- Controller (Art. 13(1)(a) GDPR)
The controller responsible for the processing of personal data in connection with the use of this website is:
blue-zone GmbH
Am Oberfeld 1
83026 Rosenheim
Germany
Phone: +49 8031 61929-00
Email: info@blue-zone.io
Website: www.blue-zone.io
Managing Director: Robert Thiele
blue-zone GmbH is the entity that alone or jointly with others determines the purposes and means of the processing of personal data and is therefore the “controller” within the meaning of the General Data Protection Regulation (GDPR).
- Data Protection Officer (Art. 13(1)(b) GDPR)
- General Information on Data Processing
As a general rule, we process personal data of visitors to our website only to the extent necessary to provide a functional website and our content and services, or where you have given us your consent.
Personal data means any information relating to an identified or identifiable natural person, such as name, contact details or online identifiers like IP addresses, provided a personal reference can be established.
Your data is processed in accordance with the GDPR, the German Federal Data Protection Act (BDSG) and the German Telecommunications and Telemedia Data Protection Act (TTDSG).
The provision of certain data may be required to use specific functions of our website or may be legally mandatory. Mandatory fields are marked as such in forms. Where consent is required (in particular for form-based interactions with subsequent tracking), we obtain this separately.
- Categories of Personal Data
Depending on how you use our website and which functions you make use of, we process in particular the following categories of personal data:
We process master data such as your first and last name and the company name you provide. We also process contact data, in particular your business email address and, where applicable, your telephone number if you provide these via forms or other communication channels.
When you use our website, usage and log data is also collected. This includes, in particular, your IP address, the date and time of access, pages visited, technical information about your browser and operating system, and the referrer URL (i.e. the previously visited website).
If you communicate with us, for example via contact forms, when requesting information or booking appointments, we also process communication data. This includes in particular the content of your messages, subject lines, selected topics, requested content and metadata of such communications.
In addition, where you have given your consent, we process marketing and tracking data. This includes information about which pages you visit, which content you view, which links you click, whether and when you open emails and which elements you click within emails. This information is stored in our CRM system (HubSpot) as CRM data and linked, for example, with lead status, campaign assignments and an interaction history.
- Legal Bases for Data Processing
The processing of your personal data is based on various legal grounds under the GDPR and the TTDSG.
For all processing operations on our website triggered by the completion and submission of forms and involving subsequent assignment to our CRM system and tracking of interactions, we generally rely on your consent pursuant to Art. 6(1)(a) GDPR. This includes, in particular, the storage of your data in the CRM system, subsequent contact regarding the topic you selected, and the evaluation of your user behavior within the scope of your consent. Where the use of certain cookies or similar technologies requires access to your device, this is also based on Section 25(1) TTDSG.
If such contact subsequently leads to the initiation of an offer or the conclusion of a contract, we additionally process your personal data on the basis of Art. 6(1)(b) GDPR, as the processing is necessary for the performance of a contract or for pre-contractual measures.
For certain processing operations, in particular in connection with the technical provision of the website, hosting, delivery via content delivery networks, server log files, and ensuring stability and security, we rely on Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring a secure, stable and efficient operation of our online services.
Where we are subject to legal obligations to process personal data (e.g. commercial and tax retention obligations, documentation obligations for consents), processing is also carried out on the basis of Art. 6(1)(c) GDPR.
With regard to cookies and similar technologies on your device, the TTDSG applies in addition. Technically non-essential cookies (e.g. for analytics and marketing purposes) are used only with your consent pursuant to Section 25(1) TTDSG in conjunction with Art. 6(1)(a) GDPR. Technically essential cookies required for the operation of the website are used pursuant to Section 25(2) TTDSG without your consent; the subsequent processing of personal data is then based on Art. 6(1)(f) GDPR.
- Hosting, Infrastructure & Security Architecture
Our website is operated entirely using the infrastructure of HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin, Germany. HubSpot provides us with the content management system, hosting environment, SSL certificates, form functions, CRM system, and various analytics and marketing features. For certain processing operations, the affiliated company HubSpot Inc., 25 First Street, Cambridge, MA 02141, USA, is also involved.
As part of hosting and operating the website, personal data – in particular usage and communication data – is processed on servers operated predominantly within the European Union. HubSpot also uses additional infrastructure service providers, including Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA, and Amazon Web Services, Inc. (AWS), 410 Terry Ave North, Seattle, WA 98109, USA. These providers deliver services for infrastructure security, load balancing, fast delivery of static content via content delivery networks, and protection against DDoS attacks.
In this context, IP addresses, technical connection data, requested content and log data are processed. This processing is necessary to provide the website globally in a performant, secure and stable manner.
The legal basis for this processing is our legitimate interest pursuant to Art. 6(1)(f) GDPR in the professional, secure and efficient operation of our online services.
Data processing agreements pursuant to Art. 28 GDPR have been concluded with HubSpot and the infrastructure service providers used by HubSpot. Where data is transferred to third countries, in particular the USA, this is carried out using appropriate safeguards within the meaning of Art. 44 et seq. GDPR, in particular the standard contractual clauses adopted by the European Commission.
- Server Log Files
When you access our website, our systems automatically collect and store various information in so-called server log files. This includes in particular:
- the browser type and version used,
- the operating system used,
- the referrer URL,
- the host name of the accessing device,
- the time of the server request, and
- the IP address of the accessing device.
We do not combine this data with other data sources. The log files are used exclusively to ensure the technical operation of the website, to analyze malfunctions, to enhance system security, and to enable traceability in the event of attacks or misuse.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring the technically error-free, stable and secure provision of our website.
The retention period of server log files varies depending on the log category (e.g. access, security, error or system logs) and the infrastructure used. Log data is generally stored for a few weeks. Certain log types, particularly for security and stability purposes, may be retained for up to 90 days or up to 6 months. The data is then deleted or anonymized unless further retention is required in individual cases.
- Cookie Management via CookiePro
To manage your consents for the use of cookies and similar technologies in a legally compliant manner, we use the consent management tool CookiePro by OneTrust Technology Ltd., 82 St John Street, Farringdon, London EC1M 4JN, United Kingdom.
When you first visit our website, a cookie banner is displayed allowing you to decide whether you wish to allow cookies for statistical and marketing purposes in addition to technically necessary cookies. CookiePro records your selection, documents granted or denied consents, and controls the execution of the relevant scripts. Cookies requiring consent are only set after you have expressly agreed.
CookiePro processes in particular your IP address (in truncated form), information about your browser and device, the time of your selection, a pseudonymous consent ID and the selected settings (e.g. consent to “Statistics” and “Marketing” or rejection of all optional categories). This information is required to technically implement your choice, display it during future visits and fulfil our documentation obligations under Art. 7 GDPR.
Processing is carried out on the basis of Art. 6(1)(c) GDPR (compliance with legal obligations relating to the collection and documentation of consent) and Art. 6(1)(f) GDPR (legitimate interest in user-friendly and legally compliant consent management). Where cookies requiring consent are controlled and set, the legal basis is also your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG.
You may change or withdraw your consent at any time by accessing the cookie settings via the button provided in the footer (e.g. “Cookie Settings”).
- Use of HubSpot as CRM, Marketing and Automation System
We use HubSpot as a central platform for customer relationship management (CRM), email and campaign management, and the automation of marketing and sales processes. All processing operations on our website triggered by the completion and submission of forms are closely linked to the use of HubSpot and are generally based on your consent.
9.1 Data Processed
Through HubSpot, we process in particular the following personal data:
- master data provided by you in forms, such as name, company and, where applicable, position,
- contact data (in particular business email address and telephone number),
- content, interests and topics communicated in forms,
- information about scheduled or conducted appointments and conversations,
- electronic communication data (e.g. email sending times, responses, contact attempts),
- usage and tracking data relating to interaction with our website (e.g. pages visited, returning visits, timestamps, clicks),
- interactions with our emails (e.g. whether a newsletter was opened and which links were clicked).
This information is consolidated in a contact or lead profile to provide a complete overview of the interaction history with you.
9.2 Purposes
HubSpot is used for several purposes. It enables us to record and process inquiries in a structured manner, to manage prospects and customers in a targeted way, to organize content and events (e.g. web sessions) efficiently, and to analyze the effectiveness of our marketing and sales activities. At the same time, HubSpot helps us tailor our communication to you by primarily providing information that matches your stated interests.
9.3 Legal Basis
All processing operations triggered by the completion and submission of a form on our website and involving the storage of your data in HubSpot, assignment to a contact profile, subsequent contact and tracking of interactions are generally carried out on the basis of your consent pursuant to Art. 6(1)(a) GDPR. This consent is an integral part of the respective form and is actively granted by you, for example by checking a box before submitting the form.
Without your consent, the data collected via the form will not be stored in HubSpot as a contact profile and no related tracking will take place. Only after consent has been given are we permitted to assign the data provided via the form and subsequent interactions (e.g. email opens and clicks, website visits) to your profile and use it for the stated purposes.
If consent-based contact subsequently leads to the initiation or conclusion of a contract, we additionally process your data on the basis of Art. 6(1)(b) GDPR insofar as this is necessary for the preparation, performance or termination of the contractual relationship.
Technically necessary processing in connection with hosting and provision of the website by HubSpot (see section 6) is based on our legitimate interests pursuant to Art. 6(1)(f) GDPR and must be distinguished from consent-based processing.
9.4 Transfer to the USA
Where personal data is transferred to HubSpot Inc. in the USA as part of the use of HubSpot, this is carried out on the basis of appropriate safeguards pursuant to Art. 46 GDPR, in particular the standard contractual clauses adopted by the European Commission. HubSpot has committed to ensuring a level of data protection appropriate to European standards. Nevertheless, it cannot be entirely ruled out that US authorities may access data in individual cases without effective legal remedies for affected persons. We therefore continuously assess whether additional technical and organizational measures (e.g. encryption) can be implemented to further protect the data.
- Forms, Downloads and Appointment Bookings
Our website offers various forms through which you can contact us, request information, register for web sessions and other formats, or book consultation appointments and product demos.
Depending on the specific form, we collect in particular:
- your salutation and name,
- your company name and, where applicable, your role,
- your business email address and, where applicable, your telephone number,
- the topic selected by you or your area of interest,
- the content of your message or other free-text entries,
- details of desired appointments (date/time) or events for which you register.
Mandatory fields are marked accordingly and must be completed in order to submit the form. All other information is voluntary.
The data you provide is stored in our CRM system (HubSpot), assigned to a contact profile and used to process your request, provide requested content, invite you to web sessions or appointments, and contact you regarding the selected topic.
The legal basis for all processing operations triggered via these forms is your consent pursuant to Art. 6(1)(a) GDPR. This consent includes the collection and storage of the data entered, assignment to a contact profile, use of your contact details for communication and subsequent tracking of interactions within the respective purpose.
The consent is part of the respective form. Without your consent, use of the form is not possible, as we carry out the associated processing (in particular CRM and tracking) as a unified process.
If a concrete contractual relationship subsequently arises (e.g. an engagement or participation in paid services), the data required for this purpose is additionally processed on the basis of Art. 6(1)(b) GDPR.
You may withdraw your consent at any time with effect for the future. Withdrawal may be made, for example, by email to our general contact details or to the data protection officer. The lawfulness of processing carried out up to the time of withdrawal remains unaffected.
10.1 Mandatory Consent to Marketing Communication
For certain forms, in particular when requesting free content (e.g. whitepapers, use cases), registering for web sessions or other services, part of the offering is that we may subsequently provide you with further thematically relevant information.
By submitting these forms, you agree that we may:
- contact you by email and, where applicable, by telephone regarding the topics, products, services or events you selected,
- analyze your interactions with our emails (e.g. opens, clicks),
- store this interaction data in your HubSpot contact profile, and
- align our further communication to a reasonable extent with the content that appears relevant to you.
This consent to marketing communication is required to provide certain free content or services; without it, use of the respective offerings may not be possible.
The legal basis for this further processing and promotional communication is Art. 6(1)(a) GDPR in conjunction with Section 7 of the German Act Against Unfair Competition (UWG). You may withdraw your consent at any time with effect for the future, for example via an unsubscribe link in emails or by sending us an informal message.
- Disclosure to Selected Sales Partners
In certain cases, it may be useful to process your inquiry jointly with one of our sales partners, for example where specific regional, technical or industry-related requirements apply.
Personal data is disclosed to such sales partners only if:
- this is necessary or appropriate for processing your specific inquiry or for carrying out a joint project, and
- you have given us your explicit consent in advance.
In such cases, we generally transmit your name, contact details (e.g. email address, telephone number), company name and the essential content of your inquiry to the selected partner.
The legal basis for disclosure to sales partners is Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future. In this case, we will not transmit any further data to the respective partner; the lawfulness of disclosures already made prior to withdrawal remains unaffected.
- Newsletter & Double-Opt-In
We offer you the opportunity to subscribe to our newsletter and other email formats in order to receive regular information about products, services, events and other content relating to blue-zone. Distribution is carried out via HubSpot.
At a minimum, we require your email address to register. Additional information (e.g. name, company role, areas of interest) may be provided voluntarily and is used to personalize content.
Registration is carried out using the double opt-in procedure. After entering your data and submitting the registration form, you will receive an email at the address provided asking you to confirm your subscription by clicking a confirmation link. Only after this confirmation is your subscription completed.
As part of this procedure, we document the time of registration and confirmation, your IP address and the content of the consent declaration. This documentation serves as evidence for supervisory authorities.
In connection with newsletter distribution, we also evaluate whether and when you open an email and which links you click. This information is stored in your HubSpot profile and helps us improve our content and provide you with information that is as relevant as possible.
The legal basis for newsletter distribution, the associated storage of your data and tracking is your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 7 UWG. You may withdraw your consent at any time with effect for the future by using the unsubscribe link provided in every email or by contacting us directly.
After unsubscribing, your email address is removed from the active mailing list. We may, however, store it in a suppression list (“blacklist”) to ensure that you do not receive further emails; this is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR in complying with your unsubscribe request.
- Use of Google Services
We use various services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Where personal data is transferred to the USA, the recipient is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
These services are generally used only after you have given your prior consent via our cookie banner.
13.1 Google Analytics
We use Google Analytics to statistically evaluate the use of our website and improve our online services. Google Analytics uses cookies and similar technologies to collect information about visitor behavior. This includes, in particular, data on pages accessed, duration of visits, devices and browsers used, and approximate geographic origin.
IP anonymization is activated on our website. Your IP address is shortened by Google within EU member states or other EEA states before being transmitted to a Google server in the USA. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.
Google uses this information on our behalf to evaluate website usage, compile reports on website activity and provide other services related to website usage.
The legal basis for the use of Google Analytics and the setting of cookies is your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG. You may withdraw your consent at any time via our cookie banner. Google also offers a browser plugin that allows you to permanently prevent data collection by Google Analytics.
13.2 Google Ads / Conversion Tracking
We use Google Ads to advertise our offerings in Google search results and within Google’s advertising network. In this context, we use conversion tracking. When you click on an ad placed by Google, a conversion tracking cookie is set. If you subsequently visit certain pages on our website, Google and we can recognize that you clicked on the ad and were redirected to that page.
We receive only anonymous statistics from Google, such as the number of users who clicked on our ads and which pages were subsequently accessed. We are not able to directly identify individual users based on these statistics.
The legal basis for the use of Google Ads and conversion tracking is your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG. You may withdraw your consent at any time via our cookie banner or adjust settings in your Google account.
13.3 Google Tag Manager
Google Tag Manager is used to manage tracking and analytics scripts on our website. The Tag Manager itself does not set cookies, create user profiles or perform independent analyses. It merely loads other tools that may themselves process data (e.g. Google Analytics or Google Ads). However, Google Tag Manager may collect your IP address, as it establishes a connection to Google servers to deliver scripts.
The legal basis for the use of Google Tag Manager is our legitimate interest pursuant to Art. 6(1)(f) GDPR in the efficient and technically stable management of the tracking tools we use. Where consent-based tools are loaded via the Tag Manager, they are executed only after you have given your consent.
13.4 Google Search Console
We use Google Search Console to obtain technical analyses of our website’s visibility in Google search results and to identify technical errors. No personal data of website visitors is evaluated by us in this context. We receive only aggregated data on search queries, clicks and positions.
The legal basis is our legitimate interest pursuant to Art. 6(1)(f) GDPR in the technical optimization of our website.
- YouTube (Two-Click-Solution)
Videos from the YouTube service may be embedded on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
To protect your privacy, we use a privacy-friendly integration (“two-click solution”). This means that initially only a placeholder for the video is displayed and no connection to YouTube is established until you actively click on the video. Only when you choose to play the video and confirm this by clicking is a connection established to YouTube’s servers. At this point, YouTube is informed which of our pages you have visited. If you are logged into YouTube or another Google service, YouTube may associate your browsing behavior with your profile.
After a video has been started, cookies or similar technologies may also be set through which YouTube collects information about visitors to our website (e.g. for statistics, service improvement or advertising purposes). We have no influence over this processing by YouTube.
The legal basis for loading YouTube content and setting the associated cookies is your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG. You grant this consent by actively selecting and playing the video. You may withdraw your consent at any time with effect for the future via our cookie settings.
- Data Retention Periods
We generally store personal data only for as long as necessary for the respective purposes or as long as we are legally obliged to retain it.
In practice, this generally means:
- Form and CRM data: Typically stored for approximately 24 months after the last documented interaction. If no further interaction occurs during this period, we assess whether deletion or anonymization is possible, provided no statutory retention obligations apply.
- Newsletter and marketing data: Stored as long as your consent to marketing communication exists. After withdrawal or newsletter unsubscribe, your address is removed from active mailing lists and may be stored in a suppression list to prevent further mailings.
- Tracking and analytics data: Deleted or anonymized according to the retention periods configured in the respective tools (e.g. Google Analytics, HubSpot).
- Server log files / technical log data: Stored for varying periods depending on log category and infrastructure used. Typically retained for a few weeks; depending on log type (e.g. security, error or system logs), data may be retained for up to 90 days or up to 6 months before being deleted or anonymized, unless longer retention is required for investigation or evidence purposes.
- Contract-related data (e.g. invoices, contractual correspondence): Retained in accordance with statutory requirements, in particular commercial and tax law retention periods, typically for 6 to 10 years.
If data is no longer required for the stated purposes or due to legal obligations, it is deleted or appropriately anonymized.
- Your Rights under Arts. 12–23 GDPR
As a data subject, you have various rights in connection with the processing of your personal data, which you may exercise at any time.
You have the right of access (Art. 15 GDPR). This means you may request confirmation as to whether we process personal data concerning you and, if so, receive information about that data and further details of the processing (e.g. purposes, categories, recipients, retention periods).
You also have the right to rectification (Art. 16 GDPR) if personal data processed by us is inaccurate or incomplete.
You further have the right to erasure (Art. 17 GDPR), also known as the “right to be forgotten”. You may request deletion of your personal data, for example if the data is no longer necessary for the purposes for which it was collected, if you withdraw consent, or if the data has been processed unlawfully. This right may be restricted where statutory retention obligations or other overriding reasons prevent immediate deletion.
In certain cases, you have the right to restriction of processing (Art. 18 GDPR), for example if you contest the accuracy of the data, if the processing is unlawful but you request restriction instead of deletion, or if we no longer need the data but you require it for the establishment, exercise or defense of legal claims.
You also have the right to data portability (Art. 20 GDPR). This means you may receive the data you have provided to us and which we process on the basis of consent or for contract performance in a structured, commonly used and machine-readable format. Where technically feasible, you may also request direct transmission to another controller.
Where we process your personal data on the basis of legitimate interests (Art. 6(1)(f) GDPR), you have the right to object (Art. 21 GDPR) for reasons arising from your particular situation. We will then cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
If your data is processed for direct marketing purposes, you have the right to object at any time without giving reasons. In this case, your data will no longer be processed for direct marketing.
Finally, you have the right to withdraw any consent you have given pursuant to Art. 7(3) GDPR at any time with effect for the future. The lawfulness of processing carried out prior to withdrawal remains unaffected.
To exercise your rights, you may contact us at any time or contact our data protection officer directly (see section 2).
You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR) if you believe that the processing of your personal data violates the GDPR. You may in particular contact the supervisory authority of your habitual residence, place of work or the place of the alleged infringement.
- Data Security
We implement a wide range of technical and organizational measures to protect your personal data against loss, misuse, unauthorized access, unauthorized disclosure, alteration or destruction.
This includes in particular the use of modern encryption methods (TLS/SSL) for data transmission between your browser and our servers. An active encrypted connection is usually indicated by “https://” in your browser’s address bar and a lock symbol.
In addition, firewalls, DDoS protection mechanisms and a role-based access control concept ensure that access to systems and data is controlled and traceable where necessary. Our systems are regularly updated and provided with security patches to address known vulnerabilities.
We host our systems with professional service providers that apply high security standards and operate certified data centers. We also regularly train our employees in handling personal data and information security.
Despite all measures taken, absolute protection against attacks and unauthorized access on the internet cannot be guaranteed. We continuously review and improve our security measures to ensure an appropriate level of protection.
- No Automated Decision-Making
We do not use solely automated decision-making, including profiling, within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.
Although we analyze usage and interaction data to a certain extent (e.g. in the context of marketing analyses and CRM segmentation), these evaluations are used exclusively to improve our communication and do not result in automated decisions of the above-mentioned significance.
- Changes to This Privacy Policy
We reserve the right to amend this privacy policy in the future if this becomes necessary due to changes in legal requirements, new or modified processing operations, or new services used.
The current version of this privacy policy is always available on our website at www.blue-zone.io. Older versions are not automatically archived; however, we will be happy to provide a previous version upon request, where available.