Privacy Policy
1. Controller and Contact Details
The controller responsible for processing is the company Biallo & Team GmbH (hereinafter "Controller") and processes the data provided by the data subject in accordance with the provisions of the European General Data Protection Regulation (hereinafter "GDPR"). The contact details of the Controller are:
Address:
Achselschwanger Straße 5
86919 Utting, Germany
Phone: 08806 33384 0
Fax: 08806 33384 19
Email: datenschutz (at) biallo.info
2. Data Protection Officer
The contact details of the Data Protection Officer are:
Address: ISiCO GmbH, Am Hamburger Bahnhof 4, 10557 Berlin, Germany
Email: datenschutz (at) biallo.info
We expressly point out that when using the aforementioned email address, the contents are not exclusively read by our Data Protection Officer. If you wish to exchange confidential information, we therefore ask you to first request direct contact via this email address.
3. Legal Bases, Purposes, and Data Processed
We process personal data only insofar as there is a legal basis for doing so. Below we present the legal bases and assign the respective purposes and data to them.
3.1 Consent – Art. 6(1)(a) GDPR
Insofar as you grant us consent, we process your personal data on the basis of Art. 6(1)(a) GDPR. You may withdraw consent once given at any time with effect for the future.
On this basis, we process personal data in particular for the following purposes:
- Sending newsletters and other marketing emails;
- Personalized performance measurement of marketing emails, in particular evaluation of opens, clicks, and interactions;
- Evaluation of entries in linked online forms;
- Lead scoring and marketing automation based on marketing interaction data, insofar as the consent covers this evaluation.
The following are processed in particular:
- Email address;
- Consent status;
- Time of registration and confirmation;
- Technical proof data regarding the double opt-in;
- Optionally first and last name;
- Industry, insofar as requested in the respective form;
- Open, click, and interaction data;
- Form entries;
- Lead information or lead scores derived therefrom.
For registration to newsletters and marketing emails, we generally use a double opt-in procedure. After registration, you will receive an email with which you can confirm your registration. Registration and confirmation are documented in order to provide proof of consent.
3.2 Performance of a Contract and Pre-Contractual Measures – Art. 6(1)(b) GDPR
Insofar as processing is necessary for the performance of a contract with the data subject or for the implementation of pre-contractual measures carried out at the request of the data subject, we process personal data on the basis of Art. 6(1)(b) GDPR.
On this basis, we process personal data in particular for the following purposes:
- Handling contact requests;
- Initiation, conclusion, and execution of B2B business relationships, including preparation of offers, contract processing, and ongoing customer support using our CRM system Brevo;
- Sending transactional emails via Brevo for the delivery of content or confirmations requested by the data subject, e.g., download of a whitepaper.
The following are processed in particular:
Name;
- Contact details;
- Communication data;
- Requested content;
- Offer and contract data;
- Technical dispatch and delivery data.
In B2B business relationships, the contractual partner is often a company and not the individual contact person. We therefore regularly base the processing of contact person data for corporate customers, prospects, or business partners on Art. 6(1)(f) GDPR.
3.3 Compliance with a Legal Obligation – Art. 6(1)(c) GDPR
Insofar as we are legally obligated to process personal data, processing takes place on the basis of Art. 6(1)(c) GDPR.
On this basis, we process personal data in particular for the following purposes:
- Handling and responding to requests for the exercise of data subject rights under Art. 12 et seq. GDPR;
- Verification of the identity of requesting persons, insofar as this is necessary;
- Documentation of data protection requests and our responses to fulfill statutory proof and accountability obligations;
- Fulfillment of commercial, tax, and other statutory retention and documentation obligations;
- Fulfillment of legally mandatory disclosure, cooperation, or surrender obligations vis-à-vis authorities or courts.
The following are processed in particular:
- Name;
- Contact details;
- Content of the request;
- Verification data;
- Communication data;
- Technical proof data regarding the double opt-in;
- Contract and business data;
- Documentation data.
3.4 Safeguarding Legitimate Interests – Art. 6(1)(f) GDPR
We also process personal data insofar as this is necessary to safeguard our legitimate interests or the legitimate interests of a third party, and no overriding interests or fundamental rights and freedoms of the data subject prevail.
This includes in particular the following purposes:
- Provision of the website and ensuring security;
- Limited aggregated reach measurement for optimizing the website through Matomo;
- Detecting, containing, and eliminating disruptions, bots, or errors on the website, e.g., with entries in online forms;
- Lead management and maintenance of existing B2B business relationships in the CRM system Brevo, both with customers, in particular banks and financial service providers, and with other business partners such as media partners, associations, and agencies;
- Telephone contact to business phone numbers in the B2B sector, insofar as a presumed consent under Sec. 7(2)(1) UWG can be assumed in the respective individual case;
- Internal prioritization of leads in sales based on non-automated CRM information such as the status or potential of the contact.
When accessing our website, the following technical data in particular may be processed:
- IP address;
- Date and time of access;
- Page or file accessed;
- Referrer URL;
- Browser type and browser version;
- Operating system;
- HTTP headers;
- Volume of data transferred;
- Status codes;
- User agent.
Within the scope of the CRM system and lead management, the following data in particular may be processed:
- Name;
- Company;
- Function or position;
- Business email address;
- Business phone number;
- Industry;
- Internal customer segments;
- Status of a contact;
- Offer and contract data;
- Communication history;
- Internal sales notes;
- Assessments of the business potential of a contact.
Our legitimate interest lies in particular in the secure and reliable provision of our website, the proper management and maintenance of business relationships, efficient sales, customer, and business partner communication, as well as the needs-based optimization of our online offerings.
The Controller points out the data subject's right to object. Further information can be found in point 11 of this declaration.
4. Recipients
Disclosure of the data we collect generally only takes place if a legal basis under data protection law exists in the specific case, in particular if:
Disclosure is necessary under Art. 6(1)(f) GDPR to assert, exercise, or defend legal claims, and there is no reason to assume that the data subject has an overriding legitimate interest in the non-disclosure of their data;
The Controller is legally obligated to disclose under Art. 6(1)(c) GDPR, in particular if this is necessary for legal prosecution or enforcement due to official requests, court orders, and legal proceedings;
This is legally permissible and necessary under Art. 6(1)(b) GDPR for the execution of contractual relationships or for the implementation of pre-contractual measures carried out at the request of the data subject.
Part of the data processing may be carried out by service providers commissioned by the Controller. The personal data transmitted to the Controller may, depending on the processing activity, be made accessible in particular to the following recipients:
Shipping service providers:
Deutsche Post AG, Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany, or DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany;
Communication service providers:
Email service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland;
Telephone and fax provider:
Cisco Systems GmbH, Lothringer Straße 56, 50677 Köln, Germany;
Web hosting service provider:
punkt.de GmbH, Sophienstraße 187, 76185 Karlsruhe, Germany;
External Data Protection Officer:
ISiCO GmbH, Am Hamburger Bahnhof 4, 10557 Berlin.
Integrated services:
Website analytics provider: InnoCraft Ltd, 7 Waterloo Quay, PO Box 625, 6140 Wellington, New Zealand.
CRM and email marketing provider:
Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany (brand name "Brevo").
CRM implementation and configuration partner:
webit! Gesellschaft für neue Medien mbH, Bärensteiner Straße 30, 01277 Dresden, Germany.
5. Data Transfer to Third Countries
Where applicable, the Controller uses services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) or transfer personal data there, i.e., countries whose level of data protection does not correspond to that of the European Union.
If an adequacy decision of the European Commission (Art. 45 GDPR) exists for these countries, the Controller bases the data transfer on this. This concerns, for example, transfers to Switzerland, the United Kingdom, Canada, or New Zealand. In the case of the USA, this applies only insofar as the US recipient has certified for the EU-US Data Privacy Framework.
Insofar as no adequacy decision has been issued for the respective country, the Controller has taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among other things, the standard contractual clauses of the European Union or binding internal data protection rules (Art. 46 GDPR).
Where this is not possible, the Controller bases the data transfer on the derogations of Art. 49 GDPR, in particular the explicit consent of the data subject or the necessity of the transfer for the performance of a contract or the implementation of pre-contractual measures.
Insofar as a transfer to third countries is intended and no adequacy decision or suitable safeguards exist, it is possible, and there is a risk, that authorities in the respective third country (e.g., intelligence services) may gain access to the transmitted data in order to capture and analyze it, and that the enforceability of data subject rights cannot be guaranteed. In the event that explicit consent of the data subject is obtained, the data subject will also be informed of this.
6. Reading and Storing Information on the End Device
6.1 Technologies Used
This website uses exclusively technically necessary technologies as well as cookieless web analysis through Matomo. When visiting the website, no cookies and no comparable storage technologies (such as local storage or session storage) are used on the user's end device.
7. Further Information on Individual Processing Operations
7.1 Website Analysis through Matomo
This website uses Matomo, an analysis software from InnoCraft Ltd., for statistical evaluation of website usage.
In doing so, personal data is processed exclusively to collect limited aggregated statistical information about website usage. The purpose of the processing is the optimization of the website.
The following are processed in particular:
- Pages accessed,
- Time spent on individual pages,
- General usage interactions,
- Truncated or anonymized IP address,
- Technical information about the browser and operating system used.
No information is stored on the user's end device. Matomo is configured such that the following privacy-friendly settings in particular are active:
- Complete deactivation of cookies,
- IP anonymization before processing,
- Processing and storage of usage data exclusively on the basis of the anonymized IP address,
- Anonymization of the referrer URL,
- Automatic deletion or time limitation of the storage period,
- Consideration of the browser's "Do Not Track" setting,
- Deactivation of heatmaps, session recordings, visit logs, and visitor profiles.
The creation of user profiles, cross-website recognition, and processing for advertising, marketing, or affiliate purposes does not take place.
Further information on data processing by Matomo can be found in the provider's privacy policy: https://matomo.org/matomo-cloud-privacy-policy/.
7.2 Customer Relationship Management and Email Marketing via Brevo
The Controller uses the CRM and email marketing system "Brevo" from Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany.
Brevo is used in particular for the following areas:
- Sending newsletters and other marketing emails;
- Sending transactional emails, e.g., for the provision of requested content or confirmations;
- Maintenance of B2B business relationships;
- Lead management and internal sales control;
- Documentation of consents and unsubscriptions.
The relevant purposes, legal bases, and categories of personal data in connection with Brevo arise from point 3 of this privacy policy. This concerns in particular the statements there regarding newsletters and marketing emails, transactional emails, CRM, lead management, B2B business relationships, and internal lead prioritization.
According to the provider, processing takes place on servers in Germany and France and thus within the European Union. A data processing agreement pursuant to Art. 28 GDPR exists with the provider. The provider's privacy policy is available at https://www.brevo.com/de/legal/privacypolicy/.
Information on the contractual documents is available at https://www.brevo.com/legal/termsofuse/.
Registration for the newsletter takes place using the double opt-in procedure. The registration process, including confirmation, is documented. For marketing emails sent via Brevo, opens, clicks, and interactions with linked online forms may be evaluated on a recipient-specific basis, insofar as corresponding consent has been granted. This evaluation may be used for qualifying prospects, for lead scoring, and for controlling marketing automation.
In sales, an internal, non-automated prioritization of leads may also take place on the basis of CRM information, e.g., based on the status or business potential of a contact. Automated individual decision-making with legal effect or similarly significant impairment within the meaning of Art. 22 GDPR does not take place in this regard.
Personal data is stored in Brevo only for as long as necessary to fulfill the respective purpose or as long as statutory retention periods exist. Data of newsletter recipients is generally stored until consent is withdrawn. Data of business customers is processed for the duration of the business relationship and subsequently retained in accordance with statutory retention and documentation obligations, in particular from the Commercial Code and the Fiscal Code, for a period of usually six to ten years. During this period, further use of the data is restricted. Data of leads with whom no contract is concluded is deleted in accordance with our internal deletion concept.
Disclosure of the data processed in Brevo to third parties outside the processing relationship and the contractually bound sub-processors used by the provider does not take place.
7.3 Implementation and Configuration of the CRM System by webit
We have outsourced the initial setup of the CRM and email marketing system Brevo described in point 7.2, the migration of existing data, and ongoing configuration support to webit! Gesellschaft für neue Medien mbH, Bärensteiner Straße 30, 01277 Dresden, Germany (hereinafter "webit").
In this function, webit acts exclusively as a processor within the meaning of Art. 28 GDPR and processes the personal data only on the documented instructions of the Controller. A corresponding data processing agreement exists with the provider. Processing takes place exclusively within a member state of the European Union or in a contracting state of the Agreement on the European Economic Area. A transfer to third countries is not intended. The use of sub-processors requires the prior consent of the Controller.
8. Social Media Platforms
The Controller maintains company profiles on social media platforms in order to, among other things, communicate with users and prospects and provide information about products and services.
8.1 Processing by the Social Media Platform Providers
The data is generally processed by the relevant social media platforms for market research and advertising purposes. Thus, usage profiles can be created based on the interests of the data subjects. For this purpose, cookies and other identifiers are stored on the data subjects' end devices. On the basis of these usage profiles, advertisements are then displayed, e.g., within the social media platforms, but also on third-party websites.
Users should refer to the privacy notices of the respective social media platform for the legal basis of the data processing carried out by the social media platforms under their own responsibility. Under the links below, users will also find further information on the respective data processing as well as the options to object.
8.2 Processing for Statistical Purposes
In the course of operating the company profiles, it is possible that the Controller may access information such as statistics on the use of the company profiles provided by the social media platforms. These statistics are aggregated and may in particular contain demographic information (e.g., age, gender, region, country) as well as data on interaction with the company profile (e.g., likes, subscriptions, sharing, viewing of images and videos) and the posts and content distributed through it. These may also provide information about users' interests and which content and topics are particularly relevant to them. This information may also be used by the Controller to adapt and optimize the design as well as the activities and content on the company profile for the audience. For details and links to the data of the social media platforms that the Controller, as operator of the company profiles, can access, users should refer to the list below. The collection and use of these statistics is generally subject to joint controllership. Insofar as this applies, the corresponding agreement is listed below.
The legal basis for the data processing is Art. 6(1)(f) GDPR, based on the legitimate interest in effective information and communication with users and prospects, or Art. 6(1)(b) GDPR, in order to stay in contact with and inform users as well as for the implementation of pre-contractual measures with prospects.
8.3 Data Protection Rights
Data protection requests can most efficiently be asserted with the respective provider of the social media platform, since only these providers have access to the data and can directly take appropriate measures. Users can of course also turn to the Controller with their concern. In this case, the Controller will process the user's request and forward it to the provider of the social media platform.
8.4 Social Media Platforms Used
Below is a list with information on the social media platforms on which the Controller operates company profiles:
Facebook (Meta Platforms Ireland Ltd., Serpentine Avenue, Block J, Dublin 4, Ireland)
Agreement on joint processing of personal data: https://www.facebook.com/legal/terms/page_controller_addendum
Information on the data processed and contact options in the event of data protection requests: https://www.facebook.com/legal/terms/information_about_page_insights_data
Privacy policy: https://www.facebook.com/privacy/policy/
Opt-out: https://www.facebook.com/settings?tab=ads
Instagram (Meta Platforms Ireland Ltd., Serpentine Avenue, Block J, Dublin 4, Ireland)
Agreement on joint processing of personal data: https://www.facebook.com/legal/terms/page_controller_addendum
Information on the data processed and contact options in the event of data protection requests: https://www.facebook.com/legal/terms/information_about_page_insights_data
Privacy policy: https://privacycenter.instagram.com/policy/
Opt-out (declaration): de.facebook.com/help/instagram/2885653514995517?locale=de_DE
YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
Privacy policy: https://policies.google.com/privacy
Opt-out: https://www.google.com/settings/ads
X (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland)
Privacy policy: https://twitter.com/de/privacy
Opt-out: https://twitter.com/personalization
TikTok (TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland)
Agreement on joint processing of personal data: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms
Information on the data processed: https://www.tiktok.com/legal/page/global/information-about-tiktok-analytics/en
Contact option in the event of data protection requests: https://www.tiktok.com/legal/report/privacy
Privacy policy: https://www.tiktok.com/legal/page/global/partner-privacy-policy/de
Opt-out: https://support.tiktok.com/de/account-and-privacy
LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
Agreement on joint processing of personal data: https://legal.linkedin.com/pages-joint-controller-addendum
Information on the data processed and contact options in the event of data protection requests: https://legal.linkedin.com/pages-joint-controller-addendum
Privacy policy: https://www.linkedin.com/legal/privacy-policy
Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
9. Storage Period
In principle, the Controller stores personal data only for as long as necessary to fulfill the purposes for which the Controller collected the data. Thereafter, the Controller deletes the data without delay, unless the Controller still needs the data until the expiry of the statutory limitation period, for evidentiary purposes for civil law claims, due to statutory retention obligations, or there is another legal basis under data protection law for the continued processing of the data in the specific individual case. If retention is legally required, the data is blocked for this period and is no longer available for further processing. After expiry of the retention period, this blocked data is deleted.
The data is stored, for example, for the following period:
- Communication data: for the duration of processing the request;
- End device and usage data within the scope of detecting, containing, and eliminating disruptions and errors: 14 days.
The Controller is subject to various retention and documentation obligations arising, among other things, from the Commercial Code (HGB) and the Fiscal Code (AO). The periods specified there for retention or documentation are two to ten years. Finally, the storage period is also determined by the statutory limitation periods, which, for example, under Sec. 195 et seq. of the German Civil Code (BGB) are generally three years, but in certain cases can also be up to thirty years.
10. Data Protection Rights
Every data subject has, where the respective legal requirements are met, the right to information under Art. 15 GDPR, the right to rectification of inaccurate or incomplete data under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to object under Art. 21 GDPR, the right to withdraw consent under Art. 7(3) GDPR, as well as the right to data portability under Art. 20 GDPR. Corresponding concerns should be directed to the address listed under point 1 or to datenschutz (at) biallo.info. Insofar as the respective legal requirements are met, the Controller will comply with the data subject's data protection request. Requests for the exercise of data protection rights and the responses thereto are retained for documentation purposes.
In addition, there is a right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR): Every data subject has, without prejudice to any other administrative or judicial remedy, the right to lodge a complaint with a supervisory authority, in particular in the member state of their residence, place of work, or place of the alleged infringement, if the data subject believes that the processing of personal data concerning them violates this Regulation.
11. Right to Object and Right to Withdraw
If the data subject has given their consent to the processing of personal data concerning them for one or more specific purposes, the data subject has the option of withdrawing consent with effect for the future. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.
Insofar as the Controller processes data on the basis of legitimate interests, the data subject has the right to object at any time to the processing of their data on grounds relating to the particular situation of the data subject. The Controller will then no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing that override the interests of the data subject.
Furthermore, the data subject has the right to object at any time without giving reasons to the processing of personal data for the purposes of direct marketing.
To exercise the data subject's right to object or right to withdraw, an informal notification by email to datenschutz (at) biallo.info or to the address listed under point 1 is sufficient.
12. Obligation to Provide Data
Insofar as the provision of data is necessary for the use of a particular service or function, or for making contact, corresponding input fields are marked as mandatory information (generally by an asterisk (*)).
Without this information, the specific service cannot be provided or the function cannot be used. If the mandatory information required for the performance of a contract is not provided, no contract will be concluded.
Other information not marked as mandatory fields is, however, voluntary and not necessary for the provision of the service or use of the function.
13. Automated Decision-Making
Automated decision-making, including profiling, pursuant to Art. 22 GDPR does not take place. Insofar as lead scoring takes place in our CRM system (Brevo) based on interaction with marketing emails (opens, clicks, form-fills), this serves exclusively internal sales and marketing control and has no legal effect on the data subjects within the meaning of Art. 22 GDPR.
Last updated: June 18, 2026