How we handle your data.
Information pursuant to Art. 13 and 14 of the EU General Data Protection Regulation (GDPR) regarding the processing of personal data by CITO GmbH in connection with the CIVAC service and website.
§ 1 Controller
The controller within the meaning of Art. 4 no. 7 GDPR for the processing of personal data via the CIVAC website and platform is:
CITO GmbH
Jungfrauenthal 8
20149 Hamburg, Germany
Email: info@civac.de
CIVAC is a brand of CITO Holding Gruppe GmbH. Further company details are available in the Legal Notice.
§ 2 Data protection officer
Our external data protection officer has been appointed in accordance with Art. 37 GDPR. You may contact the data protection officer in writing at the postal address above (marked “attn. Data Protection Officer”) or by email at info@civac.de (please mark “attn. Data Protection Officer”).
§ 3 Roles and responsibility
CIVAC acts in two distinct capacities, depending on the processing activity:
- Controller: with respect to personal data processed through the public website, marketing activities, sales communications, account creation, billing and the administration of our business relationship with customers, prospects and partners.
- Processor: with respect to personal data that our customers upload or generate within the CIVAC platform while using the service (e.g. officer records, training progress, compliance documentation, uploaded files). For this data, the customer remains the controller and a separate data processing agreement pursuant to Art. 28 GDPR governs our processing.
§ 4 Categories of data we collect
4.1 Data you provide to us
Account and contact details (name, business email, phone, employer, role), content you enter into the platform (officer assignments, tasks, training results, uploaded documents), payment and billing details, and all correspondence you send us.
4.2 Data collected automatically
Technical access data generated when you use our website or platform: anonymised IP address, operating system, device type, country of origin, date and time of the request, requested page or filename, volume of data transferred and success/error status. This data is stored in server log files for the purposes of operating, securing and improving the service.
4.3 Data from third parties
Where legally permitted, we may receive data from our affiliates, our customers (e.g. where your employer has added you as a user) or from service providers involved in onboarding, payment processing or identity verification.
4.4 Publicly available data
Business contact data from publicly available sources (e.g. company websites, commercial register, professional networks) which we use on the legal basis of our legitimate interest in targeted B2B outreach in accordance with Art. 6(1)(f) GDPR.
4.5 Aggregated and anonymised data
We use aggregated and anonymised statistics (for example, usage metrics) to operate, analyse and improve the service. Such data does not permit identification of an individual and is therefore not subject to the GDPR.
4.6 Cookies and similar technologies
When you visit our website, the following information may be stored: anonymised IP address, operating system, device, country of origin, date and time, requested page or filename, volume of data transferred and a success/error message. We use three categories of cookies:
- Strictly necessary: required to deliver the service (e.g. authentication, load balancing, security); legal basis Art. 6(1)(b) and (f) GDPR in conjunction with § 25 para. 2 no. 2 TDDDG.
- Statistics: used to understand aggregate usage; set only with your consent pursuant to § 25 para. 1 TDDDG and Art. 6(1)(a) GDPR.
- Personalisation: used to tailor content and remember preferences; set only with your consent pursuant to § 25 para. 1 TDDDG and Art. 6(1)(a) GDPR.
You may withdraw your cookie consent at any time with effect for the future via the cookie settings on our website.
§ 5 Purposes and legal bases
We process personal data on the following legal bases of Art. 6 GDPR and for the retention periods set out below:
| Purpose | Legal basis | Retention |
|---|---|---|
| Customer relationship management (CRM, contract execution) | Art. 6(1)(b) GDPR | Until the end of the contractual relationship |
| Customer satisfaction surveys | Art. 6(1)(f) GDPR | Until the end of the contractual relationship |
| Network and information security | Art. 6(1)(f) GDPR | For the duration of use |
| Service analysis and product development | Art. 6(1)(f) GDPR | For the duration of use |
| Usage-based billing calculation | Art. 6(1)(b) and (f) GDPR | 6 months after termination of use |
| Identity verification | Art. 6(1)(b) GDPR | For the duration of the contract |
| Marketing (business contacts) | Art. 6(1)(f) GDPR | Until opt-out |
| Direct marketing (newsletter) | Art. 6(1)(a) GDPR | Until consent is withdrawn |
| Establishment, exercise or defence of legal claims | Art. 6(1)(f) GDPR | Statutory retention periods |
§ 6 Recipients of personal data
Personal data is disclosed only where necessary and on an appropriate legal basis. Potential recipients include:
- affiliates of CITO GmbH, where the processing purpose warrants this;
- sub-processors engaged on behalf of our customers for the provision of the platform (hosting, email delivery, analytics, support tooling, AI inference providers). An up-to-date list is available on request and, for the platform, via the customer workspace;
- other platform users of the same customer workspace, where collaboration features make this necessary (e.g. shared tasks, assignments, documents);
- payment providers, professional advisors (auditors, tax consultants, lawyers) bound by professional secrecy;
- competent courts, authorities and public bodies, where we are legally obliged or entitled to disclose.
§ 7 International transfers
We primarily process personal data within the European Union and the European Economic Area. Where personal data is transferred to third countries, we ensure an appropriate level of protection in accordance with Chapter V GDPR, in particular by relying on:
- an adequacy decision of the European Commission (Art. 45 GDPR);
- the EU standard contractual clauses (Art. 46(2)(c) GDPR), supplemented by technical and organisational measures where required;
- the EU-U.S. Data Privacy Framework for certified US recipients.
You may request a copy of the relevant safeguards from the contact address above.
§ 8 Retention periods
We retain personal data only for as long as necessary to achieve the purposes for which it was collected and in accordance with statutory retention obligations, in particular:
- ten years for tax-relevant documents pursuant to § 147 of the German Fiscal Code (AO);
- six years for commercial letters and other business records pursuant to § 257 of the German Commercial Code (HGB);
- three months after the purpose has ceased for data without a statutory retention obligation, after which the data is deleted or anonymised.
§ 9 Your rights
Subject to the statutory conditions, you have the following rights in relation to personal data we process about you:
- right of access (Art. 15 GDPR);
- right to rectification (Art. 16 GDPR);
- right to erasure (Art. 17 GDPR);
- right to restriction of processing (Art. 18 GDPR);
- right to data portability (Art. 20 GDPR);
- right to object to processing based on Art. 6(1)(e) or (f) GDPR (Art. 21 GDPR);
- right to withdraw consent at any time, with effect for the future (Art. 7(3) GDPR);
- right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
The supervisory authority responsible for CITO GmbH is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Straße 22
20459 Hamburg, Germany
You are of course free to contact the supervisory authority of your place of residence, place of work or the place of the alleged infringement.
§ 10 Automated decision-making (Art. 22 GDPR)
CIVAC uses AI-assisted features to support compliance work (in particular, AI-assisted drafting of documents, suggestions and recommendations). These features generate drafts and recommendations only; they do not render automated decisions that produce legal effects concerning data subjects or similarly significantly affect them within the meaning of Art. 22(1) GDPR. Any decision having legal effect is taken by the responsible officer or the management of our customer.
You retain, at all times, the right to human intervention on the part of the controller, the right to express your point of view and the right to contest a decision.
§ 11 Data security
We use appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access (Art. 32 GDPR). Measures include transport encryption (TLS), encryption at rest, role-based access controls, logging and a dedicated information-security programme. Further details are available in our separate Security Policy, which supplements this privacy policy.
§ 12 Updates to this privacy policy
We may update this privacy policy from time to time to reflect changes to the service, our processing activities or applicable law. The current version is always available on this page. Where the changes are material, we will inform you in an appropriate manner, for example by email or through a notice in the platform.
§ 13 Contact
For any question regarding this privacy policy or the processing of your personal data, please contact us at info@civac.de.
Last updated: April 21, 2026.
Privacy contact: info@civac.de.