Last updated: June 2021


XOM Materials Operations Inc. (“XOM”) operates a marketplace platform under the domain and an eProcurement Software as a Service solution (“the eProcurement service”) under the domain (both together: “Platform” or “Site”), via which XOM enables commercial third parties (“Partners”) to distribute products solely to registered entrepreneurs, legal entities under public law and special funds under public law (“Customers”) or to procure products from their suppliers.

1. Identity of the controller and contact details of our Data Protection Officer

The controller is the

XOM Materials GmbH
Ackerstraße 14-15
10115 Berlin

Our DPO is available under the following addresses:

XOM Materials GmbH
- Datenschutzbeauftragter -
Ackerstraße 14-15
10115 Berlin

2. When, how and why we process personal data

2.1 Personal data

Pursuant to the General Data Protection Regulation (“GDPR“), personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.2 Which kind of data we process and how we collect it

2.2.1 General use of the Site

Insofar as you do not actively make personal data available to us, we do not store personal data while you use our Site except that our web server(s) register all connections to the Site automatically and collects the following technical information about your visit:

  • Date and time of access,
  • Type and setup of your internet browser,
  • Operating system used,
  • The website you came from,
  • your IP address.
  • Pages you visit

2.2.2 Registering for a user account and purchasing or offering products

You may register for a user account on our Site. You need a user account in order to purchase or offer products or services on our Platform.

Our marketplace is open for all commercial users who wish to register. However, for setting up a user account and for offering products on our eProcurement service, you require an invitation from the company that performs the procurement. This company will give us the name and email address of the relevant contacts and we will send you the invitation email on their behalf as a data processor. You can create the user account by clicking on the link in the email. 

  • Company Name
  • Street
  • House No.
  • Additional address (optional)
  • Postal code
  • City
  • Country
  • Company VAT
  • Company registration number (optional)
  • Name
  • Username
  • Email address
  • Password

Additionally, we collect contact data from you:

  • Salutation
  • First Name
  • Last Name
  • Email (for login)
  • Password
  • Phone Number
  • Fax

If you buy a product from a vendor on the marketplace or offer a product on the eProcurement service, we process the data mentioned above. In such case, we also process transaction-related data, for example information on purchases or sales you make when placing an order or offering a product, the time and price of the transaction, and, if applicable, financial information as well as shipping and billing information. 

Moreover, we process the information related to an order on the amount and type of purchased products in aggregated form. For example, we store product and pricing information from a successful order process and aggregate that data to evaluate the use of our Industrial Platform.

If you register your company for the first time on the marketplace or the eProcurement Service as a Software, we will process the company data and with it in some cases also personal data during our “Know Your Customer” process. This means that we or a service provider selected by us will check your company data, such as legal form, field of business, tax ID, commercial register entry, address, management, ownership and management structure as well as the key (expected) financial indicators for validity and whether conducting business with you is subject to restrictions due to statutory regulations. In addition, we or a service provider selected by us will also process the contact data of the person registering in order to be able to verify whether they are actually connected with the registered company.

2.2.3 Contact

If you contact us by writing an email, we collect your email address and all information that is included in the email.

If you use the chat function on our website, we process all data provided to us through it.

2.2.4 E-Mail newsletter

You can register for an e-mail newsletter on our website. We will then process your e-mail address and any other analysis and usage data, e.g. whether you clicked on links and which links you clicked on.

2.2.5 Whitepaper download

We offer Whitepapers on several topics to our users. In order to get access to them, you have to provide us with your e-mail address, if you decide so, you may  also register for our newsletter. We will then send you an e-mail with a download and newsletter activation link. 

2.2.6 Surveys

From time to time we conduct surveys on our website. Insofar as we collect and process personal data in the survey, we will inform you in advance of the purpose of the processing. Prior to the survey, we explicitly ask for your consent to data processing procedures that are necessary for the implementation and evaluation of the surveys. In any case, the required data includes the information submitted in the course of participation. Participation in surveys is voluntary. Your consent will be logged. You can revoke this at any time by sending an email to
For the creation and implementation of surveys to improve our services, we use "Google Forms". The provider is Google Inc.1600 Amphitheatre Parkway Mountain View, CA 94043, USA. You can obtain Google's privacy policy from the following links: and The data collected with a Google Forms form is stored on cloud storage provided for us by Google, "Google Drive". For more information about data processing in connection with Google Forms and Google Drive, please refer to Google's privacy policy:

2.3 Why and on which legal basis do we do that

We process your IP address only to allow your device to establish a connection to our web server over the Internet. By storing log files we ensure security and integrity of our IT systems. This processing is based on Art. 6 par. 1 lit. f) GDPR.

If you register a user account with us, we process this data to create your user account and manage all related operations, for example for the purchase of products or services. The legal basis is Art. 6 part. 1 lit. b) GDPR. If you purchase products or services on our platform, we process the collected data for the purposes of performance and conclusion of contract. The legal basis is Art. 6 par. 1 lit. b) GDPR. Additionally, we are legally obliged to store certain data, which is included in contracts and invoices as well as in business letters or other documents relevant for taxation or accounting. The legal basis is Art. 6 par. 1 lit. c) GDPR and Sec. 147 AO and Sec. 257 HGB.

We process personal data during the “Know Your Customer” process to meet statutory requirements regarding the prevention of money laundering, economic crime and/or terrorism and to be able to comply with foreign trade law, the EU’s dual-use regulation, embargos or similar provisions. The legal basis for such processing is Art. 6 par. 1 lit. c) GDPR in connection with Sec. 18 AWG (German foreign trade law) as well as Art. 6 par. 1 lit. f) GDPR. The legitimate interest we pursue is to be able to have and retain the necessary facts to comply with the aforementioned requirements and provisions and be able to prove compliance.

Some of our vendors perform their own compliance checks in addition to our checks before activating their shop for customers. To this end, we transfer certain types of company data to these vendors. As a rule, and in the majority of cases, this data does not contain any personal references as it relates exclusively to the company. In individual cases, e.g. if the company name is also the name of a natural person, a personal reference can also exist here. In these cases, transmission is made in order to safeguard the legitimate interest of the respective vendor in being able to carry out compliance reviews (Art. 6(1) (f)) GDPR). The respective vendor will inform you separately about the processing that takes place in their case.

If you contact us by email or by using a contact form, the processing is based on Art. 6 par. 1 lit. f) GDPR. The purpose as well as our legitimate interest is to answer your inquiry.

If you subscribe to an e-mail newsletter, we will process your data in order to send you the e-mail newsletter. This processing takes place on the basis of your consent to receive the newsletter (Art. 6(1) (a) GDPR). The analysis data is processed on the basis of our legitimate interest in evaluating the use of our newsletter and thus being able to improve it, if necessary. The legal basis for this is Art. 6(1) (f) GDPR. If you object to the processing of the usage data, you can unsubscribe from the newsletter at any time with future effect.

3. Who receives personal data from us and when it is transferred to third countries

Within our company, the data is processed by the responsible department. Externally, we pass on your data to the respective vendor from whom you have purchased or have the option to purchase the products or services or who, in the exceptional cases described above, carries out a check before activating the shop. In certain cases we carry out a Know Your Customer process for which we use external service providers. We also use external IT service providers to offer our services. Should we use service providers in countries outside the EU and where these countries do not already offer an adequate level of protection on the basis of a Commission Decision, we have concluded standard European Commission contractual clauses with the respective service providers. You can view the standard documents used at

4. Period for which personal data will be stored

Our log files are stored for seven day.

The data processed in relation to your user account is stored until you terminate your user account. After termination, we delete your data immediately.

We store the data about your purchases as long as you have a user account with us. However, if personal data is relevant for our contracts or invoices, we store it until the end of the eleventh year after conclusion of contract. If personal data is stored in business letters or other documents relevant for taxation or accounting, we store it until the end of the seventh year after conclusion of contract.

We retain the personal data collected for and processed during the “Know Your Customer” process as long as you have an account with XOM and for an additional period of 5 years starting with the end of the year in that the account is terminated. We use your data in this period only to make or defend against claims as well as to assist or exonerate ourselves in official investigations.

Your emails will be stored for the time needed to answer your inquiry and for three more years, if you refer to us again.

5. Your rights as a data subject

If the respective requirements are met, the GDPR grants you certain rights as a data subject.

Art. 15 GDPR – Right of access: You shall have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and certain information.

Art. 16 GDPR – Right to rectification: You shall have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Art. 17 GDPR – Right to erasure: You shall have the right to obtain from us the erasure of personal data concerning you without undue delay.

Art. 18 GDPR – Right to restriction of processing: You shall have the right to obtain from us the restriction of processing.

Art. 20 GDPR – Right to data portability: You shall have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you shall have the right to transmit those data to another controller without hindrance from us. You shall also have the right to have the personal data transmitted directly from us to another controller, where technically feasible.

Art. 77 GDPR – Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

Specifically: the right of objection and revocation of consent

Art. 21 GDPR – Right to object: You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, which is based on legitimate interests or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In such a case, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms or where the processing is necessary for the establishment, exercise or defence of legal claims.
Revocation of consent: If the processing is based on your consent, you have the right to revoke your consent at any time. The previously carried out processing operations shall not be affected thereby. To revoke your consent, please send a message to

6. Your obligation to provide us with personal data

You have no statutory or contractual obligation to provide us with any personal data. However, we may not be able to provide you with our services if you decide not to do so.

7. Existence of automated decision-making, including profiling

We do not use automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you.

8. Internet specific processing or use of personal data

8.1 Cookies

For providing you the services of the Site we may use cookies. Cookies are small text files, which are transferred from the Site and stored on your device. Cookies cannot execute programs or infect your device with computer viruses. We use cookies to provide certain technical features to you, such as a shopping basket. The legal basis for this is Art. 6 par. 1 lit. f) GDPR. Our legitimate interest is to provide you with the respective features.

If you wish to prevent us from storing cookies on your device, your web browser or device may provide you with certain settings to do so. Most web browsers accept cookies by default. However, you may change these default settings in order to prevent any kind of storage or only allow storage after an explicit request. You may find an instruction on how to change your settings in the help section of your browser or device. Alternatively, please use our consent management platform mentioned in the next paragraph  The respective settings only apply to the device you are currently using. If you use another device, change your web browser or reinstall your browser you may have to change the respective settings again. Please, be aware that not accepting cookies may lead to you not being able to fully use the Site. In particular, ordering products through the Site may not be possible without cookies. Our usage of cookies finds its legal basis in Art. 6 par. 1 lit. f) GDPR. Additionally, we may use cookies for purposes such as analyzing your behavior on our Site or targeted advertising. Such cookies will only be used with your consent (Art. 6 par. 1 lit. a) GDPR). 

You can change your preferences and/or withdraw your consent regarding these purposes at any time via our consent management platform:

8.2 Google Analytics including the Audiences Function

This website uses Google Analytics, a web analysis service of Google LLC ("Google"). Google Analytics uses cookies. The information generated by the cookie regarding your use of this website is normally transferred to a Google server in the USA and stored there. However, in case of activation of IP anonymization on this website, your IP address will be abbreviated beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the complete IP address be transferred to a Google server in the USA and abbreviated there. Google will use this information on our behalf to evaluate your use of the website, to compile reports on website activities and to provide us with other services relating to website use and internet use. The IP address transferred from your browser in the course of Google Analytics will not be combined with other data of Google.

We also use Google Analytics to inform you of target-group-specific advertising via the Google advertising network. For this purpose, we may transfer data to Google concerning the offers you have viewed or related features (e.g. interest in specific topics or products which can be identified based on the websites visited). Google uses such data to show you target-group-specific advertising when visiting our website or our advertising on other websites of the Google network (so-called “remarketing” or “Google Analytics Audiences”). With the aid of Remarketing Audiences we seek to ensure that our advertising complies with potential interest of the respective user.

We use Google Analytics only with your consent (Art. 6 par. 1 lit. a) GDPR). Data are stored for 1 year.

More information on terms of use and data protection is available at or at

8.3 Google Tag Manager

Our website uses Google Tag Manager. This service allows website tags to be managed through a single interface. Google Tag Manager only implements tags. No cookies are used and no personal data is collected by the tool. The Google Tag Manager only triggers tags, which in turn may capture data (for example, via Google Analytics). However, Google Tag Manager does not access this data. If deactivated at the domain or cookie level, it will remain in effect for all tracking tags as far as they are implemented with the Google Tag Manager.

8.4 Salesforce Pardot

To ensure the quality of our online services, we use the Pardot analysis tool from Salesforce. Pardot tracks visitor and prospect activities on our website and landing pages by setting cookies in the browsers. Cookies are set to remember preferences (like form field values) when a visitor returns to our site. Pardot also sets a cookie for logged-in users to maintain the session and remember table filters.

Pardot cookies don’t store personally identifying information, only a unique identifier.

9. Data Security

We use technical and organizational security measures to protect data that is collected and processed, in particular against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. Our security measures are continuously improved in line with technological developments.

10. Used Cookies

COPPA regulates the collection of personal information online from children under the age of 13. This site is not intended or designed to attract users under the age of 13 or to collect personal information from such users. We do not collect personally identifiable data from any person we know to be under the age of 13 and those under 13 should not submit any personal information through this site. If we learn that we have inadvertently collected personal information from a child under the age of 13 we will remove the information from our files.