Data protection policy

1. Principles

Data protection and data security for our contractual partners as well as for consumers have always been a high priority for our company. The protection of your personal data during our entire business processes is very important to us and a special concern. Respecting this personal right is a matter of course for us. In general, it is not necessary for you to provide personal data in order to use our website. However, we may need your personal data in order for us to be able to provide certain services. In doing so, we collect, process and use personal data insofar as this is legally permissible, is necessary, and you have consented for us to do so.

2. Name and contact details of the controller and the company data protection officer

As the responsible body, we, finAPI GmbH, Adams-Lehmann-Str. 44, 80797 Munich, take all legally required measures to protect your personal data. Our company data protection officer can be reached at the data protection department at the above address, or by e-mail at

3. Purposes of data processing, legal basis and legitimate interests pursued by finAPI GmbH as well as categories of personal data and categories of data recipients

3.1 Calling up our website

When you access our website, the browser used on your device automatically sends information to the server of our website where it is temporarily stored in a so-called log file. We have no influence on this. The following information is collected without your intervention and stored until automatic deletion:

The IP address of your device and the other data listed above are used by us for the following purposes:

The data is stored for a period of 28 days and then automatically deleted. Furthermore, we use so-called cookies and tracking tools for our website. The exact procedures involved and how your data is used for this purpose are explained in more detail below (see 7).

3.2 Data processing when using the contact forms for interested companies & contact forms in the context of marketing campaigns

Personal data is collected, processed and used by us to the extent necessary to process your request and to transfer it to our CRM systems.


The data processing serves the purpose of establishing contact and initiating a contract. The processing is based on Art. 6 (1) (b) of the EU General Data Protection Regulation (GDPR).

3.3 Data processing of media contacts

Personal data is collected, processed and used by us insofar as this is necessary to provide the information published by our company or to contact you as requested. We also use your data to inform you about company news by mail or telephone, for example, to send press releases. When we contact you, we are guided by the relevance of our message and the thematic focus of your journalistic work.

3.4 Data processing of applicant data (e.g. when using our applicant form or at career fairs, etc.)

Personal data is collected, processed and used by us to the extent necessary to process your application and to contact you as requested. We pass on your personal data within our company only to persons who require this data to fulfill contractual and legal obligations or to implement our legitimate interests. To optimize our applicant management, we work with the software solution of Coveto ATS GmbH, to which we transfer data that is necessary and legally permissible for the applicant process in accordance with Art. 28 GDPR. You can find more information about Coveto’s data protection at

3.5 Data processing for advertising purposes and market and opinion research

3.5.1 Advertising purposes of finAPI

Insofar as you have concluded a contract with us, or we manage you as an interested party, we process your address data and criteria of advertising selection on the basis of Art. 6 (1) (a) and (f) of the GDPR in order to send you such information and offers from us and other companies. The newsletter may be sent by means of a shipping service provider. If you do not want this, you can object to the use of your data for advertising purposes at any time.

3.5.2 Data use for market and opinion research

We also process your data for market and opinion research. We use this exclusively in anonymized form for statistical purposes and only for finAPI. Your answers in surveys are not passed on to third parties or published. We do not store the answers from our surveys together with your e-mail address or other personal data. You can object to the use of data for market and opinion research at any time, either in full or for specific measures, without incurring any costs other than the transmission costs of your message to us. A notification in text form (e.g. e-mail, letter) to finAPI GmbH, Adams-Lehmann-Str. 44, 80797 Munich or to is sufficient for this purpose. Of course, you will also find an unsubscribe link in every survey e-mail.

3.5.3 Right of objection

You may object to the use of your personal data for advertising purposes at any time, either in whole or in part, without incurring any costs other than the transmission costs of your message to us. A notification in text form to finAPI GmbH, Adams-Lehmann-Str. 44, 80797 Munich or to is sufficient for this purpose.

If you object, the contact address concerned will be blocked from further data processing for advertising purposes. We would like to point out that in exceptional cases, advertising material may still be sent temporarily after receipt of your objection. This is due to the lead time necessary for advertising campaigns, especially via post, and does not mean that we will not implement your objection. Thank you for your understanding.

4. Legal basis

finAPI processes personal data on the basis of the provisions of the GDPR (also with the help of service providers). The processing is carried out on the basis of consents pursuant to Art. 6 (1) (a) GDPR as well as on the basis of Art. 6 (1) (b) as well as (f) GDPR, insofar as the processing is necessary for the completion of a contract to which the data subject is a party; or for the implementation of pre-contractual measures; or insofar as the processing is necessary for the protection of our legitimate interests or those of a third party or the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, are not overridden. Data processing operations carried out by finAPI in the context of a legal obligation are carried out on the basis of Art. 6 (1) (c) GDPR. On the basis of Art. 6 (1) (f) GDPR, we process your address data and advertising selection criteria in order to send you information and offers from us and other companies. If you do not wish this, you can object to the use of your data for advertising purposes with us at any time. Consents can be revoked at any time vis-à-vis finAPI. This also applies to consents that were already given before the GDPR came into force. The revocation of consent does not affect the lawfulness of the personal data processed until the revocation.

5. Categories of personal data

Personal data, for example surname, first name, date of birth, place of birth, address as well as communication data and identification data.

5.2 Within the scope of data processing when using the contact forms for interested companies and contact forms within the scope of marketing campaigns, we process the data required for this purpose. This includes the following categories:

5.3 Within the scope of applicant management, we process the following data:

5.4 In the context of media contacts, we process the following data:

6. Categories of recipients of the personal data

Any information you provide to us by entering it on these web pages will be stored on a server located in a country in the European Union and forwarded only to the appropriate parties within the company to process your inquiries and requests.

Service providers we use may also receive data from us in order to fulfill the prescribed purposes. These may, for example, be companies in the categories of IT services, printing services, marketing, sales or telecommunications.

7. Online presence and website optimization

7.1 Tracking Tools and Cookies - General Information

Cookies are small files that are automatically created by your browser and stored on your device (laptop, tablet, smartphone or similar) when you visit our site. Cookies do not cause any damage to your device, do not contain viruses, Trojans or other malware. In the cookie, information is stored in connection with the specific end device used.


The use of cookies can be consent-free and consent-requiring. Cookies that do not require consent are those that are necessary to make use of our online offer or that serve IT security (necessary cookies). The legal basis for data processing is Article 6(1)(f) GDPR.

Cookies requiring consent help to make the use of our offer smoother for you (preference cookies). For example, we use cookies to recognize that you have already visited individual pages of our website or that you are already logged into your customer account. In addition, we also use temporary cookies for the purpose of user-friendliness, which are stored on your terminal device for a certain specified period of time. If you visit our site again to use our services, it is automatically recognized that you have already been with us and what entries and settings you have made so that you do not have to enter them again. We also use cookies to statistically record how our website is used and to evaluate it for the purpose of optimizing our offer for you, as well as to display information tailored specifically to you (marketing and statistics cookies).


The legal basis of data processing for cookies requiring consent is Article 6(1)(a) GDPR. This data includes, but is not limited to, page views, length of stay, country, etc. We analyze these statistical data to improve our offer and to check the acceptance of individual web pages. Invisible GIFs are only used to position elements on the website. No other functions are associated with the invisible GIFs used. These cookies are stored by your browser and are usually deleted when you close the browser. Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or a notice always appears before a new cookie is created. However, the complete deactivation of cookies may mean that you cannot use all the functions of our website. The storage period of cookies depends on their purpose and differs.


We recommend that for shared computers that are set to accept cookies, you always log out completely when finished.


Which cookies are currently used by us is explained in more detail in the following section. You can manage the cookies independently – HERE – quickly and easily and change your settings at any time.

7.2 Cookie consent with Consent Manager provider

Our website uses the cookie consent technology of a Consent Manager Provider to obtain your consent to the storage of certain cookies on your terminal device and to document this in accordance with data protection law. The provider of this technology is Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark, website: (hereinafter “the Consent Manager Provider”).


When you visit our website, a connection is established to the servers of the Consent Manager Provider in order to obtain your consents and other declarations regarding cookie use. Subsequently, the Consent Manager Provider stores a cookie in your browser in order to be able to record your consent or non-consent for non-essential cookies. The data collected in this way are stored until you request us to delete them, you delete the Consent Manager Provider cookie yourself, or the purpose for storing the data no longer applies. Mandatory legal storage obligations remain unaffected.


The Consent Manager Provider is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 (1) (c) GDPR.

7.3 Tracking for web analysis

With your consent, we use the web analysis tool Matomo to analyze and statistically evaluate the use of the website. Cookies are used for this purpose. The information about website usage obtained in this way is transmitted exclusively to our servers and summarized in pseudonymous usage profiles. We use the data to evaluate the use of the website. The data collected will not be passed on to third parties.
The IP addresses are anonymized (IP masking), so that an assignment to individual users is not possible.
The processing of the data is based on Art. 6 para. 1 p. 1 lit. a GDPR. We thereby pursue our legitimate interest in optimizing our website for our public image.
You can revoke your consent at any time by deleting the cookies in your browser or changing your privacy settings.

8. Newsletter and communication via e-mail automation (e-mail services)

On our website, we offer you the option of subscribing to our newsletter or registering for e-mail automation lists, e.g. for communication in the context of test accounts or orders. We use the so-called double opt-in procedure to register for these e-mail services. This means that after you have registered, we will send you an e-mail to the e-mail address you have provided, in which we ask you to confirm your registration. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data.

You can revoke your consent to the sending and unsubscribe from the e-mail services at any time. You can declare the cancellation by clicking on the unsubscribe link provided in each e-mail, by e-mail to or by sending a message to the contact details given in the imprint. Your data for the e-mail service will be deleted within 3 months after unsubscribing, except if there are legal obligations to keep records.

We use Sendinblue GmbH (Brevo), Köpenicker Str. 126, 10179 Berlin (hereinafter: Sendinblue) to send the email services. Sendinblue processes your data on our behalf on the basis of an agreement pursuant to Art. 28 GDPR. The email addresses of the recipients of our messages as well as other data communicated to us by the recipient are located on Sendinblue’s servers in data centers in Germany and are subject to the data protection laws applicable there. Sendinblue uses this information to send and evaluate the messages on our behalf. In addition, Sendinblue may use this data to optimize or improve its own services, e.g. to technically optimize the sending and display of targeted messages. However, Sendinblue does not use the data of the recipients of our messages to write to them itself or to pass them on to third parties. For more information about data processing within the scope of Sendinblue’s service and the privacy policy, please visit:

9. Duration of data storage

We generally only store your data for as long as is necessary for the respective purpose of the data processing (e.g. processing your request or legal retention periods).


We store the data collected for the processing of the contract until the expiry of the statutory or possible contractual warranty and guarantee rights. After the expiry of this period, we retain the information of the contractual relationship required by commercial and tax law for the periods determined by law. For this period (generally ten years from the conclusion of the contract), the data is processed again solely in the event of an audit by the tax authorities.


The duration of data storage for advertising purposes does not follow any rigid principles and is based on the question of whether storage is necessary for the advertising approach. In addition, we follow the principle of deleting data for advertising use 4 years after the end of the contract or 4 years after the end of any marketing contacts. Advertising objections are not deleted.


We store the data we process as part of the recruitment process for up to 6 months after the application process has been completed.


In particularly justified cases, we also store data for longer periods, such as if a public authority requires this or if the data is needed for legal reasons, e.g., to provide evidence in a court case.

10. Recipients outside the EU

If we use service providers outside the EU or the European Economic Area (EEA), we take appropriate and suitable safeguards in accordance with Art. 44 ff. GDPR (conclusion of EU standard contracts, additional technical and organizational measures such as encryption or anonymization etc.) to ensure an adequate level of data protection for the transfer of personal data. Please note that despite careful selection of a service provider, the service provider may process data outside the EU or EEA or may be subject to a different jurisdiction due to its registered office and thus may not provide an adequate level of data protection.

11. Your rights

11.1 Overview

In addition to the right to revoke the consent you have given to us, you have the following additional rights if the respective legal requirements are met:

You can address your respective concerns in writing to finAPI GmbH, Adams-Lehmann-Str. 44, 80797 Munich, Germany, or by e-mail to In addition, you have the option of contacting the supervisory authority responsible for finAPI, the Bavarian State Office for Data Protection (BayLDA).

11.2 Right of objection

Under the conditions of Art. 21 (1) GDPR, all processing of your data may be objected to for reasons arising from the particular situation of the data subject. This objection should be addressed to finAPI GmbH, Adams-Lehmann-Str. 44, 80797 Munich.

The above general right to object applies to all processing purposes described in this data protection policy that are processed on the basis of Article 6(1)(f) GDPR. Unlike the specific right of objection to data processing for advertising purposes, we are only obliged under the GDPR to implement such a general right of objection if you provide us with reasons of overriding importance for doing so (e.g. a possible risk to life or health). In addition, you have the option of contacting the supervisory authority responsible for finAPI, the Bavarian State Office for Data Protection Supervision (BayLDA).

12. Data security

All data transmitted by you personally will be transferred with the generally used and secure standard SSL (Secure Socket Layer). SSL is a secure and proven standard that is also used, for example, in online banking. You can recognize a secure SSL connection, among other things, by the appended s at the http (i.e. https://…) in the address bar of your browser or by the lock symbol in the lower area of your browser.