Data Protection

Privacy Policy

Introduction.

Data protection is an important concern for NFON AG. To protect your personal data, which may be collected when visiting our website or provided by you, we act in accordance with applicable legal data protection regulations.

1. Data Controller and Data Protection Officer

The entity responsible for processing your personal data in connection with our website and services, in accordance with the GDPR and national data protection laws of EU member states, is:

NFON AG
Zielstattstraße 36
81379 Munich
(hereinafter referred to as "NFON", "we", "us").

Our Data Protection Officer at NFON AG, Claudia Standke, can be contacted by post at the above address, Attn: Data Protection Officer, or via email at: datenschutz@nfon.com.

2. Purpose and Legal Basis for Data Processing

2.1. Fulfilment of contractual obligations, Art. 6 (1) (b) GDPR

The primary purpose of data processing is to establish, execute, and terminate our business relationship. This includes in particular:

· Processing of product orders

· Handling service requests as part of our support services

· Responding to product-related enquiries

2.2. Consent, Art. 6 (1) (a) GDPR

Certain data processing activities are based on your explicit consent, including:

· Event registration

· Receiving targeted information (e.g., NFON Status Notification Service) and offers

· Personalised use of the website

You can withdraw your consent at any time with effect for the future.

2.3. Legal obligations, Art. 6(1) (c) GDPR

We are subject to various legal obligations, including:

· Compliance with telecommunications laws, such as processing traffic data for billing purposes

· Commercial and tax law retention obligations

2.4. Legitimate interests, Art. 6(1) (f) GDPR

Where necessary, we process your data for the purposes of our legitimate interests, including:

· Monitoring, optimising, and developing services and products

· Preventing, investigating, and resolving criminal offences

· Credit checks

· Enforcing legal claims and defending against legal disputes

· Auditing

· Ensuring the security and operational functionality of our IT systems

· Direct marketing

3. When Do We Collect Your Data?

3.1. Website Access

Each time you visit our website, we collect technical access data in server log files, which your browser automatically transmits to enable website use. These include:

· IP address of the requesting device

· Browser type, browser version, and operating system

· Online identifiers (e.g. device identifiers)

· Requested file name

· Date and time of access

· Transferred data volume

· Requesting provider

· Referrer URL

· TLS version

Data is stored for 14 months. Processing is based on Art. 6 (1) (f) GDPR. Our legitimate interest consists exclusively in ensuring the trouble-free operation of the website, guaranteeing the security of our systems and analysing them to improve our offer. The information stored in the log files does not allow direct identification of your person.

3.2. Contacting Us

You can contact us via various forms or email. We process your data solely for communication purposes. In the context of communication with prospective customers, the legal basis is our legitimate interest in accordance with Art. 6 (1) (f) GDPR and insofar as data processing is necessary for the implementation of pre-contractual measures or for the fulfilment of a contract, Art. 6 (1) (b) GDPR is relevant. In the context of support enquiries, we may forward your data to our support department for support purposes.

The data collected by us when using the contact forms will be automatically deleted after your enquiry has been fully processed, unless we still need your data to fulfil contractual or legal obligations.

We have integrated the following contact forms on our website:

· Contact form for interested parties and existing customers

· Porting form

· Partnership form

· Cloudya enquiry form

Which mandatory data is collected in detail can be seen in the respective input forms. This includes in particular:

· Name

· Business e-mail address

· Business telephone number

· company name

· postcode

· Industry

· Request

3.3. NFON Status

You can register on the NFON status page to receive status updates by e-mail or SMS. We work together with the following processors for this purpose:

· E.M. StatusPal UG (data protection notice) for the operation of the status page.

· Twilio Inc. (data protection notice) for the notification service via SMS.

· T3CH.com LLC (data protection notice) for the notification service via e-mail.

Your data, e-mail address or telephone number, will only be processed for the purpose of status transmission via the respective channel and forwarded to our processors. The processing is based on your consent in accordance with Art. 6 para. 1 lit. a) GDPR.

3.4. Advertising to existing customers and partners

If you have already concluded a contractual relationship with us, e.g. by purchasing one of our products, we will record your registration and contact details in our database and list you as an existing customer and/ or existing partner. If you have provided us with your e-mail address as part of a registration or contract, we will use it to send you advertising for our own or similar goods and services. The legal basis for this processing of your data is Art. 6 (1) (f) GDPR based on our interest in direct marketing advertising.

You can object to data processing for the aforementioned purposes at any time free of charge and with effect for the future. All you need to do is unsubscribe via the link in the respective email or send an email or letter to the above-mentioned contact details. based on our interest in conducting direct marketing to our existing customers and/ or partners.

You can object to data processing for the aforementioned purposes at any time, free of charge and with effect for the future. All you need to do is unsubscribe via the link in the respective email or send an email or letter to the contact details above.

3.5. Surveys

From time to time we send invitations via e-mail to our partners and customers to participate in surveys in which you are given the opportunity to evaluate our product and/or service. In this context, we process your data exclusively for the purpose of improving our products and services. The invitation is sent within the scope of our legitimate interest according to Art. 6 (1) (f) GDPR.

If you participate in the survey, we process the data on the basis of your consent in accordance with Art. 6 (1) (a) GDPR. The processed data includes

· e-mail address

· First name and surname

· IP address

· Usage data (answers to the questions in the survey)

The surveys are mostly conducted anonymously, so that the answers do not allow any conclusions to be drawn about you personally. In cases where it is not an anonymous survey, we explicitly state this and use the data to contact you on specific topics. However, we will only do this if you have consented to this in the survey.

The usage data is stored in anonymised form for statistical purposes.

We have engaged various service providers to conduct the surveys, with each of which we have concluded a data processing agreement in accordance with Art. 28 GDPR. These include HubSpot Germany GmbH; SurveyMonkey Europe UC; Maze.Design INC.

3.6. Telephone marketing

We process the following personal data for the purpose of acquiring new customers:

· Prospect data (first name, surname, position, company, address data, business telephone number, business e-mail address)

In detail, the following processes are concerned:

· Initial telephone contact for the purpose of determining requirements on the basis of your consent pursuant to Art. 6 (1) (a) GDPR or on the basis of our legitimate interest pursuant to Art. 6 (1) (f) GDPR

· Transfer of your data to our partners for the purpose of contract negotiations and conclusion in accordance with Art. 6 (1) (b) GDPR

· Adding to our CRM system for the purpose of contacting you again if there is currently no need, but there is still interest. The legal basis is our legitimate interest pursuant to Art. 6 (1) (f) GDPR.

We receive the contact data via service providers to whom you have given your consent to share your data for the purpose of contacting you by telephone, as well as via service providers who provide us with your contact data without your consent.

In the latter case, contact will only be made by telephone. Contact is made on the basis of our legitimate interest pursuant to Art. 6 (1) (f) GDPR

Our legitimate interest consists in maintaining and expanding business relationships, presenting our services and presenting our company.

We ensure that the processing of your data in the context of contacting you does not disproportionately interfere with your rights and freedoms.

However, if you do not wish to be contacted by us, you can object to the use of your contact data for this purpose at any time.

Please address your objection to the contact information provided above.

We share your data with our partners to initiate and conclude contracts.

We delete your personal data as soon as it is no longer required for the above-mentioned purposes. Your data will only be stored further if you have consented to the further use of your data or if we reserve the right to use data beyond this, which is permitted by law.

3.7. Customer relationship management system (CRM)

We use various management systems to manage and maintain our customer and partner data and to process your enquiries efficiently. The legal basis for the processing of your personal data is Art. 6 (1) (b) GDPR in order to fulfil our obligation arising from the contractual relationship with you. We also have a legitimate interest within the meaning of Art. 6 (1) (f) GDPR in the use of such systems for the purpose of properly structuring and storing our customer and partner data.

3.8. Chatbot "Nia"

NFON provides a chatbot ("Nia"). This is an automated, text-based dialogue system that delivers information on all topics covered on our website through text analysis and machine learning.

The input and processing of personal data are neither necessary nor required for the use of the chatbot. The chatbot cannot retrieve personal data from internal systems. Furthermore, no legally binding declarations can be made via the chatbot.

Purpose of Data Processing and Legal Basis

The processing of chat data is carried out to provide automated responses and to continuously optimise the chatbot system. The use of the chatbot is voluntary and generally anonymous, provided that no personal data is entered. If you enter personal data (e.g., name, customer number) in the chat field, the processing is based on your consent according to Article 6(1)(a) GDPR. Additionally, there is a legitimate interest according to Article 6(1)(f) GDPR in improving service quality.

By using the chatbot, you agree that the transmitted data will be used to respond to your enquiries and to optimise chatbot responses.

The system only stores:

· The conversation history you have had with the chatbot

· A session ID for quality assurance purposes

· The date and time of access

No further user data is collected, meaning that direct identification of your person is largely excluded.

Additionally, there is an option of providing us with feedback on the chatbot via a button in the chatbot window. In this context, we process the session ID and the content of the feedback in order to improve service quality. Any additional details, such as your name, are optional and, if provided, will be processed based on your consent according to Article 6 (1) (a) GDPR.

Storage Period

Chat histories are stored for a period of 30 days and then automatically deleted. This is solely for the continuous improvement of the chatbot.

Recipients of the data

NFON uses the chatbot system provided by botario GmbH. Through an interface connection to a large language model operated by OpenAI, OpCo, LLC, 3180 18th Street, San Francisco, CA, USA, responses are generated. The original chat input is transmitted only in an aggregated form. The data is not used for OpenAI's training purposes. There is no transfer of data to additional third parties, nor is the data used for any other purposes.

Withdrawal of Consent

You may withdraw your consent to the processing of your personal data at any time. The withdrawal can be made informally by contacting us via the contact details provided in Section 1. Processing carried out prior to the withdrawal remains unaffected.

4. Cookies

We use cookies on our website. These are text files that are stored on your device. We also use similar technologies such as tracking URLs and pixel tags (hereinafter ‘cookies’). Some of the cookies we use are deleted at the end of the browser session, i.e. after you close your browser (so-called session cookies). Other cookies remain on your end device and enable us to recognise your browser on your next visit (persistent cookies). You can set your browser in such a way that you are informed about the setting of cookies and decide individually to accept them or to exclude the acceptance of cookies for certain cases or in general. If you do not accept cookies, the functionality of our website may be limited.

Most web browsers (see Help function in the menu bar of your browser) can be set by you so that they do not accept new cookies, so that you receive a message, that a new cookie has been placed or so that all cookies received are switched off. For smartphones, tablets and other mobile and stationary devices, you can find the necessary settings in the respective operating instructions.

We recommend that you leave the cookie functions switched on completely, as only with cookies is it possible to further improve our website for your needs. Our cookies do not store any sensitive data such as user names, passwords or similar. They do not cause any damage to your end device and do not contain any viruses.

When you visit our website for the first time, a pop-up window, the so-called Cookie Consent Manager, opens automatically. In this Consent Manager, you can select which category of cookies you accept. You can change your selection at any time by clicking on the ‘Cookie Settings’ link at the bottom of the website.

To manage your consent preferences, we use the cookie consent management tool provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany. This tool is used to obtain and document your consent to the storage of certain cookies on your device and the use of specific technologies. In this context, personal data such as your IP address, device information, browser data, the date of your visit, and your selection within the consent banner are processed. The processing is carried out on the basis of Art. 6 (1) (c) GDPR to fulfill the legal obligation to provide proof of consent in accordance with Art. 7 (1) GDPR. The recipient of the data is Usercentrics GmbH, which acts as a processor pursuant to Art. 28 GDPR. A cookie is stored in your browser in order to recognize your preferences on future visits. Further information on data processing by Usercentrics can be found at: https://usercentrics.com/privacy-policy/.

Find out which cookies we integrate on the site in detail here.

4.1. Technically necessary cookies

Cookies that are required to manage the website and perform the electronic communication process or to provide certain functions you have requested (e.g. language settings) are stored on the basis of Art. 6 (1) (f) GDPR. We have a legitimate interest in the storage of cookies for the technically error-free and optimised provision of our services. These cookies cannot be deactivated but can be deleted if they are displayed to you.

4.2. Marketing cookies and statistics cookies

If you consent to the setting of marketing cookies and/or statistics and tracking cookies, the collection, storage and analysis of the data is based on Art. 6 (1) (a) GDPR. The purposes we pursue with this include

· Monitoring data traffic and optimising the user-friendliness of our website

· Analysing how our website is used

· Analysing user interests in order to offer personalised content

· Online advertising, advertising in social networks

· Exchange of data with advertising and social media partners via their external cookies

The following data is collected in the process

· URL accessed,

· referral URL,

· Device and browser properties,

· timestamp,

· IP address,

· page views.

You can withdraw your consent at any time via the Cookie Settings.

5. Social Media

5.1. Social Media Plug-Ins

We provide you with the option of using so-called ‘social media buttons’ on our website. These buttons are only integrated on the website as a graphic that contains a link to the corresponding website of the respective button provider. By clicking on the graphic, you will be redirected to the services of the respective provider. Only then will your data be sent to the respective provider. Among other data, the provider receives the information that you have visited our website with your IP address. If you are logged into your respective social media account, the respective provider can associate your visit to our website with your user account. If you do not wish this to happen, please log out of your social media account. If you do not click on the graphic, there will be no exchange between you and the providers of the social media buttons. Information about the collection and use of your data in the social networks can be found in the respective terms of use of the corresponding providers.

We have integrated the social media buttons of the following companies on our website:

· Twitter Inc. (1355 Market Street, Suite 900, San Francisco, CA 94103, USA) for Twitter

· LinkedIn Ireland Unlimited Company (Wilton Plaza, Wilton Place, Dublin 2 Irland) for LinkedIn

· Meta Platforms Ireland Limited (Merrion Road, Dublin 4, D04 X2K5, Irland) for Facebook

· Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Irland) for YouTube

· Vimeo.com, Inc. (330 West 34th Street, 5th Floor, New York, New York 10001, USA) for Vimeo

5.2. Social Media Profiles

Information on the processing of your personal data in connection with the operation of our social media profiles can be found in our separate privacy policy ‘Social Media Seiten’.

6. Transfer of Data

The data collected by us will only be transferred if:

· you have given your express consent in accordance with Art. 6 (1) (a) GDPR,

· the disclosure is based on our legitimate interest pursuant to Art. 6 (1) (f) GDPR and there is no reason to assume that you have an overriding interest worthy of protection in not sharing your data,

· we are legally obliged to transfer your data in accordance with Art. 6 (1) (c) GDPR or this is legally permissible and

· it is necessary for the processing of contractual relationships with you or for the implementation of pre-contractual measures in accordance with Art. 6 (1) (b) GDPR.

Within our company, only those persons and departments (e.g. financial accounting, purchasing, sales, customer service) that require your personal data to fulfil our contractual and legal obligations will have access to it.

If external service providers are used to operate the website or to provide services, they may only use your data to fulfil their obligations. The service providers are carefully selected and engaged by us. They are contractually bound by our instructions and have suitable technical and organisational measures in place to protect the rights of the data subjects. Data processing by our processors takes place predominantly in Germany or within the European Economic Area.

If a service provider processes your data outside the European Economic Area, we ensure that the respective service providers contractually (e.g. by concluding standard contractual clauses in accordance with Commission Decision (EU) 2021/914 of 4 June 2021) or otherwise guarantee a level of data protection equivalent to that in the European Union in accordance with Chapter 5 of the GDPR.

Furthermore, data may be transferred in connection with official investigations, court orders or legal proceedings if this is necessary for the assertion, exercise or defence of legal claims.

The data processed about you will be transferred to the following recipients, among others:

Recipient Categories	Purpose	Transfer to a Third Country
Digital Agency	Operation of the Website	No
Provider of Analytics Tools	Usage Analysis	Yes, see section 4.
Advertising Agency	Development, Design and Marketing	No
Marketing Automation Tool Provider (CRM)	Marketing, Newsletters	Yes, USA, see section 3.7
Social Media	Marketing	Yes, USA, see section 5.
Survey Tools	Conducting Surveys	Yes, USA, see section 3.5

If your data is forwarded to recipients other than those named, you will be informed of this prior to processing and may have to consent to this.

7. Data Retention

As a general principle, we store personal data only for as long as is necessary to fulfil contractual or legal obligations. Once a contract has been fully executed, your data will be restricted from further use and deleted upon expiry of commercial and tax law retention periods. Unless we require the data until the end of the statutory limitation period for evidentiary purposes in civil claims, or you have explicitly consented to further use of your data.

8. Obligation to provide your data

As part of our business relationship, you must provide the personal data that is necessary for the conclusion, fulfilment and termination of the contractual relationship and the fulfilment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we will not be able to conduct our business relationship with you.

9. Your Rights

You can exercise your rights as a data subject at any time by contacting NFON AG using the contact details provided in Section 1. Under the applicable legal requirements, you have the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR) and the right to data portability (Art. 20 GDPR). You also have the right to complain to a data protection supervisory authority (Art. 77 GDPR).

Right of objection

If we process your data on the basis of a legitimate interest, you can object to the processing. If you object, your data will no longer be processed unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims.

Right of withdrawal

You may withdraw your consent at any time by contacting us. Upon withdrawal, we will delete, anonymise, or restrict processing of your data. Processing before the withdrawal remains lawful.

10. Updates to This Privacy Policy

We occasionally update our privacy policy. This includes adjustments based on the further development of our services and/or through the implementation of new technologies or services within our website as well as adjustments due to legal or regulatory requirements. We will publish updates to the privacy policy on this page.

Effective Date: May 2025