Privacy Policy
Last updated: 30th April, 2026. In the following, we inform you about the processing of personal data when using our website. Personal data is any data that can be related to you personally, for example name, address, email addresses or user behaviour. This privacy policy explains which data we process for which purpose and on which legal basis.
1. Controller and Contact
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection provisions is:
Nova Soft GmbH
Torweg 1
04435 Schkeuditz
Germany
Managing Director: Benny Höll
Registering court: Amtsgericht Leipzig, HRB 45469
VAT identification number: Coming Soon
Contact: phone +49 (0) 341 126 933 94
Mobile: +49 (0) 177 86 62 269
Email: info@novasoft.gmbh
If you have any questions about the collection, processing or use of your personal data, about information, correction, restriction or deletion of data, or about the withdrawal of consents granted or objections to a specific use of data, please contact us directly using the contact details above.
2. Data Protection Officer
Nova Soft GmbH is not legally obliged to appoint a data protection officer within the meaning of Art. 37 GDPR in conjunction with Section 38 of the German Federal Data Protection Act (BDSG). Nevertheless, we take the protection of your personal data very seriously. For all data protection inquiries, the management is available via the contact details provided above.
3. General Principles of Data Processing
We generally process personal data of our users only to the extent that this is necessary to provide a functional website as well as our content and services. The processing of personal data of our users is regularly carried out only with the user's consent or on another legally permissible basis.
Legal bases for the processing of personal data include in particular: Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures), Art. 6(1)(c) GDPR (compliance with a legal obligation) and Art. 6(1)(f) GDPR (legitimate interests).
We comply with the principles of data processing pursuant to Art. 5 GDPR: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.
4. Provision of the Website and Creation of Log Files
Each time our website is accessed, our self-hosted Node.js server automatically collects data and information from the computer system of the accessing device. The following data is collected:
IP address of the requesting device, date and time of the request, URL accessed or name of the file retrieved, time zone difference to Greenwich Mean Time (GMT), HTTP status code and amount of data transferred, referrer URL (previously visited page), browser used including version, operating system used, browser language settings.
The data is stored in the log files of our server. This data is not stored together with other personal data of the user.
Legal basis for the temporary storage of the data is Art. 6(1)(f) GDPR. Our legitimate interest lies in delivering the website, ensuring a smooth connection setup and convenient use of the website, evaluating system security and stability, and further administrative purposes.
Retention period: Log files are automatically deleted after 14 days at the latest. Any storage beyond this period only takes place in the event of security-related incidents (e.g. attempted attacks), in which case IP addresses remain stored until the respective incident has been conclusively clarified.
5. SSL/TLS Encryption
For security reasons and to protect the transmission of confidential content such as inquiries you send to us as the site operator, this website uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the browser's address line changes from http:// to https:// and by the lock symbol in your browser line.
When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
6. Cookies and Consent Management
Our website uses cookies. Cookies are small text files that are stored on your device when you visit a website. They do no harm to your device and contain no viruses, trojans or other malware.
We distinguish between technically necessary cookies, which are essential for the operation of the website, and non-essential cookies (e.g. for analysis or marketing), which are only set with your express consent.
When you first visit our website, a cookie banner appears, via which you can grant, reject or granularly configure your consent to the use of non-essential cookies. Your settings are stored in a technically necessary cookie so that the banner does not have to be displayed again on every page visit.
Legal bases: For technically necessary cookies, this is Section 25(2) no. 2 TDDDG in conjunction with Art. 6(1)(f) GDPR. For all other cookies, this is your consent pursuant to Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.
You can withdraw your consent at any time with effect for the future by calling up the cookie settings again via the corresponding link in the footer of our website and adjusting them.
7. Contact Form and Contact by Email
We provide a contact form on our website through which you can contact us electronically. In this context, we collect the following data: name, email address, subject and the content of your message. In addition, the date and time of submission are recorded for technical reasons.
Your message is transmitted to us via SMTP using the Nodemailer software over a transport-encrypted channel. The message is stored in our email inbox and processed there.
Purpose of processing: We use the data exclusively to respond to your inquiry and for any subsequent communication.
Legal bases: If your inquiry is aimed at concluding or performing a contract, the legal basis is Art. 6(1)(b) GDPR. In all other cases, the legal basis is Art. 6(1)(f) GDPR (legitimate interest in efficient handling of contact inquiries).
Retention period: Your data will be deleted as soon as your inquiry has been finally processed and the matter has been clarified, usually after six months at the latest. For inquiry-related matters that relate to a business relationship, statutory retention periods of up to ten years apply (e.g. according to Section 257 HGB and Section 147 AO).
Providing the data is voluntary; however, without providing the mandatory fields (name, email, message) we cannot respond to your inquiry.
8. Email Delivery via SMTP (Nodemailer)
To send transactional emails (e.g. in response to your contact inquiry) we use an SMTP server in conjunction with the Node.js library Nodemailer. The data required for delivery (sender and recipient address, subject, message content, technical headers) is processed for this purpose.
Communication with the SMTP server is transport-encrypted (TLS). The legal basis is, depending on the context, Art. 6(1)(b) or (f) GDPR.
9. Google Analytics 4 (Consent Mode v2)
On this website, provided you have given your express consent, we use the web analytics service Google Analytics 4 (GA4). The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter Google).
Google Analytics uses so-called cookies and comparable technologies (e.g. web storage, pixels) that enable an analysis of your use of our website. The information generated by these technologies about your use of the website is generally transmitted to a Google server in the USA and stored there.
Cookies used and storage periods: _ga (storage period: 2 years, purpose: distinguishing individual users via a unique Client ID), _ga_<container-id> (storage period: 2 years, purpose: maintaining session state), _gid (storage period: 24 hours, where enabled, purpose: distinguishing users), _gat_gtag_<property-id> (storage period: 1 minute, purpose: throttling the request rate).
Google Consent Mode v2: We use Google Consent Mode v2. Depending on your consent, the signal parameters analytics_storage, ad_storage, ad_user_data and ad_personalization are set to the status granted or denied. Without your consent, either no signals are transmitted to Google or only cookieless, aggregated and non-identifiable signals are transmitted.
IP anonymisation: In Google Analytics 4, IP anonymisation is enabled by default. IP addresses are not permanently stored or logged. Google uses IP addresses solely to roughly derive location and then discards them.
Data retention: We have limited the retention period for user- and event-related data in Google Analytics to 2 months (alternatively a maximum of 14 months). After that, the data is automatically deleted.
Google Signals and cross-device reports: Where activated, Google Signals enable cross-device reports and remarketing. You will be informed about this separately in the cookie banner; use takes place only with your consent.
Data transfer to third countries (USA): Google LLC (parent company, USA) is certified under the EU-US Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023). In addition, we have concluded the EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR with Google Ireland Limited. A data processing agreement pursuant to Art. 28 GDPR exists with Google.
Legal basis: Use takes place exclusively on the basis of your consent pursuant to Art. 6(1)(a) GDPR and Section 25(1) TDDDG. You can withdraw your consent at any time with effect for the future via the cookie settings.
Further information on the handling of user data by Google Analytics can be found in the Google privacy policy: https://policies.google.com/privacy and at https://support.google.com/analytics/answer/6004245.
10. Self-Hosted Analytics with GeoIP Lookup (MaxMind GeoLite2)
In addition, we operate our own self-hosted analytics solution to evaluate the use of our website. This runs exclusively on our server and does not transmit any data to third parties.
To determine the approximate geographic location (country and, where applicable, region/city) based on the IP address, we use the locally installed MaxMind GeoLite2 database. The IP address is queried exclusively locally on our server. No transmission of the IP address to MaxMind or other third parties takes place.
Data processed: IP address (truncated or hashed immediately after evaluation), derived country and derived region, date and time of access, page accessed, referrer, user agent.
Purpose: Statistical evaluation of the use of our website, optimisation of our offering and display of aggregated metrics in an internal admin dashboard.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the needs-based design and statistical evaluation of our website. Identification of individual users is neither intended nor technically provided for.
Retention period: Raw data is deleted or irreversibly anonymised after 30 days at the latest. Aggregated, non-personal metrics are retained indefinitely.
Pursuant to Art. 21(1) GDPR, you have the right to object at any time to this processing on grounds relating to your particular situation.
11. Recipients and Processors
Within our company, only those persons and units have access to your data who need it to fulfil the purposes described above.
Transmission to external recipients only takes place to the extent necessary. Recipient categories include in particular: hosting and infrastructure providers, SMTP/email providers, with corresponding consent Google Ireland Limited or Google LLC (Google Analytics 4), as well as authorities and public bodies, insofar as there is a legal obligation to disclose.
We have concluded data processing agreements pursuant to Art. 28 GDPR with all external processors, where necessary.
12. Data Transfer to Third Countries
A transfer of personal data to countries outside the European Economic Area (third countries) generally only takes place if this is necessary for the performance of a contract, required by law or if you have given us your consent.
In individual cases, in particular when using Google Analytics 4, data may be transmitted to servers in the USA. The transfer takes place on the basis of the adequacy decision of the European Commission of 10 July 2023 (EU-US Data Privacy Framework) or, supplementarily, on the basis of the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
13. Retention Periods and Deletion Concept
We only store personal data for as long as is necessary to achieve the respective processing purposes or as long as statutory retention obligations exist.
Specifically, the following retention periods apply: server log files no later than 14 days; contact form data until final processing of the inquiry, at the latest 6 months if no business relationship arises; for business-relevant matters up to 6 or 10 years pursuant to Section 257 HGB and Section 147 AO; internal analytics raw data no later than 30 days; Google Analytics 4 user and event data a maximum of 14 months, configured by us to 2 months.
After expiry of the periods, the corresponding data is routinely deleted or irreversibly anonymised.
14. Your Rights as a Data Subject
You have the following rights with regard to the processing of your personal data:
Right of access (Art. 15 GDPR): You have the right to request confirmation as to whether personal data concerning you is being processed, as well as a right to information about this data and to the information specified in more detail in Art. 15 GDPR.
Right to rectification (Art. 16 GDPR): You have the right to request without undue delay the rectification of inaccurate personal data concerning you and the completion of incomplete personal data.
Right to erasure (Art. 17 GDPR): You have the right to request the erasure of personal data concerning you, provided that the legal requirements are met and no exclusionary ground (e.g. statutory retention obligation) applies.
Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of the processing of your personal data under the conditions set out in Art. 18 GDPR.
Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, or to have it transmitted to another controller.
Right to withdraw consent (Art. 7(3) GDPR): You have the right to withdraw a consent granted at any time with effect for the future. The lawfulness of the processing carried out on the basis of the consent up to the withdrawal remains unaffected.
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged infringement.
To exercise your rights, an informal notification to the contact details mentioned in Section 1 is sufficient.
15. Right to Object pursuant to Art. 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims (objection pursuant to Art. 21(1) GDPR).
If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes (objection pursuant to Art. 21(2) GDPR).
The objection can be made informally and should preferably be directed to the contact details mentioned in Section 1.
16. Competent Supervisory Authority
The supervisory authority responsible for us is:
Die Sächsische Datenschutz- und Transparenzbeauftragte (Saxon Data Protection and Transparency Officer)
Maternistraße 17
01067 Dresden, Germany
Postal address: Postfach 11 01 32, 01330 Dresden
Phone: +49 351 85471-101
Email: post@sdtb.sachsen.de
Website: https://www.datenschutz.sachsen.de
Irrespective of this, you can also contact any other data protection supervisory authority in the European Economic Area.
17. Data Security
We take appropriate technical and organisational security measures pursuant to Art. 32 GDPR to protect your data against accidental or intentional manipulation, partial or total loss, destruction, or against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.
These include in particular TLS transport encryption, access restrictions, logging of administrator access, regular security updates and a documented authorisation concept.
18. No Automated Decision-Making
Automated decision-making, including profiling pursuant to Art. 22(1) and (4) GDPR, does not take place.
19. Validity and Amendment of this Privacy Policy
This privacy policy is currently valid and reflects the status as of 30th April, 2026. Due to the further development of our website and offers or due to changed statutory or official requirements, it may become necessary to amend this privacy policy.
The current privacy policy can be accessed and printed at any time on our website.
