Request a demo
Request a demo

Privacy Policy

As of: 18 March 2026

This privacy policy applies to the website arvanis.de and to the domain arvanis.ai, which currently redirects to selected English-language pages on arvanis.de.

1. Controller

ARVANIS — Andreas Wöhrmann
c/o MDC Management#17
Welserstraße 3
87463 Dietmannsried
Germany
Owner: Andreas Wöhrmann
Email: datenschutz@arvanis.de
Phone: +49 156 78167322

2. General information

We process personal data only to the extent necessary to provide this website, process inquiries, and ensure security and stability.

3. Hosting and website delivery via Cloudflare (Pages/CDN)

This website is provided via Cloudflare Pages and related Cloudflare services, in particular CDN/edge network and security functions. Depending on the services used, the provider is, among others, Cloudflare, Inc. and, in the EU, Cloudflare Ireland Unlimited Company.

Which data is processed?

When this website is accessed, in particular the following data is processed for technical reasons:

  • IP address
  • date and time of access
  • requested page/file, amount of data transferred
  • browser/device information, e.g. user agent
  • referrer URL
  • technical log data for error analysis and defense against attacks

Purpose of processing

  • provision and delivery of the website
  • ensuring stability, performance and IT security, e.g. protection against misuse and attacks

Legal basis

Art. 6(1)(f) GDPR (legitimate interest in secure and efficient operation of the website).

Cookies by Cloudflare (technically necessary)

Cloudflare may set technically necessary cookies when protection mechanisms are activated, e.g. bot or attack protection. This may include cookies such as __cf_bm or cf_clearance. These serve the security and functionality of the website.

Consent is generally not required for such technically necessary cookies.

Recipients / processing on our behalf

Cloudflare processes data as a processor. The legal basis is the Cloudflare Data Processing Addendum (DPA).

International data transfer

Processing may also take place in third countries, e.g. the United States. For this, Cloudflare provides appropriate safeguards, in particular Standard Contractual Clauses, under the DPA.

Storage period

Technical log data is generally stored for 7 to 30 days, unless longer retention is required for the detection, analysis, or defense against specific security incidents or for legal reasons.

4. Contact by email, post, and business communication

You can contact us by email or by post.

Which data is processed?

In the context of contacting us, we process in particular the data you provide or transmit, e.g.:

  • Name
  • Company
  • Role / position
  • Email address
  • Phone number
  • Message
  • attachments, where applicable
  • for postal contact also sender data and other information contained in your mailing

Purpose of processing

Processing your inquiry and communicating with you.

Legal basis

Art. 6(1)(b) GDPR where the inquiry is aimed at entering into a contract; otherwise Art. 6(1)(f) GDPR (legitimate interest in handling inquiries and business communication).

Quick-check contact option (website form)

When you use the optional contact path in the IT maturity quick check, we process the submitted form fields (name, email, optional company and role), your quick-check scores, your consent confirmation, and the consent timestamp.

Purpose of this processing

Providing the requested follow-up information and contacting you regarding a demo or next steps.

Legal basis for this processing

Art. 6(1)(a) GDPR (consent).

You can withdraw your consent at any time with future effect by emailing datenschutz@arvanis.de.

If you select the "without contact" option, no contact details are submitted for follow-up from this form path.

Recipients

We use an email and business communication platform for the technical handling of business communication.

For receiving, digitizing, and forwarding incoming business mail, we also use an external service provider for business address and mail services.

Apart from this, data is not disclosed to further third parties unless this is required to process your inquiry or there is a legal obligation.

Form data from contact requests and demo requests is transmitted to HubSpot Ireland Ltd. for documentation and processing purposes (see Section 5).

Processing on our behalf

Where external service providers process personal data on our behalf, this is done on the basis of a data processing agreement pursuant to Art. 28 GDPR.

International data transfer

In connection with technical service providers used, a third-country transfer cannot be fully excluded. In this case, processing is based on the applicable data protection requirements and appropriate safeguards.

Storage period

Pure contact inquiries without follow-up business are generally deleted after 12 months unless further communication, contract initiation, or legal necessity exists.

Business correspondence with contractual or tax relevance is stored in accordance with statutory retention obligations.

5. Use of HubSpot (Website Analytics and Inquiry Processing)

We use HubSpot on this website, a service provided by HubSpot Ireland Ltd., 1 Sir John Rogerson's Quay, Dublin 2, Ireland.

Purpose of processing

CRM, lead management, business communication, optional marketing emails, and website analytics.

Form data submitted through the demo request form is transmitted to HubSpot via a server-side API after submission and stored there for documentation and processing. The direct appointment booking uses the optional HubSpot Meetings scheduling tool described below. HubSpot Ireland Ltd. acts as our data processor for the technical handling of these processes. We have entered into a Data Processing Agreement with HubSpot.

Data hosting and international transfers

Our HubSpot account data is hosted in the EU / Germany. In limited cases, processing or access may occur outside the EU/EEA, for example by sub-processors, HubSpot affiliates, support services, or the processing of usage and analytics data. For international data transfers, HubSpot relies on appropriate safeguards, in particular the EU-U.S. Data Privacy Framework and Standard Contractual Clauses, where applicable.

Sub-Processors

HubSpot engages its own sub-processors in the provision of its services, including Amazon Web Services (hosting). An up-to-date list is available at: legal.hubspot.com/de/sub-processors-page.

Legal basis

The legal basis for website analytics is Art. 6(1)(a) GDPR (consent). Processing of inquiries submitted through the demo request form is based on Art. 6(1)(b) GDPR where the inquiry is aimed at pre-contractual measures and otherwise on Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries). The HubSpot Meetings booking described below is based on Art. 6(1)(a) GDPR (consent).

Optional marketing consent

The demo request form also includes an optional marketing consent checkbox for product updates and invitations. This separate consent is based on Art. 6(1)(a) GDPR. The checkbox legitimizes only additional marketing communication and is not required for processing the inquiry itself.

After granting consent, you will receive a confirmation email (double opt-in). Marketing emails are sent only after confirmation. Emails are sent via HubSpot Ireland Ltd. (data processor). HubSpot uses tracking technologies by default (open and click tracking) to measure delivery and engagement.

Consent is voluntary and can be withdrawn at any time via the unsubscribe link in any email or by emailing datenschutz@arvanis.de.

Retention period

Contact data is stored in HubSpot for as long as there is a legitimate interest in the business relationship, but no longer than 12 months after the last active contact.

Upon withdrawal of consent, your data will be immediately blocked for marketing purposes. To prevent re-contact, we store your email address on an internal suppression list until you request its deletion.

HubSpot cookies used

Depending on your consent and the concrete technical integration, HubSpot may in particular set the following analytics cookies: __hstc (13 months), hubspotutk (13 months), __hssc (30 minutes), __hssrc (session).

If HubSpot's own consent categories are technically used, __hs_cookie_cat_pref (13 months) may additionally be set as a necessary storage entry.

You may exercise your privacy rights either directly via the HubSpot Privacy Request Portal or by contacting us: https://eu1.hs-data-privacy.com/request/bmwWX0Yf7j2FYK6nSdHfzw or datenschutz@arvanis.de.

HubSpot Meetings (embedded scheduling)

On the localized contact pages of arvanis.de, we offer an optional HubSpot Meetings iframe for booking introductory calls.

The iframe is assigned to the "Functional" cookie category and is loaded only after your active consent. Before consent, no connection to HubSpot is established via this embed.

When you activate the iframe, HubSpot may process technical usage data such as your IP address, browser and device information, date and time of access, and the data you enter into the scheduling form. The legal basis is Art. 6(1)(a) GDPR (consent).

6. Cookie settings (consent management)

We use vanilla-cookieconsent to manage consent on arvanis.de. If you access arvanis.ai, you are currently redirected to selected English-language pages on arvanis.de. Your selection is stored in your browser's localStorage. The optional HubSpot Meetings iframe is assigned to the "Functional" category and is loaded only after your active consent.

We use a consent management tool to manage your choices. Your selection is stored in a local storage entry in your browser so it can be respected on future visits.

The stored entry contains only your category choices, a timestamp, and the validity period. HubSpot analytics/statistics technologies are loaded only after your active consent.

The consent preference entry is kept for up to 13 months and is then renewed on your next interaction.

You can withdraw or change your choice at any time via the "Cookie settings" link in the footer.

7. External links, in particular LinkedIn

Our website contains links to external providers, e.g. to our LinkedIn company page. Merely accessing our website does not trigger data processing at LinkedIn. Data processing at LinkedIn starts only once you click the link and are redirected to LinkedIn. There, LinkedIn privacy provisions apply.

8. Privacy information regarding our LinkedIn company page

We operate a company page on LinkedIn.

Responsible provider

For users in the EU, the provider is regularly LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

Page Insights / joint controllership (Art. 26 GDPR)

LinkedIn provides page operators with Page Insights, i.e. aggregated statistics. For the creation of these statistics, LinkedIn and we are jointly responsible. The related agreement is described in the Page Insights Joint Controller Addendum.

Purpose and legal basis (our part)

Purpose: company presentation, communication, and analysis of reach and interactions in aggregated form.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in public relations and communication).

Data subject rights

As a rule, you can exercise your rights most effectively directly with LinkedIn, since LinkedIn controls the essential processing operations. In addition, you can contact us at any time.

International data transfer

LinkedIn may also process data in third countries. Details can be found in LinkedIn privacy information.

9. Use of Google Search Console and Bing Webmaster Tools

We use Google Search Console and Bing Webmaster Tools for technical analysis of this website's discoverability in search engines.

Purpose of processing

Monitoring the indexing status, analyzing visibility in search results, and identifying and resolving technical issues, e.g. crawling errors or indexing problems.

Technical integration

Verification is performed exclusively via a DNS TXT record. No external scripts are loaded on this website and no cookies are set. No visitor data is transmitted to the search engine providers through this integration.

Legal basis

Art. 6(1)(f) GDPR (legitimate interest in the technical maintenance and findability of the website).

International data transfer

Processing by the search engine providers in third countries cannot be fully excluded. The providers rely on appropriate safeguards, in particular Standard Contractual Clauses.

Retention period

Data is stored in the respective webmaster tools accounts for as long as the website is registered there. Deletion can be performed at any time by removing the website property.

10. Your rights

Under the GDPR, you have in particular the following rights:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Objection to processing based on Art. 6(1)(f) GDPR (Art. 21)
  • Lodge a complaint with a data protection supervisory authority (Art. 77)

The competent data protection supervisory authority is:

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Phone: +49 (0) 981 180093-0
Email: poststelle@lda.bayern.de
Website: https://www.lda.bayern.de

11. Right to object (Art. 21 GDPR)

If we process data on the basis of legitimate interests under Art. 6(1)(f) GDPR, you can object at any time on grounds relating to your particular situation.

Email: datenschutz@arvanis.de