Privacy Policy

Quipu GmbH is committed to safeguarding your personal information. We handle all personal data in strict accordance with the European Union General Data Protection Regulation (GDPR) and relevant national data protection laws, ensuring that processing is lawful, fair, and transparent (as required by Article 5 GDPR). In practice, this means we only collect and use your data for legitimate purposes and with a valid legal basis – such as your consent or our legitimate interests – in compliance with GDPR Article 6.

We dedicate ourselves to protecting the security of your data and maintaining your privacy rights at every step. This Privacy Policy explains how we use your personal data, what information we collect through our website and services, why we collect it, and what rights you have regarding your data. 

This Privacy Policy applies to Quipu GmbH. It does not cover the services that Quipu provides to our customers, which are governed by their own privacy policies, nor does it apply to online services of third parties.

1. Contact

The responsible party for the processing of your personal data within the meaning of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union, and other provisions related to data protection is:

Controller

Quipu GmbH

Königsberger Str. 1

60487 Frankfurt

Germany

Phone: +49 69 50 69 90-0

Email: quipu@quipu.de

Website: www.quipu.de

Data Protection Officer

Name: Jacqueline Neiazy

Company: ISiCO GmbH

Address: Am Hamburger Bahnhof 4, 10557 Berlin

Date of appointment: 01.02.2024

If you have any questions about data protection, please contact our data protection officer:  dpo@quipu.de.

2. Data Processing on our website

Personal data provided by you are processed and used by us exclusively for the purposes specified. These include, in particular:

2.1. Automatically collected data

Whenever you access our website, your browser automatically transmits connection data that we collect to enable your visit. We collect technical information such as your browser type and version, device details, and operating system (user agent); the URL you requested; the domain name of the website you visited immediately before accessing our site (referrer URL); the date and time of your visit (timestamp); your IP address; and other similar data that may be used to detect or investigate website security incidents.

Processing this data is strictly necessary to facilitate your website visit, ensure the long-term functionality and security of our systems, and maintain the administrative operation of our website. For these purposes, connection data is also temporarily stored in internal log files, limited to what is necessary—for example, to investigate repeated or suspicious activity that could threaten the stability and security of our website.

The legal basis for this processing is Article 6(1)(b) GDPR when the page view relates to the initiation or performance of a contract, and otherwise Article 6(1)(f) GDPR, reflecting our legitimate interest in enabling website access and maintaining the ongoing functionality and security of our systems. In these cases, accessing and storing information on your device is strictly necessary and based on the implementation laws of the EU ePrivacy Directive, specifically § 25 (2) No. 2 TDDDG in Germany.

Temporary storage of the IP address is necessary for the purpose of delivering the content of our website, and to protect Quipu’s interest in ensuring secure operations and protection against website attacks. The retention period for the log files and IP address is stored for 90 days.

 In the event of a cyber-attack or other indications of unlawful usage, we reserve the right to disclose the data to law enforcement authorities for criminal prosecution. In such an event, we store data for a period of up to three years and, in individual cases, for a longer period if there are grounds for the enforcement, exercise or defense of legal claims.

2.2. Email contact

Our website allows you to contact us via the provided email address. If you use this option, the personal data transmitted with the email will be stored and used solely for the purpose of handling and responding to your inquiry. The legal basis for processing data is Art. 6 para. (1) f. GDPR, for the purpose of handling your inquiry, where we have a legitimate interest in ensuring effective communication with third parties. The retention period for personal data sent by email and the subsequent communication is up to six (6) years, per our legal obligation to archive commercial letters per Handelsgesetzbuch § 257. There is no disclosure of data to third parties. If you do not provide your data, we will unfortunately be unable to process your request. Automated decision-making does not take place. Among the rights highlighted in section 3, you have the right to object to the processing of your personal data. In such cases, the conversation cannot be continued.

2.3. Job applications

The personal data you provide for the purposes of the application process will be collected, processed, and used to decide on establishing an employment relationship in accordance with Section 26 (1) of the German Federal Data Protection Act (BDSG). Providing your personal data is necessary for processing your application. If you do not provide your data, we cannot consider you for the advertised position. Automated decision-making does not occur. 

For more information on how we process your data as a job applicant, please visit our privacy policy here: https://www.quipu.de/wp-content/uploads/2025/04/Quipu-Privacy-Policy-for-Job-Applicants-V.5.pdf

2.4. Tender, Supplier and Contract Management:

We process your personal data as a contact person or representative of a company working with or collaborating with Quipu. This is to communicate with you during the tender process and to manage our business relationships and contracts. Your personal data is used mainly for communication purposes (primarily emails), including when sending purchase orders, conclusion of commercial agreements, and in connection with invoices, accounting ect. We also process your personal data for due diligence purposes, to identify and evaluate your business as a supplier in areas like ESG, third-party risk, or data protection (primarily through OneTrust questionnaires).

We process your contact information (name, job title, work email address, work address, and work phone number), and personal data necessary for signing documents (signature, certificates, and authorizations) on the following legal basis:

• Art. 6(1) lit. c GDPR (Legal Obligation): Compliance with bookkeeping legislation, which sets out the rules on storing accounting records.
• Art. 6(1) lit. f GDPR (Legitimate Interests): To communicate effectively through the tender process and managing daily operations, due diligence processes, and contracts.

External service providers, such as AdobeSign, OneTrust, Microsoft, and ELO system may also receive your data in accordance with Art. 28 GDPR, with appropriate data processing agreements in place. Additionally, your data may be shared with our group enterprises – see the list of ProCredit Institutions. Your personal information might be transferred outside the European Economic Area to Quipu subsidiaries. We have implemented security measures and legal protections for personal data in these third countries, including data transfer agreements based on Standard Contractual Clauses approved by the European Commission. To request a copy of these safeguards, please email us at dpo@quipu.de.

We keep your personal data: 

• Per our legal obligation to archive commercial letters for a period up to six (6) years per the Handelsgesetzbuch § 257. This applies to all email communication.
• Invoices for a period for up to ten (10) years per the Handelsgesetzbuch § 257.
• Contract data and contracts as long as we have an ongoing business relationship, or for a period up to six (6) or ten (10) years after the business relationship is terminated per the Handelsgesetzbuch § 257. 
• As necessary to meet our legitimate business needs (such as reporting, due diligence records in OneTrust, follow-up, etc.).

Automated decision-making does not take place. If you do not provide your data, we will unfortunately be unable to enter into a business relationship with you or the company you are representing. Among the rights highlighted in section 3, you have the right to object to the processing of your personal data. In such cases, the business relationship with the company you work for cannot be continued.

2.5 Cookies

Our website uses cookies, which are small text files placed on your device to make our site work and to improve your experience. Each cookie contains a unique identifier (a “cookie ID”) that allows us to recognize your browser when you return. For example, cookies help us remember your preferences and understand how you interact with our site.

We only activate non-essential cookies, such as those used for analytics or marketing, if you have given your consent. This approach complies with the EU ePrivacy Directive and, in Germany, with § 25(1) of the Telecommunications and Telemedia Data Protection Act (TDDDG). The legal basis for processing optional cookies is your consent under Article 6(1)(a) of the General Data Protection Regulation (GDPR).

You can manage or withdraw your cookie preferences at any time by visiting our cookie policy page: https://www.quipu.de/privacy-policy/. You may also configure your browser to block or delete cookies, either automatically or manually. Please note that disabling optional cookies may affect the availability or performance of certain features on our website.

As described in Section 3 of this policy, you have the right to withdraw your consent at any time. We do not use cookie data for automated decision-making.

2.6. Web analysis and Integrations

To continuously optimize functionality and incorporate content and services, our website uses the web analysis services and intergrations of third-party providers.

2.6.1 Google Analytics

If you have provided your consent, this website uses Google Analytics 4, a web analytics platform operated by Google LLC. For users located in the EU, EEA, or Switzerland, the responsible entity is Google Ireland Limited, located at Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland (“Google”).

Google Analytics relies on cookies stored on your device to collect and evaluate usage data. During your visit, various interactions – referred to as “events” – are recorded. These may include page views, session starts, navigation paths, clicks on internal or external links, scroll depth (e.g., reaching 90% of a page), search queries, video plays, file downloads, ad interactions, and language preferences. Additional data such as your approximate geographic region, visit timestamp, truncated IP address, browser and device specifications (e.g., screen resolution, language settings), internet service provider, and the referring website or campaign source may also be processed.

Google Analytics is configured with IP anonymization enabled by default. This means your IP address is shortened before being stored or processed. In rare cases, the full IP address may be transmitted to Google servers in the United States and truncated there. According to Google, IP addresses collected through Analytics are not combined with other Google data.

The legal basis for this processing is your consent in accordance with Article 6(1)(a) GDPR and § 25(1) TDDDG. The purpose is to analyze website usage and generate reports on user activity. Data associated with cookies is automatically deleted after two months. Google may receive this data, and it is typically stored on servers in the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework. To ensure adequate protection for any potential transfers to other countries (e.g., Singapore), we have entered into EU Standard Contractual Clauses with Google.

As outlined in Section 3 of this policy, you may withdraw your consent at any time with future effect by adjusting your preferences in our cookie settings: https://www.quipu.de/privacy-policy/. Withdrawal does not affect the lawfulness of processing carried out prior to revocation (Article 7(3) GDPR). You may also opt out of Google Analytics by installing the browser add-on available here.

For further details, please consult Google’s Analytics Terms of Service at https://marketingplatform.google.com/about/analytics/terms/us/ and Google’s Privacy Policy at https://policies.google.com/?hl=en.

2.6.2. Bootstrap CDN

To ensure fast and reliable delivery of website content, we utilize the Bootstrap Content Delivery Network (CDN), operated by Volentio JSD Limited, Suite 2a1, Northside House, Mount Pleasant, Barnet, England, EN4 9EB (“Volentio”). This service enables the efficient loading of static assets such as stylesheets and scripts.

When you access our website, your browser connects to Volentio’s servers (e.g., fonts.gstatic.com) to retrieve the necessary files. In doing so, technical data such as your IP address, browser type and version, referrer URL, and the time and location of access may be transmitted. This information is processed exclusively for the purpose of delivering the requested content, maintaining service availability, and resolving technical issues.

The legal basis for this processing is our legitimate interest in providing a secure and optimized website experience, pursuant to Article 6(1)(f) GDPR. Volentio is based in the United Kingdom, which benefits from an adequacy decision by the European Commission. We have entered into a data processing agreement with Volentio to ensure appropriate safeguards are in place. As this connection is essential for the technical operation of the website, users cannot opt out of this processing. No automated decision-making occurs.

For more information, please refer to Volentio’s privacy policy: https://www.jsdelivr.com/terms/privacy-policy

2.6.3. Cookiefirst

We use the CookieFirst platform, provided by Digital Data Solutions BV, Plantage Middenlaan 42A, Amsterdam, the Netherlands, to manage cookie consent on our website. This tool detects cookies in use and ensures that they are deployed in accordance with your preferences.

When you interact with our cookie banner or modify your consent settings, a connection is established with CookieFirst’s servers. During this interaction, data such as your anonymized IP address, browser and device information, operating system, and timestamp of your visit may be collected. CookieFirst also stores your consent choices in a cookie on your device.

This processing is necessary to fulfill our legal obligations under the GDPR and the German Telecommunications and Telemedia Data Protection Act (TDDDG), in accordance with Article 6(1)(c) GDPR. The data is retained only as long as required to document your consent status. We have concluded a data processing agreement with CookieFirst to ensure compliance with applicable data protection laws.

No automated decision-making takes place. While you have rights under the GDPR, please note that certain limitations may apply depending on the legal context. You can review the data processing agreement here: https://cookiefirst.com/legal/sign-data-processing-agreement/

2.6.4. Link11

To safeguard our website against Distributed Denial of Service (DDoS) attacks and ensure secure operation, we use a protection service provided by Link11 GmbH, Lindleystr. 12, 60314 Frankfurt am Main, Germany.

As part of this service, access logs are collected and analyzed. These logs may include your IP address, the date and time of access, the requested URL, browser and device details, referrer information, and any personal data contained in the URL. This data is processed solely for the purposes of threat detection, incident response, and maintaining website security.

The legal basis for this processing is our legitimate interest in protecting our digital infrastructure, as outlined in Article 6(1)(f) GDPR. Access logs are retained only for as long as necessary to fulfill these purposes, typically between 32 days and one year. In the event of a security incident or suspected misuse, we may retain the data for up to three years or longer if required for legal proceedings. We have entered into a data processing agreement with Link11 to ensure compliance with data protection standards.

No automated decision-making is involved in this process. Where necessary, and in accordance with applicable law, we may share relevant data with law enforcement authorities for the purpose of investigating and prosecuting cybercrime.

2.6.5. Google fonts

To ensure consistent and visually appealing typography across our website, we utilize fonts provided by Google Fonts, a service operated by Google Ireland Limited (Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland).

When you visit our website, your browser automatically connects to Google’s font servers (typically fonts.gstatic.com) to retrieve the necessary font files. In doing so, certain technical information—such as your IP address, browser type, screen resolution, and language preferences—may be transmitted to Google. According to Google, these font requests are processed independently of any personal data associated with your Google account and are not combined with other Google services.

This data processing is based on our legitimate interest in delivering a consistent and optimized website experience, as outlined in Article 6(1)(f) of the GDPR. Google may receive this data, and in some cases, it may be transferred to servers located outside the European Union. Google LLC is certified under the EU-U.S. Data Privacy Framework, which ensures an adequate level of data protection for such transfers. Additionally, the Google Fonts API is designed to limit data collection: CSS requests are retained for 24 hours, while font files are cached for up to one year to improve loading performance.

Please note that any data exchanged with Google in the context of Google Fonts is managed automatically by Google and cannot be manually deleted by us. For more details on how Google handles data in this context, please refer to the Google Fonts FAQ at https://developers.google.com/fonts/faq and Google’s Privacy Policy at https://www.google.com/intl/en/policies/privacy/.

2.7. Social media presence

Quipu operates official profiles on several social media platforms. Our website does not embed social media plugins; instead, we include direct links—either as text or icons—that lead to our external profiles. No data is transmitted to the respective platforms until you actively click on one of these links.

When you access or engage with our social media pages, the respective platform may begin processing your personal data. As administrators of these company pages, we receive aggregated, anonymized analytics—referred to as “Page Insights”—from the platforms. These insights provide statistical information about how users interact with our content and help us better understand audience engagement. This processing is carried out under a joint controllership arrangement between Quipu and the platform provider, in accordance with Article 26 of the GDPR. However, we do not have access to data that can identify individual visitors.

Please note that social media platforms may also collect and process personal data for their own purposes, including the use of cookies or similar tracking technologies. For detailed information on how each platform handles your data, including your rights and available privacy settings, we recommend reviewing the privacy policies of the respective providers.

2.7.1    Facebook and Instagram

When you visit our Facebook or Instagram pages, certain personal data may be processed. This processing is primarily carried out under the responsibility of Meta Platforms Ireland Limited (“Meta”), located at 6 Serpentine Avenue, Dublin, D04 H0C9, Ireland. Meta acts as the sole data controller for this activity. For detailed information on how Meta handles personal data, please refer to its privacy policy: https://www.facebook.com/privacy/explanation. You can also manage your preferences and object to specific types of data processing via Meta’s settings: https://www.facebook.com/settings?tab=ads.

In cases where Meta provides us with aggregated, anonymized statistics—referred to as “Page Insights”—we and Meta act as joint controllers under Article 26 of the GDPR. These insights help us understand how users interact with our content and support our legitimate interest in improving our online presence. The legal basis for this processing is Article 6(1)(f) GDPR. We have entered into a joint controller agreement with Meta that outlines the respective responsibilities for data protection. You can find more information about this agreement and the processing of Page Insights data here: https://www.facebook.com/legal/terms/information_about_page_insights_data.

You may exercise your rights as a data subject directly with Meta. Additional details are available in Meta’s privacy policy: https://www.facebook.com/privacy/explanation.

Please be aware that, according to Meta, personal data may be transferred to the United States or other countries outside the European Economic Area. Such transfers are made either to countries recognized by the European Commission as providing adequate data protection or are safeguarded through appropriate mechanisms in accordance with Article 46 GDPR.

2.7.2. LinkedIn

Our LinkedIn company page is hosted on the platform operated by LinkedIn Ireland Unlimited Company, located at Wilton Plaza, Wilton Place, Dublin 2, Ireland. When you visit or interact with our LinkedIn page, LinkedIn acts as the primary controller for the processing of your personal data. For more information about how LinkedIn handles personal data, please refer to their privacy policy: https://www.linkedin.com/legal/privacy-policy.

When you follow or engage with our page, LinkedIn processes your personal data to generate aggregated statistics—referred to as “Page Insights”—which provide us with anonymized information about user interactions. This processing is carried out under a joint controllership arrangement between LinkedIn and us, based on our legitimate interest in analyzing and improving our presence on the platform (Article 6(1)(f) GDPR). The joint controller agreement, which outlines the respective responsibilities of LinkedIn and Quipu, is available at: https://legal.linkedin.com/pages-joint-controller-addendum.

Under this agreement, LinkedIn is responsible for enabling you to exercise your rights under the GDPR. You can contact LinkedIn directly via https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de or reach their Data Protection Officer at https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You may also contact us, and we will forward your request to LinkedIn.

The Irish Data Protection Commission serves as the lead supervisory authority for Page Insights-related processing. You have the right to file a complaint with this authority (https://www.dataprotection.ie) or with any other competent data protection authority.

Please note that, according to LinkedIn’s privacy policy, personal data may be transferred to the United States or other countries outside the European Economic Area. Such transfers are made either to jurisdictions with an adequacy decision by the European Commission or are safeguarded through appropriate mechanisms in accordance with Article 46 GDPR.

2.7.3. Youtube

When you visit our YouTube channel or view embedded videos, personal data such as your IP address, account information, comments, or other identifiers may be collected and processed by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), which operates YouTube in the EU. This processing may occur regardless of whether you are logged into a Google account.

For more information on how Google processes personal data and uses cookies, please consult their privacy and cookie policies:

• https://policies.google.com/privacy?hl=de&gl=de
• https://policies.google.com/technologies/cookies?hl=de&gl=de

If you contact us via YouTube—for example, by commenting on a video—we process your message and associated profile data solely to respond to your inquiry, based on our legitimate interest (Article 6(1)(f) GDPR). You may delete your own comments at any time.

We also receive anonymized analytics from YouTube (e.g., device type, browser, age group, gender, and watch time), but we do not have access to the underlying personal data. For more information on YouTube Analytics and privacy settings, visit:

• https://support.google.com/youtube/answer/9315727?hl=de&ref_topic=9386940
• https://support.google.com/youtube/topic/9257532?hl=de&ref_topic=9257610

Please note that YouTube and Google do not currently offer a joint controller agreement under Article 26(1) GDPR. We have no influence over how, where, or for how long your data is stored, nor over any profiling or data sharing practices. If you prefer not to have your data processed by YouTube or Google, we recommend contacting us through alternative channels.

2.7.4. X (Formerly Twitter)

You can also reach us via our official X (formerly Twitter) account. When you interact with us on X—such as by replying, retweeting, or mentioning our handle—your personal data may be processed. This includes any information you share publicly or in direct messages.

X Corp. is responsible for the operation of the platform and the associated data processing. This applies regardless of whether you are logged in or have an account. X may also provide us with anonymized usage statistics (e.g., likes, impressions, or engagement metrics) through Twitter Analytics. We do not control or influence how this data is collected or processed.

If you engage with us on X, we process your data solely to respond to your communication, based on our legitimate interest in maintaining public engagement (Article 6(1)(f) GDPR). You can manage your privacy settings directly in your X account.

To exercise your data protection rights related to X, please contact the platform directly. As we do not control the technical infrastructure or data processing, we are limited in our ability to act independently. However, we will support you in asserting your rights and, where appropriate, forward your request to X.

For more information on how X handles personal data, please refer to their privacy policy: https://twitter.com/de/privacy.

3. Information on your rights

Under the GDPR, you have the following rights regarding your personal data: 

• Right of Access (GDPR Art. 15): You can ask us to confirm if we are processing your personal data. If we are, you have the right to request a copy of the data we hold about you, as well as to obtain information on how we use it. 
• Right to Rectification (Art. 16 GDPR): If any personal data we have is incorrect or incomplete, you have the right to have it corrected or updated without undue delay. 
• Right to Erasure (Art. 17 GDPR): You have the right to request deletion of your personal data in certain circumstances – for example, if the data is no longer necessary for the purposes it was collected, or if you withdraw consent and we have no other legal basis to continue processing. This is sometimes called the “right to be forgotten.” 
• Right to Restrict Processing (Art. 18 GDPR): You can ask us to limit how we process your data in certain situations. This might apply if you contest the accuracy of your data (while we verify it), or if you object to our processing and we are considering your request. When processing is restricted, we will store your data but not use it until the issue is resolved (aside from keeping necessary records). 
• Right to Data Portability (Art. 20 GDPR): When our processing of your data is based on your consent or a contract with you and is carried out by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format. You also have the right to have that data transmitted to another controller (for example, another service provider), where technically feasible. 
• Right to Object (Art. 21 GDPR): You may object to us processing your personal data if we are doing so under a legitimate interest basis or for direct marketing purposes. If you object, we will stop processing your data unless we have compelling legitimate grounds that override your interests, or if the processing is needed for legal claims. You always have the right to object to personal data use for direct marketing, and if you do so, we will cease such marketing. 
• Right to Withdraw Consent (Art. 7(3) GDPR): If we rely on your consent for any part of our data processing, you are entitled to withdraw that consent at any time. If you withdraw consent, we will stop the processing that was based on it. (Please note that withdrawing consent does not affect the lawfulness of any processing we carried out before your withdrawal.) 

We respect all of these rights and have procedures in place to help you exercise them. To make a request regarding any of these rights, please contact us at our Data Protection Officer at dpo@quipu.de. the contact details provided in this Privacy Policy. We will respond to your request as soon as possible, and at latest within the timeframe required by law (generally one month under GDPR, with extensions if necessary).

Requests you submit to exercise your data subject rights, along with our responses, will be retained for documentation purposes for up to three years. In specific cases, this period may be extended if necessary for the establishment, exercise, or defense of legal claims. The legal basis for this retention is Article 6(1)(f) GDPR, reflecting our legitimate interest in defending against potential civil claims under Article 82 GDPR, preventing fines under Article 83 GDPR, and fulfilling our accountability obligations under Article 5(2) GDPR.

Furthermore, you have the right to lodge a complaint with a supervisory authority regarding the processing of your data (Art. 77 GDPR). If you believe that the processing of your personal data does not comply with data protection laws, we kindly ask you to first contact our Data Protection Officer. The data protection authority responsible for the territory in which Quipu’s head office is located is:

Der Hessische Datenschutzbeauftragte,

Web page: https://datenschutz.hessen.de/

Email address: Poststelle@datenschutz.hessen.de

Tel.: +49 611 1408 – 0

4. Reservation of Changes

We reserve the right to modify the measures and provisions outlined here in accordance with applicable legal regulations. Such amendments may be necessary due to new technological developments, changes in case law, or adjustments in our business operations.

Please ensure you always refer to the most recent version of this privacy policy.

Version: March 2026

Please also read our Legal Notice.