Privacy Policy
Preamble
With the following Privacy Policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) we process, for what purposes, and to what extent. This Privacy Policy applies to all processing of personal data carried out by us, both in the course of providing our services and in particular on our websites, in mobile applications, as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as the “Online Offering”).
The terms used are not gender-specific.
Status: 15 September 2025
Table of Contents
- Preamble
- Controller
- Overview of Processing Activities
- Applicable Legal Bases
- Security Measures
- Disclosure of Personal Data
- International Data Transfers
- General Information on Data Retention and Erasure
- Rights of Data Subjects
- Provision of the Online Offering and Web Hosting
- Use of Cookies
- Contact and Enquiry Management
- Amendments and Updates
- Definitions of Terms
Controller
Compass & Spine GmbH, Dr. Alexander Hedderich, Französische Straße 12, 10117 Berlin
Authorised Representative: Kathrin Jungehülsing
Email: alexander.hedderich@compassandspine.de
Imprint: www.compassandspine.com
Overview of Processing Activities
The following summary outlines the types of data processed, the purposes of processing, and the categories of data subjects.
Types of Data Processed
- Inventory data
- Contact data
- Content data
- Usage data
- Meta, communication and procedural data
- Log data
Categories of Data Subjects
- Communication partners
- Users
Purposes of Processing
- Communication
- Security measures
- Organisational and administrative procedures
- Feedback
- Provision of our online offering and user-friendliness
- Information technology infrastructure
Applicable Legal Bases
Relevant legal bases under the GDPR: The following is an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or incorporation. Where more specific legal bases are relevant in individual cases, we will inform you of these within this Privacy Policy.
- Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests, fundamental rights and freedoms of the data subject.
National data protection regulations in Germany: In addition to the GDPR, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) applies. It contains specific provisions regarding the right of access, the right to erasure, the right to object, processing of special categories of personal data, processing for other purposes, and transmission as well as automated individual decision-making including profiling. Furthermore, state data protection laws of the German federal states may apply.
Security Measures
We implement appropriate technical and organisational measures in accordance with the law, taking into account the state of the art, implementation costs, and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.
Measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access, access to the data itself, input, disclosure, availability, and separation. In addition, we have established procedures to ensure the exercise of data subjects’ rights, data deletion, and responses to data security risks. We also take data protection into account in the development or selection of hardware, software and processes, in line with the principle of data protection by design and by default.
Securing online connections through TLS encryption (HTTPS): To protect users’ data transmitted via our online services from unauthorised access, we use Transport Layer Security (TLS). TLS is the successor to the older Secure Sockets Layer (SSL) protocol, which is now deprecated; the term “SSL certificate” survives in everyday usage but refers to the server certificate used to set up a TLS connection. TLS encrypts the information transmitted between the website or app and the user’s browser (or between two servers) and protects it against eavesdropping and tampering in transit. A connection secured in this way is indicated by “https://” in the address bar of the browser, signalling to users that their data is transmitted in encrypted form between their device and our servers. This protects data in transit; it does not, by itself, say anything about how data is handled after it has reached the server, which is covered by the other measures described in this Privacy Policy.
Disclosure of Personal Data
In the course of processing personal data, it may happen that such data is transmitted to other entities, companies, legally independent organisational units or individuals, or disclosed to them. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and in particular conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.
International Data Transfers
Data processing in third countries: Where we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where this occurs in the context of using third-party services or disclosing or transferring data to other individuals, entities or companies (which may be apparent from the provider’s postal address or where this Privacy Policy expressly refers to a transfer to third countries), we do so only in compliance with legal requirements.
For transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognised as a secure legal framework by the European Commission’s adequacy decision of 10 July 2023. Additionally, we have entered into Standard Contractual Clauses (SCCs) with the respective providers, which comply with the European Commission’s requirements and establish contractual obligations to protect your data.
This dual safeguard ensures comprehensive protection of your data: the DPF forms the primary layer of protection, while the SCCs serve as an additional safeguard. Should changes occur in the DPF framework, the SCCs act as a reliable fallback option. This ensures that your data remains adequately protected even in the event of political or legal changes.
For each service provider, we inform you whether they are certified under the DPF and whether SCCs are in place. Further information on the DPF and a list of certified companies can be found on the website of the US Department of Commerce: https://www.dataprivacyframework.gov/ (in English).
For transfers to other third countries, equivalent safeguards apply, in particular SCCs, explicit consent, or transfers required by law. Information on third-country transfers and adequacy decisions can be found on the European Commission’s website: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=en.
General Information on Data Retention and Erasure
We erase personal data we process in accordance with legal provisions once the underlying consents are withdrawn or there are no other legal bases for processing. This applies where the original purpose of processing ceases to apply or the data is no longer required. Exceptions exist where legal obligations or special interests require longer retention or archiving.
In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal enforcement or to protect the rights of other natural or legal persons, must be archived accordingly.
Our Privacy Policy contains additional information on retention and deletion specifically relating to certain processing activities.
Where multiple retention or deletion periods are specified for data, the longest period always applies. Data retained for reasons other than the original purpose is only processed for those reasons justifying its retention.
Retention and erasure periods under German law:
- 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets as well as work instructions and other organisational documents required for understanding them (§ 147(1)(1) in conjunction with (3) AO, § 14b(1) UStG, § 257(1)(1) in conjunction with (4) HGB).
- 8 years – Accounting records such as invoices and cost receipts (§ 147(1)(4, 4a) in conjunction with (3)(1) AO, § 257(1)(4) in conjunction with (4) HGB).
- 6 years – Other business documents: received commercial or business letters, copies of dispatched commercial or business letters, other documents relevant for taxation, such as timesheets, cost accounting sheets, calculation documents, price labelling, but also payroll records where they are not accounting documents, and till receipts (§ 147(1)(2,3,5) in conjunction with (3) AO, § 257(1)(2,3) in conjunction with (4) HGB).
- 3 years – Data required to take account of potential warranty and compensation claims or similar contractual claims and rights, including related enquiries, are retained for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).
Commencement of periods at year-end: Unless a period expressly starts on a specific date and is at least one year, it automatically begins at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships, where data is stored, the triggering event is the effective termination or other conclusion of the legal relationship.
Rights of Data Subjects
As a data subject under the GDPR, you have the following rights (in particular Arts. 15–21 GDPR, as well as Art. 7(3) GDPR for the withdrawal of consent and Art. 77 GDPR for complaints to a supervisory authority):
- Right to object: You have the right, on grounds relating to your particular situation, to object at any time to processing of your personal data based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. Where your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your data for such marketing, including profiling to the extent it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw any consent you have given at any time.
- Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to that personal data and further information as provided by law.
- Right to rectification: You have the right to request the completion or rectification of inaccurate data concerning you.
- Right to erasure and restriction of processing: You have the right, under the conditions provided by law, to request the erasure of data concerning you without undue delay or alternatively to request restriction of processing.
- Right to data portability: You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit those data to another controller.
- Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.
Provision of the Online Offering and Web Hosting
We process users’ data in order to provide them with our online services. For this purpose, we process users’ IP addresses, which are necessary to transmit the content and functions of our online services to their browser or device.
Data processed:
- Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features)
- Meta, communication and procedural data (e.g. IP addresses, timestamps, identifiers, parties involved)
- Log data (e.g. logfiles concerning logins, retrieval of data, access times)
Data subjects: Users (e.g. website visitors, users of online services)
Purposes of processing: Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of IT systems and devices); security measures.
Retention and erasure: As set out under “General Information on Data Retention and Erasure”.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further information:
- Hosting of the online offering on rented servers: For the provision of our online offering we use storage space, computing capacity and software that we rent or otherwise obtain from a server provider (also referred to as “web host”); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Collection of access data and log files: Access to our online offering is logged in the form of “server logfiles”. These may include the address and name of retrieved websites and files, date and time of access, transferred data volumes, success messages, browser type and version, user’s operating system, referrer URL (the previously visited page) and usually IP addresses and the requesting provider. Logfiles may be used for security purposes (e.g. to prevent server overload, especially in the event of abusive attacks such as DDoS attacks) and for ensuring server stability and performance. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Deletion: Logfile information is retained for up to 30 days and then deleted or anonymised. Data required for evidential purposes is exempted from deletion until the incident is finally resolved.
Use of Cookies
The term “cookies” refers to small data records, and comparable technologies, that store information on users’ devices and retrieve it from them. Cookies may be used for various purposes, such as functionality, security, convenience of online offerings, and analysis of visitor flows.
We use cookies in compliance with legal requirements. Where necessary, we obtain prior consent from users. Where consent is not required, we rely on our legitimate interests (e.g. where storage/retrieval of information is strictly necessary to provide expressly requested services). Consent can be withdrawn at any time.
Retention periods of cookies:
- Temporary cookies (session cookies): Automatically deleted when the user closes the browser or app; they do not survive the end of the browser session.
- Permanent cookies: Remain stored even after the browser or app is closed. For example, login status may be saved or preferred content displayed immediately when the user revisits a site. Unless otherwise specified, cookies may remain stored for up to two years.
General information on withdrawal and objection (opt-out): Users may withdraw consents at any time and object to processing in accordance with the law, including via browser privacy settings.
Data processed: Meta, communication and procedural data (e.g. IP addresses, timestamps, identifiers, parties involved).
Data subjects: Users.
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Consent (Art. 6(1)(a) GDPR).
Further information:
- Processing of cookie data on the basis of consent: We use a consent management solution to obtain, log, manage and revoke users’ consents regarding the use of cookies and comparable technologies. This process records users’ consents for specific cookies, technologies and providers, and allows users to manage and withdraw consent. Consent records are stored server-side and/or in a cookie (opt-in cookie) or similar technology, linked to a pseudonymous user identifier, timestamp, scope of consent, and information about browser, system and device. Unless otherwise specified, consents are stored for up to two years. Legal basis: Consent (Art. 6(1)(a) GDPR).
Contact and Enquiry Management
When contacting us (e.g. by post, contact form, email, telephone, or social media) and within existing user and business relationships, we process the details provided by the enquirer as far as necessary to respond to the enquiry and any requested measures.
Data processed:
- Inventory data (e.g. full name, postal address, contact details, customer number)
- Contact data (e.g. postal and email addresses, phone numbers)
- Content data (e.g. text or image-based messages and contributions, including author information and creation timestamps)
- Usage data (e.g. page views, dwell time, click paths, device types, interactions with content and features)
- Meta, communication and procedural data (e.g. IP addresses, timestamps, identifiers, parties involved)
Data subjects: Communication partners
Purposes: Communication; organisational and administrative procedures; feedback collection (e.g. via online forms); provision of online offering and user-friendliness
Retention and erasure: As described in “General Information on Data Retention and Erasure”
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR).
Further information:
- Contact form: When contacting us via the contact form, email, or other communication channels, we process the personal data provided to handle the enquiry. This usually includes details such as name, contact information, and further data necessary to respond appropriately. These are used solely for the stated purpose of communication. Legal bases: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).
Amendments and Updates
We kindly ask you to regularly check the content of our Privacy Policy. We will update the Privacy Policy whenever changes in our data processing activities make this necessary. We will inform you if such changes require your cooperation (e.g. renewed consent) or individual notification.
Where we provide addresses and contact details of companies and organisations in this Privacy Policy, please note that these may change over time and kindly verify them before contacting.
Definitions of Terms
In this section, you will find an overview of the terms used in this Privacy Policy. Where terms are defined by law, their legal definitions apply. The following explanations are intended to aid understanding.
- Inventory data: Essential information for identifying and managing contractual partners, user accounts, profiles and similar allocations. May include personal and demographic details such as names, contact details, dates of birth and specific identifiers.
- Content data: Information generated in the creation, editing and publication of content of all kinds, including texts, images, videos, audio files, and related metadata (tags, author details, publishing dates).
- Contact data: Essential information enabling communication with individuals or organisations, including phone numbers, postal and email addresses, social media handles and messaging identifiers.
- Meta, communication and procedural data: Information describing how data is processed, transmitted and managed, such as metadata (creation date, file size, author), communication records (emails, call logs, chats), and procedural logs (transaction records, audit trails).
- Usage data: Information about how users interact with digital products, services or platforms (e.g. frequency of use, time spent, navigation paths, IP addresses, device information).
- Personal data: Any information relating to an identified or identifiable natural person.
- Log data: Information on events or activities recorded in a system, such as timestamps, IP addresses, user actions, error messages.
- Controller: The natural or legal person, authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
- Processing: Any operation or set of operations performed on personal data, whether or not by automated means (e.g. collection, storage, evaluation, transmission, deletion).
