Labskills Privacy

Labskills Privacy Policy

Privacy Policy

Last updated: April 2026

1. CONTROLLER

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is:

LabSkills GmbH

Landaubogen 3

81373 Munich, Germany

Phone: +49 89 356479-38

Email: info@labskills.ai

Website: www.labskills.ai

Managing Directors: Philipp Terhorst, Shahab Houshangi

Commercial Register Number: HRB 243854

VAT Identification Number pursuant to § 27a German VAT Act: DE320377445

For data protection inquiries, please contact: info@labskills.ai

2. GENERAL INFORMATION ON DATA PROCESSING

2.1 Principle

We generally process personal data of our users only to the extent necessary to provide a functional website and platform, as well as our content and services. Personal data is processed regularly only with the user’s consent. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing is permitted by statutory provisions.

2.2 What is Personal Data?

According to Art. 4 No. 1 GDPR, personal data means any information relating to an identified or identifiable natural person. This includes, for example, name, address, customer number, telephone number, and also the IP address. In short: all information relating to natural persons that makes them directly or indirectly identifiable is considered personal data.

2.3 Legal Bases for Processing

Where we obtain consent for processing operations, Art. 6(1)(a) GDPR serves as the legal basis.

For processing necessary for the performance of a contract, Art. 6(1)(b) GDPR applies.

For compliance with a legal obligation, Art. 6(1)(c) GDPR applies. For the protection of legitimate interests, Art. 6(1)(f) GDPR applies.

2.4 Data Deletion and Storage Duration

Personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Further storage may occur if required by statutory retention obligations (e.g., commercial or tax retention periods pursuant to § 147 AO or § 257 HGB). In such cases, the data will be deleted after the respective period expires.

3. DATA COLLECTION WHEN VISITING OUR WEBSITE

3.1 Server Access Data and Log Files

Each time you access our website, our system automatically collects data and information from your device. The following data is collected: the user’s IP address (anonymized by truncation so that individual identification is not possible), browser type and version, operating system used, date and time of access, amount of data transferred, and the previously visited website (referrer URL).

This data is stored in log files on our servers. It is not combined with other personal data of the user. The anonymized data is used for statistical purposes and to analyze user behavior in order to continuously improve our services. The servers on which this website is operated are located in Germany. We have concluded a data processing agreement with the server provider in accordance with Article 28 of the GDPR. Legal basis: Article 6(1)(f) GDPR (legitimate interest in the secure and smooth operation of the website).

Storage period: Log files are deleted after 30 days at the latest.

3.2 Hosting

Our website and platform are hosted on servers of Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. All data processed in connection with the operation of our website is stored on servers in Germany. We have concluded a data processing agreement with Hetzner in accordance with Art. 28 GDPR.

Legal basis: Art. 6(1)(f) GDPR

4. COOKIES

4.1 Technically Necessary Cookies

Our website uses cookies. Cookies are small text files stored in the user’s internet browser or on their device. When our website is visited again, the browser can be recognized via a unique identifier, allowing us to improve usability based on visitor preferences.

Technically necessary cookies (e.g., session cookies for login) are set based on Art. 6(1)(f) GDPR and are automatically deleted at the end of the browser session or after a defined period.

4.2 Optional Cookies

If we use additional cookies for analysis or marketing purposes, this is done exclusively on the basis of your consent in accordance with Art. 6(1)(a) GDPR. You can adjust your settings at any time via the “Cookie Settings” button on our website and withdraw your consent with effect for the future.

4.3 Use Without Cookies

You can configure your browser to reject cookies generally or to notify you before a cookie is set. Please note that fully disabling cookies may limit the functionality of our website.

5.CONTACT AND EMAIL

5.1 Contact Form and Email
You can contact us via the email address provided on our website. In this case, the personal data transmitted with the email will be stored. This data will be used exclusively to process your request and for any follow-up questions. Our online forms allow you to submit requests in encrypted form. Legal basis: Art. 6 para. 1 lit. f GDPR.

Storage period: Your data will be deleted as soon as it is no longer required for the purpose for which it was collected. Emails are generally stored on our servers for up to 10 years, unless statutory retention obligations apply. If you wish to have your data deleted earlier, please contact us.

5.2 Email Dispatch via Microsoft
For sending transactional emails (e.g., registration confirmations, password resets, system messages), we use the Microsoft 365 / Azure Communication Services service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. In this process, the email address and message content are transmitted to Microsoft. We have concluded a data processing agreement with Microsoft in accordance with Article 28 of the GDPR. Data transfers to third countries are based on Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework. Legal basis: Article 6(1)(b) GDPR (performance of a contract).

6. NEWSLETTER
You have the option to subscribe to our free newsletter with a valid email address to receive current information and offers.

To prevent misuse, we collect your email address, IP address, and the date and time of registration. You will then receive a confirmation email with an activation link (double opt-in procedure). By clicking this link, you give us your consent to receive the newsletter in accordance with Art. 6 Para. 1 lit. a GDPR. Your data will be used exclusively for sending the newsletter and will not be shared with third parties. You can unsubscribe at any time. You will find a corresponding unsubscribe link at the end of every newsletter email.

7. APPLICATION PROCESS
As part of your online application, we collect the personal data you provide (e.g., name, contact details, resume, qualifications). The transmission is encrypted. This data is processed exclusively by the responsible HR staff and solely within the scope of the application process. Legal basis: Section 26 of the German Federal Data Protection Act (BDSG), Article 6(1)(b) and Article 6(1)(f) of the GDPR. Retention period: After completion of the application process, your documents will be deleted within 4 months, unless a statutory retention obligation pursuant to Article 6(1)(c) of the GDPR applies.

8. USE OF PLATFORM SERVICES

8.1 ALL ONE
For certain platform functions (in particular CRM, communication automation, and marketing processes), we use the SaaS platform ALL ONE (www.all-one.io). Personal data such as name and email address may be transmitted to ALL ONE. We have concluded a data processing agreement with ALL ONE in accordance with Article 28 GDPR. Legal basis: Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. Further information can be found at: www.all-one.io/datenschutz

8.2 OpenAI

For certain AI-powered features of our platform (e.g., text analysis, natural language processing, automated evaluations), we use services provided by OpenAI Ireland Ltd., One Canal Park, Dublin 2, Ireland. In this context, personal data (e.g., information contained in user inputs) may be transmitted to OpenAI. We have entered into a data processing agreement with OpenAI in accordance with Art. 28 GDPR (Data Processing Addendum, signed on May 4, 2026). Since OpenAI also processes data on servers in the United States, the transfer is based on EU Standard Contractual Clauses (SCCs) in accordance with Art. 46 GDPR. OpenAI Ireland Ltd. is the responsible party for the processing of data from the European Economic Area. Legal basis: Article 6(1)(b) of the GDPR (performance of a contract) and Article 6(1)(f) of the GDPR (legitimate interest in providing AI-powered platform features). Further information on OpenAI’s data protection practices and sub-processors: https://openai.com/privacy and https://platform.openai.com/subprocessors

9. SOCIAL MEDIA AND EXTERNAL SERVICES

9.1 Facebook Pixel
We use the Facebook Pixel of the social network Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, to display interest-based advertising to our website visitors on social networks. The visitor’s browser establishes a connection to Meta’s servers, which informs Meta that the user has visited our website. Legal basis: Art. 6 para. 1 lit. a GDPR (consent). Consent is obtained immediately after the first visit to our website. You can object to this processing at any time by adjusting the cookie settings on our website or by using the opt-out option at facebook.com/settings/?tab=ads.

9.2 YouTube and Vimeo (video embeds)
We embed videos from YouTube, a service of Google LLC / YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, on our website and our social media pages. When you access a page with an embedded YouTube video or play it, data (in particular your IP address, pages visited, browser information) is stored on YouTube’s servers in the USA. If you are logged into your YouTube account, YouTube can associate your browsing behavior with your personal profile. We recommend logging out of your YouTube account before visiting our website if you do not wish to have your data collected. Legal basis: Article 6(1)(f) GDPR. Data transfers to the USA are based on Standard Contractual Clauses (SCCs). Further information can be found in Google’s Privacy Policy: Google Privacy Policy – Privacy & Terms – Google

10. SECURITY

We have implemented comprehensive technical and organizational measures (TOMs) to protect your personal data against loss, destruction, manipulation, and unauthorized access. Data transmission on our website is exclusively encrypted via the HTTPS protocol (TLS), recognizable by “https://” in your browser’s address bar. Our employees and service providers are contractually obligated to comply with applicable data protection regulations.

11. TRANSFER OF DATA TO THIRD PARTIES AND DATA PROCESSORS
Your personal data will not be transferred to third parties for purposes other than those stated in this privacy policy. We use the following data processors, with whom we have concluded a data processing agreement in accordance with Article 28 GDPR:

Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany – Purpose: Hosting and server infrastructure, Data location: Germany

Microsoft Ireland Operations Limited, One Microsoft Place, Leopardstown, Dublin 18, Ireland – Purpose: Transactional email delivery, Guarantees for third-country transfers: SCCs, EU-U.S. Data Privacy Framework

ALL ONE (www.all-one.io) – Purpose: CRM and platform functions
Legal basis for the use of all data processors: Art. 6 para. 1 lit. b and lit. f GDPR.

12. DATA TRANSFER TO THIRD COUNTRIES
Insofar as we use service providers that process data outside the European Union or the European Economic Area (in particular in the USA), this is done exclusively on the basis of suitable guarantees pursuant to Art. 46 GDPR (in particular EU Standard Contractual Clauses) or an adequacy decision of the EU Commission (e.g. EU-U.S. Data Privacy Framework). Upon request, we will provide you with copies of the relevant guarantees.

13. RIGHTS OF DATA SUBJECTS
As a data subject, you have the following rights vis-à-vis the controller:
Right of access (Art. 15 GDPR): You can request information about the personal data we process, its origin, recipients, and purpose.

Right to rectification (Art. 16 GDPR): You can request the immediate rectification of inaccurate personal data or the completion of incomplete personal data.

Right to erasure (Art. 17 GDPR): You can request the erasure of your personal data, provided there are no legal retention obligations to the contrary.

Right to restriction of processing (Art. 18 GDPR): You can request the restriction of the processing of your personal data under certain conditions.

Right to data portability (Art. 20 GDPR): You can request to receive your personal data in a structured, commonly used, and machine-readable format or to have it transmitted to another controller.

Right to object (Art. 21 GDPR): If the data processing is based on Art. 6 para. 1 lit. e or f GDPR, you have the right to object at any time on grounds relating to your particular situation. We will then no longer process the data unless we can demonstrate compelling legitimate grounds for the processing which override your interests.

Right to withdraw consent (Art. 7 para. 3 GDPR): You can withdraw your consent at any time with effect for the future, without affecting the lawfulness of the processing carried out before the withdrawal.

Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data infringes the GDPR. The responsible supervisory authority for LabSkills GmbH is:
Bavarian State Office for Data Protection Supervision (BayLDA) Promenade 18 91522 Ansbach https://www.lda.bayern.de/de/beschwerde.html

To assert your rights, please contact: info@labskills.ai

14. CHANGES TO THIS PRIVACY POLICY

We reserve the right to amend and supplement this privacy policy as needed, should this become necessary due to new technologies, changes in legal requirements, or other reasons. The current version is always available on our website. We recommend that you read this privacy policy regularly.