Privacy Policy of zentor GmbH
As of: 31 May 2026
We are pleased about your visit to one of our online services. Protecting your personal data is important to us. In this privacy policy, we inform you about the nature, scope and purpose of the processing of personal data carried out in connection with our online services, as well as your rights as a data subject.
Scope
This privacy policy applies uniformly to all online services of zentor GmbH:
- zentor.de (with redirect from zentor.me) — main website with information about us, blog and online shop
- academy.zentor.de — learning platform with online courses and diagnostic modules
- analytics.zentor.de — internal analytics tool (currently in development; will be supplemented at go-live with the functionalities actually active by then)
Where a processing activity only concerns a particular subdomain, we explicitly point this out in the respective section.
1 Name and Address of the Controller
The controller within the meaning of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other data protection regulations is:
zentor GmbH
represented by managing director Dr. Valentin Schellhaas
Reifenstuelstraße 4
80469 Munich
Germany
Phone: +49 (89) 32405287
Email: datenschutz@zentor.de
Website: https://zentor.de
Data Protection Officer
zentor GmbH has not appointed a Data Protection Officer. The statutory conditions requiring such an appointment (in particular § 38 BDSG: regular employment of at least 20 persons engaged in the automated processing of personal data; Art. 37(1) GDPR: no extensive processing of special categories of personal data as a core activity) are not met. Please direct data protection inquiries to the email address listed above.
2 General Information on Data Processing
2.1 Scope of Personal Data Processing
We process personal data of our users only insofar as this is necessary to provide a functional website and to provide our content and services. The processing of personal data is regularly carried out only with the user’s consent or on another suitable legal basis.
2.2 Legal Bases for the Processing of Personal Data
Where we obtain consent for processing operations, Art. 6(1)(a) GDPR serves as the legal basis.
For processing necessary for the performance of a contract to which the data subject is a party, as well as for taking pre-contractual steps, Art. 6(1)(b) GDPR serves as the legal basis.
Where processing is necessary to comply with a legal obligation (e.g. commercial or tax-related retention obligations), Art. 6(1)(c) GDPR serves as the legal basis.
Where processing is necessary to safeguard a legitimate interest of our company or a third party, and the interests, fundamental rights and freedoms of the data subject do not override that legitimate interest, Art. 6(1)(f) GDPR serves as the legal basis.
2.3 Data Erasure and Storage Duration
Personal data are erased or blocked as soon as the purpose of storage no longer applies. Longer storage may take place if this has been provided for by European or national legislators in EU regulations, laws or other provisions to which the controller is subject (e.g. commercial retention periods of 6 years, tax-related periods of 10 years). Blocking or erasure of the data also takes place when a storage period prescribed by the aforementioned norms expires, unless further storage of the data is necessary for the conclusion or performance of a contract.
2.4 Definitions
In this privacy policy, we use the terms defined in Art. 4 GDPR (e.g. “personal data”, “processing”, “controller”, “processor”, “consent”).
3 Provision of the Websites and Creation of Log Files
3.1 Description and Scope of Data Processing
With every access to one of our online services, our system automatically collects data and information from the computer system of the accessing device. The following data are collected:
- Information about the browser type and version used
- The user’s operating system
- The user’s internet service provider
- The user’s IP address (truncated/anonymised after log file processing)
- Date and time of access
- Websites from which the user’s system reaches our site (referrer)
- Websites accessed by the user’s system via our service
The data are stored in the log files of our system. Storage of these data together with other personal data of the user does not take place.
3.2 Hosting
Our online services run on the following infrastructure:
- zentor.de, analytics.zentor.de, and a backup server for the academy are hosted by netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe, in a German data centre (location Nuremberg). No third-country transfer occurs in the course of hosting.
- academy.zentor.de is hosted on cloud infrastructure operated by Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg (parent company: Amazon Web Services, Inc., USA). Processing takes place in the AWS region Europe-Frankfurt (eu-central-1).
With both providers, we have concluded data processing agreements pursuant to Art. 28 GDPR. In the case of AWS, the EU Standard Contractual Clauses pursuant to Art. 46 GDPR are also part of the contract, and AWS is certified under the EU-US Data Privacy Framework.
3.3 Legal Basis and Purpose
The legal basis for the temporary storage of data and log files is Art. 6(1)(f) GDPR. The temporary storage of the IP address by the system is necessary in order to enable the website to be delivered to the user’s computer. Storage in log files takes place to ensure the functionality of the website, to optimise the websites, and to ensure the security of our information technology systems. The data are not analysed for marketing purposes in this context.
3.4 Duration of Storage
Log file data are erased or anonymised after a maximum of 30 days.
3.5 Right to Object and to Have Data Removed
The collection of data for the provision of the websites and the storage of the data in log files are essential for the operation of the websites. Consequently, the user has no right to object.
4 Use of Cookies
4.1 Description and Scope of Data Processing
Our online services use cookies. Cookies are text files stored by the internet browser on the user’s computer system. When a user calls up our pages, a cookie may be stored on the user’s device. These contain characteristic strings that allow the browser to be uniquely identified when the website is accessed again.
We use technically necessary cookies to make our websites user-friendly. Optional cookies (e.g. for embedded third-party content or external services that set a cookie) are only set after the user’s explicit consent via our cookie banner.
4.2 Legal Basis
The legal basis for technically necessary cookies is § 25(2) no. 2 TDDDG (the German Telecommunications-Digital-Services Data Protection Act) in conjunction with Art. 6(1)(f) GDPR. For optional cookies, § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR (consent) applies.
4.3 Purpose and Duration
Technically necessary cookies serve the functionality of the website (e.g. language settings, login state). They are usually deleted at the end of the browser session. Optional cookies serve the purpose required by the respective function; their storage duration is indicated in the cookie banner.
4.4 Right to Object and to Have Data Removed
You can revoke or adjust your consent to cookies at any time via the cookie banner. You can additionally disable cookies in your browser settings. If cookies are disabled for our websites, some functions may no longer be fully usable.
5 Online Shop and Ordering Process
This processing concerns zentor.de.
5.1 Description and Scope
On our main website, we operate an online shop. In the context of an order, we collect the following data:
- Salutation, first and last name
- Billing and, where applicable, shipping address
- Email address, phone number (optional)
- Ordered items and order details
- Payment information (via the payment service providers listed in §6)
- Date and time of the order
- IP address and browser information at the time of the order
5.2 Legal Basis
The legal basis is Art. 6(1)(b) GDPR (contract initiation and performance). Where commercial and tax-related retention obligations apply, Art. 6(1)(c) GDPR serves as an additional legal basis.
5.3 Purpose and Duration of Storage
The data are stored for the purpose of fulfilling the contract and for compliance with statutory retention obligations. Order data are retained for 6 or 10 years in accordance with § 257 HGB (German Commercial Code) and § 147 AO (German Fiscal Code) and then deleted.
5.4 Recipients / Disclosure
Data are transmitted to the payment service providers mentioned in §6 and, where applicable, to shipping providers (where necessary for delivery). Where statutory retention and reporting obligations apply, we disclose relevant order data to our tax advisor in the context of our mandate; our tax advisor is an independent controller and is subject to their own professional obligations (in particular § 203 StGB, German Criminal Code).
6 Payment Processing
This processing concerns zentor.de.
6.1 Stripe (Credit Card and SEPA Payments)
For the processing of payments by credit card and SEPA direct debit, we use the payment service provider Stripe Payments Europe Limited, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland (parent company: Stripe, Inc., USA). Stripe is predominantly an independent controller (in particular for obligations relating to anti-money laundering and fraud prevention). To the extent that Stripe processes personal data on our behalf, a data processing agreement is in place with integrated Standard Contractual Clauses and a Data Transfers Addendum covering all three SCC modules.
Payment and identification data are transmitted to Stripe. The legal basis is Art. 6(1)(b) GDPR. Further information on processing at Stripe: https://stripe.com/de/privacy.
6.2 PayPal
If you choose PayPal as your payment method, your payment data will be transmitted to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. PayPal is an independent controller under the GDPR. The legal basis is Art. 6(1)(b) GDPR. Further information: https://www.paypal.com/de/legalhub/privacy-full.
7 Newsletter Distribution
This processing concerns zentor.de.
7.1 Description and Scope
You can register for our newsletter via the newsletter registration area on our main website. We use the Mailchimp service provided by Intuit Inc. / The Rocket Science Group LLC, 405 N. Angier Avenue NE, Atlanta, GA 30308, USA, for newsletter distribution. At sign-up, we collect:
- Email address
- Date and time of sign-up and of confirmation (double opt-in)
- IP address at the time of sign-up
During the course of newsletter distribution, additional reaction data (open rates, clicks, device information, approximate geolocation) may be collected in order to optimise content.
7.2 Legal Basis and Purpose
The legal basis is Art. 6(1)(a) GDPR (consent). Sign-up takes place via the double opt-in procedure — you receive a confirmation email after registration and must confirm your sign-up via a link. You can withdraw your consent at any time, for example via the unsubscribe link at the end of every newsletter.
7.3 Data Processing and Third-Country Transfer
A data processing agreement is in place with Mailchimp, integrated by way of click-through acceptance of the Mailchimp Standard Terms of Use (Art. 28(9) GDPR permits this electronic form). Mailchimp is certified under the EU-US Data Privacy Framework as a subsidiary of Intuit. The Mailchimp DPA additionally contains the EU Standard Contractual Clauses under Art. 46 GDPR.
8 Login Area and Member Accounts
This processing concerns academy.zentor.de and (at go-live) analytics.zentor.de.
8.1 Description
Certain areas of our online services are only accessible after successful login with an email address and password. During registration and at login, we collect:
- Email address
- Hashed (encrypted) password
- First and last name (if provided by you)
- IP address and device information at the time of registration and logins
- Date and time of actions
- Login history and activity log in closed areas
8.2 Legal Basis and Purpose
The legal basis is Art. 6(1)(b) GDPR (usage contract relationship) and additionally Art. 6(1)(f) GDPR (security of the login function).
8.3 Duration of Storage
User account data are stored for as long as your account exists. Upon cancellation, the account is deleted within a reasonable period, provided no retention obligations stand in the way. Login logs are anonymised or deleted after a maximum of 90 days.
9 Learning Management System
This processing concerns academy.zentor.de.
For the provision of our online courses and associated content, we operate a Learning Management System (LMS) on our own hosting (AWS Frankfurt). In the context of your course participation, your user account, course progress, quiz results, certificates and time stamps of course interactions are stored. The data are processed exclusively on our hosting — no third-country transfer occurs in the course of LMS use.
The legal basis is Art. 6(1)(b) GDPR (provision of the contractually owed learning offering).
10 Diagnostic Modules and Psychometric Questionnaires
This processing concerns academy.zentor.de.
10.1 Description and Scope
As part of our academy content, we offer diagnostic modules in which you can voluntarily answer questionnaires on personality, values and professional orientation. We collect:
- Your answers to the questionnaires
- Derived analyses and insights
- Your association with the respective course module
The data are processed exclusively on our own hosting (AWS Frankfurt).
10.2 Heightened Protection — Voluntary Treatment as Art. 9 GDPR Data
These diagnostic data do not, on their own, have a clinical character and do not constitute a medical or psychological health diagnosis. Out of an abundance of caution, and in order to honour your trust, we voluntarily treat these data as special categories of personal data within the meaning of Art. 9 GDPR. This means:
- We obtain your explicit consent within the meaning of Art. 9(2)(a) GDPR before processing.
- We apply heightened technical and organisational protective measures (encryption, restrictive access controls, separate authorisations).
- You can withdraw your consent to the processing at any time and request the deletion of the diagnostic data.
10.3 Recipients
The diagnostic data are not transmitted to any third party — unless you have explicitly instructed us, for example, to share them with a coach or within the context of a B2B customer contract.
11 AI-Powered Features
This processing concerns academy.zentor.de.
In parts of our academy, we offer AI-powered features (e.g. interactive learning assistance). When you use such a feature, the text of your query is transmitted via an API to our processor OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, Ireland (parent company: OpenAI OpCo, LLC, USA), and processed there in order to generate the response.
A signed Data Processing Agreement (DPA) dated 3 May 2026 is in place with OpenAI Ireland Ltd., with integrated Standard Contractual Clauses (Module 2 and Module 3). OpenAI is, as a US group, certified under the EU-US Data Privacy Framework. OpenAI does not use API inputs to train its models (default for API customers).
The legal basis is Art. 6(1)(a) GDPR (consent via the cookie banner) or Art. 6(1)(b) GDPR for contractually owed AI features.
12 Embedded Videos (YouTube and Vimeo)
This processing concerns our online services where videos are embedded (typically on zentor.de in the blog/knowledge area and on academy.zentor.de in course content).
12.1 Description and Scope
At individual points, we embed videos from the platforms YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, USA) and Vimeo (Vimeo.com, Inc., 330 West 34th Street, 5th Floor, New York, NY 10001, USA).
Video embedding only occurs after your explicit consent via our cookie banner. As long as you have not given this consent, videos are not loaded and no data are transmitted to YouTube or Vimeo.
Once you activate an embedded video, the following data are transmitted to the respective platform in particular:
- IP address
- Information about browser, operating system and device
- Date and time of the access
- Accessed video URL
- Where applicable, platform-owned cookies or tracking identifiers
12.2 Legal Basis and Purpose
The legal basis is Art. 6(1)(a) GDPR (consent). The purpose is the provision of audiovisual content as part of our learning and information offerings.
12.3 Third-Country Transfer
Both YouTube (via parent company Google LLC) and Vimeo process data in the USA. Both providers are certified under the EU-US Data Privacy Framework.
12.4 Withdrawal
You can withdraw your consent at any time via the cookie banner. Videos that have already been loaded remain visible in the current browser session; on a subsequent visit without consent, the videos will not be loaded again.
13 CDN and DDoS Protection
This processing concerns zentor.de.
To accelerate and protect our main website, we use the Content Delivery Network and DDoS protection of QUIC.cloud / LiteSpeed Technologies Inc., 4885 Riverbend Road, Boulder, CO 80301, USA. When our pages are accessed, traffic is routed through Quic.cloud servers. In doing so, IP addresses of users, HTTP request data and, where applicable, cookie information are processed in order to deliver content faster and to defend against attacks on our website.
A data processing agreement with integrated protective safeguards is in place with Quic.cloud (click-through DPA, valid from 10 May 2024). The legal basis is Art. 6(1)(f) GDPR (legitimate interest in fast and secure delivery of the website).
14 Web Analytics
This processing concerns all of our online services.
For the statistical analysis of website visits, we use the self-hosted open-source analytics tool Matomo, operated on our own server in Nuremberg, Germany. Matomo is operated in a cookieless mode (disableCookies()), with anonymised IP address (anonymizeIP) and respecting the Do-Not-Track header (respectDoNotTrack).
Since Matomo does not set any cookies, no consent under § 25 TDDDG is required. Processing takes place on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in a privacy-friendly reach measurement. No personal data are transmitted to third parties; processing takes place exclusively on our own infrastructure in Germany.
15 Business Communication and Back Office
This processing concerns data directed to us in the context of the business relationship via zentor.de and academy.zentor.de.
For our business communication, we use services provided by Microsoft Ireland Operations Limited (Microsoft 365: Exchange Online, Teams, OneDrive, SharePoint). The data residency of our tenant is configured to Germany; additionally, the EU Data Boundary is active for the services in use. A data processing agreement (Microsoft Products and Services Data Protection Addendum) with integrated Standard Contractual Clauses is in place with Microsoft. The legal basis is Art. 6(1)(b) GDPR (contractual communication) or Art. 6(1)(f) GDPR (other business communication).
16 Third-Country Transfers
Where personal data are transmitted to recipients in third countries (in particular the USA), this takes place on the basis of appropriate safeguards pursuant to Art. 46 GDPR. Specifically, we rely on:
- EU-US Data Privacy Framework (DPF) adequacy decision — where the respective provider is certified (e.g. AWS, OpenAI, Mailchimp, Stripe).
- Standard Contractual Clauses (SCC) of the European Commission pursuant to Implementing Decision (EU) 2021/914 — as a fall-back rule or additional safeguard.
The respective mechanisms are specifically identified in the third-party provider sections above.
17 Rights of the Data Subject
If your personal data are processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
Right of Access (Art. 15 GDPR)
You may request confirmation from the controller as to whether personal data concerning you are being processed by us. If such processing exists, you may request information about the purposes of processing, the categories of personal data processed, the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed, the envisaged storage duration, the existence of rights to rectification, erasure, restriction, objection and complaint, the origin of the data (if not collected from you), the existence of automated decision-making including profiling, as well as any third-country transfers.
Right to Rectification (Art. 16 GDPR)
You have a right to rectification and/or completion vis-à-vis the controller, provided that the processed personal data concerning you are inaccurate or incomplete. The controller must carry out the rectification without delay.
Right to Restriction of Processing (Art. 18 GDPR)
You may request restriction of processing under certain conditions, for example if you contest the accuracy of the data, if the processing is unlawful and you object to erasure and request restriction of use instead, or if the controller no longer needs the data but you require it for the establishment, exercise or defence of legal claims.
Right to Erasure (Art. 17 GDPR)
You may request the controller to erase personal data concerning you without undue delay if one of the grounds listed in Art. 17(1) GDPR applies (data are no longer needed for the purposes; consent withdrawn in the absence of another legal basis; successful objection pursuant to Art. 21 GDPR; unlawful processing; legal erasure obligation; collection in the context of information society services offered to children). The right does not exist where processing is necessary for the exercise of the right to freedom of expression, for compliance with legal obligations, for reasons of public interest, or for the establishment, exercise or defence of legal claims.
Right to Notification (Art. 19 GDPR)
If you have exercised the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of such rectification, erasure or restriction of processing, unless this proves impossible or involves disproportionate effort. You have the right to be informed about these recipients.
Right to Data Portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format, provided that the processing is based on consent or a contract and is carried out by automated means. You additionally have the right to transmit those data to another controller without hindrance.
Right to Object (Art. 21 GDPR)
You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you carried out on the basis of Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time; this also applies to profiling to the extent that it is connected with such direct marketing.
Right to Withdraw Consent (Art. 7(3) GDPR)
You have the right to withdraw your data protection consent at any time. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of the consent prior to its withdrawal.
Automated Individual Decision-Making Including Profiling (Art. 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects concerning you or similarly significantly affects you. Such automated decision-making does not take place on our online services.
Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement. The supervisory authority competent for zentor GmbH is:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach, Germany
Phone: +49 (0) 981 53 1300
Email: poststelle@lda.bayern.de
Website: https://www.lda.bayern.de
18 Currency of This Privacy Policy
This privacy policy has the date stated at the beginning of the document. Due to the further development of our online services or due to changed legal or regulatory requirements, it may become necessary to adapt this privacy policy. The respective current version can be accessed and printed at any time on our online services.