This English version is a courtesy translation. The legally binding version is the German original.
1. Data controller
The controller in the sense of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other data protection legislation is:
Vortanix · A service of NTFS GmbH & Co. KG
Legal entity: NTFS GmbH & Co. KG
Hainbachstraße 77
76829 Landau in der Pfalz
Germany
Email: info@vortanix.com
Referred to in the following as “we”, “us” or “Vortanix”.
2. General information on data processing
The protection of your personal data is important to us. We process personal data exclusively within the framework of statutory provisions, in particular the GDPR and the BDSG.
This privacy policy informs you about which personal data we process when you visit and use our website, for what purposes, on which legal basis the processing is carried out, and what rights you have.
Personal data is any information relating to an identified or identifiable natural person. This includes, for example, name, email address, IP address, technical access data and other online identifiers.
3. Processing principles
We process personal data according to the following principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, manipulation, disclosure or destruction.
4. Website access and server log files
When you access our website, the hosting provider and upstream security, network and protection systems automatically process technical information.
This may include in particular:
- IP address of the requesting device
- Date and time of the request
- Requested URL, file or resource
- Referrer URL
- HTTP method
- HTTP status code
- Amount of data transferred
- Browser type and version
- Operating system
- Device information
- Language settings
- Hostname of the accessing system
- Technical header information
- Connection, routing and security metadata
This data is processed in order to:
- provide the website technically,
- ensure stability and availability,
- detect attacks, abuse and technical disruptions,
- defend against DDoS attacks, bot access and automated abuse,
- trace security-relevant events,
- improve the performance and resilience of the infrastructure.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable, performant and abuse-resistant provision of our website and infrastructure.
This data is not merged with other data sources, unless required to investigate security incidents, to prevent abuse or to assert legal claims.
5. Hosting, infrastructure and technical operation
Our website is operated on technical infrastructure designed for secure, scalable and highly available provision. Depending on the configuration, hosting, networking, CDN, reverse-proxy, firewall, monitoring and DDoS protection components may be used.
As part of technical operation, personal data — in particular IP addresses and technical access data — may be processed by the infrastructure components involved.
The purposes of this processing include in particular:
- Delivery of website content
- Load balancing
- Defence against attacks
- DDoS mitigation
- Bot and abuse detection
- Network optimisation
- Error analysis
- Logging of security-relevant events
- Ensuring availability and integrity
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, resilient and scalable operation of our online services.
6. Use of Cloudflare
We use services of Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA, or affiliated Cloudflare entities, to protect our website against attacks, to optimise loading times and to enable highly available delivery of our content.
Cloudflare may in particular be used as a Content Delivery Network, reverse proxy, Web Application Firewall, DDoS protection system, DNS provider, bot-management system and security service.
When you visit our website, requests may initially be routed through the Cloudflare network. In doing so, the following data in particular may be processed:
- IP address
- Requested URLs and resources
- Date and time of the request
- Browser and device information
- HTTP headers
- Referrer
- TLS / connection information
- Security and firewall events
- Bot and risk indicators
- Network and performance metadata
The processing is carried out for the following purposes:
- Protection against DDoS attacks
- Protection against automated attacks and bots
- Defence against abusive access
- Detection and blocking of suspicious requests
- Load balancing and performance optimisation
- Caching of static content
- DNS and network stability
- Ensuring the availability of our website
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, fast and highly available provision of our website, as well as in the protection of our systems, users and data against attacks and abuse.
Insofar as Cloudflare processes personal data on our behalf, this is done on the basis of a data-processing agreement pursuant to Art. 28 GDPR. Cloudflare provides a Data Processing Addendum for this purpose.
As Cloudflare is an internationally operating provider, processing of personal data may also take place outside the European Union or European Economic Area. Cloudflare publishes information on its GDPR compliance and international data protection mechanisms, including details of the EU–US Data Privacy Framework.
Further information can be found in Cloudflare’s privacy policy.
7. Use of NetEye Shield for DDoS protection
In addition, we use the NetEye Shield service to defend against DDoS attacks, automated abuse, suspicious network traffic and security-relevant access patterns.
NetEye Shield is a private security and DDoS protection project by Yannik Göltz. The service protects our systems, services and network infrastructure against overload attacks, automated access, abusive behaviour and other security-relevant threats.
When NetEye Shield is used, the following data in particular may be processed:
- IP address
- Date and time of the request
- Target domain or target system
- Requested resources
- HTTP method
- HTTP headers
- User agent
- Referrer
- Connection information
- Packet, flow or request metadata
- Firewall decisions
- Rate-limit information
- Blocking or challenge events
- Security classifications
- Technical detection signatures of attack patterns
The processing is carried out in particular for the following purposes:
- Detection of and defence against DDoS attacks
- Filtering of malicious or suspicious requests
- Detection of automated access
- Protection against Layer 3, Layer 4 and Layer 7 attacks
- Rate limiting
- Traffic analysis for security purposes
- Detection of attack signatures
- Protection of the availability of our services
- Prevention of abuse of our infrastructure
- Analysis and tracking of security-relevant events
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in maintaining the availability, integrity, resilience and security of our technical infrastructure.
Insofar as NetEye Shield processes personal data on our behalf, the processing is carried out on the basis of a data-processing agreement pursuant to Art. 28 GDPR or a comparable data-protection arrangement, to the extent required.
Further information on data processing by Yannik Göltz can be found in the privacy policy at:
8. Multi-layer security and DDoS protection concept
Our website may be protected by several technical protection layers. These include in particular:
- Hosting and network security measures
- Firewalls
- Web Application Firewall rules
- DDoS mitigation
- Bot detection
- Rate limiting
- CAPTCHA mechanisms
- Anomaly detection
- Log evaluation
- Network and request filtering
- Abuse prevention
- Access restrictions
- Monitoring and alerting
In doing so, technical access data may be processed across several protection layers, insofar as this is required to detect, defend against or analyse attacks.
This processing is not carried out for advertising profiling, but exclusively for the technical security, stability and availability of our systems.
The legal basis is Art. 6(1)(f) GDPR.
9. Contact requests
If you contact us via a contact form, by email or by any other means, we process the personal data you submit.
This may include in particular:
- Name
- Email address
- Phone number, if provided
- Company, if provided
- Content of your message
- Time of contact
- Technical metadata of the transmission
- IP address, where technically required
The processing is carried out for the purpose of handling your request, communicating with you and documenting the request.
The legal basis, depending on the content of the request, is:
- Art. 6(1)(b) GDPR, where the request is connected with pre-contractual measures or an existing contractual relationship,
- Art. 6(1)(f) GDPR, where our legitimate interest lies in processing and answering your request,
- Art. 6(1)(c) GDPR, where statutory retention or documentation obligations apply.
The data submitted will not be passed on to third parties without your consent, unless this is necessary to handle your request or required by law.
The data will be deleted as soon as it is no longer required for processing and no statutory retention obligations apply.
10. Use of hCaptcha
To protect our forms and services against spam, bots and automated abuse, we use hCaptcha, a service provided by Intuition Machines, Inc., USA.
hCaptcha is used to check whether input on our website is made by a natural person or automatically by a program. For this purpose, hCaptcha may process various information, in particular:
- IP address
- Browser and device information
- Operating system
- Date and time of access
- Mouse movements, keystrokes or interaction data
- Dwell time and user behaviour within the widget
- Technical signals for bot detection
- Any cookies or comparable technologies that may be set
The processing is carried out for the purpose of protecting our website, forms, services and systems against spam, automated attacks, credential stuffing, scraping, abuse and other security-relevant access.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in protecting our website against automated abuse and ensuring the integrity of our communication channels.
Insofar as hCaptcha processes personal data on our behalf, this is done on the basis of a data-processing agreement pursuant to Art. 28 GDPR, to the extent required.
hCaptcha publishes its own data protection and GDPR information.
Further information can be found in the hCaptcha privacy policy.
11. Cookies, local storage and comparable technologies
Our website may use cookies, local storage, session storage or comparable technologies, insofar as this is required for technical operation, security, abuse prevention or the provision of individual features.
Technically required storage technologies may be used in particular for:
- Session management
- Security checks
- DDoS and bot protection
- CAPTCHA functionality
- Load balancing
- Firewall and challenge mechanisms
- Storing technical preferences
- Protection against repeated abuse
The legal basis for technically required storage is § 25(2) TTDSG (the German act implementing the ePrivacy Directive) or the respective successor provision, as well as Art. 6(1)(f) GDPR.
Where non-essential cookies or comparable technologies are used, this is done only on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TTDSG, where such consent is legally required.
12. Security monitoring and abuse detection
To ensure the integrity, availability and resilience of our systems, we may process technical security data.
This may include:
- IP addresses
- Access patterns
- Request rates
- Error rates
- HTTP status codes
- Firewall events
- Authentication and challenge events
- Suspicious requests
- Bot and abuse indicators
- System and network events
The processing is carried out for the following purposes:
- Detection of attacks
- Prevention of abuse
- Analysis of technical disruptions
- Protection of critical infrastructure components
- Optimisation of firewall and protection rules
- Incident response
- Forensic analysis of security incidents
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the security of our systems and the defence against unlawful or harmful access.
13. Retention periods
We store personal data only for as long as is required for the respective purposes or as required by statutory retention periods.
Technical log data is generally stored only for a limited period. Longer storage may take place where this is required for:
- investigation of security incidents,
- defence against ongoing attacks,
- tracking of abusive access,
- asserting, exercising or defending legal claims,
- fulfilment of statutory obligations.
Contact requests are deleted as soon as they have been conclusively processed and no statutory retention obligations apply.
14. Recipients of personal data
Personal data may, where necessary, be transmitted to the following categories of recipients:
- Hosting providers
- Network and infrastructure providers
- CDN and DDoS protection providers
- Security service providers
- CAPTCHA providers
- IT service providers
- Email and communication service providers
- Legal or tax advisors
- Authorities, where legally required
Disclosure takes place only where a legal basis exists, where required for the performance of a contract, where we are legally obliged, or where a legitimate interest exists.
15. Data processors
Insofar as we engage external service providers who process personal data on our behalf, we conclude data-processing agreements with these service providers pursuant to Art. 28 GDPR, where legally required.
Service providers may process personal data only on our instructions and only for the contractually defined purposes.
16. Transfers to third countries
When using certain services, in particular internationally operating providers such as Cloudflare or hCaptcha, personal data may be transferred to countries outside the European Union or the European Economic Area.
Such transfers take place only where the requirements of Art. 44 et seq. GDPR are met. This may in particular be on the basis of:
- an adequacy decision by the European Commission,
- Standard Contractual Clauses of the European Commission,
- additional technical and organisational protective measures,
- contractual guarantees,
- or a statutory exception.
For US providers, where applicable, certification under the EU–US Data Privacy Framework may additionally be considered.
17. Encryption and transport security
Our website uses transport encryption via TLS/SSL. This protects data you transmit to us against unauthorised interception by third parties.
You can usually recognise an encrypted connection in the address bar of your browser, in particular by the “https://” prefix and the padlock symbol.
We also implement further technical and organisational measures to guarantee the security of processing.
18. No automated decision-making
Automated decision-making within the meaning of Art. 22 GDPR does not take place.
Security, firewall, CAPTCHA, bot and DDoS protection systems may, however, make automated technical decisions, for example blocking, delaying, challenging or filtering individual requests. These measures serve exclusively the purposes of technical security and abuse prevention.
19. No advertising profiling
We do not use the data processed in the course of website operation, security measures, DDoS protection or CAPTCHA checks for advertising profiling.
Processing for marketing purposes only takes place where a separate legal basis exists, in particular consent.
20. Your rights
Within the statutory requirements, you have the following rights:
20.1 Right of access
You have the right pursuant to Art. 15 GDPR to obtain information about the personal data we process.
20.2 Right to rectification
You have the right pursuant to Art. 16 GDPR to request the correction of inaccurate personal data or the completion of incomplete personal data.
20.3 Right to erasure
You have the right pursuant to Art. 17 GDPR to request the erasure of your personal data, unless statutory retention obligations or other legal grounds preclude this.
20.4 Right to restriction of processing
You have the right pursuant to Art. 18 GDPR to request the restriction of the processing of your personal data.
20.5 Right to data portability
You have the right pursuant to Art. 20 GDPR to receive the personal data concerning you in a structured, commonly used and machine-readable format.
20.6 Right to object
You have the right pursuant to Art. 21 GDPR, on grounds relating to your particular situation, to object at any time to the processing of personal data carried out on the basis of Art. 6(1)(e) or (f) GDPR.
20.7 Right to withdraw consent
Insofar as processing is based on your consent, you may withdraw it at any time with effect for the future, pursuant to Art. 7(3) GDPR.
To exercise your rights, you can contact us at any time:
21. Right to lodge a complaint with a supervisory authority
You have the right pursuant to Art. 77 GDPR to lodge a complaint with a data protection supervisory authority if you consider that the processing of your personal data infringes data protection law.
You may in particular contact the supervisory authority responsible for us:
State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate
(Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz)
Hintere Bleiche 34
55116 Mainz
Germany
22. Changes to this privacy policy
We reserve the right to adapt this privacy policy if legal, technical or organisational changes occur.
The current version is available on our website at any time.
23. Note on legal effect
This privacy policy serves to provide transparent information about the processing of personal data in connection with our website and the security, infrastructure and protection services we use. The applicable law as in force and the technical configuration actually deployed remain decisive in each case.