As of December 2025

Table of contents

This document summarises the data protection information for all data subjects of IP Customs Solutions GmbH:

• Part A: Common provisions (for all data subjects)
• Part B: Private individuals (website visitors)
• Part C: Business partners
• Part D: Applicants
• Part E: Your rights as a data subject (for all data subjects)

PART A: COMMON PROVISIONS

Data controller

The data controller within the meaning of Art. 4 No. 7 GDPR is:

IP Customs Solutions GmbH

Matthias-Claudius-Straße 10

23909 Ratzeburg

Germany

Telephone: +49 40 333976-0

Email: contact@ip-cs.com

Managing Directors: Florian Ledeboer and Hendrik Ledeboer

Data protection officer

If you have any questions about data protection or exercising your rights, please contact our external data protection officer:

DataCo GmbH
Dachauer Straße 65
80335 Munich
Germany

Telephone: +49 89 7400 45840
Email: info@dataguard.de

Website: www.dataguard.de

General legal basis for data processing

Your personal data is processed on the basis of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Depending on the purpose of processing, we rely on the following legal bases:

• 6 (1) (a) GDPR – Consent
• 6 (1) (b) GDPR – Performance of a contract/pre-contractual measures
• 6 (1) (c) GDPR – Legal obligation
• 6 (1) (f) GDPR – Legitimate interest

Data transfer to third countries

As a matter of principle, we process your data within the European Union (EU) or the European Economic Area (EEA). If, in individual cases, a transfer to a third country is necessary, this will only take place in compliance with the legal requirements:

• If there is an adequacy decision by the EU Commission (Art. 45 GDPR)
• On the basis of appropriate safeguards, in particular EU standard contractual clauses (Art. 46 GDPR)
• With your express consent (Art. 49(1)(a) GDPR)
• Certification under the EU-US Data Privacy Framework (DPF)

SSL/TLS encryption

For security reasons, our website and all online portals use SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address line of the browser changes from http:// to https:// and by the lock symbol in your browser line.

PART B: PRIVATE INDIVIDUALS (WEBSITE VISITORS)

Note: The services offered by IP Customs Solutions GmbH are aimed exclusively at entrepreneurs (Section 14 BGB). Consumers (Section 13 BGB) are requested to refrain from using or placing orders.

Data collection on our website

Server log files

When you visit our website, the following data is automatically collected:

• IP address of the accessing computer
• Date and time of access
• Name and URL of the page accessed
• Browser type and version, operating system
• Referrer URL (previously visited page)

Legal basis:
Art. 6 (1) lit. f GDPR (legitimate interest in technically error-free display)

Storage period:
7 days

Cookies

Our website uses cookies – small text files that are stored on your device. We distinguish between:

• Technically necessary cookies (Art. 6(1)(f) GDPR) – required for basic functions
• Convenience and statistics cookies (Art. 6(1)(a) GDPR) – only with your consent

You can adjust your cookie settings at any time via our cookie banner or in your browser settings.

Consent management (Usercentrics)

We use Usercentrics to obtain and document your cookie consent.

Legal basis: Art. 6(1)(c) GDPR (legal obligation to obtain consent)

Hosting and external services

Website hosting

Our website is hosted externally by HubSpot, Inc. (25 First Street, Cambridge, MA 02141 USA). A data processing agreement has been concluded.

Link: https://legal.hubspot.com/privacy-policy

CRM system (HubSpot)

We use HubSpot CRM to manage customer interactions and analyse user behaviour.

Legal basis:
Art. 6(1)(f) GDPR (legitimate interest in efficient customer management)

Place of processing:
EU, UK, US

Contact

Contact form and email

For enquiries via our contact form or by email, we store your details for processing and for any follow-up questions.

Legal basis:
Art. 6 (1) (b) GDPR (performance of a contract) or Art. 6 (1) (f) GDPR (legitimate interest)

Storage period:
Until the purpose ceases to apply or revocation, in compliance with statutory retention periods

WhatsApp

We use WhatsApp Business for customer communication. Communication is end-to-end encrypted.

Provider:
WhatsApp Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland

Link:
https://www.facebook.com/privacy/policy/

Appointment booking (Microsoft Bookings)

We use Microsoft Bookings for online appointment bookings. The data entered is used for planning and carrying out appointments.

Microsoft

Description of services:

Microsoft 365 (Outlook, Microsoft Office) Communication and recordings
Microsoft Teams – video conferences and meetings (calls may be recorded to take notes for training purposes)

Processed data, including personal data:

• Names
• Email address
• Job title
• IP address
• Phone number

Place of processing:
EU, UK

Legal basis for processing:
Legitimate interest Art. 6(1)(f) GDPR

Link:
https://privacy.microsoft.com/de-de/privacystatement

Analysis tools

Matomo

We use Matomo for web analysis. The tool is hosted on our own servers, so all analysis data remains with us.

Legal basis:
Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (legitimate interest)

Google Tag Manager

Google Tag Manager is used to manage tracking tools on our website. Tag Manager itself does not store any cookies and does not create user profiles.

LinkedIn Insight Tag

We use LinkedIn Insight Tag for conversion measurement and targeted advertising. You can object to its use at https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Social media

Our website contains links to our social media presences. These are implemented as simple links – no data is transmitted to social media providers when you simply visit our website.

We operate accounts on: LinkedIn, Xing, Facebook, Instagram, TicTok

We are jointly responsible with the platform operators for data processing on these platforms (Art. 26 GDPR).

Link to LinkedIn's privacy policy
https://de.linkedin.com/legal/privacy-policy

Link to Instagram's privacy policy
https://privacycenter.instagram.com/policy/

Link to Facebook's privacy policy
https://de-de.facebook.com/privacy/policy/

Link to Xing's privacy policy
https://privacy.xing.com/de/datenschutzerklaerung

Link to TikTok's privacy policy
https://www.tiktok.com/legal/page/eea/privacy-policy/de

Newsletter

We use Rapidmail (rapidmail GmbH, Augustinerplatz 2, 79098 Freiburg) to send our newsletter. The servers are located in Germany.

Legal basis:
Art. 6(1)(a) GDPR (consent)

Revocation:
Possible at any time via the unsubscribe link in each newsletter

Link:
https://www.rapidmail.de/dsgvo-konformes-email-marketing

Plugins and tools

YouTube (extended data protection mode)

Embedded YouTube videos are embedded in extended data protection mode. Data is only transferred to YouTube when the video is played.

Google Maps / Bing Maps

We use Google Maps and/or Bing Maps for map integration. When activated, your IP address is transmitted to the respective provider.

Google reCAPTCHA

We use Google reCAPTCHA to protect against automated abuse.

PART C: BUSINESS PARTNERS

This information applies to natural persons who are in contact with us as representatives, employees or contact persons of our business partners, suppliers, service providers or other contractual partners.

Origin of the data

We collect your personal data:

• Directly from you (conversations, emails, contract negotiations)
• From your employer or the company you represent
• From publicly available sources (commercial registers, company websites, LinkedIn, XING)
• From authorities (customs authorities, tax offices)
• From credit agencies for credit checks

Categories of data processed

Contact and master data

• Name
• function/position
• business contact details (address, email, telephone)
• company name

Legitimation and identification data

• Commercial register extracts
• business registrations
• EORI number
• customs numbers and approvals

Contract and business data

• Contract documents
• offers
• invoice data
• bank details
• payment information

Customs related data

• Customs declarations
• descriptions of goods
• customs tariff numbers
• delivery notes
• proofs of preference
• import/export and transit documents
• additional order documents

Creditworthiness and risk data

• Credit reports
• payment history
• information on economic situation

Purposes and legal bases

Contract initiation and fulfilment (Art. 6(1)(b) GDPR)

• Communication regarding requests for quotations and contract negotiations
• Processing of orders (customs clearance, foreign trade, logistics)
• Preparation of customs declarations and official documents
• Invoicing and payment processing

Legal obligations (Art. 6(1)(c) GDPR)

• Commercial and tax law retention obligations (6-10 years)
• Customs documentation (at least 7 years in accordance with Section 22 UZK-DA)
• Foreign trade obligations (export control, embargo checks)
• Money laundering prevention

Legitimate interests (Art. 6(1)(f) GDPR)

• Business partner management and supplier evaluation
• Risk management and credit checks
• IT security and access controls
• Assertion and defence of legal claims

Recipients of your data

Authorities

• Customs authorities
• tax offices
• statistical authorities
• and, in the case of legal obligations, law enforcement authorities

Processors

• IT service providers
• data centres
• email services (with processing agreements in accordance with Art. 28 GDPR)

Business partners and service providers

• Freight forwarders
• banks
• credit agencies
• insurance companies, solicitors, tax advisors

Storage periods

Type of data and Storage period

Commercial law documents: 6 or 10 years (Section 257 of the German Commercial Code (HGB))

Tax law documents: 6 or 10 years (Section 147 of the German Fiscal Code (AO))

Customs law documents: At least 7 years (Section 22 of the UCC-DA)

Foreign trade documents: 5 years

Website log data: 7 days

Digital contract signing

For digital contracts (e.g. via DocuSign, Adobe Sign), we process:

• Email address
• IP address
• Time stamp of contract processing
• Status information.

Legal basis:
Art. 6(1)(b) and (f) GDPR

PART D: APPLICANTS

This information applies to individuals who apply to us via our applicant portal (jobs.ip-cs.com), by email or by post.

Online application system (Personio)

We use the Personio recruiting software to manage our application processes.

Processor:
Personio SE & Co. KG, Rundfunkplatz 4, 80335 Munich

Data storage:
Servers in the European Union (Germany). No transfer to third countries.

Link:
https://www.personio.de/datenschutzerklaerung/

Categories of data processed

Master data

First and last name, contact details (address, email, telephone), date and place of birth, nationality

Application documents

Cover letter, CV, references, certificates, employment references, photo (if provided)

Procedural data

Information on the desired position, salary expectations, availability, notes from interviews.

System data

User profile, LinkedIn profile (optional), email communication, appointment scheduling.

Purposes and legal bases

Main legal basis: Art. 6(1)(b) GDPR, Section 26(1) BDSG (implementation of pre-contractual measures).

Purposes

• Applicant selection and recruitment
• Communication during the application process
• Review of qualifications for the advertised position
• Organisation of interviews
• Defence against AGG claims (Art. 6(1)(f) GDPR)

Application process

1. Job selection – Select a suitable job advertisement
2. Enter data – Fill out the application form and upload documents
3. Submit application – After review, submit binding application
4. Confirmation – You will receive an automatic confirmation of receipt by email

Recipients of your data

Internal recipients

Human resources department, department of the advertised position, management (if necessary)

Access is based on the need-to-know principle.

External recipients

Personio SE & Co. KG (recruiting software), IT service providers (with data processing agreement)

Storage periods

Situation and Storage period

Unsuccessful application: 6 months after receipt of the rejection letter

Talent pool: 12 months of inactivity or upon revocation

Consent documentation: 3 years (accountability)

Successful application: Transfer of the application to the personnel file

Special programmes

Talent pool

With your consent, we can consider your profile for future job vacancies and inform you about suitable offers.

Legal basis:
Art. 6 (1) (a) GDPR in conjunction with § 26 (2) BDSG (consent)

Revocation:
By email to willkommen@ip-cs.com or in writing by post

Internships and taster days

We process your data for the purpose of organising and conducting internships or taster days. The storage period is 6 months after acceptance or rejection.

PART E: YOUR RIGHTS

The following rights apply equally to all data subjects, regardless of whether you are a private individual, business partner or applicant.

Right of access (Art. 15 GDPR)

You have the right to obtain information free of charge about the data stored about you, in particular about: the purposes of processing, categories of data processed, recipients, planned storage period, origin of the data and the existence of automated decision-making.

Right to rectification (Art. 16 GDPR)

You have the right to request the rectification of inaccurate personal data or the completion of incomplete personal data.

Right to erasure (Art. 17 GDPR)

You have the right to have your personal data erased if the data is no longer required for the purposes for which it was collected, you have withdrawn your consent, you have objected to the processing, the data has been processed unlawfully or there is a legal obligation to erase it.

Note:
The right to erasure does not apply if statutory retention obligations prevent erasure.

Right to restriction of processing (Art. 18 GDPR)

You may request the restriction of processing if: the accuracy of the data is disputed, the processing is unlawful, we no longer need the data (but you need it for legal claims) or you have objected to the processing.

Right to data portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used and machine-readable format or to request its transfer to another controller, provided that the processing is based on consent or a contract.

Right to object (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Art. 6(1)(e) or (f) GDPR.

We will then no longer process your data unless we can demonstrate compelling legitimate grounds that outweigh your interests or the processing serves to assert legal claims.

In the case of direct marketing:
You can object at any time without giving reasons.

Withdrawal of consent (Art. 7(3) GDPR)

If the processing is based on consent, you can withdraw this at any time with effect for the future. The lawfulness of the processing carried out until the withdrawal remains unaffected.

Right to lodge a complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority.

Responsible for Schleswig-Holstein:

Independent Centre for Data Protection Schleswig-Holstein
Holstenstraße 98, 24103 Kiel
Telephone: 0431 988-1200

Email: mail@datenschutzzentrum.de
Website: www.datenschutzzentrum.de

Exercising your rights

To exercise your rights, please contact:

IP Customs Solutions GmbH
Attn: Data Protection Officer
Matthias-Claudius-Straße 10
23909 Ratzeburg

Email: datenschutz@ip-cs.com

Note:
For your security, we must verify your identity before we can comply with your request.

Updates and changes to the privacy policy

Due to the further development of our services or changes in legal or regulatory requirements, it may be necessary to amend this privacy policy. The current version can be found on our website or obtained on request.

IP Customs Solutions GmbH
Managing Directors: Florian Ledeboer and Hendrik Ledeboer