Privacy Policy

The protection of your privacy is very important to us and we want you to feel safe on our website.

This Privacy Policy applies to all website visitors, applicants, interested parties and customers whose personal data is provided to us in connection with the website visit, an application (via the website or otherwise) or the execution or initiation of a business relationship, as well as to all users of our platform services, insofar as we process personal data processed there for our own purposes. We are the controller in relation to the processing of the personal data listed in this Privacy Policy.

The aforementioned personal data is information that relates to an identified or identifiable natural person (hereinafter "data subject"). This includes in particular your name and your e-mail address, but also data about your use of our website (e.g. your IP address), etc.

Below we inform you about the type, scope and purpose of the personal data processed by us and inform you about the rights to which you are entitled as a data subject.

1. Name and address of the responsible party

The responsible party within the meaning of the EU General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:

CS Company Shield GmbH
Max-Urich-Straße 3, AI Campus
13355 Berlin
Germany

Managing Directors: Tom-Christopher Müller, Julius Muth
Email: info@company-shield.de
Phone: +49 152 2473 4131


2. Name and address of data protection officer

The data protection officer of the controller is:

Tom-Christopher Müller
CS Company Shield GmbH
Max-Urich-Straße 3, AI Campus
13355 Berlin
Germany
Email: datenschutz@company-shield.de


3. Type of personal data, purposes of processing, legal basis (in the case of processing by us via the website and outside the website)

a. Website visit for informational purposes

If you visit our website for information purposes only, without actively providing personal data, we only store access data in so-called server log files. This includes:

  • the name of the requested file,

  • date and time of the request,

  • the amount of data transferred,

  • browser used,

  • operating system used,

  • IP address,

  • requested URL,

  • referrer URL (URL that you visited immediately before) and

  • the requesting provider.

The legal basis for the processing of this personal data is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is to enable you to access our website.

The personal data listed is automatically collected by our IT systems when you visit our website. Without the processing of personal data (in particular the IP address) for the duration of the session, the website may not be displayed or may only be displayed to a limited extent.

b. Contact form

On our website, we provide information that enables you to contact us quickly by electronic means and to communicate with us directly. This primarily includes our contact forms. If you contact us by email or using the contact form, the personal data you provide will be stored automatically.

In doing so, we generally process the following personal data from you:

  • First and last name,

  • E-mail address,

  • Company/employer,

  • Telephone number, if applicable, and

  • Personal data contained in your individual contact message.

We use the personal data you provide exclusively for processing your specific inquiry. Your information may be stored in a customer relationship management system (so-called CRM system) or another organizational tool for customer data.

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case when the respective conversation with you has ended or a concluded contract is terminated and the data is no longer required.

The legal basis depends in this respect on the information that you provide to us when contacting us in the course of sending an email, the contact form or a message. If the contact is aimed at the conclusion of a contract, the legal basis for the processing is Art. 6 para. 1 lit. b GDPR. If contact is made for other purposes, the legal basis is Art. 6 para. 1 lit. f GDPR.

c. Data collection and use for contract processing

In order to initiate or execute the contractual relationship with you, the processing of certain personal data is unavoidable. In connection with the execution of the contract, including any registration within the scope of our awareness building services, we process the following personal data in particular:

  • Name,

  • Company name,

  • Business address,

  • E-mail address,

  • Telephone number and

  • Documents or texts sent by you that contain personal data

and all data necessary for the processing of payments and for the prevention of fraud, in particular

  • Credit card or debit card numbers,

  • any security codes and

  • other billing information.

Insofar as we use this personal data (i) to coordinate the planning, execution, control and administration of your contractual relationship with us, (ii) to provide you with information about your registration or how to make changes in our system or (iii) to carry out payment transactions, the legal basis for these processing operations is Art. 6 (1) lit. b GDPR.

If, on the other hand, the personal data is used for the settlement of disputes, the enforcement of the contractual agreement and the establishment, exercise or defense of legal claims, the legal basis for this processing is Art. 6 para. 1 lit. b or f GDPR, depending on the claims.

If you have submitted your data for the purpose of initiating a contractual relationship, we may pass it on to our sales partners if they are suitable for your segment. The legal basis for this processing is Art. 6 para. 1 lit. f GDPR.

We collect personal data in connection with the performance of the contract directly from you, when you provide it yourself while ordering or registering.

After complete processing of the contract, your data will be blocked for further use and deleted after expiry of the statutory retention periods, unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted by law and about which we inform you below. 

d. Interviews for product research and development

Users of our platform services can voluntarily participate in interviews. We use the data collected during interviews for internal purposes in order to further improve our products and services. We may group the results with the answers of other participants in order to share interview results internally. Video recordings and/or audio recordings will only be made if you have consented to this. We delete video recordings after 12 months and all other personal interview data after two (2) years.

The legal basis for storing data in the context of videos is your consent pursuant to Art. 6 (1) lit. a GDPR.

e. Google Ads Lead Form Extensions

We use the Google Ads lead form extension service to give you the opportunity to contact us directly via our ads placed on Google Ads. If you provide personal data, this will be stored by Google for 30 days.

The legal basis here is primarily your consent pursuant to Art. 6 (1) lit. a GDPR. If your contact is aimed at concluding a contract, the legal basis for the processing is Art. 6 (1) lit. b GDPR.

f. Participation in the Phish Your Family Game

If you participate in our Phish Your Family Game, we may process the following personal data to conduct simulated phishing exercises:

  • Name, email address, and phone number of the Initiator.

  • Names, email addresses, and phone numbers of the family members above the age of 16, as provided by the Initiator.

  • Consent confirmations (where applicable) pursuant to Art. 6 (1) lit. a GDPR.

The purpose of this data collection is to enhance cybersecurity awareness in a playful and engaging manner by providing our product as a free educational test version. The legal basis for this processing is Art. 6 (1) lit. f GDPR (the initiators’ legitimate interest to educate their family members about potential threats, and Company Shield’s legitimate interest in providing cybersecurity education). Your data is stored only for the duration necessary to complete the training and provide relevant feedback. You may opt out of this program at any time by contacting us at datenschutz@company-shield.de.

We process personal data to:

  • Conduct the cybersecurity training simulation as a free test version of our product offering.

  • Inform the Initiator about the results of the simulation to raise awareness of cybersecurity risks.

  • Comply with our legal obligations, including GDPR transparency requirements.

We implement strict measures to avoid processing sensitive personal data (as defined in Art. 9 GDPR, e.g., data concerning health, political opinions, religious beliefs, etc.) during the execution of the Phish Your Family program. We collect only the data strictly necessary to conduct the simulation and deliver feedback. Personal data used for simulations is automatically deleted after completing the program and providing feedback.

As part of the Phish Your Family program, the deepfake AI voice call simulation does not involve the recording or storage of any voice data. The AI-generated voice used during the call is created in real-time for the purpose of the simulation. No audio content from the participants or recipients of the call is captured, stored, or processed. This ensures that your privacy and the privacy of your family members are fully protected during the simulation.


4. Use of cookies

In order to make visiting our website more attractive and to enable the use of certain functions, we use so-called “cookies” on our website. These are small text files that are stored on your terminal device.

Cookies enable us, for example, to track and determine your preferences and to identify you individually during a visit to our website. At the end of the browser session, most of the cookies we use are deleted again ("session cookies"). Persistent cookies, on the other hand, remain on your device and enable us, for example, to recognize you on your next visit or to analyze your usage behavior.


5. Data deletion and storage period

Unless otherwise specified in the individual sections, the stored personal data will be deleted if you revoke your consent to storage or if knowledge of this data is no longer required to fulfill the purpose for which it was stored. Furthermore, storage may take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject.

We regularly check whether the purpose for which the data was stored is still valid and delete your data immediately if this is no longer the case. However, with regard to the relevant data, the deletion will only take place after the expiry of the deadlines of the tax and commercial law regulations.

For the Phish Your Family program, personal data collected for the simulation is deleted immediately after the training is completed and the results are shared, unless otherwise required by legal obligations or explicitly consented to by the participants.


6. Disclosure of personal data and recipients

We will not disclose personal data without your express consent, unless there is a legal reason for permission, e.g. if we are legally obliged to disclose data (information to law enforcement agencies and courts; information to public bodies that receive data based on legal regulations, e.g. social insurance agencies, tax authorities, etc.) or if we involve third parties bound to professional secrecy to enforce our claims. We share your personal data with the following recipients:

  • We use processors to process personal data for the above-mentioned purposes, who process the personal data on our behalf. We always retain control over the respective personal data and remain the data controller.

  • For payment processing in the course of orders, we transmit payment details to banks and payment service providers if required by the payment method.

  • We transmit personal data in individual cases to courts, law enforcement agencies, supervisory authorities, other authorities, tax advisors and lawyers, insofar as this is legally permissible and necessary.


7. Your rights

You have the following rights:

a. Right to information

Pursuant to Art. 15 GDPR, you have the right to request information about your personal data stored by us free of charge. This also allows you to obtain a copy of the personal data we process about you and to verify whether we are processing it in a lawful manner.

b. Right to rectification

In the event of incorrect data, you have the right to rectification in accordance with Art. 16 GDPR. We are obliged to make the correction without delay.

c. Right to restriction of processing

You have the right under Article 18 of the GDPR to request that we restrict processing. This allows you to request the suspension of the processing of your personal information, for example, if you want us to determine its accuracy or the basis for processing.

d. Right to deletion

Pursuant to Art. 17 GDPR, you have the right to demand that we delete the personal data concerning you without undue delay if the data is no longer required for the purposes for which it was collected or, if the processing is based on your consent, you have revoked your consent. In this case, we must stop processing your personal data and remove it from our IT systems and databases. A right to deletion does not exist insofar as

  • the personal data may not be deleted or must be processed due to a legal obligation; or

  • the data processing is necessary for the assertion, exercise or defense of legal claims.

e. Right to data portability

Pursuant to Art. 20 GDPR, you have the right under certain circumstances to have the personal data concerning you, which you have provided to us, transferred to another controller in a structured, common and machine-readable format.

f. Right of objection

You have the right to object to the processing of your personal data insofar as the processing is based on our legitimate interests (or those of a third party) and there are grounds arising from your particular situation on the basis of which you wish to object to the processing on said basis. In particular, you have the right to object if we process your data for direct marketing purposes.

g. Right to revoke consent under data protection law

You have the right to revoke your consent to the processing of personal data at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

h. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.


8. Contact

If you have any questions about the collection, processing or use of your personal data, for information, correction, blocking or deletion of data or general questions and suggestions on the subject of data protection, please contact us directly (see 2. Name and address of the data protection officer).


9. Mandatory information according to Article 13 GDPR

In the event of initial contact, we are obliged pursuant to Art. 12, 13 GDPR to provide you with the following mandatory data protection information:

If you contact us by e-mail, we will only process your personal data if there is a legitimate interest in the processing (Art. 6 (1) (f) GDPR), you have consented to the data processing (Art. 6 (1) (a) GDPR), the processing is necessary for the initiation, establishment, content or amendment of a legal relationship between you and us (Art. 6 (1) (b) GDPR) or another legal norm permits the processing. Your personal data will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after we have completed processing your request). Mandatory legal provisions – in particular retention periods under tax and commercial law – remain unaffected. You have the right at any time to receive information free of charge about the origin, recipient and purpose of your stored personal data. You also have the right to object, to data portability and the right to complain to the competent supervisory authority. Furthermore, you can request the correction, deletion and, under certain circumstances, the restriction of the processing of your personal data. For details, please refer to our privacy policy above.

Status as of November 2024