG, Albisriederstrasse 252, 8047 Zurich, Switzerland operates object.ch together with its subsidiary OBJECT ECM GmbH in order to serve visitors from Germany, Austria and Switzerland.
Contact: [email protected], Tel. +49 40 79769100 (DE) / +41 44 2402266 (CH).
Data Protection Officer: DATA-ORG GmbH, Mr Jürgen Maurer, Gottlieb-Daimler-Str. 5, 78467 Konstanz, Germany (email: [email protected]).
This Privacy Policy applies to the website object.ch and, where applicable, other online offerings of OBJECT ECM in the DACH region. We treat personal data confidentially and in accordance with the applicable data protection regulations (EU GDPR, Swiss FADP).
2. General data processing when visiting the website
Server log files: When you visit our website for purely informational purposes (without registration or transmission of information), certain general access data is automatically collected. Our web server (or hosting provider) logs, for example: the page accessed, date and time, amount of data transferred, notification of successful retrieval, browser used and version, operating system, previously visited page (referrer URL) and IP address of the requesting device. We need this information to deliver the website to your device, to ensure the stability and security of our systems and for administrative purposes. We do not combine this data with other data and do not draw conclusions about your person. IP addresses are also processed only in shortened/anonymised form, insofar as they are stored in logs. The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest in technical provision and security) as well as Art. 31 para. 2 lit. a revFADP. Server log data is generally deleted automatically after 7 days, unless security incidents require longer retention.
Content Delivery Network (Cloudflare): We use the service Cloudflare (Cloudflare, Inc., USA / Cloudflare Germany GmbH, Munich) to secure and accelerate the delivery of our website. All data transmissions between your browser and our website pass through Cloudflare’s global server network. In doing so, Cloudflare processes, among other things, the IP address of the requesting device in server log files for protection against attacks and for performance optimisation. Cloudflare acts as a processor for us (Art. 28 GDPR); we have concluded a corresponding agreement including EU Standard Contractual Clauses. The data processing is carried out on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in the secure and efficient provision of our online offering. Your IP address is stored by Cloudflare only for as long as this is necessary for security reasons; permanent storage does not take place. Cloudflare is certified under the EU-U.S. Data Privacy Framework (DPF), which ensures an adequate level of data protection for data transfers to the USA. Where applicable, data is processed within the EU or transferred only to Cloudflare data centres in countries with an adequate level of data protection. Further information on data protection at Cloudflare can be found at cloudflare.com and in the Cloudflare DPA.
Cloudflare Zaraz and consent management: We use functions of Cloudflare Zaraz to technically manage certain embedded services and scripts and to take into account the choice made via our consent banner. Zaraz can be used in particular to control whether services requiring consent, such as analytics or marketing services, are loaded. The current purposes managed via Zaraz are Statistics (Google Analytics 4) and Marketing and CRM (HubSpot and HubSpot Embed). Essential functions for storing your selection and technically providing the website run independently of consent where they are technically required. Technical data such as IP address, browser and device information, time of access and information about the selected consent setting may be processed. This processing serves to manage your consents, technically control services and securely provide the website. The legal basis is our legitimate interest in legally compliant and secure technical provision of the website and, where required, your consent.
3. Cookies and consent management
Our website uses cookies and similar technologies. Cookies are small text files that your browser stores on your end device. We use essential cookies and comparable storage technologies that are required for the technical operation of the website, for example for secure provision, correct delivery of the site or storing your cookie and consent settings. These essential technologies are stored on the basis of Art. 6 para. 1 lit. f GDPR (legitimate interest in technically error-free and secure provision).
In addition, we use services and technologies requiring consent for statistics as well as marketing and CRM. These services are controlled via Cloudflare Zaraz based on your selection and are loaded only if you have consented to the respective purpose.
When you first visit our website, you can make your selection for the purposes Statistics and Marketing and CRM. Essential technologies are required for the operation of the website and cannot be disabled insofar as they are technically necessary. Your decision is documented in the form of a consent cookie or comparable storage. You can withdraw or change your consent at any time with effect for the future by reopening the cookie settings via our website.
If you do not give consent, all non-essential services remain disabled. This applies in particular to Google Analytics 4 as well as HubSpot tracking or HubSpot Embed via Zaraz. Embedded content that you actively start, such as YouTube videos or ScoreApp surveys, is loaded only after this active action.
Cookie categories:
- Essential cookies: These cookies and comparable technologies are necessary for the website to function. This includes, in particular, technical security and delivery functions as well as storing your cookie and consent selection. Legal basis: legitimate interest.
- Statistics: Helps us evaluate the use of the website and improve content and user guidance. We currently use Google Analytics 4 for this purpose. It is used only with your consent (Art. 6 para. 1 lit. a GDPR).
- Marketing and CRM: Enables us to use HubSpot functions, for example for website tracking, forms, appointment bookings, download elements, campaign measurement and CRM functions. It is used only with your consent (Art. 6 para. 1 lit. a GDPR), insofar as the respective function requires consent.
Details on individual services can be found below.
4. Embedded content and external services
YouTube videos (2-click solution): On some subpages we embed YouTube videos from Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), but in a privacy-friendly manner. By default, we only display a preview image. Only when you click on “Watch YouTube video” is the video loaded from YouTube and a connection to the YouTube servers established. In doing so, YouTube receives your IP address, device data and the information that you have visited our site. If you are logged in to YouTube/Google, Google may associate the access with your Google profile. Due to the 2-click mechanism, this data transfer takes place only after your consent, namely through the active loading of the video. The legal basis is Art. 6 para. 1 lit. a GDPR (consent).
When playing a YouTube video, cookies from Google may be stored on your end device, for example to collect video statistics or analyse your user behaviour. We have no influence over this. You can withdraw your consent at any time by not loading any further videos or by changing your cookie settings. Further information can be found in the privacy notices of YouTube/Google. Google is certified under the EU-U.S. Data Privacy Framework.
ScoreApp surveys: On individual subpages, we use ScoreApp, a service provided by Hyper Targeted Marketing Limited trading as ScoreApp, C/O Hillier Hopkins LLP, First Floor, Radius House, 51 Clarendon Road, Watford, United Kingdom, WD17 1HP, to provide interactive surveys and evaluations.
The ScoreApp survey is loaded only when you actively start the survey. At that point, a connection to ScoreApp is established. ScoreApp may process, in particular, technical connection data such as IP address, date and time of access, browser and device information, as well as information about the page accessed. In addition, the information that you voluntarily enter or select as part of the survey may be processed.
We use ScoreApp to technically provide the survey, evaluate responses and display suitable results or additional information depending on the survey process. If you provide contact details at a later stage, these may be used to contact you in connection with the survey and the requested information.
Depending on the specific use, the legal basis is your consent, the performance of pre-contractual measures or our legitimate interest in providing and evaluating the survey. Participation in the survey is voluntary.
ScoreApp processes data in the United Kingdom and may also process data in other countries where applicable. For data transfers to countries without an adequate level of data protection, appropriate safeguards are used.
Further information on data processing by ScoreApp can be found in ScoreApp’s Privacy Policy at scoreapp.com/privacy-policy.
Social media links: On our website you will find links to our profiles on social networks (currently: Xing, LinkedIn, YouTube, Facebook, Instagram, Pinterest, TikTok). These are hyperlinks only, not embedded plug-ins. Therefore, when you visit our pages, no data is automatically transferred to these platforms. Only when you click on such a link do you leave our website and the privacy provisions of the respective social network apply. Please note that data (e.g. your IP address, visited page) may be transferred to servers of the respective provider (in some cases in the USA). We have no influence over the scope and further use of the data by the platform operators. Information on the purpose and scope of data collection as well as further processing by the provider can be found in the privacy policies of the respective social networks: e.g. Xing Privacy, LinkedIn Privacy Policy, Facebook Data Policy, Instagram Data Policy, Pinterest Privacy, TikTok Privacy. We maintain these social media presences in order to communicate with customers and interested parties. Usage profiles may be created by the platforms. Any analyses carried out by us are performed exclusively in anonymised form (e.g. statistics on page views).
5. Newsletter dispatch (Rapidmail)
You can register on our website for our email newsletter, which informs you about news, offers or events. For this purpose, we use the service rapidmail (rapidmail GmbH, Wentzingerstr. 21, 79106 Freiburg, Germany) as a processor for dispatch.
Registration: For newsletter registration, at least your email address and, where applicable, your name are required. After submitting the registration form, you will receive a confirmation email in which you must confirm your registration by clicking on the link contained therein (double opt-in). Only after this confirmation will your address be added to our mailing list. This procedure ensures that no third party has used your email address. We log the registration process in order to be able to prove it in case of doubt – the time of registration and confirmation as well as the IP address of the registering person are stored. This logging serves our proof and security in case your address was entered improperly by third parties.
Newsletter forms and embedded content from rapidmail: On individual subpages, we embed forms and content from rapidmail or the domain emailsys1a.net used by rapidmail, for example for newsletter registration or to display a newsletter archive. When such content is accessed, a connection to rapidmail’s servers may be established. Technical connection data such as IP address, date and time of access, browser and device information as well as information about the page accessed may be processed.
The embedding is used to technically provide newsletter registration and access to related content. If you submit a newsletter form, the data you enter is transmitted to rapidmail and processed there on our behalf. Processing is based on your consent and on the technical provision of the requested function.
Dispatch and performance measurement: The newsletter is sent via rapidmail. The data you enter for the purpose of receiving the newsletter (email address, name…) is stored on the servers of rapidmail in Germany. Rapidmail uses this information to send and statistically evaluate the newsletters on our behalf. Each newsletter email contains a so-called tracking pixel from rapidmail, which establishes a connection to the rapidmail servers when the email is opened. This allows us to recognise whether a newsletter has been opened. In addition, newsletter links contain so-called tracking links, with which it is measured which links you have clicked. This tells us which newsletter content was of particular interest. We use the analyses to improve future newsletters. Performance measurement is carried out pseudonymously; we cannot directly identify you as a person. If you do not want this analysis, you can unsubscribe from the newsletter at any time.
Legal basis: Your consent, Art. 6 para. 1 lit. a GDPR (and, where applicable, Art. 13 para. 1 FADP for Switzerland). You grant us this consent through the double opt-in procedure.
Unsubscription/withdrawal: You can unsubscribe from the newsletter at any time by clicking on the unsubscribe link at the end of each newsletter email. This withdraws your consent for the future. Alternatively, you can also send your withdrawal to us at any time (by email to us or using the contact details provided below). After unsubscription, your data stored for the newsletter will be deleted from our system and rapidmail’s system, provided that no statutory retention obligation prevents this. Short-term storage in a suppression list may take place in order to prevent accidental future email delivery to this email address.
Processing & data protection: A processing agreement pursuant to Art. 28 GDPR exists with rapidmail. In it, rapidmail is obliged to process the data of our newsletter recipients only according to our instructions and to comply with EU data protection rules. According to rapidmail, data transfer to third countries does not take place; rapidmail processes the data in Germany. rapidmail GmbH is a German provider and is subject to the strict requirements of the GDPR. Further information on data protection at rapidmail can be found here and on rapidmail’s data security here rapidmail.de.
6. Contact form and enquiries (HubSpot CRM)
If you contact us via our contact form or other forms (e.g. appointment scheduling), your details will be processed to handle the enquiry. We use the tool HubSpot for our online forms and customer relationship management. HubSpot is a software provider from the USA (HubSpot, Inc., Cambridge MA, USA) with a branch in Ireland (HubSpot, 2nd Floor, 30 North Wall Quay, Dublin 1).
Data processing in forms: Via the contact form, we collect the information marked as mandatory fields (typically first name, last name, email address, company and your message text). This data is stored by HubSpot on our HubSpot account servers so that we can receive and process your enquiry. Even during entry, HubSpot may carry out certain validations (e.g. to prevent spam or to check whether the email address is valid). When you submit the form, you consent to the processing of your personal data for the purpose of contacting you. We use the data to answer your enquiry and to carry out any requested actions (e.g. send documents, arrange a consultation). Depending on the content of the enquiry, the processing may be carried out for the initiation of a contract and thus be based on Art. 6 para. 1 lit. b GDPR (for pre-contractual enquiries) or on our legitimate interest in effective communication with interested parties and customers (Art. 6 para. 1 lit. f GDPR). In Switzerland, processing is based on Art. 31 para. 2 lit. a revFADP (enquiries from the data subject). Your information is used exclusively to process the enquiry and for any follow-up questions.
Meetings/bookings: If we offer online appointment booking via HubSpot (calendar function), the above explanations apply accordingly. The data entered by you (e.g. name, email, desired appointment) is used to arrange appointments and processed by HubSpot on our behalf. You may receive automatic emails from HubSpot to confirm or remind you of the appointment. These processes are also based on Art. 6 para. 1 lit. b GDPR (performance of pre-contractual measures at your request).
HubSpot CTAs, download elements and embedded content: On individual subpages, HubSpot CTAs, download buttons, form elements, appointment bookings or related content may also be embedded. When such elements are loaded or clicked, a connection to HubSpot may be established. Technical connection data such as IP address, browser and device information, time of access, page accessed and information about your interaction with the respective element may be processed. If you enter data via a HubSpot element or request content, the data you provide will be processed to provide the requested content, handle your enquiry and, where applicable, for further communication.
HubSpot CRM: We also use HubSpot as a CRM system to manage customers and interested parties. The data collected via forms as well as further communication (e.g. email correspondence with you) may be stored in HubSpot in order to maintain a history of our interaction. This serves our legitimate interest in efficient customer care and communication (Art. 6 para. 1 lit. f GDPR). HubSpot helps us answer enquiries more quickly and provide content in a targeted manner. However, without your consent, we do not use the contact data stored in HubSpot for unsolicited advertising.
Website tracking by HubSpot: HubSpot offers web analysis functions that can be used to record the behaviour of website visitors – particularly if they are already stored as contacts in our CRM. For this purpose, HubSpot uses cookies that enable the visitor to be recognised and previous interactions with our company to be linked. This tracking takes place exclusively on the basis of your explicit consent via our cookie banner (Art. 6 para. 1 lit. a GDPR). If you give your consent, HubSpot can automatically collect certain usage data, including in particular: pages accessed, duration and time of visits, geographical origin (based on IP addresses), device used and browser type as well as interactions with forms or CTAs. As soon as a personal reference has been established through a previous interaction (e.g. newsletter registration or form), we can assign the data to a specific contact and trigger corresponding follow-up actions (e.g. emails for repeated visits). Without your consent, this function remains disabled and no personal tracking takes place. In this case, HubSpot does not set any tracking cookies on your device. According to HubSpot, aggregated or anonymised usage statistics are provided in most analyses. HubSpot does not permanently store the full IP address and does not directly link it to a contact – except where identification has occurred via interactions (e.g. email clicks or form submission).
Data transfer and security: HubSpot processes the data primarily on servers within the EU or the EEA. Nevertheless, it cannot be ruled out that data may be transferred to the USA, particularly since HubSpot Inc. is a US company. We have concluded a processing agreement with HubSpot, which includes the current EU Standard Contractual Clauses. These are intended to ensure an adequate level of data protection for data transfers to the USA. In addition, HubSpot, Inc. is certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework (DPF), which means that a recognised level of protection exists for EU and Swiss data. HubSpot thereby undertakes to comply with the principles of the Data Privacy Framework. Further details can be found in HubSpot’s Privacy Policy and on HubSpot’s page on data protection and data transfer (including DPF certificate) at hubspot.de/data-privacy.
Retention period: Contact enquiries via HubSpot are retained by us only for as long as is necessary to fulfil the purpose or due to legal obligations. Business correspondence (e.g. emails) may have to be archived for up to 6 or 10 years under commercial and tax law. Pure interested-party enquiries are deleted when there is no further interest and no retention obligations apply. You can request the deletion of your data at any time (see rights below).
7. Telephone contact and telephone service (Offinea)
If you contact us by telephone, we process the personal data arising in this context in order to handle your request, to respond, to forward it internally and to maintain our customer and interested-party relationships. This includes in particular your name, your telephone number, date and time of the call, your company as well as the content or matter of your call, insofar as this information is provided during the conversation or is necessary for processing.
For the acceptance and processing of incoming telephone calls, we use the telephone service of offinea AG, Zugerstrasse 32, Postfach 1535, 6341 Baar, Switzerland. Offinea answers calls on our behalf, creates call notes where necessary and transmits to us the information required for further processing.
Depending on the content of your request, the processing is carried out for the performance of pre-contractual measures or for the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR or Art. 31 para. 2 lit. a revFADP. Insofar as the telephone handling is not directly contract-related, it is carried out on the basis of our legitimate interest in reliable, efficient and customer-friendly communication pursuant to Art. 6 para. 1 lit. f GDPR or Art. 31 para. 1 revFADP.
Offinea processes the data on our behalf and only according to our instructions. We have concluded the data protection agreements required with Offinea, in particular regarding confidentiality, data security and purpose-bound processing of the data. The data is stored only for as long as is necessary to handle your request, to carry out the business relationship or due to statutory retention obligations.
Further information on data processing by Offinea can be found in Offinea’s Privacy Policy at offinea.ch/datenschutz.
8. Web analysis
Google Analytics 4: Our website uses Google Analytics 4 (GA4), a web analysis service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), provided you have consented to the purpose Statistics. GA4 uses cookies or similar technologies to evaluate your usage behaviour on our website. The cookies set by Google Analytics (e.g. _ga) enable us to recognise returning visitors and obtain statistics on website activities. Google Analytics processes, among other things, the following data: pages visited and their sequence, length of stay, bounce rate, technical information about your browser and device, approximate geolocation data (country/city) and the source from which you came to our site. According to Google, Google Analytics 4 does not permanently store IP addresses; your IP address is used only briefly for geolocation and then discarded or anonymised. We have configured GA4 so that data processing takes place only with your consent. The legal basis is Art. 6 para. 1 lit. a GDPR. Without your consent, Google Analytics remains inactive.
Google as processor: For users in the EU, Google Ireland Ltd. is the contractual partner. We have concluded a data processing addendum with Google (pursuant to Art. 28 GDPR). Google processes the analysis data for evaluation on our behalf. Google Analytics does not store directly identifying data such as names or email addresses. The information generated by GA4 about your use of the website is transferred to Google servers and stored there. This may also include servers in the USA. However, Google is DPF-certified (EU-U.S. & Swiss-U.S. Data Privacy Framework), so that a transfer takes place on the basis of an adequacy decision pursuant to Art. 45 GDPR. In addition, we rely on the EU Standard Contractual Clauses that Google has integrated into its terms in order to ensure an adequate level of protection.
Google uses the data to evaluate your use of the website for us, compile reports on website activities and provide related services. By default, we have set the data retention for user and event data in GA4 to 14 months; after this period, the data is automatically deleted. We can continue to view aggregated analyses.
Withdrawal/opt-out: You can withdraw your consent at any time with effect for the future by reopening the cookie settings via our website. In addition, you can install the browser add-on to deactivate Google Analytics, which is available at tools.google.com/dlpage/gaoptout. Further information on data protection at Google Analytics can be found in Google’s Privacy Policy and in Google’s information on GA4 and privacy.
9. Rights of data subjects
Access, rectification, deletion, restriction: Within the framework of the legal requirements, you have the right at any time to obtain information about the data stored about you (Art. 15 GDPR; Art. 25 revFADP). Upon request, we will inform you which personal data we have stored about you, its origin, recipients and the purpose for which the processing takes place. You also have the right to rectification of inaccurate data (Art. 16 GDPR; Art. 32 para. 1 revFADP) and – under the conditions of Art. 17 GDPR – the right to deletion of your data. Note: An explicit “right to be forgotten” does not exist under Swiss data protection law; however, we will delete your data upon request, provided that there is no entitlement or obligation for further retention. Furthermore, you have the right to request restriction of processing (Art. 18 GDPR) – for example, if you dispute the accuracy of the data or the processing is unlawful, you may request restriction instead of deletion.
Right to object: Insofar as we process data on the basis of a legitimate interest (Art. 6 para. 1 lit. f GDPR), you have the right, on grounds relating to your particular situation, to object to this processing at any time (Art. 21 para. 1 GDPR). If you exercise your right to object, we will no longer process the data concerned for these purposes, unless we can demonstrate compelling legitimate grounds that outweigh your interests. If your data is processed for the purpose of direct advertising, you may also object to processing for such advertising purposes at any time (Art. 21 para. 2 GDPR); in this case we will no longer use your data for direct advertising.
Withdrawal of consents: You can withdraw consent given for data processing at any time with effect for the future. This particularly concerns consents to the use of cookies/tracking (see cookie banner) and to receiving the newsletter. After your withdrawal, we will stop the data processing insofar as no other legal basis (e.g. legal obligation) applies. The lawfulness of processing until withdrawal remains unaffected.
Data portability: You have the right to request the data that we process automatically on the basis of your consent or for the performance of a contract in a common, machine-readable format (Art. 20 GDPR). Upon request – insofar as technically feasible – we can also transfer this data directly to another controller named by you. This right to data portability also exists analogously under Swiss law (Art. 28 revFADP) under the conditions specified there.
Right to lodge a complaint: If you believe that we are processing your data unlawfully or violating your data protection rights, you may lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR). In Germany, this is the authority of the federal state in which we are based (Hamburg Commissioner for Data Protection and Freedom of Information) or the supervisory authority at your place of residence. A list of German data protection supervisory authorities can be found here: bfdi.bund.de/anschriften. In Austria, you can contact the Data Protection Authority (dsb.gv.at). In Switzerland, you can lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC). The right to lodge a complaint exists without prejudice to other administrative or judicial remedies. We would appreciate it if you first sought dialogue with us so that any concerns can be clarified directly.
10. Further information
Data security: We protect your personal data against unauthorised access, loss or destruction through appropriate technical and organisational measures. Our website uses, for example, SSL/TLS encryption, recognisable by “https://” and the lock symbol in the browser. Transmitted data cannot therefore be read by third parties. Please note that the transmission of information by email may have security vulnerabilities; for highly confidential information, we may recommend using postal mail.
External links: Our website may contain links to other websites (e.g. partner companies). We are not responsible for their content and data protection practices. Please inform yourself there in the respective privacy policies.
Changes to this Privacy Policy: We reserve the right to update this Privacy Policy as needed, for example in the event of adjustments to our services or due to changes in the legal situation. The current version is available on this website. We will clearly indicate any material changes. (Status of this Policy: June 2026)