
Privacy Policy

1. Data Controller

nimbicon GmbH
Münchner Str. 20
85774 Unterföhring
Germany

Managing Director: Alexander Weise

Phone: +49 (89) 21 54 43 51
Email: info@nimbicon.de

2. General Information on Data Processing

The protection of your personal data is important to us. We process personal data only to the extent necessary and in accordance with legal requirements (GDPR, BDSG, TDDDG). This privacy policy informs you about the nature, scope, and purpose of the processing of personal data on our website and in the customer portal.

3. Hosting and Content Delivery

This website is provided via Amazon Web Services (AWS). A Content Delivery Network (CDN) is used to deliver content through globally distributed servers to ensure fast loading times.

For more information on data processing by AWS as a processor, please refer to Section 11 (Processors and Third-Country Transfers).

4. Access Logs (Server Logs)

Data processed: When you access our website, technical information is automatically recorded in access logs:

  • Date and time of access
  • Page or resource accessed
  • HTTP status code and amount of data transferred
  • Browser type and version (user agent)
  • Referrer URL (previously visited page, if transmitted by the browser)
  • Country of access
  • Network identifier of the internet service provider (ASN)

We do not store IP addresses. The determination of country and network identifier is performed by our CDN provider in real time; the IP address itself is not logged.

Purpose and legal basis: The processing serves to ensure system security, detect and prevent attacks, and support error analysis and capacity planning. In the event of attacks, the data may be used to implement geographic access restrictions. The legal basis is Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in maintaining the security and availability of our website.

Retention period: Access logs are automatically deleted after 30 days.

5. Contact

Data processed: When you contact us by email or phone, we process the data you provide (e.g., name, email address, content of your inquiry).

Purpose and legal basis: The processing serves to handle your inquiry. The legal basis is Art. 6(1)(b) GDPR, insofar as the inquiry is directed at concluding a contract, or Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in responding to inquiries directed to us.

Retention period: Your data will be deleted as soon as it is no longer required for processing, but no later than the expiry of statutory retention periods (e.g., commercial and tax law retention obligations of up to 10 years).

6. Customer Portal

a) Authentication and Access

Data processed: When using the customer portal, we process your email address (as username), passkey registrations (WebAuthn credentials), and timestamps of your logins. Authentication is handled via AWS Cognito Managed Login (hosted at auth.nimbicon.de). Only passwordless methods are used: Passkey (WebAuthn) and email one-time password (OTP). We do not store any passwords.

Local browser storage:

  • localStorage: Authentication tokens (ID token, access token, refresh token) for session persistence – deleted upon logout
  • sessionStorage: Temporary security parameters during the login process – automatically deleted upon completion
  • On the authentication page (auth.nimbicon.de), AWS Cognito sets technically necessary session cookies
  • No tracking cookies are used; a cookie banner is not required

Invitation and authentication emails are sent via AWS SES (sender domain: portal.nimbicon.de).

Purpose and legal basis: The processing serves to provide a protected customer portal. Access is granted by invitation only. The legal basis is Art. 6(1)(b) GDPR (performance of a contract), insofar as access is part of the contractual service, and Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in protecting the customer portal from unauthorized access.

Retention period:

  • Account data: As long as access exists; deletion upon request or at the end of the business relationship
  • Authentication tokens in the browser: ID/access token max. 1 hour, refresh token max. 30 days
  • Cognito session cookies: session duration

b) Master Data and Business Data

Data processed: The customer portal is used to maintain master data required for contract processing. This includes company information (e.g. name, address, VAT ID), contact details of designated contacts (e.g. name, email address, phone number), and billing information (e.g. invoicing method, billing email). Data is entered by the users themselves and can be viewed and modified at any time.

Purpose and legal basis: The processing serves to maintain and manage customer master data. The legal basis is Art. 6(1)(b) GDPR (performance of a contract). The master data is required for the performance of the contractual relationship, in particular for invoicing and communication with your designated contacts.

Storage location: AWS data center in Frankfurt. Data is stored in encrypted form.

Retention period: During the business relationship and beyond in accordance with statutory retention periods (up to 10 years under commercial and tax law).

Deletion and Contact

You may request deletion of your customer portal access and associated data at any time. Please contact privacy@nimbicon.de. For more information on your rights, see Section 9 (Your Rights). For information on the processors we use, see Section 11 (Processors and Third-Country Transfers).

7. External Links and Social Media

Our website contains links to external websites, including in particular to LinkedIn. When you click on these links, you will be redirected to the respective external website. The respective operators are solely responsible for data processing on these websites.

Please note that social networks such as LinkedIn may collect extensive data about their users. For more information, please refer to LinkedIn’s privacy policy at linkedin.com/legal/privacy-policy.

We have no influence over the privacy practices of external providers and assume no liability for their content.

8. SSL/TLS Encryption

This website uses SSL/TLS encryption for the secure transmission of data. You can recognize an encrypted connection by the “https://” protocol in the address bar of your browser.

9. Your Rights

You have the following rights regarding your personal data:

  • Access (Art. 15 GDPR): You may request information about your data stored by us.
  • Rectification (Art. 16 GDPR): You may request correction of inaccurate data.
  • Erasure (Art. 17 GDPR): Under certain conditions, you may request deletion of your data.
  • Restriction of processing (Art. 18 GDPR): You may request restriction of processing.
  • Data portability (Art. 20 GDPR): You may receive your data in a structured, commonly used format.
  • Objection (Art. 21 GDPR): You may object to the processing of your data at any time for reasons arising from your particular situation.

To exercise your rights, please contact: privacy@nimbicon.de

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data. The supervisory authority responsible for us is:

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
www.lda.bayern.de

11. Processors and Third-Country Transfers

We use service providers who process personal data on our behalf (processors) to operate this website and the customer portal. We have concluded data processing agreements with these service providers in accordance with Art. 28 GDPR.

Amazon Web Services (AWS)

For operating this website and the customer portal, we use services from Amazon Web Services EMEA SARL (Luxembourg) and Amazon Web Services, Inc. (USA). Primary data processing takes place in data centers within the European Union (region Frankfurt).

The following functions are provided via AWS:

  • Website hosting and delivery
  • Authentication and user management for the customer portal
  • Storage and processing of customer master data
  • Delivery of invitation and authentication emails

Where data may be accessed from the USA in the context of support or operational processes, this is based on the following:

  • EU-US Data Privacy Framework (DPF): AWS is certified under the EU-US Data Privacy Framework (adequacy decision of the EU Commission pursuant to Art. 45 GDPR).
  • Standard Contractual Clauses (SCC): In addition, the Standard Contractual Clauses approved by the EU Commission pursuant to Art. 46(2)(c) GDPR are part of the contract with AWS.

For more information on data protection at AWS: aws.amazon.com/privacy

12. Updates to this Privacy Policy

Last updated: February 2026

We reserve the right to update this privacy policy as needed to comply with changed legal requirements or changes to our services. The current version can always be found on this page.

© 2026 nimbicon GmbH · Munich, Germany