
Privacy policy.

§ 1 Data protection at a glance

General notes

The following notes provide a simple overview of what happens to your personal data when you visit our website or use our platform. Personal data is any data with which you can be personally identified. For detailed information on data protection, please refer to the privacy policy set out below.

Data collection on our website

Data processing on this website is carried out by the website operator. You can find the operator's contact details in the legal notice of this website. Some data is collected because you provide it to us (e.g. by completing a contact form). Other data is collected automatically or with your consent when you visit the website (e.g. technical data such as internet browser, operating system or time of page access).

§ 2 General notes and mandatory information

Controller

The controller for data processing on this website and within the CIVAC platform within the meaning of Art. 4 no. 7 GDPR is:

CITO GmbH
Jungfrauenthal 8
20149 Hamburg, Germany
Email: info@civac.de

Data Protection Officer (statutory)

We have appointed an external Data Protection Officer for our company. You can reach them directly, confidentially and exclusively at:

CITO GmbH - Data Protection Officer
Email: datenschutz@civac.de

Note: this inbox is monitored exclusively by the Data Protection Officer.

Revocation of your consent to data processing

Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. The lawfulness of the processing carried out prior to revocation remains unaffected by the revocation.

Right to lodge a complaint with the competent supervisory authority

In the event of breaches of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place of the alleged breach. This right exists without prejudice to any other administrative or judicial remedy.

The supervisory authority primarily responsible for us is:

The Hamburg Commissioner for Data Protection and Freedom of Information (Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, HmbBfDI).

§ 3 Data subject rights

Within the framework of the applicable statutory provisions, you have the right to:

  • Information (Art. 15 GDPR): You may request information about the personal data that we process about you.
  • Rectification (Art. 16 GDPR): You may request the immediate rectification of inaccurate data or the completion of data stored about you.
  • Erasure (Art. 17 GDPR): You may request the deletion of data stored about you, unless processing is necessary for the exercise of the right to freedom of expression, for the fulfilment of a legal obligation (e.g. statutory retention periods), or for the establishment, exercise or defence of legal claims.
  • Restriction of processing (Art. 18 GDPR): You may request the restriction of the processing of your data.
  • Data portability (Art. 20 GDPR): You have the right to receive data that we process by automated means on the basis of your consent or for the performance of a contract in a structured, commonly used and machine-readable format, or to have it transmitted directly to a third party where this is technically feasible.

Right to object to data collection in special cases and to direct marketing (Art. 21 GDPR)

If data processing is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR, you have the right at any time to object to the processing of your personal data on grounds relating to your particular situation. The respective legal basis is set out in this privacy policy. If you object, we will no longer process your affected personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, or the processing serves the establishment, exercise or defence of legal claims.

§ 4 Data collection and retention periods on our website & platform

Hosting and Content Delivery Networks (CDN)

We host the content of our website with the following provider:

Recipient: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany.

Legal basis: The use of the hosting provider is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in a technically reliable, secure and fast provision of our online offering). A data processing agreement (DPA) has been concluded with the provider.

Overview of processing purposes and exact retention periods

Provision of the website (server log files)
Categories of personal data: IP address, browser type, operating system, referrer URL, time of access.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest).
Retention / deletion period: Automatic deletion after no more than 7 days.

Contact requests (form / email)
Categories of personal data: Name, email address, phone number, content of the message.
Legal basis: Art. 6 para. 1 lit. b GDPR (pre-contractual measures / contract).
Retention / deletion period: For the duration of processing your enquiry. For commercial correspondence: 6 years (§ 257 HGB).

Customer relationship & platform use (CRM, contract management)
Categories of personal data: Master data, contact data, contract data, billing data, access credentials.
Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract).
Retention / deletion period: For the duration of the active contractual relationship. After termination, restricted and retained for 6 years (commercial correspondence, § 257 HGB) or 10 years (accounting records / tax data, § 147 AO).

§ 5 Use of Artificial Intelligence (AI) and LLM inference

To optimise our processes, to automate the analysis of compliance requirements, and to draft documents for our B2B customers, we use AI-supported functions (Large Language Models).

Purpose of processing: Provision of intelligent assistance systems to generate text and document drafts within the CIVAC workspace.

Legal basis: Processing is carried out for the performance of our contract with your company or employer pursuant to Art. 6 para. 1 lit. b GDPR, or on the basis of our legitimate interest in an efficient, AI-supported service delivery pursuant to Art. 6 para. 1 lit. f GDPR.

Sub-processors used (AI infrastructure)

The data you enter (prompts) is forwarded for inference to the following service provider:

Google Ireland Limited (Gemini, Vertex AI) - provision of the AI infrastructure. A legally valid data processing agreement (DPA) compliant with the requirements of the GDPR has been concluded.

Legal basis: Processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR in conjunction with Art. 28 GDPR.

No training on customer data

We have contractually agreed with our AI infrastructure partners that the data and inputs transmitted will not be used to train the underlying AI models.

Transfer to third countries

Insofar as data is transferred to the United States, this is carried out on the basis of the EU-US Data Privacy Framework or on the basis of the EU Commission's Standard Contractual Clauses.

§ 6 Cookies and tracking technologies (transparency under TDDDG & GDPR)

When you visit our website, cookies and comparable technologies are used. For the use of tools that are not strictly technically necessary, we obtain your express consent in advance via our consent management tool (§ 25 para. 1 TDDDG in conjunction with Art. 6 para. 1 lit. a GDPR).

Technically necessary cookies

These cookies are strictly necessary for the operation of the website and its functions. The legal basis is § 25 para. 2 no. 2 TDDDG.

Analytics and marketing tools (consent-based)

We use the following services of third-party providers on our website, provided that you have given us your consent:

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Purpose: Analysis of user behaviour to optimise our online offering.
Legal basis: § 25 para. 1 TDDDG (consent for the setting of the cookie) and Art. 6 para. 1 lit. a GDPR (consent for the subsequent processing of the data).
Retention period: Up to 14 months or until you revoke your consent.
Transfer to third countries: A transfer to the United States cannot be excluded. Google is certified under the EU-US Data Privacy Framework.

§ 7 No automated decision-making (Art. 22 GDPR)

On the basis of the data you provide, we do not carry out any decision-making based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. All work outputs and document drafts generated by our systems or AI components serve exclusively as decision support. Every final review, approval, legal assessment or decision is carried out without exception by a natural person (a qualified employee or the appointed officer in charge). Consequently, no rights under Art. 22 GDPR arise in connection with our systems.

Last updated: May 2026.