Privacy Policy

1. Privacy at a Glance

General Information

The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data with which you can be personally identified. For detailed information on the subject of data protection, please refer to our privacy policy listed below this text.

Data Collection on this Website

Who is responsible for data collection on this website?

The data processing on this website is carried out by the website operator. You can find their contact details in the section "Information on the Responsible Entity" in this privacy policy.

How do we collect your data?

Your data is collected on the one hand by you communicating it to us. This can be, for example, data that you enter in a contact form.

Other data is collected automatically or after your consent by our IT systems when you visit the website. This is primarily technical data (e.g., internet browser, operating system, or time of page view). This data is collected automatically as soon as you enter this website.

What do we use your data for?

Part of the data is collected to ensure the error-free provision of the website. Other data may be used to analyze your user behavior. Insofar as contracts can be concluded or initiated via the website, the transmitted data will also be processed for contract offers, orders, or other order inquiries.

What rights do you have regarding your data?

You have the right at any time to receive information free of charge about the origin, recipient, and purpose of your stored personal data. You also have a right to request the correction or deletion of this data. If you have given your consent to data processing, you can revoke this consent at any time for the future. You also have the right to request the restriction of the processing of your personal data under certain circumstances. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.

For this purpose and for further questions on the subject of data protection, you can contact us at any time.

Our stance on cookies and tracking

You will notice that our website does not display a cookie consent banner. We are committed to transparency and protecting your privacy. Therefore, we do not use intrusive third-party tracking cookies, and we do not sell browsing data. We collect and process only the data that is strictly necessary for the operation and provision of our services.

2. Hosting

We host the content of our website with the following provider:

Hetzner

The provider is Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (hereinafter "Hetzner"). Details can be found in Hetzner's privacy policy: https://www.hetzner.com/legal/privacy-policy/

The use of Hetzner is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the most reliable presentation of our website. If a corresponding consent was requested, processing takes place exclusively on the basis of Art. 6(1)(a) GDPR and § 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Data Processing Agreement (DPA)

We have concluded a data processing agreement (AVV) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that they process the personal data of our website visitors only according to our instructions and in compliance with the GDPR.

3. General Information and Mandatory Disclosures

Data Protection

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.

When you use this website, various personal data are collected. Personal data is data with which you can be personally identified. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this happens.

We point out that data transmission over the Internet (e.g., in communication by email) can have security gaps. A complete protection of data against access by third parties is not possible.

Information on the Responsible Entity

The entity responsible for data processing on this website is:

Trusq GmbH i.G.
Lohestraße 31
90425 Nürnberg
Germany

Phone: +49 15228994275
Email: privacy@trusq.de

The responsible entity (controller) is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (e.g., names, email addresses, etc.).

Storage Duration

We process and store your personal data only for as long as is necessary to fulfill the purpose for which it was collected, or as required by statutory retention obligations. Once the relevant purpose ceases to apply or the applicable retention period expires, your data is routinely blocked or securely deleted in accordance with the applicable regulations.

General retention periods:

• Account and contract data: Retained for the duration of the contractual relationship and thereafter for up to 10 years, in accordance with German commercial and tax law (§ 147 AO, § 257 HGB).
• Billing and invoice data: Retained for 10 years from the end of the calendar year in which the invoice was issued, as required by tax law.
• Server logs: Automatically deleted after 7 days, unless longer retention is required for security incidents.
• Marketing data: Retained until consent is withdrawn.
• Audit logs: Retained for at least 2 years for compliance purposes.
• System Backups: Retained for 30 days in line with our two-phase deletion window.
• Suppression lists: Retained after deletion in accordance with the ePrivacy directive to respect previous opt-out requests and prevent re-contact.

Workspace-configurable retention (ticket and contact data):
Within the Trusq platform, administrators can configure retention periods for resolved and closed tickets. A minimum retention period of 30 days applies, with a default value of 365 days. These settings are applied per workspace.

Deletion process (two-phase):

When data reaches the end of its retention period or you exercise your right to erasure (Art. 17 GDPR), deletion occurs in two phases:

1. Soft-deletion: Personal identifiers and contact details are immediately anonymized (replaced with pseudonymized placeholders), while the structural record is maintained for internal reporting integrity.
2. Hard-deletion: After a maximum of 30 days from soft-deletion, all remaining data — including associated tickets and messages — is permanently and irreversibly removed by an automated process.

Unless a more specific storage period is mentioned within this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies or statutory retention periods expire.

General Information on the Legal Bases for Data Processing

Insofar as you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, if special categories of data according to Art. 9(1) GDPR are processed. In the case of express consent to the transfer of personal data to third countries, data processing is also based on Art. 49(1)(a) GDPR. Insofar as you have consented to the storage of cookies or to the access to information in your terminal device (e.g., via device fingerprinting), the data processing will additionally take place on the basis of § 25(1) TDDDG. Consent can be revoked at any time. If your data is required to fulfill a contract or to carry out pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, we process your data if it is necessary to fulfill a legal obligation on the basis of Art. 6(1)(c) GDPR. Data processing may also be based on our legitimate interest according to Art. 6(1)(f) GDPR. Information on the legal bases relevant in each individual case is provided in the following paragraphs of this privacy policy.

Recipients of Personal Data

In the course of our business, we work with various external entities. In some cases, the transmission of personal data to these external entities is also necessary. We only pass on personal data to external entities if this is necessary within the framework of contract fulfillment, if we are legally obliged to do so (e.g., passing on data to tax authorities), if we have a legitimate interest according to Art. 6(1)(f) GDPR in the transfer, or if another legal basis allows the data transfer.

Specifically, we share your data with the following categories of recipients:

• IT Infrastructure & Hosting Providers: Providers who host our platform and databases (e.g., Hetzner), acting on the basis of data processing agreements (Art. 28 GDPR).
• Payment Providers: Third parties who process payments on our behalf (e.g., Mollie or banks).
• Customer Support & Communication Tools: Software providers for managing support inquiries and customer communication (e.g., Mistral, WhatsApp).
• Analytics & Monitoring Tools: Providers for internal performance monitoring and error tracking of the website.
• Legal, Tax, and Accounting Advisors: Professional secrecy holders who are bound by confidentiality.
• Public Entities: Courts, tax authorities, or supervisory authorities, provided there is a legal obligation to pass it on.

When using processors, we only pass on personal data of our customers on the basis of a valid data processing agreement. In the case of joint processing, a joint controller agreement is concluded.

Withdrawal of your Consent to Data Processing

Many data processing operations are only possible with your express consent. You can revoke a consent already given at any time.

• Form: Withdrawal can be made informally, for example by email to privacy@trusq.de.
• Effect: The legality of the data processing carried out until the revocation remains unaffected. After receiving your revocation, we will no longer process the affected data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.

Right to Object to Data Collection in Special Cases and to Direct Marketing (Art. 21 GDPR)

CASE-SPECIFIC OBJECTION (Art. 21(1) GDPR)
IF DATA PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO SUCH PROCESSING ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR PROCESSING THAT OUTWEIGH YOUR INTERESTS, RIGHTS, AND FREEDOMS OR THE PROCESSING SERVES TO ASSERT, EXERCISE, OR DEFEND LEGAL CLAIMS.

OBJECTION TO DIRECT MARKETING (Art. 21(2) GDPR)
IF YOUR PERSONAL DATA ARE PROCESSED FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR THE PURPOSE OF SUCH MARKETING; THIS ALSO APPLIES TO PROFILING INSOFAR AS IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR THE PURPOSE OF DIRECT MARKETING.

To exercise your right to object to direct marketing, you can use the following methods:

• Unsubscribe Link: Click the "Unsubscribe" link at the end of any marketing email.
• Account Settings: Deactivate marketing notifications directly in your profile settings at trusq.ai/settings.
• Contact: Send us an email with the subject "Objection to Marketing" to privacy@trusq.de.

Right to Lodge a Complaint with a Supervisory Authority

In the event of infringements of the GDPR, you have a right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement (Art. 77 GDPR). The right to lodge a complaint is without prejudice to other administrative or judicial remedies.

The authority responsible for Trusq GmbH i.G. with headquarters in Nürnberg is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Website: https://www.lda.bayern.de

Right to Data Portability

According to Art. 20 GDPR, you have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format.

• Prerequisites: The right applies to data that you have provided to us and that are processed using automated procedures.
• Scope at Trusq: This specifically includes your profile information, account settings, and the history of your ticket interactions and messages.
• Formats: We provide this data by default in JSON or CSV formats to ensure interoperability with other systems.
• Deadline: We commit to processing such data portability requests within 30 days of receipt and verification of your identity.

Insofar as you request the direct transmission of the data to another controller, this will only take place insofar as it is technically feasible.

Information, Rectification and Erasure

Within the framework of the applicable legal provisions (Art. 15–17 GDPR), you have the right at any time to free information about your stored personal data, its origin and recipients, and the purpose of data processing. If necessary, you also have the right to correction or deletion of this data. For this purpose, as well as for further questions on the subject of personal data, you can contact us at any time.

Many of these rights can also be exercised directly by you in your Trusq profile settings.

Right to Restriction of Processing

You have the right to request the restriction of the processing of your personal data (Art. 18 GDPR). For this, you can contact us at any time. The right to restriction of processing exists in the following cases:

• If you contest the accuracy of your personal data stored with us, we usually need time to check this. For the duration of the review, you have the right to request the restriction of the processing of your personal data.
• If the processing of your personal data was/is unlawful, you can request the restriction of data processing instead of deletion.
• If we no longer need your personal data, but you need it to exercise, defend or assert legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
• If you have lodged an objection according to Art. 21(1) GDPR, a balance must be struck between your interests and our interests. As long as it is not yet clear whose interests prevail, you have the right to request the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, these data — apart from their storage — may only be processed with your consent or for the assertion, exercise or defense of legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the European Union or a Member State.

SSL or TLS Encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries you send to us as the site operator. You can recognize an encrypted connection by the address line of the browser changing from "http://" to "https://" and by the lock symbol in your browser line.

Encrypted Payment Transactions on this Website

If there is an obligation to transmit your payment data (e.g., account number for SEPA authorization) to us after the conclusion of a cost-based contract, these data are required for payment processing.

Payment transactions via common means of payment (Visa/MasterCard, SEPA) are carried out exclusively via a secured SSL or TLS connection. In the case of encrypted communication, your payment data that you transmit to us cannot be read by third parties.

Mollie (Payment Processing)

We use the service provider Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands (hereinafter "Mollie"), for payment processing.

Details on data processing by Mollie can be found here: https://www.mollie.com/privacy

The use of Mollie is based on Art. 6(1)(b) GDPR (Contract fulfillment).

Right to Object to Promotional Emails

The use of contact data published as part of the imprint obligation for the purpose of sending unsolicited advertising and information materials is hereby prohibited. The operators of these pages expressly reserve the right to take legal action in the event of unsolicited sending of promotional information, such as spam emails.

4. Data Collection on this Website

Server Log Files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

• Browser type and browser version
• Operating system in use
• Referrer URL
• Hostname of the accessing computer
• Time of the server request
• IP address

A merge of this data with other data sources is not performed.

The collection of this data is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website — for this purpose, the server log files must be recorded.

Contact Form

If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provided there, will be stored by us for the purpose of processing the inquiry and for follow-up questions. We do not pass this data on without your consent.

The processing of these data takes place on the basis of Art. 6(1)(b) GDPR, if your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if requested; consent can be revoked at any time.

The data you enter in the contact form will remain with us until you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after processing your inquiry has been completed). Mandatory statutory provisions — in particular retention periods — remain unaffected.

Use of Artificial Intelligence (AI) for Processing Customer Inquiries

We use AI-assisted software to process and answer customer inquiries more efficiently. In this context, our AI processes all contents of your message (e.g., names, email addresses, and contents).

• Legitimate Interest: The use is based on our legitimate interest in fast and efficient customer communication and support (Art. 6(1)(f) GDPR).
• Mistral: We use technology from Mistral (15 Rue des Halles, 75001 Paris, France) for our customer communication. We have concluded a data processing agreement (AVV) with Mistral.

Inquiries by Email, Telephone or Fax

If you contact us via email, telephone or fax, your inquiry including all resulting personal data (name, inquiry) will be stored and processed by us for handling your request. We do not pass this data on without your consent.

The processing of these data takes place on the basis of Art. 6(1)(b) GDPR, if your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if requested; consent can be revoked at any time.

Communication via WhatsApp

We use WhatsApp Business (WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) for communication.

WhatsApp uses end-to-end encryption, but receives access to metadata (e.g., sender, recipient, time). The use is based on our legitimate interest in the fastest and most efficient communication with customers (Art. 6(1)(f) GDPR). If a corresponding consent has been requested, processing takes place exclusively on the basis of the consent; it can be revoked at any time.

5. Social Media

Instagram

Functions of the Instagram service are integrated on this website. These functions are offered by Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).

When the social media element is active, a direct connection is established between your terminal device and the Instagram server. The use of this service is based on your consent according to Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time.

Information on data processing by Instagram can be found in their privacy policy: https://instagram.com/about/legal/privacy/

6. eCommerce and Payment Providers

Processing of Customer and Contract Data

We collect, process, and use personal customer and contract data to establish, draft the content of, and modify our contractual relationships. We collect, process, and use personal data about the use of this website (usage data) only to the extent necessary to enable the user to use the service or to bill them. This is based on Art. 6(1)(b) GDPR.

Data Transmission upon Conclusion of Contract for Services and Digital Content

We transmit personal data to third parties only if this is necessary within the framework of contract execution, for example to the credit institution commissioned with payment processing.

Further transmission of data does not take place unless you have expressly consented to the transmission. A passing on of your data to third parties without express consent, for example for advertising purposes, does not take place.

The basis for data processing is Art. 6(1)(b) GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures.