Last updated: 20.09.2023

PRIVACY POLICY

The XOM Privacy Policy is drawn up in English and in German language versions. In case of any dispute, the German language version shall prevail (https://www.xom-materials.com/europe-de/datenschutzerklarung). XOM Materials GmbH (hereinafter referred to as "XOM Materials" or "we") operates the eProcurement Software as a Service solution available at procurement.xom-materials.com ("the eProcurement Service") together with the respective associated subdirectories (hereinafter referred to as: "the Platform" or "the Website"). With this privacy policy statement, we would like to explain to you which data is processed and in what form when you visit our website. At the same time, we hereby fulfill our duty to inform you in accordance with Art. 13 of the General Data Protection Regulation (DS-GVO).

1. Person responsible and contact details of the data protection officer

The person responsible under data protection law for the data processing that takes place on our website is

XOM Materials GmbH
Ackerstraße 14-15
10115 Berlin
E-Mail: info@xom-materials.com

Our data protection officer can be reached at:

XOM Materials GmbH
- Datenschutzbeauftragter -
Ackerstraße 14-15
10115 Berlin
E-Mail: datenschutz@xom-materials.com

2. Personal data, purposes and legal basis of data processing

2.1 Personal data

According to the GDPR, personal data is "any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

2.2 Which personal data we process, on which legal basis and for how long

2.2.1 GENERAL USE OF THE WEBSITE

Purposes: We generally only process personal data if you actively provide us with this data. Notwithstanding the foregoing, however, the web server of our hoster automatically registers accesses to the website and collects the following information in the process:

  • Date and time of access to one of our web pages,
  • Type and settings of the Internet browser you are using,
  • Operating system used,
  • The website you last visited,
  • Your IP address,
  • Pages visited.

The processing of your IP address during the connection is done so that we can provide you with our website. The storage of log files serves to ensure the security and integrity of our systems. 

Recipients and Third Party Transfers: We use the services of Google Ireland Ltd. to operate and host our website, which acts as our data processor. In principle, the data processing takes place on European systems. If a transfer to a third country occurs in this context, the conclusion of standard contractual clauses of the European Commission ensures that an appropriate level of data protection exists. A copy of the clauses can be downloaded at https://cloud.google.com/terms/eu-model-contract-clause

Legal basis: The processing is based on Art. 6 para. 1 lit. f) DS-GVO. Our legitimate interest lies in the stated purpose. 

Storage period: Our log files are stored for seven days.

2.2.2 REGISTRATION OF A USER ACCOUNT

Purpose: In order to use our eProcurement service, you need to have a user account. We will request the following information from you and create an account for you:  

  • Company name
  • Street
  • House number
  • Address suffix (optional)
  • Zip code
  • City
  • Country
  • VAT ID No.
  • Commercial register number (optional)
  • Username
  • E-mail address
  • Password

As well as contact details:

  • Salutation
  • First name
  • Last name
  • E-mail for login
  • Password
  • Phone
  • Fax

When you register a company for an eProcurement Service account for the first time, we process company data and therefore also certain personal data, if applicable, as part of a "Know Your Customer process". This means that we or a service provider selected by us will check your company data, such as type of company, activity, tax number, commercial register entry, address, management, ownership and management structure as well as the most important (expected) financial key figures to check their validity and whether trading with you is subject to restrictions due to legal regulations. In addition, we or a service provider selected by us also process the contact details of the person registering in order to be able to check whether they are actually connected with the registered company.

Users of the own company as well as suppliers and buyers for the company can then be invited via the created user account. For this purpose, the procuring and supplying company will inform us in each case of an e-mail address and the associated company and we will send an invitation e-mail in the role of processor. 

Suppliers become, when they register, part of our supplier network. This means we can suggest them to buyers, which then can ask them to supply quotes (see further details under "Tendering").

To create a user account as an invited person, the link in the email must be followed and additional information may need to be provided to open the user account. 

Recipients and Third Party Transfers: We use the services of The Rocket Science Group LLC, 675 Ponce de Leon Ave, Suite 5000, Atlanta, GA 30308, United States, which acts as our processor, to send onboarding emails. It is ensured by the conclusion of standard contractual clauses of the European Commission that an adequate level of data protection exists. A copy of the clauses can be downloaded at https://mailchimp.com/legal/data-processing-addendum. 

For access management, we use the services of Cloud-IAM Société par Actions Simplifiée, 37 Boulevard Solférino, Immeuble Eurosquare, 35000, Rennes, France, which acts as our processor.

Legal basis: If you open a user account, we use your data to create this account for you and to carry out all related processes, such as the purchase of products or services. The legal basis for this is Art. 6 para. 1 lit. b) DS-GVO or Art. 6 para. 1 lit. f) DS-GVO as far as it concerns the data of employees of the companies. 

The Know Your Customer process is carried out in order to comply with the legal requirements for the prevention of money laundering, white-collar crime and/or terrorism and in order to be able to comply with prohibitions of foreign trade law, the Dual-Use Regulation, embargoes or similar requirements. The legal basis is Art. 6 para. 1 lit. c) DS-GVO in conjunction with § 18 AWG (Foreign Trade and Payments Act) as well as Art. 6 (1) f) DS-GVO, whereby our legitimate interest is to create and maintain the necessary factual basis to implement and fulfill the above-mentioned obligations and to be able to prove this.

Storage period: We store your data processed within the scope of a user account until you cancel your user account. After that, your data will be deleted. Data about your purchased products and related processes are generally stored for the same length of time as your user account. To the extent that personal data is relevant to our contracts or invoices, we store it for a period of at least eleven years, beginning at the end of the year in which you purchased the product. As far as personal data are included in business letters or other documents, we store them for seven years from the end of the year in which the contract was concluded.

We store the personal data of the Know Your Customer process for the defense and assertion of legal claims as well as for support or assistance in the event of an official investigation as long as you have a user account with us and thereafter for a period of five years with the end of the year in which the contractual relationship was terminated.

2.2.3 TENDERING

Purpose: Through the eProcurement service, procuring entities can submit requirements to selected suppliers for bidding. Next to the suppliers which the procuring entity chose itself, we are suggesting to the procuring entity suppliers from our supplier network, which we find suitable. Suppliers can bid on the requirement and negotiate the price or other parameters with the procuring company. If an agreement is reached, the procuring company can create and send a purchase order. In this context, we process all transaction-related data that is generated in this process.  

Furthermore, we process the information on the number and type of purchased products in the orders and make that information transparent to the procuring company and the supplier in the user account. We also use these analyses for our own market research purposes and for product improvement.

Finally, with regard to personal data in invoices and contracts as well as business letters and other accounting or tax-related documents, we are subject to statutory storage obligations for the purposes of which we process the documents and the information contained therein. 

Recipients and Third Party Transfers: We use the services of Tableau Software LLC North Edge 1621 N 34th St. Seattle, WA 98103, United States, which acts as our processor, for analysis. It is ensured by the conclusion of standard contractual clauses of the European Commission that an adequate level of data protection exists. A copy of the clauses can be downloaded at https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf. 

Legal basis: We process the data in order to provide our services and to initiate the contract between the procuring company and the suppliers. The legal basis for this is Art. 6 para. 1 lit. b) DS-GVO or Art. 6 para. 1 lit. f) DS-GVO as far as it concerns the data of employees of the companies. The use of the analyses is based on our legitimate interest in using the findings to improve our products (Art. 6 para. 1 lit. f) DSGVO). The storage for this purpose is based on Art. 6 para. 1 lit. c) DS-GVO in conjunction with § 147 AO and § 257 HGB.

Storage period: The aforementioned data and information are generally stored as long as the respective associated user account is not deleted. The storage period for documents subject to retention depends on the respective statutory periods from §§ 147 AO and 257 HGB and is generally either 6 or 10 years from the end of the year in which the respective documents were created.

2.2.4 STORAGE AND USE OF INPUT DATA

Purposes: When you enter data on our platform (e.g., searches, product requests, log-ins, placing orders, negotiation results), we store this information in both individual and aggregate form. We store this information both on a per-user (buy-side and sell-side) and aggregate level in order to provide customer support when needed. 

We also use this information to analyze the use of our services and to improve product features based on data.

Legal basis: Processing for support purposes serves to fulfill the usage agreement concluded with your company. It therefore serves our legitimate interest in being able to offer these services. Product improvement is also in our legitimate interest (Art. 6 para. 1 lit. f) DSGVO). 

Storage period: The aforementioned data and information will be stored as long as the contractual relationship exists and then deleted.

2.2.5 CONTACT

Purposes: If you contact us at the e-mail address provided on our website, you will at least provide us with your e-mail address, as well as any other information you may disclose in your e-mail. If you use the chat function on our website, we process all the data provided to us there.

Legal basis: The processing in the context of contacting us takes place so that we can process and respond to your request. The legal basis is Art. 6 para. 1 lit. f) DS-GVO. Our legitimate interest lies in the purpose just mentioned.

Storage period: We store your e-mails and contacts for as long as is necessary to process your inquiry and then store them for a period of three years if you contact us again with reference to your original inquiry.

2.2.6 E-MAIL NEWSLETTER AND WHITEPAPER DOWNLOAD

Purposes: As a customer, you will automatically receive information about software updates and/or other product news from us after registration. In addition, you have the option of registering for an e-mail newsletter on our site. In doing so, we process your e-mail address and, if applicable, further analysis and usage data, e.g., whether and what links you have clicked on.

We offer our users white papers on various topics. To gain access to these, you must provide us with your e-mail address. If you choose to do so, you can also sign up for our newsletter. We will then send you an email with a link to download and activate the newsletter.

Legal basis: If you as a customer receive the newsletter on product innovations, this is done on the basis of our legitimate interest in direct advertising. The legal basis for this is Art. 6 para. 1 lit. f) DSGVO. Otherwise, if you have subscribed to an email newsletter, we process your data to send you the email newsletter. This processing is based on your consent to receive the newsletter (Art. 6 para. 1 lit. a DS-GVO). The processing of the analysis data is based on our legitimate interest in evaluating the use of our newsletter and thus being able to improve it if necessary. The legal basis for this is Art. 6 para. 1 lit. f) DS-GVO. 

Right of revocation/right to object: You can revoke your consent at any time with effect for the future or object to the sending of the newsletter. Please contact one of the contact addresses known to you. Also, if you do not agree to the processing of usage data, you can unsubscribe from the newsletter at any time with effect for the future. 

Storage period: Your data will be deleted immediately after revocation of consent.

2.2.7 SURVEYS AND SUPPORT

Purposes: From time to time, we conduct surveys on our website. To the extent that we collect and process personal data in the survey, we will inform you in advance of the purpose of the processing. Prior to the survey, we specifically ask for your consent to data processing operations that are necessary to conduct and analyze the surveys. In any case, the required data includes the information submitted in the course of participation. 

We also process your data in order to provide you with assistance, convey information and obtain user feedback. In addition, information on the use of the functions is also collected. We also use the information collected in this way to improve our products and services. 

Recipients and Third Party Transfers: We also use the tool Productfruits, of Product Fruits s.r.o., Rozdelovska 1999/7, 169 00 Praha 6, Czech Republic. In this context, connections to non-European servers may also be established and data processed there. Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, standard contractual clauses of the European Union have been concluded by us as suitable guarantees for the export of data in order to create an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at https://productfruits.com/gdpr-dpa.pdf.

Legal basis: Participation in surveys is based on your consent. Your consent will be logged. 

Right of withdrawal: You can withdraw your consent at any time with future effect by sending an e-mail to accountmanagement@xom-materials.com.

Storage period: Your data will be deleted immediately after revocation of consent.

3. Who receives personal data from us and when data is transferred to third countries

Within our company, data is processed by the respective responsible department. In addition, we use external IT service providers to offer our services.  In certain cases, we conduct a Know Your Customer process for which we use external service providers. 

Some of the service providers we use process data in third countries. If this happens, we inform you at the appropriate place in this Privacy Policy. For example, for internal communications and support services, we use the products of Atlassian Pty Ltd, Level 6, 341 George Street Sydney NSW 2000 Australia and Slack Technologies Ltd, One Park Place, 4th floor, Hatch Street Upper, Saint Kevin's, Dublin 2, Ireland, each of which may perform data processing in third countries. We have entered into standard contractual clauses as appropriate safeguards to establish an adequate level of data protection, which you can download at https://slack.com/intl/de-de/terms-of-service/data-processing and https://www.atlassian.com/de/legal/data-processing-addendum. 

Insofar as we use service providers in other countries and these countries do not offer an adequate level of protection anyway due to a Commission decision, we have concluded standard contractual clauses of the European Commission with the respective service providers. You can view these standard documents used at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_de.

4. Data subject rights

The General Data Protection Regulation guarantees you certain rights that you can assert against us - insofar as the legal requirements are met.

Art. 15 DS-GVO - Data subject's right to information: You have the right to request confirmation from us as to whether personal data relating to you are being processed and, if so, what these are and the more detailed circumstances of the data processing.

Art. 16 DS-GVO - Right to rectification: You have the right to demand that we rectify any inaccurate personal data relating to you without undue delay. In this context, taking into account the purposes of the processing, you also have the right to request the completion of incomplete personal data - also by means of a supplementary declaration.

Art. 17 DS-GVO - Right to erasure: You have the right to demand that we delete personal data concerning you without delay. Please note the exception described under point II. 4 here.

Art. 18 DS-GVO - Right to restriction of processing: You have the right to demand that we restrict processing.

Art. 20 DS-GVO - Right to data portability: You have the right, in the event of processing based on consent or for the performance of a contract, to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format, and to transfer this data to another controller without hindrance from us, or to have the data transferred directly to the other controller, insofar as this is technically feasible.

Art. 77 DS-GVO in conjunction with § 19 BDSG - Right to complain to a supervisory authority: You have the right to lodge a complaint with a supervisory authority at any time, in particular in the member state of your place of residence, your place of work or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates applicable law.

In particular: Right to object and withdraw consent.

Art. 21 DS-GVO - Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is necessary for legitimate interests on our part or for the performance of a task carried out in the public interest, or which is carried out in the exercise of official authority. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defense of legal claims. Insofar as we process your personal data for the purpose of direct marketing, you have the right to object to the processing at any time. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

Withdrawal of consent: If the processing is based on your consent, you have the right to withdraw your consent at any time. This will not affect any processing that has previously taken place. To send us your revocation, please send us a message to kundendienst@xom-materials.com.

5. Obligation to provide data

You have no contractual or legal obligation to provide us with personal data. However, we are not able to offer you our services without the data you provide.

6. Existence of automated decision-making (including profiling)

We do not use automated decision-making that has legal effects on you or affects you.

7. Internet specific data processing

7.1 Google Tag Manager

On our website we use the Google Tag Manager. We use the Google Tag Manager to be able to load additional tools directly from the Google Tag Manager when you visit our website. This includes our consent management, so that the Google Tag Manager is used in any case when you visit our site. Google Tag Manager is a tag management system provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). The Google Tag Manager uses cookies that enable a preset playout of the tools selected by us. When a connection is established, your IP address is collected and transmitted to a Google server - possibly also in the USA - and processed.

On our behalf, Google will use your IP address to transfer cookies for the playout of the preset tools to your end device. Connections to non-European servers of Google may also be established in this context. Insofar as data is processed outside the EU/EEA and a level of data protection corresponding to the European standard does not exist, standard contractual clauses of the European Union have been concluded by the respective exporting company as suitable guarantees for the export of data in order to create an appropriate level of data protection. 

7.2 Storage of and access to information on your terminal device

When you use our websites, we store information on your terminal device and access information stored there, e.g. by using cookies. Cookies are small text files that are stored on your terminal device. They cannot execute programs or infect your end device with malicious code. We use cookies to provide you with technical functionalities, e.g. a log-in function. 

If you wish to prevent the use of cookies or similar technologies, your browser offers the option of preventing the acceptance and storage of new cookies. However, the respective settings always apply only to the specific device and the specific browser that you are currently using. If you use a different device or browser or reinstall your browser, you may have to make the settings again. To find out how this works for the browser you are using, you can use the help function of your browser or contact the manufacturer. Alternatively, you can use the Consent Management Platform described in the following paragraph. Please note that in the event that you disable cookies, you may not be able to use all the features of our website.

We also use cookies and similar technologies for other purposes, for example, to analyze your use of our site or to display targeted advertising to you. In each case, this is only done with your express consent (Section 25 (1) TTDSG in conjunction with Article 6 (1) a) DS-GVO), which we obtain from you via our Privacy Preference Center. You can change your preferences there at any time or revoke the consent you have given. You can reach our Privacy Preference Center at the following link: 

www.xom-materials.com/europe

There you will also find specific information about the individual cookies used, their purpose and storage period.

7.3 Services used on the basis of your consent

The services used on the basis of consent are the following:

7.3.1 Google Analytics incl. the Audiences function

This website uses Google Analytics, a web analytics service provided by Google Ireland Ltd ("Google"). Google Analytics uses cookies. The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the United States. In the event that IP anonymization is activated on this website, however, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On our behalf, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing us with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with any other data held by Google.

We also use Google Analytics to show you target group-specific advertising via the Google advertising network. For this purpose, we may transmit data to Google about the offers you have viewed or certain related characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited). Google uses this data to serve you targeted advertisements when you visit our site or our advertisements on other sites in the Google network (so-called "Remarketing Audiences", or "Google Analytics Audiences"). With the help of Remarketing Audiences, we also want to ensure that our ads correspond to the potential interest of users.

The data is stored for 1 year.

For more information on terms of use and data protection, please visit www.google.com/analytics/terms/de.html or www.google.de/intl/de/policies/.

7.3.2 Smartlook

If you have a user account, we use the tracking tool Smartlook of Smartsupp.com, s.r.o. Lidicka 20, Brno, 602 00, Czech Republic ("Smartlook") in the login area of our platform to record randomly selected individual visits with an anonymous IP address only. An anonymized video of your usage is created. The video records, among other things, the pages called up, mouse movements and mouse clicks, and similar interactions. The entries themselves are not stored via Smartlook. The tracking tool allows the use of cookies to evaluate how you use the website (e.g. which content is clicked). For this purpose, a usage profile is created and visually displayed. We use this information to improve our offers and services. The data is stored for a period of 30 days.

7.3.3 SalesViewer

This website uses SalesViewer® technology from SalesViewer® GmbH on the basis of your consent in order to collect and save data on marketing, market research and optimization purposes.

In order to do this, a JavaScript-based code is used, which serves to capture company-related data and the corresponding website usage. The data captured using this technology are encrypted in a non-retrievable one-way function (so-called hashing). The data is immediately pseudonymised and is not used to identify website visitors personally.

The data stored by Salesviewer will be deleted as soon as they are no longer required for their intended purpose and there are no legal obligations to retain them.

The data recording and storage can be repealed at any time with immediate effect for the future, by clicking on https://www.salesviewer.com/opt-out in order to prevent SalesViewer® from recording your data. In this case, an opt-out cookie for this website is saved on your device. If you delete the cookies in the browser, you will need to click on this link again.

8. Data security

We use technical and organizational security measures to protect accrued and collected data, in particular against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons. Our security measures are continuously improved in line with technological developments.