This privacy policy explains how CONCEDUS GmbH ("we", "us", "Concedus") processes personal data when you visit our website, contact us, or otherwise interact with our services. It is provided pursuant to Art. 13 and Art. 14 of the EU General Data Protection Regulation (GDPR).
1. Controller and contact details
The data controller within the meaning of GDPR is:
- Controller: CONCEDUS GmbH, Ostendstraße 100, 90482 Nürnberg, Germany
- Phone: +49 911 7439 400 0
- Email: [email protected]
- Data Protection Officer: Audit GmbH Karlsruhe Stuttgart Wirtschaftsprüfungsgesellschaft, Heilbronner Straße 41, 70191 Stuttgart, Germany
- Email (DPO): [email protected]
2. Scope of this policy
This policy covers personal data processing connected to our website www.concedus.com, our contact channels (forms, email, phone), and the institutional client lifecycle where the data subject is a natural person.
Data processing performed under our regulated activities — onboarding, KYC, classification, transactional records — is governed by separate processing notices issued at the point of collection. This document does not replace those notices.
3. Data we collect and why
Server logs
When you visit our website, our system automatically records the following information from your accessing device:
- Browser type and version
- Operating system
- IP address
- Date and time of access
- Pages visited and request status
- Referring URL (where applicable)
Purpose: providing and operating the website, security monitoring, error analysis, and ensuring information security. This data is stored in server log files and is not combined with other personal data. Storage duration: typically session-bound, with security-relevant entries retained for a limited period (max 90 days) before deletion.
Contact forms
We process the information you provide in our contact forms. The following data is collected and stored at the time you submit a form:
- First name and last name
- Email address
- Company and/or organization (where applicable)
- Phone number (optional)
- Subject and content of your inquiry
- IP address of the accessing device
- Date and time of submission
Purpose: responding to your inquiry and, where applicable, initiating or executing pre-contractual measures. Retention: form submissions are stored for 90 days in an EU-hosted system and then automatically deleted, unless a longer retention is required to handle a specific inquiry or to comply with a statutory obligation.
4. Legal bases for processing
- Art. 6(1)(b) GDPR — Performance of a contract or pre-contractual measures (contact-form inquiries, onboarding).
- Art. 6(1)(c) GDPR — Compliance with a legal obligation, in particular regulatory record-keeping under § 83 WpHG, § 24c KWG, AML obligations under § 8 GwG, and commercial retention requirements under § 257 HGB and § 147 AO.
- Art. 6(1)(f) GDPR — Legitimate interests (operating and securing the website, error analysis, and anti-spam measures on contact forms).
5. Recipients and transfers
Personal data is accessed only by authorized Concedus personnel and by contracted processors that require it for the purposes described above. Categories of recipients include:
- Hosting and infrastructure providers (EU-based)
- Email delivery providers (EU/Frankfurt region)
- IT operations and security service providers
- External auditors and our data protection officer
- Tax and legal advisors where required
Each external recipient is engaged under a data processing agreement pursuant to Art. 28 GDPR. Personal data is not sold, rented, or made available for marketing purposes.
6. International transfers
By default, processing takes place within the European Economic Area. Where a transfer to a third country occurs, it is performed only on the basis of an adequacy decision, EU Standard Contractual Clauses, or another appropriate safeguard under Chapter V GDPR.
7. Storage duration and deletion
We store personal data only as long as necessary for the purpose it was collected for, or as long as required by applicable retention obligations. Key retention periods include:
- Contact-form submissions: 90 days (auto-deletion)
- Server logs: up to 90 days for security-relevant entries
- Commercial records: 6–10 years (§ 257 HGB)
- Tax-relevant records: 10 years (§ 147 AO)
- Investment services records: 5 years (§ 83 WpHG), or up to 7 years upon BaFin request
- AML records: 5 years following the termination of the business relationship (§ 8 GwG)
After applicable retention periods expire, personal data is deleted or, where deletion is technically not possible, anonymized.
8. Your rights under GDPR
You have the right to:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing (Art. 21 GDPR)
Requests can be sent to [email protected]. We respond within the deadlines set by Art. 12(3) GDPR.
9. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority — for us, the Bavarian State Office for Data Protection Supervision (BayLDA): www.lda.bayern.de.
10. No tracking cookies
This website does not set any tracking, analytics, or marketing cookies. We do not use a cookie banner because no consent is required for the technologies in use:
- Strictly necessary — a single session token may be set by our anti-spam mechanism (Cloudflare Turnstile) to distinguish humans from bots on form submissions. This is required under § 25(2) Nr. 2 TDDDG and does not need consent.
- No analytics cookies — see section 11.
- No marketing cookies — we do not embed any third-party advertising, retargeting, or social media tracking scripts.
Fonts are self-hosted from our own server; no requests are made to Google Fonts or any other third-party font CDN.
11. Cookieless web analytics
We use Cloudflare Web Analytics, a privacy-first, cookieless analytics tool. It measures aggregate traffic volumes (page views per URL, browser type, country at country-level only) without setting any cookie, without using a client-side fingerprint, and without recording IP addresses. No personal data is processed under Art. 4 Nr. 1 GDPR, so no consent is required.
12. Contact forms
Information submitted via contact forms is transmitted over TLS and stored in an EU-hosted system. Access is limited to authorized personnel. Submissions are retained for 90 days, then automatically deleted, unless a longer retention is needed to handle a specific inquiry or to comply with a statutory obligation.
For deletion requests before the 90-day period expires, write to [email protected].
13. Social media plugins
This website does not embed social media plugins that load third-party tracking. External links to social profiles are plain hyperlinks; no data is transmitted until you click.
14. Security measures
We employ technical and organizational measures appropriate to the risk of processing — TLS encryption in transit, access control, encryption at rest where applicable, regular security reviews, and incident response procedures aligned with DORA and BAIT.
15. Changes to this policy
We may update this privacy policy from time to time to reflect changes in our processing activities or legal requirements. The latest version is always available at this URL. The date at the top of the page indicates the last revision.