Privacy statement

Privacy Policy (May 25th, 2018, v2.0)

This Privacy Policy covers the collection, use and disclosure of information through our website Throughout this Privacy Policy we’ll refer to this website or subdomains that link to this Privacy Policy collectively as our 'Site'.  We operate this site in compliance with applicable laws on data privacy protection and data security.

Protecting the security and privacy of your personal data is important to us and we are committed to safeguarding and preserving your privacy when visiting our site or communicating with us. 

Sponge Compliance’s processing of personal data and privacy is in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679).

Policy Statement Version: 2.0
Last updated: 10.07.2018

1 Information on collecting personal data

(1) This Privacy Policy provides an explanation as to what happens to any personal data that you provide to us, or that we collect from you.  We describe our use of your information, where your information is stored, how long we will retain your information, our use of third party information and our policy on the sharing of information. 

We only collect information about you if we have a reason to do so – for example, to provide services or information more tailored to your needs, to communicate with you, or to improve our services.

Personal data is all data that identifies you as an individual, e.g. name, address, email address, user behaviour.

If you have any questions, comments or concerns regarding this Privacy Policy, please contact:

Sponge Germany GmbH
Hardenbergstr. 32
10623 Berlin
T +49 30 841914-0
E compliance[at]

Or you can contact our data protection officer at:

legitimis GmbH
Ball 1
51429 Bergisch Gladbach
E datenschutz-idox[at]

(2) When contacting us via email or when using a contact form, we will only use the data provided by you (e. g. email address, name, phone number) to answer your request. We will delete the data accumulated during this process if there is no legal requirement or contractual obligation to retain this data.

2 Your rights

(1) You have the following rights concerning personal data collected by us:

  • Right to receive a copy of your data
  • Right to have data corrected or erased
  • Right to restrict processing
  • Right to object against processing
  • Right to have your data transferred

(2) In addition, if you are unhappy with the way in which we process your personal information, you can raise your concerns with a data protection authority.

3 Information we collect

(1) When visiting our website, we may gather information about your computer to provide statistical information about the use of our site. Similarly, we may gather information that is technically required to display the site and guarantee stability as well as protection. Examples of statistical information we collect:

  • IP address
  • Time and date of the request
  • Time difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Request status / HTTP status code
  • Data volume transferred
  • Website the request comes from
  • Browser
  • Operating system and its user interface
  • Language and version of the browser software

(2) In addition, we collect certain information automatically when you visit our site, read our emails, or interact with us. We typically collect this information through a variety of tracking technologies including cookies and beacons. Cookies are text files that contain small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises the cookie.  Cookies can’t execute programs or transfer potentially malicious software to your computer. They only serve to improve usability and user experience of our site.

4 How we use information

(1) In addition to the use of our site as an information source, visitors may choose to access services that require the submission of additional personal data to fulfil these services which are subject to the data privacy principles mentioned above.

(2) From time to time, we may engage service providers and contractors that act on behalf and under the instructions of Sponge Compliance to perform certain business-related functions. These service providers will only be provided with appropriate and minimal information for the duties/tasks to be undertaken. Sponge Compliance requires that all such service providers endorse the principles set out under the General Data Protection Regulation (GDPR) and adopt adequate technical and organisational security measures to ensure the processing of personal data only as instructed by Sponge and for no other purposes.

(3) Occasionally, we may collaborate with third parties to enable us to offer you specific promotions, competitions, products or services. Should we present you with such an offer, we will request your permission to share your personal data with the third party.

(4) Should any personal information you provide to us be processed by Sponge Compliance staff operating outside of the EEA, or by one of our service providers, Sponge Compliance requires that all such providers endorse the principles set out under GDPR, and that they implement appropriate measures to protect and secure your personal information.

5 How long do we retain your personal information?

(1) We may retain your personal data as long as you are registered to use the site. You may close your account by either clicking on the opt-out link provided in one of our communications or by email at compliance[at]

(2) In some cases, there are legal requirements to keep personal data for a minimum period, for example if it must be retained by court or tribunal order or where Sponge is under a contractual obligation to retain it. If there is no such legal requirement, Sponge Compliance will only keep the personal data for so long as it is necessary for the purposes for which it was collected, or as expressly consented. If we no longer need your personal information, we will delete or de-identify it. Even if we delete your personal data, it may persist on backup or archival media for an additional period of time for legal, tax or regulatory reasons, or for legitimate and lawful business purposes.

6 Where information is stored

We use appropriate technical, organisational and administrative measures to protect any personal information we process about you. All personal information collected from you is stored on servers in Germany and other countries within the European Economic Area (EEA).

7 Sharing information with associated businesses

(1) We do not share or sell your personal information with any other organisation, and we won't pass on your details except when we need to do so in order to complete a transaction. There are, however, certain circumstances in which we may disclose, transfer or share your personal data with certain third parties without further notice to you, which are as follow:

  • you have consented to the transfer/sharing of data;
  • the transferring/sharing of data is necessary for the performance of a contract;
  • the transferring/sharing of data is required under a legal obligation;
  • the transferring/sharing of data is necessary to protect the vital interests of the individual;
  • the transferring/sharing of data is necessary to carry out public functions (such as the administration of justice); or
  • the transferring/sharing of data is necessary in order to pursue the legitimate interests of the company or third parties (unless it could unjustifiably prejudice the interests of the individual).

(2) We may also share your personal data within the Sponge group, including Sponge subsidiaries and/or associated companies worldwide, if answering or complying to your request makes this a necessity. Any personal data shared will be done so in compliance with GDPR and this Privacy Policy. You can learn more about the members of the Sponge group at

(3) As Sponge develops its business, Sponge might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganisation, dissolution or similar event, personal data may be part of the transferred assets. You acknowledge and agree that any successor to or acquirer of the Sponge group (or its assets) or Sponge Germany GmbH will continue to have the right to use your personal data and other information in accordance with the terms of this Privacy Policy.

8 Accessing, Correcting, Updating or Deleting Personal Information

You may at any time review or update your preferences or opt-out of any marketing mailing list on which you previously asked us to include you by sending us an email at compliance[at]

9 Our policy towards children

We do not knowingly collect personal data from children. Please do not supply any personally identifiable information for a person under the age of 13 through any of our sites. If you are under the age of 13 and believe you have already provided personally identifiable information through the site, please have your parent or guardian contact us immediately at datenschutz-idox[at] so that we can remove such information from our records.

10 Marketing communication

(1) You can opt-in to receive marketing communication from us, such as news, intelligence, events or promotions. Details of the type of communications, preferred communication methods and topics that you can opt-in to receive are described on our preference management page:

(2) When you opt-in to receive email communications from us, we will ask you to provide us with the minimum information needed to facilitate your request such as your name, email address, company, country and preferred language. We collect your name so that we can address you personally and we use country and preferred language to help us send information that is relevant to you. After registration, we retain your data for sending our marketing communication according to Article 6 no.1 (a) GDPR.

(3) At Sponge Compliance, we use the double opt-in procedure for subscribing to receive marketing communications. Following registration, an email will be send to you asking you to confirm your agreement to receive marketing communications from us. We also store your IP address, registration and confirmation timestamp, for confirming your subscription and clarification of any potential misuse of your personal data. If you do not confirm your subscription, we will delete the data you have submitted after one calendar month.

(4) You can revoke your consent to receive information by email or any other method and unsubscribe at any time. You can do this by clicking on the appropriate links in every marketing communication sent by us, by using the form at, by email to compliance[at] or with a message to the address listed here.

(5) In our email marketing communications we may use web beacons to track you IP address (until you opt-in to receive communication you remain anonymous). These web beacons are stored in our marketing automation tool ‘Force24’ to help us identify and monitor how visitors interact with our brand (website visits, email opens, social media engagement and forms you may have filled in). Once you have opted-in to receive communications, for analytical purposes, we connect the data listed in § 3 and the web-beacons with your email address and an individual ID. Links in the email messages also contain this ID. This data creates a unique user profile that helps us to tailor and send only relevant marketing communications to you.

(6) We may from time to time use personal information provided by third party providers such as Databroker (third party mailing lists). This data will be used in accordance with the provider’s data transparency policy. All email communications using third party data will reference the data source and provide a link to that provider’s privacy policy/transparency policy.

11 Recruitment Data Privacy

You are hereby informed about the processing of your personal data in accordance with the General Data Protection Regulation (GDPR) as part of the application process. Should you have any questions regarding the processing of your data, please feel free to contact us or our data protection officer at any time.

Processing purposes and legal basis 
In the application, your data will be processed by the Human Resources Department in accordance with Art. 6 Para. 1 lit. b GDPR within the framework of a pre-contractual measure, here the initiation of a possible employment relationship.

Data categories and data origin 
The data for the application process includes the following data categories: Master data, communication data and data on knowledge and skills such as certificates, CV, assessments. You provide us with the data from the above data categories by sending us your application. 

Recipient and transfer of third countries 
Your data will only be passed on to the HR employee responsible for the application. If you make it into the more detailed applicant selection, your data will also be passed on to the decision-makers in the relevant department. No data will be passed on to third parties. 

Your rights
With regard to the processing of your data, you have the rights according §2 of this privacy policy. You are also free to withdraw your given consent to the processing of your data at any time. If you would like to exercise your rights, please contact your responsible contact person in the human resources department (see job advertisement or confirmation e-mail) or contact our central contact point at compliance[at]

Duration of storage
Your personal data which you send us as part of the application process will be deleted after a period of 6 months after completion of the application process. You can obtain a detailed record of the deletion process and, if necessary, confirmation of the deletion of your data in accordance with Art. 17 GDPR.  If the data should be necessary for legal prosecution after completion of the application process, data processing can take place on the basis of the requirements of Art. 6 GDPR, in particular to safeguard legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR. Our interest then lies in the assertion or defence of claims.

No automated decision making 
No automated decision making (including profiling) is performed. 

Right to lodge a complaint with a supervisory authority
Under Article 77 of the GDPR, you have the right to complain to the supervisory authority if you believe that the processing of your personal data is not lawful. For example, you can contact the supervisory authority responsible for our company:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219
10969 Berlin
Telefon: 030/13 88 9-0
Telefax: 030/21 55 050
E-Mail: mailbox[at] 

In principle, however, you can contact any data protection supervisory authority in Germany of your choice. 

12 Cookies used on this site

(1) Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improving the user experience. We also use cookies to collect information about the way you use the website, for example: the site from which you came, the pages you visit, the links you click, how frequently you access the website, whether you open emails or click the links contained in emails, whether you access the website from multiple devices, etc. We also gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our emails.

(2) This website uses the following types of cookies:

  • Transient cookies (see a)
  • Persistent cookies (see b)

a) Transient cookies or session cookies are automatically erased, when you close the browser. The session cookie is stored in temporary memory and is not retained after the browser is closed. Session cookies do not collect information from the user’s computer.

b) Persistent cookies or permanent cookies are stored on a user’s hard drive until it expires (persistent cookies are set with expiration dates) or until the user deletes the cookie.  Persistent cookies are used to collect identifying information about the user, such as web surfing behavior or user preferences for a specific website. Persistant cookies used on this site:

  • EU_OPTIN (necessary cookie)
  • _ga (analytical cookie)
  • _gat (analytical cookie)
  • _gid (analytical cookie)
  • IDE (marketing cookie)
  • wp19117 (marketing cookie)

(3) You have the right to decide whether to accept or reject cookies. You can set or amend your web browser controls to accept or refuse cookies. If you choose to reject cookies, you may still use our sites, though your access to some functionality and areas of our sites may be restricted. As how you can refuse cookies through your web browser controls vary from browser to browser, you should visit your browser's help menu for more information. For more information about cookies, including how to see what cookies have been set and how to manage and delete them, visit or

13 Google Analytics

(1) This website uses Google Analytics, a web analytics service provided by Google, Inc. (‘Google’). Google Analytics uses cookies, which are text files placed on your computer, to help the website analyse how visitors use the site. The information generated by the cookie about your use of the website (including your IP address) will usually be transmitted to and stored by Google on servers in the United States. Where IP anonymization is activated on this website, your IP address will be truncated within the area of Member States of the European Union or other parties to the Agreement of the European Economic Area. Only in exceptional cases the whole IP address will be first transferred to a Google server in the USA and truncated there. Google will use this information on behalf of the operator of this website for evaluating your use of the website, compiling reports on website activity for website operators and providing them other services relating to website activity and internet usage.

(2) The IP address that your browser conveys within the scope of Google Analytics will not be associated with any other data held by Google.

(3) You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.  If you wish to prevent Google from collecting and processing personal data provided by that cookie and related to your use of our website, you may install Google Analytics Opt-out Browser Addon for your current web browser:

(4) This website uses Google Analytics with the setting ‘_anonymizeIp()’. Only truncated IP addresses will be processed, which eliminates any reference to an individual person.

(5) We use Google Analytics to analyse the use of our website and to improve it on a regular basis. With the statistical data we can refine our offering and make it more interesting to you as a user. In exceptional cases, where personal data is transmitted in the USA, Google is subject to the EU-US Privacy Shield. For further information see:

(6) Third party supplier information: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.

Terms of service:
Privacy overview:, as well as the privacy policy:

14 Social Media

We have our own presence in various social media to present ourselves, provide information, get in touch with the respective users and to communicate with them. For our share and follow functions, we don’t use social media plug-ins that actively communicate with these services. Instead, we use simple passive links to the profiles on Twitter, Google+, XING, Facebook, YouTube and LinkedIn. This means that only after clicking on the relevant link are you are redirected to the social media website – no data is transmitted to it beforehand.

Data processing by social networks

We operate open public profiles in social networks. The social networks we use in detail can be found below. Social networks such as Facebook, Twitter, etc. can generally analyze your user behavior extensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). A visit to our social media presences initiates numerous data protection-relevant processing operations.

In detail: If you are logged in to your social media account and visit our social media presence, the operator of the social media portal can match this visit to your user account. Your personal data may also be collected even if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies that are stored on your end device or by recording your IP address. With the so collected data, the operators of the social media portals can create user profiles, in which your preferences and interests are stored. In this way, interest-based advertising can be displayed within and outside the respective social media presence. If you have a account with the relevant social network, the interest-based advertisement can be displayed on all devices on which you are or were logged in.

Please also note that we cannot reproduce all the processes on the social media portals. Therefore, depending on the provider, further processing may be carried out by the operators of the social media portals. For details, please refer to the terms of use and privacy policy of the respective social media portals..

Legal base

Our social media appearances are supposed to ensure the widest possible presence on the Internet. This is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. The analytical processes initiated by the social networks may be based on different legal bases, which must be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 para. 1 lit. a GDPR).

Controller and claiming of rights

If you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the provider of the social media platform for the data processing operations caused by this visit. You can basically exercise your rights (information, correction, deletion, restriction of processing, data transferability and complaints) both against us and against the operator of the respective social media portal (e.g. against Facebook).

Please note that despite the joint responsibility with the social media portal operators, we do not have full control over the data processing operations of the social media portals. Our options depend largely on the corporate policy of the respective provider.

Storage Period

The data collected directly by us via the social media presence will be deleted from our systems as soon as the purpose for storing them no longer applies, you request us to delete them, revoke your consent to storage or the purpose for storing the data no longer applies. Any cookies stored remain on your terminal device until you delete them. Mandatory legal provisions - in particular retention periods - remain unaffected.

We have no influence on the storage period of your data, which is stored by the providers of social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see below).

Our presences in overview:

  • LinkedIn: We have a presence at LinkedIn. Provider is the LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn use advertising cookies. If you want deactivate LinkedIn Advertising cookies, use this link. Details on how they handle your personal data can be found in the privacy policy of LinkedIn.
  • Twitter: We use the short message service Twitter. Provider is the Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. You can customize your Twitter privacy settings independently in your user account. Please click on this link and log in. Details be found in the privacy policy of Twitter.
  • XING: We have a presence at XING. Provider is the New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany. Details on how they handle your personal data can be found in the privacy policy of XING.
  • YouTube: We own a channel at YouTube. Provider is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Details on how they handle your personal data can be found in the privacy policy of Google.

15 Embedded YouTube videos

(1) Our website uses embedded YouTube videos,which are stored at All such videos are embedded using the ‘enhanced data privacy’ mode. Only after playing one of these videos may your data be transferred to YouTube. We have no control over this transfer.

(2) More information about the purpose and scope of data collection and processing by YouTube can be found in their data privacy policy. This policy also provides information about your rights and settings concerning your privacy: Google also processes personal data in the USA and is subject to the EU-US-Privacy-Shield:

16 Google Maps

(1) This website uses Google Maps.

(2) More information about the purpose and scope of data collection and processing by Google can be found in their data privacy policy. This policy also provides information about your rights and settings concerning your privacy: Google also processes personal data in the USA and is subject to the EU-US-Privacy-Shield:

17 Google AdWords Conversion

(1) Our website uses Google AdWords to attract interest by means of advertising media (so called Google AdWords) on external websites. This allows us to analyse the success of individual marketing measures compared to the advertising campaign. We aim to show you only those ads that are relevant to you.

(2) These ads are delivered by Google, using so called ‘ad servers’. We use ad server cookies, which we use to measure certain success indicators, such as ad impressions or clicks by users. If you visit our website by clicking on a Google ad, Google AdWords will place a cookie on your computer. These cookies are usually valid for 30 days and are not intended to identify you personally. Certain analytical values are saved together with the cookie, such as unique cookie ID, number of ad impressions per position (frequency), last impression (relevant for post view conversions) and opt-out information (a marker indicating a user does not want to see the ad anymore).

(3) These cookies enable Google to recognize your internet browser. When a user visits website pages of an AdWords client and the cookie is still valid, Google and the client recognize that the user clicked on an ad and was redirected to this page. A different cookie is allocated to each AdWords client. Therefore, cookies cannot be tracked back by an AdWords client’s website. Within these advertising campaigns, we don’t collect or process personal data. Google only provides accumulated data, which allows us to understand which advertising media was most effective. No further data from these ads is transferred to us, and it is not possible for us to identify individual users.

(4) Given the nature of these marketing tools, your browser establishes a direct connection with the Google servers. We have no control over the scope and further use of the data that is collected from Google by using this tool. Therefore, we can only provide the information available to us: By embedding AdWords conversion tracking Google receives the information that you visited the specific part of our website or clicked on one of our ads. If you are registered and logged in to a Google service, Google can allocate the visit to your profile. Even if you are not registered or logged in, Google may record and save your IP address.

(5) You can prevent being tracked in such a way by these means:

a) by configuring your browser software, in particular the prohibition of third party cookies, that will prevent ads from third parties being shown to you;

b) by deactivating the conversion tracking cookies, when you configure your browser in such way that cookies from the domain ‘’ are blocked,, keeping in mind that these settings will be deleted if you delete your cookies;

c) by deactivating targeted ads from members of the self-regulation campaign ‘about ads’, keeping in mind that these settings will be deleted if you delete your cookies;

d) by permanently deactivating AdWords in Firefox, Internet Explorer or Google Chrome browsers at Please note that in this case you might not be able to use all functions of our website properly.

(6) More information on privacy by Google can be found here:  and You can visit the website of the Network Advertising Initiative (NAI) at Google is subject to the EU-US-Privacy-Shield:

18 Remarketing

Besides AdWord Conversion, this website uses Google Remarketing. This is a method which allows us to repeatedly address users. Remarketing may result in seeing our ads on other pages after visiting our website. This is achieved by using browser cookies, that allow Google to track and analyse your visits to different websites. This enables Google to recognize your previous visits to our website. Data collected through remarketing is anonymized.

19 ‘Force24’ Marketing Automation

20 Customer Portal

(1) Within the scope of our services or their initiation, a personal profile with individual login data may be created for you to grant you access to our customer portal. The portal provides you with the opportunity to test our solutions and to exchange project-related data, e.g. scripts, programme versions or project information.

(2) This profile is created exclusively based on the information you provided. In addition to your email address as the only mandatory field, the profile may contain your first and last name, academic title, company, position and telephone number.

(3) The length your data is stored for will depend on the project or test time. If you are inactive for a long period of time, your profile will be deleted along with the information provided.

(4) The customer portal does not use any tracking tools via cookies or other analytical tools. The CMS only logs your most recent login (date and time) for the purpose of detecting longer periods of inactivity.

21 Use of video conference systems

We use the "Microsoft Teams" tool to conduct telephone conferences, online meetings, video conferences and/or webinars (hereinafter referred to as "online meetings"). "Microsoft Teams" is a service of Microsoft Corporation.

Note: If you access the "Microsoft Teams" website, the provider of "Microsoft Teams" is responsible for data processing. Accessing the Internet site is only necessary for the use of "Microsoft Teams" to download the software for the use of "Microsoft Teams".

If you do not want to or cannot use the "Microsoft Teams" app, you can also use "Microsoft Teams" via your browser. In this case, the service will also be provided via the "Microsoft Teams" website.

Processing of personal data

When using "Microsoft Teams", different types of data are processed. The scope of the data also depends on the information you provide before or during participation in an "online meeting".

The following personal data are subject to processing:

  • User information: e.g. display name, e-mail address (if applicable), profile picture (optional), preferred language
  • Meeting metadata: e.g. date, time, meeting ID, phone numbers, location
  • Text, audio and video data: You may be able to use the chat function in an "online meeting". To this extent, the text entries you make are processed in order to display them in the "online meeting". In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device will be processed for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time using the "Microsoft Teams" applications.

Scope of data processing

We use "Microsoft Teams" to conduct "online meetings". If we want to record "online meetings", we will inform you transparently in advance and - if necessary - ask for your consent.

If it is necessary for the purpose of logging the results of an online meeting, we will log the chat content. However, this will usually not be the case.

An automated decision process in the sense of Art. 22 GDPR is not used.

Legal basis

If personal data of employees of IDOX Germany GmbH are processed, § 26 BDSG is the legal basis for data processing. If, in the context of the use of "Microsoft Teams", personal data are not required for the establishment, conduct or termination of the employment relationship, but are nevertheless an elementary component of the use of "Microsoft Teams", Art. 6 para. 1 letter f) GDPR is the legal basis for data processing. In these cases, we are interested in the effective conduct of "online meetings".

In addition, the legal basis for data processing in the case of "online meetings" is Art. 6 para. 1 lit. b) GDPR, insofar as the meetings are held within the framework of contractual relationships.

If no contractual relationship exists, the legal basis is Art. 6 para. 1 lit. f) GDPR. Here too, we are interested in the effective implementation of "online meetings".

Recipient / transfer of data

Personal data that is processed in connection with participation in "online meetings" is generally not passed on to third parties, unless it is specifically intended to be passed on. Please note that content from "online meetings" as well as personal meetings often serves the purpose of communicating information with customers, interested parties or third parties and is therefore intended for disclosure.

Other recipients: The provider of "Microsoft Teams" necessarily obtains knowledge of the above-mentioned data to the extent that this is provided for in our date processing agreement with "Microsoft Teams".

Data processing outside the European Union

Data processing outside the European Union (EU) is generally not carried out, as we have limited our data storage location to data centers in the European Union. However, we cannot exclude the possibility that data is routed via Internet servers located outside the EU. This may be the case if participants in "online meetings" are in a third country.

The data is, however, encrypted during transport over the Internet and thus protected against unauthorized access by third parties.

Your rights as data subject

You have the right to be informed about the personal data regarding you. You can contact us for information at any time.

In the case of a request for information that is not made in writing, we ask for your understanding that we may require you to provide evidence that proves that you are the person you claim to be.

Furthermore, you have the right to correction or deletion or to restriction of processing, as far as you are legally entitled to do so.

Finally, you have the right to object to the processing within the scope of the statutory provisions.

You also have a right to data transferability within the framework of the data protection regulations.

Deletion of data

As a matter of principle, we delete personal data when there is no need for further storage. A requirement can exist in particular if the data is still needed to fulfil contractual services, to check and grant or ward off warranty and guarantee claims. In the case of legal storage obligations, deletion only comes into consideration after expiry of the respective storage obligation.

Right of complaint to a supervisory authority

You have the right to complain about the processing of personal data by us to a data protection supervisory authority.

22 Links to other sites

This site contains links to other sites. We do not control the information collection of sites that can be reached through links from our sites. If you have questions about the data collection procedures of linked sites, please contact those companies directly.

23 Changes to this statement

We may change this Privacy Statement from time to time. If we make any changes, we will post these on this page and change the ‘Last Updated’ date below. We encourage you to check this Privacy Statement frequently to stay informed of the latest modifications.

Responsible party according to article 4 (7) EU-GDPR

Sponge Germany GmbH
Hardenbergstr. 32
10623 Berlin, Germany
T +49 30 841914-0
E compliance[at]

You can reach our data protection officer at

legitimis GmbH
Ball 1
51429 Bergisch Gladbach, Germany
E datenschutz-idox[at]