Privacy policy

Privacy Notice
The data controller pursuant to applicable data protection laws is VANTOYA AG, Widenmayerstraße 16, 80538 Munich (“Firm”).

This privacy notice provides you (hereinafter also referred to as “user” or “data subject”) with general information on how we process personal data within our firm, and specifically how we process personal data when you access our website, contact us via the website contact form, by email, or by phone. We also inform you about our presence on social media platforms and your rights regarding the processing of your data.
Throughout this notice, “data processing” refers exclusively to the processing of personal data.

 

1. General Information on Data Processing

1.1 Categories of Personal Data

We process the following categories of personal data:

  • Inventory data (e.g. names, addresses, roles, organizational affiliation, etc.)
  • Contact data (e.g. email addresses, telephone/fax numbers, etc.)
  • Content data (e.g. text inputs, image files, videos, etc.)
  • Usage data (e.g. access data)
  • Meta/communication data (e.g. IP addresses)

1.2 Recipients or Categories of Recipients of Personal Data

If we disclose data to other persons or companies—such as web hosts, data processors, or third parties—within the scope of our processing, transmit it to them, or otherwise grant them access, this is done on the basis of a legal permission (e.g. if transmission is necessary for contract fulfillment under Art. 6(1)(b) GDPR), based on consent, or if legally required.

1.3 Duration of Personal Data Storage

The duration of personal data storage depends on the applicable legal retention period. After this period, the data is deleted unless it is still required for fulfilling its purpose, for contract execution, or for initiating a contract.

1.4 Transfers to Third Countries

If we process data in a third country (i.e., outside the European Union or European Economic Area), or if this occurs through the use of third-party services or the disclosure/transmission of data to third parties, it is only done if necessary for fulfilling our (pre-)contractual obligations, based on your consent, a legal obligation, or our legitimate interests. Subject to legal or contractual permissions, data will only be processed in a third country if the conditions under Articles 44 ff. GDPR are met, such as adequacy decisions or standard contractual clauses.

2. Data Processing When Visiting Our Website

2.1 Log Files

Whenever a data subject accesses our website, general data and information are stored in the log files of our system:

  • Date and time of access (timestamp)
  • Request details and target address (protocol version, HTTP method, referer, user agent string)
  • Name of the accessed file and amount of data transferred (requested URL incl. query string, size in bytes)
  • Status of the request (HTTP status code) We do not draw any conclusions about the data subject from these general data and information. There is no personal evaluation, no marketing analysis, and no profiling. IP addresses are not stored. Legal basis for the temporary storage of data is Art. 6(1)(f) GDPR. Collecting data for website provision and storing it in log files is essential for the secure operation of our website. Therefore, there is no option to object.

2.2 Malware Detection and Log File Analysis

We collect and analyze log data automatically to detect, limit, or eliminate faults or errors in our communication technology, to defend against attacks on our IT systems, or to detect and block malware. Legal basis for temporary storage and analysis of data is Art. 6(1)(f) GDPR. These measures are essential for secure website operation, and objection is not possible.

2.3 Cookies

Our website uses so-called cookies. Cookies are small text files exchanged between web browsers and hosting servers. They are stored on the user’s computer and transmitted back to us. You can restrict or disable cookies via your web browser settings. Previously stored cookies can be deleted at any time. If cookies are disabled, some website features may not work correctly. Legal basis for processing personal data via cookies is Art. 6(1)(f) GDPR.

2.4 Hosting

Our hosting services include infrastructure and platform services, computing capacity, storage and database services, security services, and technical maintenance services needed for operating our website. We or our processors process user data (inventory, contact, content, contract, usage, meta/communication data) based on our legitimate interest in efficiently and securely providing this online service, under Art. 6(1)(f) GDPR and Art. 28 GDPR (data processing agreement).

3. Data Processing in the Context of Contacting Us

3.1 Contact via Email

You can contact our firm via the email addresses published on our website. In doing so, the data you provide (e.g. name, address), at least your email address and the content of your message, as well as other personal data, will be stored for the purpose of responding to your inquiry. The system also logs:

  • IP address of the accessing computer
  • Date and time of the email Legal basis: Art. 6(1)(b) and (f) GDPR.

3.2 Contact via Website Contact Form

When using our website contact form, your first and last name and email address are required. Without these, your message cannot be processed. Providing a postal address is optional and allows communication by mail if desired. The system also records:

  • IP address of the accessing computer
  • Date and time of submission Legal basis: Art. 6(1)(b) and (f) GDPR.

3.3 Contact via Mail and Fax

If you send us a letter or fax, the data you provide (e.g. name, address) and the content of your message will be stored for the purpose of communication and processing your concern. Legal basis: Art. 6(1)(b) and (f) GDPR.

4. Online Presence in Social Media

We maintain online profiles on LinkedIn to inform users about our services and to communicate. These can only be accessed via external links. When visiting our profiles, the terms and privacy policies of the respective platforms apply. We have no control over the data collection and further use by these networks. It is unclear how long, where, and to what extent data is stored, whether deletion obligations are met, and how the data is analyzed or shared. We process data sent to us via these platforms (e.g. comments, direct messages). Legal basis: Art. 6(1)(a) GDPR.

5. Your Rights

5.1 Right of Access (Art. 15 GDPR)

You have the right to request confirmation as to whether personal data concerning you is being processed. If so, you may request details including:

  • processing purposes
  • categories of personal data
  • recipients or categories of recipients
  • storage period or criteria
  • existence of rights to rectification, deletion, restriction, or objection
  • right to lodge a complaint with a supervisory authority
  • source of data if not collected from you
  • existence of automated decision-making including profiling

5.2 Right to Rectification (Art. 16 GDPR)

You may request the immediate correction of inaccurate personal data or the completion of incomplete data.

5.3 Right to Erasure (Art. 17 GDPR)

You have the right to request the deletion of your personal data under certain conditions, including:

  • no longer necessary for purposes collected
  • withdrawal of consent
  • objection to processing
  • unlawful processing
  • legal obligation to delete
  • collected from a child for online services Exceptions apply, including:
  • legal obligations
  • public interest
  • exercise of legal claims

5.4 Right to Restriction of Processing (Art. 18 GDPR)

You may request processing to be restricted if:

  • accuracy is contested
  • processing is unlawful but deletion is opposed
  • data is no longer needed but required for legal claims
  • objection is pending verification

5.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

5.6 Right to Object (Art. 21 GDPR)

You may object at any time to the processing of personal data based on Art. 6(1)(e) or (f) GDPR, including profiling. We will cease processing unless there are compelling legitimate grounds.

5.7 Right to Withdraw Consent (Art. 7(3) GDPR)

You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of prior processing.

5.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority if you believe the processing of your data violates the GDPR.

Transparent. Digital. Entrepreneurial.

  • Address

    VANTOYA AG
 Ridlerstraße 37-39
 80339 Munich

  • Contact

    info@vantoya.com
    +49 (0) 89 470 270 38

© 2025 vantoya.com

Imprint & Privacy policy

Contact