Privacy Notice

I. GENERAL PURPOSE

This Privacy Notice outlines how Hubject GmbH ("Hubject", "we", "us", or "our") collects, uses, discloses, and safeguards personal data across our websites, platforms, and applications, in compliance with the General Data Protection Regulation (GDPR), EU Data Act, EU Data Protection Directive (and national implementations such as the BDSG), ISO/IEC 27001:2022, and our Standard Data Processing Agreement (DPA) for B2B customers (Partners).

  • Hubject acts as a data processor for Partners (data controllers) under Art. 28 GDPR, as specified in the Data Processing Agreement with them, and according to number 8 detailed below. When doing so, the private data collected is data from "End Users" (e.g., individuals who ultimately use or benefit from a product or service offered by a Partner or Strategic Partner) and Contact Persons of the Partner (individuals acting on behalf of Hubject’s business customers).
  • Hubject acts as a data controller with respect to the personal data of the following categories of data subjects, also referred to in this Privacy Notice as "Direct Users":
    • Hubject's website visitors
    • "Job Applicant" (individual who submits personal information to Hubject, such as a resume, application form, or related documents, to be considered for employment, or who otherwise expresses interest in a job position).
    • "LinkedIn contacts": business professionals and potential partners contacted via LinkedIn, specifically and only when the individual is part of the employee’s existing professional network.
    • intercharge network conference (icnc) Attendees.
    • Contact Persons of the Suppliers (individuals acting on behalf of Hubject’s business suppliers).

Together, these are referred to in this Notice as "Data Subjects".

1. SUMMARY

  • We process personal data only to provide our services, meet legal obligations, or based on consent or legitimate interests, in line with applicable laws.
  • If you are an End-User, we process your data on behalf of our partners (e.g., your mobility provider) and recommend you contact them to exercise your data rights.
  • We do not use your data for profiling or automated decision-making without prior notice.
  • Your data is protected using encryption, access controls, and data minimization principles.
  • We use cookies only where necessary or based on your consent.
  • Under the GDPR, you have the right to access, correct, delete, or object to the processing of your personal data.

Contact information

Data Controller (for data collected on behalf of Hubject or where Hubject is controller):

Hubject GmbH

EUREF-Campus 22, 10829 Berlin, Germany

Email: dataprotection@hubject.com

Data Protection Officer (DPO):

Dr. Katharina Vera Boesche

Boesche Rechtsanwälte PartGmbB

Ohmstr. 7, 10179 Berlin

Email: datenschutz@hubject.com

2. GENERAL DATA PROCESSING PRINCIPLES

We process personal data lawfully, fairly, and transparently. The following legal bases under Art. 6 GDPR apply:

  • Consent
  • Contractual necessity
  • Legal obligation
  • Legitimate interests

We adhere to principles of data minimization, accuracy, storage limitation, and integrity and confidentiality, and guarantee data subject rights under Art. 12–22 GDPR.

Hubject acts in accordance with the obligations set out in our Data Protection Policy and Data Retention Policy. These policies govern our internal handling of your personal data as Data Subject, whether we act as Controller or Processor (as described in Number 1 above).

Security measures such as encryption, access controls, pseudonymization, and secure deletion are applied across all processing activities. Details are found in Sections 6 (Retention), 11 (Third-Party Sharing), and 12 (Breach Response).

3. DATA SUBJECT RIGHTS

You, as data subject, may exercise the following rights by contacting us at dataprotection@hubject.com:

  • Access to personal data
  • Rectification or erasure
  • Restriction of processing
  • Objection to processing
  • Data portability
  • Complaint with supervisory authority

Please note: If you are an End-User of a service provided by one of our Partners (e.g., EMPs or CPOs), Hubject acts solely as a data processor and cannot directly identify you without information from the Partner. In such cases, you must exercise your rights through the Partner who acts as the data controller for your personal data. This ensures compliance with Article 12(2) GDPR and our obligations under Art. 28 and 29 GDPR as a data processor.

We do not perform any automated decision-making or profiling as defined under Article 22 GDPR.

4. DATA RETENTION AND PHASE-OUT

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by legal obligations:

  • End-user data: Pseudonymized and retained only in production environments per Art. 5(1)(c) GDPR
  • User accounts and platform metadata: up to 10 years post deactivation (per Data Retention Policy)
  • Hubject's website visitors: for the duration of the business relationship + 2 years (as per Data Retention Policy)
  • Partner representative personal data: deleted 1 year after termination of business relationship unless required by legal retention
  • Job Applicant personal data: 6 months
  • intercharge network conference (icnc) Attendees: 1 year
  • Marketing data: until consent is withdrawn

Secure deletion and audit logging of disposal events are enforced in accordance with ISO27001:2022 controls.

4.1. RETENTION PRACTICES

  • Personal data is stored in secure systems and backups in accordance with our Data Retention Policy.
  • Backups are retained for a maximum of two years, after which they are securely deleted or destroyed in line with ISO27001:2022 and GDPR requirements.
  • We ensure data minimization in our backups and operational systems, only storing what is strictly necessary.

4.2. HANDLING ERASURE REQUESTS

  • If you request deletion of your data under Article 17 GDPR, it is promptly removed from our active systems, provided there is no legitimate reason to keep your personal data. As stated above, if you are an End User, it may be necessary to address your request directly to the Partner (data controller).
  • Data that exists in backups cannot be deleted immediately but is flagged for erasure and will be permanently deleted upon the expiration of the backup retention period.
  • If a backup is restored, any data previously flagged for deletion will be removed during the recovery process.

4.3. AUDIT, MONITORING, AND SUPPLIER COMPLIANCE

  • We maintain audit logs of backup access, erasure requests, and restoration processes.
  • Our processors and IT vendors are contractually obligated to comply with our retention and deletion requirements.
  • Secure deletion methods are applied in accordance with best practices and our internal policies.
  • You may request further details about our data retention or deletion procedures by contacting: dataprotection@hubject.com

5. HUBJECT'S WEBSITE AND GENERAL USAGE

5.1. DATA COLLECTED

  • IP address, browser info, operating system, time and date of access
  • Contact form data (if submitted)
  • Newsletter sign-up (email, verification)

5.2. TOOLS USED

  • Google Analytics with IP anonymization
  • Google Tag Manager
  • Pardot/Salesforce (only upon opt-in)

5.3. COOKIE USAGE

Below is a summary of the cookies and trackers used across Hubject websites and platforms:

Table 5: Cookie Table

  • Session cookies required for technical delivery
  • Optional tracking cookies (opt-in via cookie banner)

5.4. LEGAL BASIS

  • Art. 6(1)(f) GDPR for necessary cookies and analytics (legitimate interest)
  • Art. 6(1)(a) GDPR for marketing tools (based on consent)

6. PRODUCT SPECIFIC SECTIONS

6.1. HUBJECT BROKERING SYSTEM (HBS) PORTAL

7. APP STORE / PLAY STORE LINKS

Privacy Notice and imprint links must be embedded in:

  • Google Play Console: Add under appinfo > privacy Notice URL
  • Apple App Store: Under "App Information"
  • In-App: Integrated in "Settings" or "About"

8. INTERNATIONAL TRANSFERS

All international data transfers are protected by Standard Contractual Clauses (SCCs) if necessary, in line with Hubject's DPA Annex I (Processor Details), and Annex II (Technical and Organizational Measures). No transfers occur without prior authorization from the Partner (controller).

8.1. DATA SHARING AND THIRD PARTIES

Hubject only shares personal data with third parties when necessary to fulfill our services or legal obligations, and always in accordance with the principles of data minimization, purpose limitation, and transparency.

8.2. PURPOSE OF DATA SHARING

We only share personal data:

  • With trusted service providers to support our platform operations, customer support, hosting, marketing (e.g., Salesforce, Pardot), and security.
  • In line with a specific, legitimate purpose that is made clear to the data subject.
  • Based on one of the lawful bases under GDPR (e.g., contract, consent, or legitimate interest).

8.3. DATA SHARING SAFEGUARDS

To ensure data protection when engaging third-party processors:

  • We conduct risk-based assessments before selecting service providers.
  • We enter into Data Processing Agreements (DPAs) that define clear obligations on confidentiality, security, and breach response.
  • We maintain a centralized register of recipients, updated and reviewed regularly.
  • We apply encryption and access controls to safeguard shared data.
  • Only the minimum amount of data required for the specific purpose is shared.

8.4. INTERNATIONAL TRANSFERS

For transfers outside the EU/EEA, see Section 10.

8.5. LOGGING AND MONITORING

Hubject maintains audit logs of data access by service providers and reviews them regularly for anomalies or unauthorized use.

8.6. DATA RETENTION AND DELETION

  • Personal data shared with service providers is retained only for as long as necessary for the processing purpose.
  • Once no longer needed, data is either securely deleted or anonymized in accordance with our Data Retention Policy.

9. DATA BREACH PREVENTION, RESPONSE AND NOTIFICATION

Hubject maintains a robust and ISO 27001:2022-aligned Data Breach Response Plan to detect, contain, and respond to personal data breaches.

In the event of a breach involving personal data, we follow these steps:

  • Detection and Verification: We use advanced monitoring systems to detect and verify unauthorized access or misuse of data.
  • Containment and Eradication: Affected systems are isolated, root causes are investigated, and vulnerabilities are patched.
  • Notification: If a personal data breach meets the criteria under Article 33 or 34 GDPR, we will notify the appropriate supervisory authority within 72 hours and affected individuals when required.
    • End Users (Processor Role):
      • If Hubject is acting as a data processor (e.g., for OEM/EMPs/CPOs using our platforms), we will notify the respective Partner (data controller) without undue delay in line with Article 33(2) GDPR. It is the responsibility of the controller to notify data subjects and supervisory authorities.
    • Direct Users (Controller Role):
      • If Hubject is acting as controller (e.g., for website users or icnc app registrants), and the breach involves your personal data, Hubject will notify affected individuals and the supervisory authority in accordance with Articles 33 and 34 GDPR.
  • Recovery and Monitoring: We restore operations using clean backups, verify data integrity, and increase post-incident monitoring.
  • Post-Incident Analysis: We analyze the incident to improve systems, policies, and response protocols.

We maintain an internal Incident Response Team (IRT) comprising IT security, legal, compliance, and management. Regular training, testing (e.g., tabletop exercises), and updates to our incident response procedures are conducted to ensure continuous improvement.

For questions regarding our breach response or security practices, please contact dataprotection@hubject.com.

II. SPECIFIC PRIVACY NOTICES

This section supplements Section I by outlining specific provisions applicable to certain categories of data subjects. All general principles and requirements described in Section I remain applicable wherever relevant.

1. PRIVACY NOTICE FOR CONTACT PERSON OF SUPPLIERS

This section applies to Contact Persons of the Suppliers.

Controller

Hubject GmbH

EUREF-Campus 22, 10829 Berlin, Germany

Email: dataprotection@hubject.com

Purpose of Processing

We process the data of Contact Persons of the Suppliers to:

  • Communicate and manage the contractual relationship
  • Grant access to our platforms (e.g., HBS Portal, Admin Portal)
  • Provide support and business-relevant information
  • Send marketing communications, if consent is provided

Legal Bases

Art. 6(1)(b) GDPR – For performing a contract with the represented organization

Art. 6(1)(f) GDPR – Legitimate interest in B2B operational communication

Art. 6(1)(a) GDPR – Consent (only for optional marketing emails)

Data Categories

  • Name, email, phone number, job title, employer
  • Account and login information (if applicable)
  • Correspondence and support data

Recipients (Data sharing)

  • Internal departments (e.g., sales, operations)
  • External processors (e.g., Salesforce, Pardot, hosting providers) operating under contracts and SCCs if outside the EU

Retention

Stored for the duration of the contract and deleted 1 year after termination, unless longer retention is legally required.

Your Rights

You may contact us at dataprotection@hubject.com to exercise your rights:

  • Access, rectification, erasure, objection, portability, and withdrawal of consent (if applicable)

2. PRIVACY NOTICE FOR JOB APPLICANTS

This section applies to Job Applicants.

Controller

Hubject GmbH

EUREF-Campus 22, 10829 Berlin, Germany

Email: dataprotection@hubject.com

Purpose of Processing

Your personal data is processed for:

  • Evaluating your application and suitability for the role.
  • Communicating with you during the recruitment process.
  • Complying with legal and regulatory obligations.

Legal Bases

Art. 6(1)(b) GDPR – For contractual reasons, to take steps at your request prior to entering into an employment contract

Art. 6(1)(c) GDPR – For legal obligations to comply with employment and labor laws

Art. 6(1)(f) GDPR – Legitimate interest to manage the recruitment process efficiently

Art. 6(1)(a) GDPR – Consent

Data Categories

We may collect the following information:

  • Identification details: Name, contact information (email, phone), address.
  • Application details: CV/resume, cover letter, employment history, education, qualifications.
  • Assessment data: Interview notes, test results, references.
  • Legal compliance data: Right-to-work documentation, background checks (where permitted by law).

Recipients (Data Sharing)

Internal departments (e.g., HR, managers)

External providers (e.g., recruitment platforms, background check agencies)

Data Retention

6 months unless consent is provided for talent pool.

Your Rights

You may contact us at dataprotection@hubject.com to exercise your rights:

  • Access, rectification, erasure, objection, portability, and withdrawal of consent (if applicable)

3. PRIVACY NOTICE FOR DATA COLLECTED FOR MARKETING PURPOSES

We use the information we collect to market our services and connect with you through various channels, including social media platforms like LinkedIn.

Controller

Hubject GmbH

EUREF-Campus 22, 10829 Berlin, Germany

Email: dataprotection@hubject.com

Use of LinkedIn for networking and client outreach

Purpose and Justification

This outreach supports networking, event participation (e.g., icnc), and maintaining business relationships. These are personalized one-to-one communications, not mass marketing.

Information We Share: Use of LinkedIn Matched Audiences

We share limited personal information with third-party advertising partners to deliver more relevant advertising ("Targeted Advertising" or "Retargeting"). We use features like LinkedIn Matched Audiences, which allow us to target advertisements for our existing customers and contacts on the LinkedIn platform.

Your Choices and Opt-Outs:
We respect your privacy preferences. Before any data is uploaded to LinkedIn for retargeting purposes, we filter our audience lists to exclude individuals who have exercised their right to opt out of marketing communications or data sharing for advertising purposes. This ensures that your preferences are honored in our targeted advertising practices.

Publicly Viewable Content and General Communications

Please note that communications made through Organic LinkedIn Posts (posts made directly on our company page feed) and General Advertising Campaigns (ads not using uploaded customer lists) are publicly viewable by anyone with access to the platform. These activities are broad in scope, are not targeted using your specific profile data from our internal databases, and are designed for general public awareness.

Legal Basis

Under Art. 6(1)(f) GDPR (legitimate interest), Hubject has a business interest in engaging with professionals in a relevant context. Outreach respects platform norms and user expectations.

Data Categories

  • Name, email, phone number, job title, employer

Recipients (Data Sharing)

Internal departments (e.g. sales, marketing)

External providers (e.g. communications platforms, analytical tools)

Data Retention

Until consent is withdrawn.

Your Rights

  • Access, rectification, erasure, objection, portability, and withdrawal of consent (if applicable). If you do not wish to be contacted via LinkedIn, you may object via LinkedIn's messaging settings or by emailing dataprotection@hubject.com.

If you would like to review any policy referenced in this document, please contact Hubject Compliance Manager at dataprotection@hubject.com, and we will provide a copy upon request.
