TEST SYSTEM
Sign in Information
Privacy
(Version of April 2025)

Data Protection Statement – Xolvis GmbH

1. Controller and Contact Details

This privacy notice applies to the processing of personal data by:

Controller
Xolvis GmbH
Im Thal 2
82377 Penzberg
Germany

Represented by: Martin Jacker (CEO)
E-mail: [email protected]
Phone: +49 89 413 2945 10

Data Protection Officer
E-mail: [email protected]

2. Nature and Purpose of Data Processing

a) Customer Data (Controller Role)

Xolvis processes personal data of its customers and their employees to manage contracts, provide services, and maintain communication.

Categories of data:
  • Contact information (name, address, e-mail, phone number)
  • Communication content
Legal basis: Art. 6 (1) lit. b GDPR (contract performance)
Retention: Until contract termination and expiry of statutory retention periods (e.g., tax or commercial law).

b) Data Processed on Behalf of Customers (Processor Role)

As a SaaS provider, Xolvis processes personal data exclusively on behalf of its business customers as a data processor under Art. 28 GDPR.

Categories of data:
  • Names, addresses, contact details
  • License plate numbers
  • Invoice data
Legal basis: Art. 6 (1) lit. b, Art. 28 GDPR
Retention: Data is stored until deleted by the customer or as required by law.

3. Use of Sub-Processors and International Data Transfers

To ensure secure and efficient services, Xolvis engages sub-processors under Art. 28 GDPR, ensuring compliance through Data Processing Agreements (DPAs) and security safeguards.

a) Cloud Infrastructure & Hosting

Amazon Web Services (AWS)
  • Primary hosting: European Union
  • Secondary hosting (regional setup as required): USA, LATAM (e.g., São Paulo)
  • Safeguards: Standard Contractual Clauses (SCCs), data residency options available upon request.

b) Web Application Security & Optimization

Cloudflare, Inc. (101 Townsend Street, San Francisco, CA, USA)
  • Purpose: Web security, performance optimization, bot protection, encrypted data transmission.
  • Data processed: IP address, request metadata, browser/device info, behavioral analytics for security.
  • Legal basis:
    • Art. 6 (1) lit. f GDPR (legitimate interest in security and reliability).
    • Art. 6 (1) lit. a GDPR (for services requiring consent, e.g., bot detection via Turnstile).
  • Safeguards: SCCs, EU-first routing where feasible, encryption in transit.

c) Other Data Disclosures

Xolvis does not sell or share personal data for advertising.

Data may be disclosed only:

  • With explicit consent (Art. 6 (1) lit. a GDPR).
  • If legally required (Art. 6 (1) lit. c GDPR).
  • For contract performance (Art. 6 (1) lit. b GDPR).
  • To establish, exercise, or defend legal claims (Art. 6 (1) lit. f GDPR).

4. Data Subject Rights

Under GDPR, you have the right to:

  • Access (Art. 15) – Request details on processed personal data.
  • Rectification (Art. 16) – Correct inaccurate data.
  • Erasure (Art. 17) – Request deletion where legally applicable.
  • Restriction (Art. 18) – Limit processing in specific cases.
  • Data Portability (Art. 20) – Receive data in a structured format.
  • Withdraw Consent (Art. 7 (3)) – Revoke previously given consent.
  • Lodge a Complaint (Art. 77) – Contact a supervisory authority (e.g., BayLDA in Bavaria).

To exercise these rights, contact: [email protected]

5. Right to Object

You may object to data processing under Art. 6 (1) lit. f GDPR if based on legitimate interests, particularly for direct marketing, where no justification is required.

To object or withdraw consent, e-mail: [email protected]