Privacy Policy
1. Controller
The controller within the meaning of data protection laws (GDPR and Swiss revFADP) for this website is OBJECT ECM GmbH, Neuer Wall 71, 20354 Hamburg, Germany. OBJECT ECM AG, Albisriederstrasse 252, 8047 Zurich, Switzerland operates object.ch together with its subsidiary OBJECT ECM GmbH in order to serve visitors from Germany, Austria and Switzerland.
Contact: [email protected], Tel. +49 40 79769100 (DE) / +41 44 2402266 (CH).
Data Protection Officer: DATA-ORG GmbH, Mr Jürgen Maurer, Gottlieb-Daimler-Str. 5, 78467 Konstanz, Germany (email: [email protected]).
This Privacy Policy applies to the website object.ch and, where applicable, other online offerings of OBJECT ECM in the DACH region. We treat personal data confidentially and in accordance with the applicable data protection regulations (EU GDPR, Swiss FADP).
2. General data processing when visiting the website
Server log files: When you visit our website for purely informational purposes (without registration or transmission of information), certain general access data is automatically collected. Our web server (or hosting provider) logs, for example: the page accessed, date and time, amount of data transferred, notification of successful retrieval, browser used and version, operating system, previously visited page (referrer URL) and IP address of the requesting device. We need this information to deliver the website to your device, to ensure the stability and security of our systems and for administrative purposes. We do not combine this data with other data and do not draw conclusions about your person. IP addresses are also processed only in shortened/anonymised form, insofar as they are stored in logs. The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest in technical provision and security) as well as Art. 31 para. 2 lit. a revFADP. Server log data is generally deleted automatically after 7 days, unless security incidents require longer retention.
Content Delivery Network (Cloudflare): We use the service Cloudflare (Cloudflare, Inc., USA / Cloudflare Germany GmbH, Munich) to secure and accelerate the delivery of our website. All data transmissions between your browser and our website pass through Cloudflare’s global server network. In doing so, Cloudflare processes, among other things, the IP address of the requesting device in server log files for protection against attacks and for performance optimisation. Cloudflare acts as a processor for us (Art. 28 GDPR); we have concluded a corresponding agreement including EU Standard Contractual Clauses. The data processing is carried out on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in the secure and efficient provision of our online offering. Your IP address is stored by Cloudflare only for as long as this is necessary for security reasons; permanent storage does not take place. Cloudflare is certified under the EU-U.S. Data Privacy Framework (DPF), which ensures an adequate level of data protection for data transfers to the USA. Where applicable, data is processed within the EU or transferred only to Cloudflare data centres in countries with an adequate level of data protection. Further information on data protection at Cloudflare can be found at cloudflare.com and in the Cloudflare DPA.
3. Cookies and consent management
Our website uses cookies and similar technologies. Cookies are small text files that your browser stores on your end device. We use essential cookies that are required for the technical operation of the site (e.g. for correct delivery or to store your settings). These essential cookies are stored on the basis of Art. 6 para. 1 lit. f GDPR (legitimate interest in the technically error-free provision).
In addition, we use cookies and tracking technologies for statistics, web analysis and marketing purposes only with your consent.
When you first visit our website, you can choose whether you wish to consent to the use of cookies or reject them. It is not possible to select individual categories. Your decision is stored in the form of a consent cookie. You can withdraw or change your consent at any time with effect for the future by reopening the cookie settings via our website.
If you do not give consent, all non-essential services remain disabled. Please note that if you reject certain cookies, some functions (e.g. embedded videos or analysis functions) may not be available.
Cookie categories:
- Essential cookies: These cookies are necessary for the website to function (e.g. session cookies for navigation or security cookies from Cloudflare). Legal basis: legitimate interest.
- Marketing/analytics: Help us evaluate the use of the website (e.g. Google Analytics 4). Serve marketing purposes such as conversion tracking or remarketing (e.g. Google Ads Remarketing). Used only with consent (Art. 6 para. 1 lit. a GDPR).
Details on individual services can be found below.
4. Embedded content and external services
YouTube videos (2-click solution): On some subpages we embed YouTube videos from Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), but in a privacy-friendly manner. By default, we only display a preview image. Only when you click on “Watch YouToube video” is the video loaded from YouTube and a connection to the YouTube servers established. In doing so, YouTube receives your IP address, device data and the information that you have visited our site. If you are logged in to YouTube/Google, Google may associate the access with your Google profile. Due to the 2-click mechanism, this data transfer takes place only after your consent, namely through the active loading of the video. The legal basis is Art. 6 para. 1 lit. a GDPR (consent).
When playing a YouTube video, cookies from Google may be stored on your end device, for example to collect video statistics or analyse your user behaviour. We have no influence over this. You can withdraw your consent at any time by not loading any further videos or by changing your cookie settings. Further information can be found in the privacy notices of YouTube/Google. Google is certified under the EU-U.S. Data Privacy Framework.
Social media links: On our website you will find links to our profiles on social networks (currently: Xing, LinkedIn, YouTube, Facebook, Instagram, Pinterest, TikTok). These are hyperlinks only, not embedded plug-ins. Therefore, when you visit our pages, no data is automatically transferred to these platforms. Only when you click on such a link do you leave our website and the privacy provisions of the respective social network apply. Please note that data (e.g. your IP address, visited page) may be transferred to servers of the respective provider (in some cases in the USA). We have no influence over the scope and further use of the data by the platform operators. Information on the purpose and scope of data collection as well as further processing by the provider can be found in the privacy policies of the respective social networks: e.g. Xing Privacy, LinkedIn Privacy Policy, Facebook Data Policy, Instagram Data Policy, Pinterest Privacy, TikTok Privacy. We maintain these social media presences in order to communicate with customers and interested parties. Usage profiles may be created by the platforms. Any analyses carried out by us are performed exclusively in anonymised form (e.g. statistics on page views).
5. Newsletter dispatch (Rapidmail)
You can register on our website for our email newsletter, which informs you about news, offers or events. For this purpose, we use the service rapidmail (rapidmail GmbH, Wentzingerstr. 21, 79106 Freiburg, Germany) as a processor for dispatch.
Registration: For newsletter registration, at least your email address and, where applicable, your name are required. After submitting the registration form, you will receive a confirmation email in which you must confirm your registration by clicking on the link contained therein (double opt-in). Only after this confirmation will your address be added to our mailing list. This procedure ensures that no third party has used your email address. We log the registration process in order to be able to prove it in case of doubt – the time of registration and confirmation as well as the IP address of the registering person are stored. This logging serves our proof and security in case your address was entered improperly by third parties.
Dispatch and performance measurement: The newsletter is sent via rapidmail. The data you enter for the purpose of receiving the newsletter (email address, name…) is stored on the servers of rapidmail in Germany. Rapidmail uses this information to send and statistically evaluate the newsletters on our behalf. Each newsletter email contains a so-called tracking pixel from rapidmail, which establishes a connection to the rapidmail servers when the email is opened. This allows us to recognise whether a newsletter has been opened. In addition, newsletter links contain so-called tracking links, with which it is measured which links you have clicked. This tells us which newsletter content was of particular interest. We use the analyses to improve future newsletters. Performance measurement is carried out pseudonymously; we cannot directly identify you as a person. If you do not want this analysis, you can unsubscribe from the newsletter at any time.
Legal basis: Your consent, Art. 6 para. 1 lit. a GDPR (and, where applicable, Art. 13 para. 1 FADP for Switzerland). You grant us this consent through the double opt-in procedure.
Unsubscription/withdrawal: You can unsubscribe from the newsletter at any time by clicking on the unsubscribe link at the end of each newsletter email. This withdraws your consent for the future. Alternatively, you can also send your withdrawal to us at any time (by email to us or using the contact details provided below). After unsubscription, your data stored for the newsletter will be deleted from our system and rapidmail’s system, provided that no statutory retention obligation prevents this. Short-term storage in a suppression list may take place in order to prevent accidental future email delivery to this email address.
Processing & data protection: A processing agreement pursuant to Art. 28 GDPR exists with rapidmail. In it, rapidmail is obliged to process the data of our newsletter recipients only according to our instructions and to comply with EU data protection rules. According to rapidmail, data transfer to third countries does not take place; rapidmail processes the data in Germany. rapidmail GmbH is a German provider and is subject to the strict requirements of the GDPR. Further information on data protection at rapidmail can be found here and on rapidmail’s data security here rapidmail.de.
6. Contact form and enquiries (HubSpot CRM)
If you contact us via our contact form or other forms (e.g. appointment scheduling), your details will be processed to handle the enquiry. We use the tool HubSpot for our online forms and customer relationship management. HubSpot is a software provider from the USA (HubSpot, Inc., Cambridge MA, USA) with a branch in Ireland (HubSpot, 2nd Floor, 30 North Wall Quay, Dublin 1).
Data processing in forms: Via the contact form, we collect the information marked as mandatory fields (typically first name, last name, email address, company and your message text). This data is stored by HubSpot on our HubSpot account servers so that we can receive and process your enquiry. Even during entry, HubSpot may carry out certain validations (e.g. to prevent spam or to check whether the email address is valid). When you submit the form, you consent to the processing of your personal data for the purpose of contacting you. We use the data to answer your enquiry and to carry out any requested actions (e.g. send documents, arrange a consultation). Depending on the content of the enquiry, the processing may be carried out for the initiation of a contract and thus be based on Art. 6 para. 1 lit. b GDPR (for pre-contractual enquiries) or on our legitimate interest in effective communication with interested parties and customers (Art. 6 para. 1 lit. f GDPR). In Switzerland, processing is based on Art. 31 para. 2 lit. a revFADP (enquiries from the data subject). Your information is used exclusively to process the enquiry and for any follow-up questions.
Meetings/bookings: If we offer online appointment booking via HubSpot (calendar function), the above explanations apply accordingly. The data entered by you (e.g. name, email, desired appointment) is used to arrange appointments and processed by HubSpot on our behalf. You may receive automatic emails from HubSpot to confirm or remind you of the appointment. These processes are also based on Art. 6 para. 1 lit. b GDPR (performance of pre-contractual measures at your request).
HubSpot CRM: We also use HubSpot as a CRM system to manage customers and interested parties. The data collected via forms as well as further communication (e.g. email correspondence with you) may be stored in HubSpot in order to maintain a history of our interaction. This serves our legitimate interest in efficient customer care and communication (Art. 6 para. 1 lit. f GDPR). HubSpot helps us answer enquiries more quickly and provide content in a targeted manner. However, without your consent, we do not use the contact data stored in HubSpot for unsolicited advertising.
Website tracking by HubSpot: HubSpot offers web analysis functions that can be used to record the behaviour of website visitors – particularly if they are already stored as contacts in our CRM. For this purpose, HubSpot uses cookies that enable the visitor to be recognised and previous interactions with our company to be linked. This tracking takes place exclusively on the basis of your explicit consent via our cookie banner (Art. 6 para. 1 lit. a GDPR). If you give your consent, HubSpot can automatically collect certain usage data, including in particular: pages accessed, duration and time of visits, geographical origin (based on IP addresses), device used and browser type as well as interactions with forms or CTAs. As soon as a personal reference has been established through a previous interaction (e.g. newsletter registration or form), we can assign the data to a specific contact and trigger corresponding follow-up actions (e.g. emails for repeated visits). Without your consent, this function remains disabled and no personal tracking takes place. In this case, HubSpot does not set any tracking cookies on your device. According to HubSpot, aggregated or anonymised usage statistics are provided in most analyses. HubSpot does not permanently store the full IP address and does not directly link it to a contact – except where identification has occurred via interactions (e.g. email clicks or form submission).
Data transfer and security: HubSpot processes the data primarily on servers within the EU or the EEA. Nevertheless, it cannot be ruled out that data may be transferred to the USA, particularly since HubSpot Inc. is a US company. We have concluded a processing agreement with HubSpot, which includes the current EU Standard Contractual Clauses. These are intended to ensure an adequate level of data protection for data transfers to the USA. In addition, HubSpot, Inc. is certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework (DPF), which means that a recognised level of protection exists for EU and Swiss data. HubSpot thereby undertakes to comply with the principles of the Data Privacy Framework. Further details can be found in HubSpot’s Privacy Policy and on HubSpot’s page on data protection and data transfer (including DPF certificate) at hubspot.de/data-privacy.
Retention period: Contact enquiries via HubSpot are retained by us only for as long as is necessary to fulfil the purpose or due to legal obligations. Business correspondence (e.g. emails) may have to be archived for up to 6 or 10 years under commercial and tax law. Pure interested-party enquiries are deleted when there is no further interest and no retention obligations apply. You can request the deletion of your data at any time (see rights below).
7. Telephone contact and telephone service (Offinea)
If you contact us by telephone, we process the personal data arising in this context in order to handle your request, to respond, to forward it internally and to maintain our customer and interested-party relationships. This includes in particular your name, your telephone number, date and time of the call, your company as well as the content or matter of your call, insofar as this information is provided during the conversation or is necessary for processing.
For the acceptance and processing of incoming telephone calls, we use the telephone service of offinea AG, Zugerstrasse 32, Postfach 1535, 6341 Baar, Switzerland. Offinea answers calls on our behalf, creates call notes where necessary and transmits to us the information required for further processing.
Depending on the content of your request, the processing is carried out for the performance of pre-contractual measures or for the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR or Art. 31 para. 2 lit. a revFADP. Insofar as the telephone handling is not directly contract-related, it is carried out on the basis of our legitimate interest in reliable, efficient and customer-friendly communication pursuant to Art. 6 para. 1 lit. f GDPR or Art. 31 para. 1 revFADP.
Offinea processes the data on our behalf and only according to our instructions. We have concluded the data protection agreements required with Offinea, in particular regarding confidentiality, data security and purpose-bound processing of the data. The data is stored only for as long as is necessary to handle your request, to carry out the business relationship or due to statutory retention obligations.
Further information on data processing by Offinea can be found in Offinea’s Privacy Policy at offinea.ch/datenschutz.
8. Web analysis and marketing
Google Analytics 4: Our website uses (provided you have consented) Google Analytics 4 (GA4), a web analysis service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). GA4 uses cookies or similar technologies to evaluate your usage behaviour on our website. The cookies set by Google Analytics (e.g. _ga) enable us to recognise returning visitors and obtain statistics on website activities. Google Analytics processes, among other things, the following data: pages visited and their sequence, length of stay, bounce rate, technical information about your browser and device, approximate geolocation (country/city) and the source from which you came to our site. Important: Google Analytics 4 stores no IP addresses of users – your IP is used only briefly for geolocation and then discarded or anonymised. GA4 thus takes data protection into account. Personal data such as precise location data or unique device identifiers are not collected in GA4 without your consent. We have configured GA4 so that data processing takes place only with your consent (Consent Mode). The legal basis is Art. 6 para. 1 lit. a GDPR. Without your consent, Google Analytics remains inactive.
Google as processor: For EU users, Google Ireland Ltd. is the contractual partner. We have concluded a data processing addendum with Google (pursuant to Art. 28 GDPR). Google processes the analysis data for evaluation on our behalf. Google Analytics does not store directly identifying data such as names or email addresses. The information generated by GA4 about your use of the website is transferred to Google servers and stored there. This may also include servers in the USA. However, Google is DPF-certified (EU-U.S. & Swiss-U.S. Data Privacy Framework), so that a transfer takes place on the basis of an adequacy decision pursuant to Art. 45 GDPR. In addition, we rely on the EU Standard Contractual Clauses that Google has integrated into its terms of use in order to ensure an adequate level of protection.
Google uses the data to evaluate your use of the website for us, compile reports on website activities and provide further services. Google Analytics 4 has generally been designed to be more privacy-friendly (including no storage of IPs, shorter retention periods). By default, we have set the data retention for user and event data in GA4 to 14 months (maximum available), after which the data is automatically deleted. We can continue to view aggregated analyses.
Objection/opt-out: You can install the browser add-on to deactivate Google Analytics (available at tools.google.com/dlpage/gaoptout). This prevents future collection by Google Analytics on websites on which it is activated. Further information on data protection at Google Analytics can be found in Google’s Privacy Policy as well as in Google’s information on GA4 and privacy.
Google Tag Manager: We use the Google Tag Manager (GTM) from Google Ireland to centrally manage the aforementioned analysis and marketing tags. The Tag Manager itself does not set cookies and does not collect personal data. It merely serves to trigger other scripts (e.g. Google Analytics, Google Ads) on the website. However, when loading the Tag Manager code, your browser transmits your IP address to Google because a connection to Google’s servers is established. This IP processing is carried out for technical reasons, but according to Google is not stored for its own purposes. The Tag Manager runs on a cookieless domain. Nevertheless, as a precaution, we treat its use as part of the services requiring consent. This means: Google Tag Manager loads analysis/marketing tags only if you have consented to them. If, for example, you have rejected Analytics or Ads in the consent banner, GTM ensures that the corresponding tags are not loaded. The legal basis for the Tag Manager is our legitimate interest (Art. 6 para. 1 lit. f GDPR) in efficient management of website tags.
Google Ads (conversion tracking & remarketing): We use the online advertising programme Google Ads of Google Ireland Ltd. and, within this framework, conversion tracking and remarketing functions.
Conversion tracking: If you have reached our website via a Google advertisement, Google Ads sets a cookie on your end device (cookie name usually “_gcl_aw”). This cookie enables Google and us to track whether a visitor came to us via the ad and performed a predefined action (e.g. contact enquiry, purchase completion). Each Ads customer receives a different conversion cookie, so cookies cannot be tracked across the websites of different Ads customers. The information obtained using the conversion cookie is used to create conversion statistics for Ads customers. We receive the anonymous total number of users who clicked on our ad and completed a conversion. However, we do not receive any information that personally identifies users. The conversion cookie expires after approx. 30 days.
Remarketing: Our website may use Google remarketing tags in order to address visitors to the site again later with advertisements. In doing so, Google collects pseudonymous information about your use of our website via cookies or mobile IDs (e.g. which subpages you viewed). This allows Google to address you with advertisements tailored to you on other websites in the Google Display Network or in Google search results (“remarketing” or “retargeting”). For this purpose, either a corresponding Google Ads cookie is set when visiting our site or an existing Google Advertising cookie is read. The cookies serve the unique identification of a web browser on a specific end device and not the identification of a person. We ourselves do not receive any personal data from Google, but rather anonymised campaign reports.
Legal basis: Your consent, Art. 6 para. 1 lit. a GDPR. We integrate Google Ads tracking only after your consent via the consent banner. Without consent, no remarketing takes place.
Data transfer: The data collected within the framework of Google Ads is transferred by Google to servers in the EU and, where applicable, the USA. Google LLC (based in Mountain View, CA, USA) is certified under the EU-U.S. Data Privacy Framework, which guarantees an adequate level of data protection. In addition, we have agreed standard data protection clauses with Google.
Objection: If you do not wish to receive interest-based advertising, you can withdraw your consent (change cookie settings) or, for example, deactivate personalised advertising via the Google Ads Preferences Manager. In addition, you can object to collection by participating advertising networks via the page of the Network Advertising Initiative or YourOnlineChoices.Please note that after an opt-out you will continue to be shown advertising, but it will no longer be selected based on the interests collected about you. Further information on Google Ads can be found in Google’s privacy notices as well as at policies.google.com/technologies/ads.
9. Rights of data subjects
Access, rectification, deletion, restriction: Within the framework of the legal requirements, you have the right at any time to obtain information about the data stored about you (Art. 15 GDPR; Art. 25 revFADP). Upon request, we will inform you which personal data we have stored about you, its origin, recipients and the purpose for which the processing takes place. You also have the right to rectification of inaccurate data (Art. 16 GDPR; Art. 32 para. 1 revFADP) and – under the conditions of Art. 17 GDPR – the right to deletion of your data. Note: An explicit “right to be forgotten” does not exist under Swiss data protection law; however, we will delete your data upon request, provided that there is no entitlement or obligation for further retention. Furthermore, you have the right to request restriction of processing (Art. 18 GDPR) – for example, if you dispute the accuracy of the data or the processing is unlawful, you may request restriction instead of deletion.
Right to object: Insofar as we process data on the basis of a legitimate interest (Art. 6 para. 1 lit. f GDPR), you have the right, on grounds relating to your particular situation, to object to this processing at any time (Art. 21 para. 1 GDPR). If you exercise your right to object, we will no longer process the data concerned for these purposes, unless we can demonstrate compelling legitimate grounds that outweigh your interests. If your data is processed for the purpose of direct advertising, you may also object to processing for such advertising purposes at any time (Art. 21 para. 2 GDPR); in this case we will no longer use your data for direct advertising.
Withdrawal of consents: You can withdraw consent given for data processing at any time with effect for the future. This particularly concerns consents to the use of cookies/tracking (see cookie banner) and to receiving the newsletter. After your withdrawal, we will stop the data processing insofar as no other legal basis (e.g. legal obligation) applies. The lawfulness of processing until withdrawal remains unaffected.
Data portability: You have the right to request the data that we process automatically on the basis of your consent or for the performance of a contract in a common, machine-readable format (Art. 20 GDPR). Upon request – insofar as technically feasible – we can also transfer this data directly to another controller named by you. This right to data portability also exists analogously under Swiss law (Art. 28 revFADP) under the conditions specified there.
Right to lodge a complaint: If you believe that we are processing your data unlawfully or violating your data protection rights, you may lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR). In Germany, this is the authority of the federal state in which we are based (Hamburg Commissioner for Data Protection and Freedom of Information) or the supervisory authority at your place of residence. A list of German data protection supervisory authorities can be found here: bfdi.bund.de/anschriften. In Austria, you can contact the Data Protection Authority (dsb.gv.at). In Switzerland, you can lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC). The right to lodge a complaint exists without prejudice to other administrative or judicial remedies. We would appreciate it if you first sought dialogue with us so that any concerns can be clarified directly.
10. Further information
Data security: We protect your personal data against unauthorised access, loss or destruction through appropriate technical and organisational measures. Our website uses, for example, SSL/TLS encryption, recognisable by “https://” and the lock symbol in the browser. Transmitted data cannot therefore be read by third parties. Please note that the transmission of information by email may have security vulnerabilities; for highly confidential information, we may recommend using postal mail.
External links: Our website may contain links to other websites (e.g. partner companies). We are not responsible for their content and data protection practices. Please inform yourself there in the respective privacy policies.