Skip to content

Data protection policy

Person responsible

The person responsible for data processing at SPIRIT/21 within the meaning of data protection laws is

  • SPIRIT/21 GmbH, Otto-Lilienthal-Str. 36, 71034 Böblingen +49 7031 714-9600 info(at) (for Germany)
  • SPIRIT/21 IT Services & Solutions GmbH, Richard-Neutra-Gasse 10, 1210 Vienna +49 7031 714-9600 info(at) (for Austria)
  • SPIRIT/21 IT Services AG, Balsberg Balz-Zimmermannstrasse 7, CH-8058 Zurich-Airport +41 44 829 21 58 info(at) (for Switzerland)

Our data protection officer (DPO) is available for you:

  • by post at: SPIRIT/21 GmbH, Data Protection Officer, Otto-Lilienthal-Str. 36, 71034 Böblingen
  • by e-mail an: dsb(at)
  • by Fax: +49 7031 209-3316

Your rights (the rights of data subjects)

In the event that we process your personal data, you have the following rights:

  • In accordance with Art. 15 of the General Data Protection Regulation (GDPR), you may request information about your personal data processed by us. This includes, but is not limited to, information about the purposes of processing, the categories of data, the categories of recipients of your data, the intended duration of storage, the existence of a right to rectification, erasure or restriction of processing, the existence of a right to object and/or lodge a complaint.
  • In accordance with Art. 16 GDPR, you may request the immediate rectification or completion of your personal data stored by us.
  • In accordance with Art. 17 GDPR, you have the right to request the erasure of your stored personal data, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims.
  • In accordance with Art. 18 GDPR, you can request the restriction of the processing of your personal data if you dispute the accuracy of the data, the processing is unlawful but you refuse to delete it and we no longer need the data, but you need it to assert, exercise or defend legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR.
  • In accordance with Art. 19 GDPR, we are obliged to inform all recipients of your personal data that you have asserted the right to rectification, erasure or restriction of processing against us. Unless the notification is impossible or involves a disproportionate effort. You also have the right to be informed about the recipients.
  • In accordance with Art. 20 GDPR, you also have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format. You may also request the transfer to another controller.
  • In accordance with Art. 7 (3) GDPR, you have the right to withdraw your consent at any time, with the consequence that we may no longer continue the corresponding data processing in the future.
  • In accordance with Art. 77 GDPR, you have the right to lodge a complaint. This must be exercised with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.
  • If your personal data is processed on the basis of legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, you have the right to object to the processing of your data in accordance with Art. 21 GDPR, provided that there are reasons for this arising from your particular situation. You also have a general right to object to direct marketing in accordance with Art. 21 GDPR.

To implement your rights, please formulate your requests to the controller or our data protection officer.

Provision of the website

We are delighted that you have found your way to our website.
When you use our website, data is sent to the server of our website by the Internet browser you are using. This data is stored temporarily in the working memory and is not written or archived in log files. The data is the information listed below:

  • IP address of the device you are using,
  • the browser used by you during access
  • the operating system of your end device used by you during access
  • Date and time of access,
  • Name and URL of the file accessed,
  • the website from which the access was made (referrer URL),
    We process this data exclusively for administrative purposes such as
  • enabling and guaranteeing a proper connection to our website and ensuring its convenient use and guaranteeing system security and stability

This data is not merged with other data sources.
The purposes mentioned are legitimate interests within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR, so that your consent to this processing is not necessary. The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. Furthermore, cookies may be used for the analysis tool on our website, as explained in more detail in the following section.

Use of cookies and tracking tools

We use tracking technologies such as cookies on our website to measure, analyze and continuously improve the performance of our website. We also use these technologies to detect and prevent fraudulent activity to protect our users and partners.
Cookies are small text files that are used by websites to facilitate and speed up your visit to our website or that are necessary to enable you to access secure areas of the website.

There are two types of cookies, depending on their origin:

  • First-party cookies: these are created by the website operator or a contracted service and stored locally. Only the operator has access to these cookies.
  • Third-party cookies: These are generated, set and accessed by third-party providers who do not act on behalf of the website operator.

There are also two types of cookies, depending on the period of validity:

  • Transient cookies: these are automatically deleted when you close your browser, including session cookies.
  • Persistent cookies: These remain stored on your end device for a certain period of time, even after you have closed the browser.

The use of certain cookies may require the user’s consent:

  • Consent-free cookies: these are strictly necessary for the operation of the website and are explicitly requested by the user.
  • Cookies requiring consent: These are used for purposes other than those mentioned above and require the user’s consent.

If your consent is required, we will only use these cookies if you have given your prior consent. The legal basis for the processing of personal data is generally Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. When you visit our website, we display a cookie banner that you can use to give your consent to the use of cookies on the website.

We use strictly necessary cookies in the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. These cookies cannot be deactivated via the cookie banner, but can be managed and deactivated via your browser settings.

You can object to data processing at any time with effect for the future by preventing the storage of cookies in your browser settings or by changing your current settings in our Cookie Consent Manager.


Google Tag Manager

We use Google Tag Manager to organize individual tracking tools. We use Google Tag Manager to integrate sections of code from various tracking tools that we use on our website and can manage them centrally. The Tag Manager itself (which implements the tags) therefore does not create user profiles or store cookies, for example. Google only learns the IP address of the user, which is necessary to run the Google Tag Manager. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website:; Privacy Policy: We manage the following tracking tools via Google Tag Manager:

HubSpot Website Tracking

HubSpot evaluates visitor information to optimize the website. This includes access statistics, data such as the location of access, device data, access duration and time, navigation behavior, click behavior and IP addresses. Personal data such as name or e-mail address can also be processed.
HubSpot tracks visitors using browser cookies. Each time you visit our website, HubSpot checks the existing tracking cookies. If none exist, a cookie is linked to you and logs every page you visit on our website from then on. HubSpot tracks your user behavior on our site anonymously before you become a contact. When you fill out a form, the previous page views are linked to the contact based on the tracking cookie.
If you delete your cookies, you will be considered a new visitor and will receive a new cookie (if you agree). However, HubSpot automatically reduplicates form submissions from the same email address, even if different browser cookies are associated with it.
The use of Cookiebot (Cookie Consent Management Tool) allows you to prevent unwanted cookies in your browser until it consents to tracking.

LinkedIn Insight Tag

We use the “LinkedIn Insight Tag” conversion tool from LinkedIn Ireland Unlimited Company (Wilton Plaza, Wilton Place, Dublin 2 Ireland; “LinkedIn”) on this website. This tool is used to collect the following data, among others IP address, device and browser characteristics and page events (e.g. page views). The IP addresses are shortened or hashed. All data is encrypted, anonymized within seven days and the anonymized data is deleted within 90 days. LinkedIn does not share any personal data with SPIRIT/21, but offers anonymized reports on the website target group and ad performance. LinkedIn also offers the option of retargeting via the Insight Tag. This allows SPIRIT/21 to use this data to display targeted advertising outside our website without identifying you. Further information on data protection at LinkedIn can be found in the LinkedIn privacy policy. LinkedIn members can control the use of their personal data for advertising purposes in their account settings.

Google Analytics

We use Google Analytics to analyze the use of our website. The resulting information is used to optimize our website and advertising measures.
Google Analytics is provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google processes the data in accordance with our instructions and has contractually agreed to take security and confidentiality measures.
During your visit to our website, various data is collected, including pages viewed, the achievement of “website goals” such as contact requests and newsletter subscriptions, your behavior on the pages (such as length of stay, clicks, scrolling behavior), approximate location (country and city), IP address (shortened for anonymity), technical information such as browser, Internet provider, end device and screen resolution, as well as the source of your visit.
Personal data such as name, address or contact details are never transmitted to Google Analytics.
The data collected is transferred to Google servers in the USA, whereby it should be noted that the same level of data protection cannot be guaranteed in the USA as in the EU.
Google Analytics uses cookies in your web browser for two years after your last visit. These cookies contain a randomly generated user ID to recognize you on future visits.
The recorded data is stored together with the randomly generated user ID, which enables the creation of pseudonymous user profiles. This user-related data is automatically deleted after 14 months, while other data remains stored in aggregated form indefinitely.
If you wish to object to data collection, you can do so by installing the browser add-on once to deactivate Google Analytics or by rejecting cookies via our cookie settings dialog.

Google Ads

In order to place our ads in the Google advertising network (e.g. in search results, videos, websites, etc.) and display them to potential interested parties, we use the online marketing process “Google Ads”. We also monitor the conversions of the ads. We only receive anonymized overall statistics on how many users have clicked on our ads and visited a page with a so-called “conversion tracking tag”. No personal data is transmitted to us that would allow users to be identified. Our service provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The parent company is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Further information can be found on the website and in the privacy policy at

Notes on the integration of videos

Videos are integrated on this website to illustrate content. We use external video providers (YouTube and Vimeo) for this purpose, as local hosting of videos is not efficient enough. In order to be able to play the content, we require your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, which you can give via the button in the area of the respective video. By clicking on the play button, you consent to your IP address being transmitted to YouTube ((YouTube, LLC 901 Cherry Ave. San Bruno, CA 94066 USA) or Vimeo (Vimeo, LLC555 West 18th Street New York, NY 10011 United States) and to the provider setting cookies in your browser. Once consent has been given, it can be revoked at any time by deleting all cookies that have been set on our site. In addition, please refer to the respective data protection notices of the providers (Data protection information from Vimeo, Data protection information from Google-YouTube).

Provision of content

We are keen to maintain a continuous connection with you and regularly present you with high-quality content and the latest information about our company. To this end, we use a variety of tools, including the use of web forms, sending email marketing messages and holding webinars via the Vimeo platform. These diverse channels enable us to keep you fully informed about relevant topics and promote an interactive exchange.

Web forms (HubSpot)

We use web forms to provide content. In order to send you the content, we process your name and e-mail address on the basis of a contract in accordance with Art. 6 para. 1 lit. b) GDPR. This enables us to contact you by telephone to inform you about SPIRIT/21 GmbH services.
If you make use of this option, the data entered in the input mask will be transmitted to us and stored. The fields marked with * are mandatory fields. In order to be able to transmit this data, you must confirm that you have taken note of the privacy policy. A revocation can be made at any time in writing via or via the unsubscribe link contained in all communications.

We use the service provider Hubspot Ireland Limited, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland for this function. Since personal data may be transferred to the USA, further protective mechanisms are required to ensure the level of data protection required by the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe. We assess whether the conclusion of standard data protection clauses is sufficient or whether additional measures are required in accordance with the “Schrems II” decision of the European Court of Justice as part of an ongoing review and, if necessary, ensure an adequate level of data protection through further measures. You can find more information in HubSpot’s privacy policy at
In addition, we would like to point out that we have concluded an order processing contract with HubSpot. This contract ensures that the processing of personal data is carried out in accordance with the applicable data protection regulations and guidelines and that the security and integrity of the data is guaranteed.

Contacting us by email and newsletter

We use HubSpot services to send our newsletter, invitations to webinars and events as well as the option to download information about our company and our products (“digital services”). For this purpose, the following data is processed within the scope of the consent you have given for the purpose of advertising delivery: Surname, first name, e-mail address and/or telephone number)
Sending takes place on the basis of your consent (Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG). SPIRIT/21 GmbH processes the following data following your consent to the delivery of advertising: Last name, first name, e-mail address and/or telephone number. To confirm your request and verify your e-mail address, we use the double opt-in procedure. We send an e-mail to the address you have provided and ask you to confirm your consent. As part of this process, we record the IP address, the date and time of submission of the web form and the IP address, date and time of confirmation of the double opt-in email.

HubSpot tracks and logs emails. To track the emails, HubSpot inserts a one-pixel image into the email after it is sent. We record when you read our emails, which links you click on in them and draw conclusions about your personal interests. In addition, a copy of an email is logged in a data record in HubSpot. All attachments contained in the email are also logged in the contact’s data record. Tracking is not possible if you have deactivated the display of images in your email program by default. If you display the images manually, the above-mentioned tracking will take place.
We link the data collected to actions you take on our website. HubSpot stores the information collected in this way on its server in the European Union or the European Economic Area (EU or EEA).
If you use one of our digital services for which you have completed the registration process (for example, for our newsletter), HubSpot also supports us in analyzing your usage behavior on our website (more on this in the section “HubSpot Website Tracking”)


We use the “Vimeo” platform not only to embed videos (see section “Notes on embedding videos”) but also to hold webinars. The video portal is operated by Vimeo LLC, 555 West 18th Street, New York, New York 10011, USA. Vimeo is a video platform that was founded in 2004 and has enabled HD video streaming since 2007. It is free to use, but there is also paid content.
When you access a page on our website that has a Vimeo video embedded, your browser connects to the Vimeo servers. This results in a data transfer. From this moment on, “Vimeo” is responsible for data processing.

Various types of data are processed when you use “Vimeo”. The scope of the data also depends on the data you provide before or when participating in a “webinar”. This data is collected via web forms (HubSpot, see section “Web forms (HubSpot)”) and transmitted to “Vimeo”. This data is collected, stored and processed on the Vimeo servers. Regardless of whether you have a Vimeo account or not, Vimeo collects data about you. This includes your IP address, technical information about your browser type, your operating system or very basic device information. In addition, Vimeo stores information about which website you use the Vimeo service and which actions (web activities) you perform on our website. These web activities include, for example, session duration, bounce rate or which button you clicked on our website with built-in Vimeo function. Vimeo can track and store these actions with the help of cookies and similar technologies.

If you are logged in to Vimeo as a registered member, more data can usually be collected, as more cookies may already have been set in your browser. In addition, your actions on our website will be directly linked to your Vimeo account. To prevent this, you must log out of Vimeo while “surfing” on our website.

If you have consented to your data being processed and stored by integrated Vimeo elements, this consent is the legal basis for data processing (Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG). We only use the integrated Vimeo elements if you have given your consent.

Vimeo is headquartered in White Plains in the state of New York (USA). Your data can therefore also be stored and processed on servers in America. The data remains stored by Vimeo until the company no longer has a commercial reason for storing it. The data is then deleted or anonymized.

Vimeo uses so-called standard contractual clauses (= Art. 46. para. 2 and 3 GDPR) as the basis for data processing with recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or data transfer there. Through these clauses, Vimeo undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here, among other places:
You can find more information on the standard contractual clauses at Vimeo at
You can find out more about the use of cookies at Vimeo at , information about Vimeo’s service can be found at and information about data protection at Vimeo can be found at

Collection and processing of applicant data via our career portal

The personal data that you voluntarily provide to us as part of your application - in particular your first and last name, address, email address, date of birth, place of birth, profession, CV and certificates - will be processed and stored by us. During the application process, additional data relevant to the application may be collected and also processed. The legal basis for data processing is § 26 para. 1 sentence 1 BDSG and Art. 6 para. 1 lit. a and lit. b GDPR as well as § 25 para. 1 TTDSG. Your personal data will only be processed to carry out the application process.
In the event that your application is not successful, your personal data will be deleted no later than six months after the end of the application process, unless the processing of your data is necessary for the assertion, exercise or defense of legal claims (see Art. 17 para. 3 lit. e GDPR).
Your data will only be stored and used beyond this if you have expressly consented to your data remaining stored in our database after the end of the specific application process so that you can be contacted by us at a later date in the event of vacancies. If you no longer want us to contact you, you can revoke your consent in writing (e.g. by e-mail) at any time with effect for the future. Otherwise we will delete your data after two years. If we contact you within this period regarding new positions, this period will start anew each time.
Only with your express consent will we check your application for further employment opportunities in our company and, if necessary, forward the application to other departments in our company. You can revoke your consent to this in writing at any time with effect for the future.

Collection and processing of data for business relationships

In order to prepare and execute a contract with you, it is necessary for us to process your personal data (name, address and contact details). The legal basis for data processing is Art. 6 para. 1 lit. a), b) and f) GDPR and § 25 para. 1 TTDSG. The purposes depend on the specific contract and are derived from the respective contract documents.
In general, these relate to the steps required before concluding the contract and answering related questions. In addition, the transmission of offer and project status and invoice information, communication in the context of contract fulfillment, the processing of concluded contracts and finally the support and service before, during and after the business relationship with you.
We delete your personal data when it is no longer required for the initiation and execution of a business relationship with you and no longer conflicts with statutory retention obligations.

Contact request

We offer selected employees of our customers, trade fair contacts, customers of our customers etc. the opportunity to receive information about our innovative solutions, products, offers and events from SPIRIT/21, which we tailor individually to your areas of interest. In order to be able to guarantee optimum support for your inquiries, we will enter your contact details in our CRM system after you have given your consent. Of course, you can opt out at any time by sending an informal e-mail to our DPO.
You can also contact us after submitting the contact form on our website. Consent can be revoked at any time with effect for the future, e.g. by clicking on the unsubscribe link at the end of each e-mail or by sending an e-mail to

Contacting us by telephone

In order to make our services available to other companies, we occasionally collect data from people at these companies from public sources. In the initial contact, we first determine whether there is any interest in contacting us and in our portfolio, without going into details.
When weighing up the interests, we are of the opinion that our wish to outline our portfolio by telephone outweighs your interest, as it is exclusively about specific business transactions of your company.

Your calls to our landline

In order to comply with our obligations to provide evidence of service level agreements in the Service Desk, we must retain callers and call durations to our landline numbers for 3 months. The data is deleted after 3 months. The legal basis for the processing of the data is the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

Your application for a project option on our website

SPIRIT/21 automatically stores all data and documents provided until revoked. The processing is carried out exclusively for information addressed to the applicant about offers from the SPIRIT/21 group of companies by e-mail or telephone call. The offers may relate to job vacancies and project offers. The data will not be passed on to third parties without consent and its storage will be regularly checked for appropriateness. I can revoke my consent (or the restriction of the use of my data) at any time with effect for the future by sending an e-mail to or the responsible resource manager.

Use of the social media platforms

We operate social media company pages to draw attention to ourselves and to stay in contact with you. We use the page insights offered by the social media platforms out of a legitimate interest (Art. 6 para. 1 lit. f) GDPR) in market research purposes. The data collected is of a statistical nature for us as the operator of the social media company page. We do not draw any conclusions about the identity of the users.
The social media platforms themselves may use cookies and process and store further usage data. This includes data generated when using our social media presence. The social media platforms use this data for their own advertising purposes (analysis, creation of personalized advertising), to create user profiles and also for market research. Therefore, if you visit us on social media platforms, please note their data protection notices and, where applicable, the agreement on joint responsibilities:

Facebook and Instagram

Meta Ireland Ltd., HARBOUR, 4, Grand Canal Quay, Grand Canal Bridge, Dublin, 2, Irland (Data protection) und Agreement on joint responsibilities


LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Irland (Data protection undAgreement on joint responsibilities)

X, ehemals Twitter

X Corp., One Cumberland Place, Fenian Street, Dublin 2, Ireland (Data protection)


Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (Data protection)


New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany (Data protection)

Validity and changes to our privacy policy

This privacy policy is dated 4/2024 and is currently valid. We reserve the right to amend this privacy policy from time to time so that it always complies with current legal requirements or to implement changes to our services in the privacy policy, e.g. when introducing new services. The new privacy policy will then apply to your next visit.