1 General information

Responsible for the processing of personal data is: agradblue GmbH, Poststraße 9a, 20354 Hamburg, Germany, contactable at info@agradblue.com.
Our data protection officer can be contacted at datenschutz@westbridge-advisory.com.
This privacy policy applies to the processing of personal data where reference is made to this policy in the relevant context.

Data subjects have, insofar as they fulfill the legal requirements, the right to

• Information about their data in accordance with Art. 15 GDPR
• Correction of incorrect data in accordance with Art. 16 GDPR
• Erasure of their data in accordance with Art. 17 GDPR
• Restriction of processing in accordance with Art. 18 GDPR
• Objection to certain processing in accordance with Art. 21 GDPR
• Withdrawal of consent granted in accordance with Art. 7 para. 3 GDPR
• Complaint to a data protection supervisory authority in accordance with Art. 77 GDPR

1.3.1 Order processing (Art. 28 GDPR)

For certain technical and organizational tasks, we use service providers who process personal data on our behalf. These so-called processors are contractually obliged to process data exclusively in accordance with the documented instructions, to take appropriate security measures and not to pass on any data to unauthorized third parties. Examples of this are hosting service providers, IT support or providers of form and communication services.

1.3.2 Affiliated companies

If data is passed on to a company within our affiliated group of companies, this is only done if it is necessary to achieve the respective purpose - for example, to process an inquiry from an interested party.

The following companies belong to the Westbridge Group:

agradblue GmbH
Poststrasse 9a
20354 Hamburg
T +49 40 890 60060
E info@agradblue.com

Westbridge Advisory GmbH
Barckhausstrasse 12-14
60325 Frankfurt am Main
T +49 (0) 69 9897286 50
E contact@westbridge-advisory.com

Westbridge Advisory International AG
Bahnhofstrasse 10
8001 Zurich
T +49 (0) 69 9897286 50
E contact@westbridge-advisory.com

Westbridge Energy GmbH
Barckhausstrasse 12-14
60325 Frankfurt am Main
T +49 (0) 69 9897286 50
E contact@westbridge-advisory.com

Quantrefy GmbH
Barckhausstrasse 12-14
60325 Frankfurt am Main
T +49 (0) 69 9897286 50
E contact@westbridge-advisory.com

Magnolia Consulting GmbH
Barckhausstrasse 12-14
60325 Frankfurt am Main
T +49 (0) 69 9897286 50
E contact@westbridge-advisory.com

The controller for data processing in the context of communication processes is the company with which contact or a contract exists. Sections 3-6 of this privacy policy apply to this company accordingly.

1.3.3 Transfer to third parties (e.g. authorities, courts)

In certain cases, disclosure to third parties may be necessary, for example

• if this is necessary to carry out contractual measures or is in our legitimate interest.
• to fulfill legal obligations (Art. 6 para. 1 lit. c GDPR),
• in the context of administrative or legal proceedings,
• in response to requests from other supervisory authorities or public bodies.
  Recipients may also be bodies against which a request or complaint is directed.

1.3.4 Data transfer to third countries (outside the EU/EEA)

If personal data is transferred to bodies in so-called third countries, this only takes place in compliance with the requirements of Art. 44 et seq. GDPR. As a rule, EU standard contractual clauses are used for this or there is an adequacy decision by the European Commission. In exceptional cases, data may also be transferred on the basis of express consent.

We store personal data within the scope of the statutory provisions or your consent. We store the personal data until the purposes for which it was collected cease to apply (e.g. upon termination of a contractual relationship or through the last activity, if there is no continuing obligation, or in the event of revocation of your consent for the specific data processing).
Data will only be stored beyond this if

• there are statutory retention obligations (e.g. according to AO and HGB);
• the data is still required to assert and exercise legal claims or to defend against legal claims, e.g. due to technological and forensic requirements to defend against attacks on our web servers and their prosecution;
• erasure would conflict with the legitimate interests of the data subjects; or
• another exception pursuant to Art. 17 para. 3 GDPR applies.

If the processing of personal data is based on consent (Art. 6 para. 1 lit. a GDPR), this consent is documented and stored.
In order to fulfill the accountability obligation pursuant to Art. 5 para. 2 GDPR, the consent is stored for a period of up to three additional years after it expires. This serves as proof that the processing was lawful. After this period has expired, the consent will be deleted, provided there are no other statutory retention obligations.

The provision of certain personal data is required by law or contract or is necessary for the conclusion or performance of a contract. Without this data, it is not possible to fulfill the respective obligation or execute the contract. Which data is required in individual cases is determined by the respective legal requirements or contractual regulations.

When this website is accessed, certain technical information is automatically processed in order to provide the website and ensure stable and secure operation. This includes, for example, IP address, date and time of access, browser type, operating system and pages accessed. This data is stored by the web server in log files. Processing is carried out on the basis of legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, in particular to ensure functionality, to analyze errors and to defend against attacks. The stored information is kept for a period of 30 days and then deleted, provided that there are no legal retention obligations to the contrary or longer storage is required to clarify security-relevant incidents. We use one or more external hosting providers to make this website available.

Our website stores information in the terminal equipment of visitors (e.g. through cookies) or accesses information that is already stored there (e.g. IP addresses). Which information is affected in detail can be found in the following sections of this privacy policy.

This storage and access takes place on the basis of the following legal provisions:

• Absolutely necessary processes: Insofar as storage or access is absolutely necessary to provide an expressly requested telemedia service - for example to use a chatbot or to ensure IT security - processing is carried out in accordance with Section 25 (2) No. 2 of the Telecommunications Digital Services Data Protection Act (TDDDG).
• Processes requiring consent: In all other cases, storage or access only takes place with the consent of the data subject in accordance with Section 25 (1) TDDDG.
  The subsequent processing of the data collected in this way is governed by the provisions of the GDPR, as explained in more detail in the following sections.
  The following table lists details of the cookies used.

Information on data processing in connection with the contact form can be found in section 3.

When contacting us by email, telephone, post or via a contact form, the personal data transmitted will be processed in order to process and respond to the inquiry. Depending on the communication channel, this may include in particular the name, contact details, content of the message and technical metadata (e.g. IP address, time of the request).

The processing is carried out to carry out pre-contractual measures or to fulfill a contract in accordance with Art. 6 para. 1 lit. b GDPR or on the basis of a legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR, for example for the efficient processing of inquiries and to maintain customer relationships.

For the provision and technical processing of contact inquiries, we commission service providers as part of order processing in accordance with Art. 28 GDPR. These service providers are contractually obliged to comply with the applicable data protection regulations and to process the transmitted data exclusively in accordance with our instructions.

The data will only be stored for as long as is necessary to process the request and then deleted, provided there are no statutory retention obligations. Business communications are generally subject to a retention period of six years in accordance with the applicable commercial and tax regulations.

In the context of business communication, we process personal data, in particular for conducting video conferences, online meetings, for coordination via chat or calendar function and in the context of e-mail communication.

The processing is carried out for the initiation and execution of contractual relationships in accordance with Art. 6 para. 1 lit. b GDPR or on the basis of legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, for example for efficient communication and cooperation with business partners, customers and interested parties.
We use service providers as processors in accordance with Art. 28 GDPR for the provision and technical processing of digital communication services. They are contractually obliged to comply with data protection regulations and to process the data exclusively in accordance with our instructions.

Personal data is only stored for as long as is necessary to fulfill the respective purpose. Insofar as statutory retention obligations exist, the storage period is based on these requirements. Business communications are generally subject to a retention period of six years in accordance with the applicable commercial and tax regulations.

As part of existing or initiated business relationships, we process personal data of contact persons and authorized signatories of our business customers. This includes, in particular, contact data (e.g. name, business e-mail address, telephone number), company affiliation, position, contract content and invoice content.

The processing is carried out to carry out pre-contractual measures and to fulfill contractual obligations in accordance with Art. 6 para. 1 lit. b GDPR. If the data subject is not a party to the contract, the processing is carried out on the basis of legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, for example to initiate, implement or process the contractual relationship.

We use service providers as processors in accordance with Art. 28 GDPR to manage and document the documents. These are contractually obliged to comply with the data protection regulations and to process the data exclusively in accordance with our instructions.

Contractual documents are generally stored for 6 years. Contracts with tax relevance or accounting documents are subject to a 10-year retention period. The period begins at the end of the calendar year in which the last relevant action took place.

More information on handling applications can be found at https://westbridge-group.jobs.personio.de/privacy-policy?language=de.

We operate publicly accessible profiles in social networks. The operators of these networks regularly process personal data for advertising purposes or to analyze user behavior. This may result in data being processed outside the European Union, which may entail risks for data subjects - for example with regard to the enforceability of rights or access by government agencies.
When communicating via our social media profiles (e.g. through comments, messages or reactions), we process the personal data transmitted to process inquiries or for communication purposes. The legal basis for this is generally Art. 6 para. 1 lit. f GDPR (legitimate interest). If the communication is aimed at concluding or implementing a contract (e.g. in the case of inquiries about our services or applications), the processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR.
There is no complete influence on data processing by the respective platform operators. Further information on data processing by the platform operators and on rights and setting options to protect privacy can be found in the data protection declarations of the respective providers. Details on individual providers will follow subsequently.

We operate a page on LinkedIn, a social network of LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, D02 FX04, Ireland.

In the context of this presence, there is joint responsibility pursuant to Art. 26 GDPR with the platform operator LinkedIn.
The corresponding agreement is available at the following link: https://legal.linkedin.com/pages-joint-controller-addendum.

LinkedIn provides additional information on joint responsibility, in particular on the roles and obligations of the parties involved, at the following link: https://www.linkedin.com/help/linkedin/answer/a1342680/gemeinsame-kontrolle?lang=de-DE.
Otherwise, LinkedIn itself is responsible for data processing on the platform. LinkedIn's privacy policy is available here: https://de.linkedin.com/legal/privacy-policy?.