Welcome to Tubulis GmbH (referred to as “Tubulis”, “we”, “us” or “our” throughout this Privacy Notice). We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for Tubulis.
1. PURPOSE OF THIS PRIVACY NOTICE
We take our Data Protection obligations very seriously and are committed to protecting and respecting your privacy and personal data. This Privacy Notice explains what types of personal information we collect about you when you use our website, what we do with that personal information, the legal basis for our processing of your personal information, what rights you have in relation to your personal information and how you can exercise those rights. It also explains how we keep your personal information safe and secure.
Tubulis services are not intended for children under the age of 13 and we do not knowingly collect data relating to children.
It is important that you read this Privacy Notice together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This notice supplements other privacy notices and is not intended to override them.
2. CONTROLLER AND CONTACT DETAILS
The controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member States of the European Union and other provisions related to data protection is:
Tubulis GmbH
Address: Am Klopferspitz 19 a, 82152 Planegg-Martinsried, Germany
Phone: +49 89 3564764-0
Email: info@tubulis.com
Website: www.tubulis.com
Tubulis has appointed the following Data Protection Officer (DPO):
Name: The DPO Centre
Address: Vijzelstraat 68-78, 1017 HL, Amsterdam, The Netherlands
Phone: +31 20 209 1510
Email: data.protection@tubulis.com
If you are in the UK, you may also contact our UK Representative:
Name: The DPO Centre
Address: 50 Liverpool Street, London, EC2M 7PR, United Kingdom
Phone: +44 (0) 203 797 1289
Email: data.protection@tubulis.com
If you are in Switzerland, you may also contact our Swiss entity:
Name: Tubulis Sarl
Address: Lausanne (Switzerland)
Route de la Corniche 4, 1066, Epalinges, CH
Email: info@tubulis.com
Website: www.tubulis.com
If you are in the U.S., you may also contact our U.S. entity:
Name: Tubulis Inc.
Address: Boston (USA)
14th Floor One Broadway, Cambridge, US, 02142
Email: info@tubulis.com
Website: www.tubulis.com
You have the right to make a complaint at any time to the supervisory data protection authority:
- If you are in the EU or EEA, you can find the relevant supervisory authority here: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en
- If you are in the UK, you have the right to lodge a complaint at any time to the Information Commissioner’s Office (ICO) https://ico.org.uk/, the UK supervisory authority for data protection.
- If you are in Switzerland, you have the right to lodge a complaint at any time to the Swiss Federal Data Protection and Information Commissioner (FDPIC) https://www.edoeb.admin.ch/en, the Swiss supervisory authority for data protection.
- If you are in another country, please contact us to receive information about the local supervisory authority responsible for data protection, if any.
We would, however, appreciate the chance to deal with your concerns before you approach the data protection authority, so please contact us in the first instance. Please do so via the contact info above.
3. THE DATA WE COLLECT ABOUT YOU
Personal data, or personal information, means any information about a living individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store, process and transfer different kinds of personal data about you which we have grouped together as follows:
- a. Identity Data – Your first name and last name.
- b. Contact Data – Data shared when you contact us via our contact page. This includes your email address, phone number and data included in your message.
- c. Technical Data – This includes your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website. Where cookies are included, please refer to our Cookie Notice.
- d. Social Media Data – Data we receive when you engage with our social media pages (e.g. LinkedIn and X), including your username, user ID, and demographic information, subject to your settings and privacy practices of the relevant platform.
Please note the above list is not exhaustive but gives an indication of the data we collect.
IF YOU FAIL TO PROVIDE PERSONAL DATA
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to provide you with our services. In this case, we may have to cancel the services you have with us, but we will notify you if this is the case at the time.
4. SOURCE OF THE PERSONAL DATA
We use different methods to collect data from and about you including through:
DIRECT INTERACTIONS
- You may give us your Identity Data and Contact Data on our website or by corresponding with us via our contact form, by post, phone or email, or otherwise. If you message us via one of our social media pages, this may also contain certain Social Media Data.
THIRD PARTIES OR PUBLICLY AVAILABLE SOURCES
We may receive personal data about you from various third parties as set out below:
Technical Data from the following parties:
- Cookie providers, in line with our Cookie Notice (see below);
- IT providers, if this is part of their IT services to us;
- Social Media Platforms (including but not limited to LinkedIn and X) when your engagement with our social media pages causes the Social Media Platform to share this data with us. In addition, the Social Media Platforms may provide us with aggregated statistics and insights (for example, information about profile visits). This information does not usually identify you directly. For more information, please see the privacy policies of the respective Social Media Platforms. Please keep in mind that the operators of the Social Media Platforms also gather information about your use of the Digital Services and their features and tools. We are not responsible for their practices. In relation to Social Media Platforms, we only process personal data which you have already shared with the world.
5. PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA
We have set out below a description of the ways we use your personal data, and which of the legal bases for processing we generally rely on to do so. Please note this is not an exhaustive list but gives an indication of the purposes for our processing.
Identity Data, Contact Data, Social Media Data
Lawful Basis
Our Legitimate Interest in communicating with you
Purpose
Communication: For communication purposes, including, but not limited to:
- Responding to messages
- Providing information and support
- Managing website feedback and, for example, improving the website experience
- Ensuring effective communication
Technical Data, Social Media Data (aggregated insights)
Lawful Basis
Our Legitimate Interest in website management
Consent, if this is required for a specific cookie. Please refer to our cookie notice for more information.
Purpose
Website and Social Media management: For website management purposes, including, but not limited to:
- Website security
- Website functionality
- Performance optimisation
- Content optimisation
CHANGE OF PURPOSE
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
In the unlikely event that we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
6. RECIPIENTS OF YOUR PERSONAL DATA
We do not sell any of your personal information to third parties. We do not disclose your personal information to third parties for marketing purposes.
We minimise the amount of personal information we disclose to what is directly relevant and necessary, and so we may disclose your personal information to authorised third party service providers who help us to provide our services such as:
- Professional service providers who help us run our business, such as website management, data hosts, IT services, and analytics.
- To any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person.
- Third party sites approved by you, such as Social Media Platforms (if you choose to link your accounts to us). We encourage you to review the privacy policies of the Social Media Platforms that you engage with to understand their privacy practices, which we do not control.
- If we were to be acquired by another company or decided to sell any parts of our business, we may also need to share your personal data with the buyer of those parts of the business. In those circumstances, we will make sure that any new buyer agrees to follow this Privacy Notice with respect to your personal information and will promptly give you details of how they will use your personal data, and your options for changing that.
Apart from the above, we will not share your personal data without your prior consent. A list of third parties who we may share your data with can be obtained via the contact details mentioned above. Please note this list is not exhaustive but gives an indication of the data we share with third parties.
7. INTERNATIONAL TRANSFERS
Our data is typically processed within the EEA. There may, however, be some contracted technical service providers that process data outside of the EEA. Where these transfers and any other transfers that may occur in the future are concerned, we ensure that there is a legal basis for the transfer and a lawful transfer mechanism in place prior to any transfers, in accordance with Data Protection legislation. More information can be obtained by contacting us via the contact information above.
8. RECRUITMENT
You may apply for a job via our website on the careers page. If you do so, personal data regarding your application will be processed. For more information about this processing, please refer to our Candidate Privacy Notice: https://tubulis-gmbh.jobs.personio.com/privacy-policy?language=en.
9. COOKIES
As you interact with our website, we will automatically collect certain technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies or similar technologies. You can set your browser to refuse all or some browser cookies, however if you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly.
Further information can be found in our Cookie Notice.
10. AUTOMATED DECISION-MAKING
As a responsible company, we do not make decisions that have a significant impact on you based solely on automatic decision-making.
11. HOW LONG WE KEEP YOUR PERSONAL DATA
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. Please contact our DPO for further information about retention and our schedule.
12. HOW WE PROTECT YOUR PERSONAL DATA
We take the security of your information very seriously. We have implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
13. YOUR LEGAL RIGHTS
Under certain circumstances and with some limitations in place, by law you have the following rights regarding our processing of your personal data:
- Right to be informed by the provision of a privacy notice when your personal information is processed.
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request rectification of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure (“right to be forgotten”) of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you.
- Request the transfer of your personal information to another party (“data portability”).
- Right to object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Right to withdraw consent insofar as the processing of your personal data is based on your consent. This does not affect the relevant processing before the consent withdrawal.
Generally, you will not have to pay a fee to exercise any of your legal rights. However, we are entitled to charge a reasonable fee if any request is clearly unfounded, repetitive or excessive. We can also refuse to comply with an unfounded or excessive request. We may need to request information from you to confirm your identity, in order to make sure that personal data is not disclosed to someone who is not entitled to have it. We may also need to ask you for additional information to help us respond to your request. We will try to respond to your request within one month but, if the request is very complex or if you have made a number of requests, we are legally able to extend the request by an additional two months. In such circumstances, we will explain to you why it will take longer to respond and we will keep you updated.
If you want to exercise any of your rights, please contact us via the contact details mentioned at the top of this Privacy Notice.
United States General Data Protection Legislation
In the United States of America (“USA”), Data Protection Legislation refers to any federal, state, sectoral, or case laws and regulations governing the privacy and security of personal data. This includes applicable state privacy legislation, including, but not limited to, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), New York’s Shield Act and Delaware’s Online Privacy and Protection Act (DOPPA), as well as other relevant state and federal regulations. This definition also encompasses any legislation implemented under these laws and any replacement or additional legislation enacted from time to time.
United States General Data Subject Rights
United States – California
California Data Protection Legislation
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (“CCPA”) requires that we provide you with a privacy policy of our online and offline information practices and your rights under this law regarding your personal information.
We currently collect, share, disclose, and use your personal information. In the 12 months prior to the last updated date of this Privacy Notice, we have collected, shared and disclosed the personal information set out in the Your Information section above. We may collect personal information directly from California and other USA state residents, credit reporting agencies, and/or our third-party service providers. We do not collect all categories of personal information from each source.
California Resident Rights
California residents are afforded the following rights:
- to delete your personal information, unless we:
  - can prove this to be impossible;
  - it involves disproportionate effort;
  - it is reasonably necessary for us to maintain records in order to fulfil the transaction(s) for which the personal information was collected;
- to correct inaccurate personal information held about you;
- to know what personal information is sold or shared and to whom (this right is fulfilled with the information provided within this Notice);
- to request specific pieces of information from us;
- to opt out of the sale or sharing of your personal information;
- to limit use and disclosure of sensitive personal data;
- to no retaliation following opt-out or exercise of other rights.
If you would like to contact us regarding this right, please Contact Us as set out below. Please note that we may need to verify your identity before processing your request. Rights requests shall be reviewed to see if an exemption allows us to retain the information. We may deny your deletion request if an exemption applies and/or if retaining the information is necessary for us or our Service Provider(s), for example to detect fraudulent activity or comply with a legal obligation. We will delete, de-identify or limit the scope of personal information not subject to an exemption from our records and will direct our Service Providers to take similar action.
United States – Other Data Protection Legislation
Other USA Data Protection Legislation
If you are a USA resident, we process your personal data in accordance with applicable USA state data privacy laws, including the CCPA/CPRA described above. This section of our Privacy Notice contains information required by other USA state data privacy laws and supplements the above section on CCPA/CPRA.
Several USA states have enacted comprehensive privacy statutes, including but not limited to Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. These laws include provisions aimed at safeguarding consumer rights and outlining business obligations. If you have relevant rights under these laws, you can exercise them by contacting us using the details provided in the Contact Us section as set out below.
Our practices are designed to adhere to the highest standards set forth by these laws, ensuring that we respect the privacy rights of all individuals. As the USA privacy laws continue to evolve, we will monitor these changes, adjust our privacy practices, and update our Privacy Notice(s), accordingly.
We Do Not Sell Your Personal Information
You have the right to know whether your personal information is being sold. Your personal information is “sold” when it is provided to a third party for monetary or other valuable consideration for a purpose that is not a “business purpose” as set forth in the CCPA or other USA state data privacy laws.
Please note a “sale” does not include when we disclose your personal information at your direction, or when otherwise permitted under law.
We May Share Your Personal Information
We may “share” your personal data, as defined under California and other applicable USA state laws, for personalised advertising purposes and/or for any other purposes outlined in this Privacy Notice.
Do Not Track
Due to varying practices among browser providers and the lack of a market standard, we do not respond to Do Not Track signals at this time.
Non-Discrimination
USA state privacy laws prohibit businesses from discriminating against you for exercising your rights under the law. Such discrimination may include denying goods or services, providing a different level or quality of service, or charging different prices.
The CCPA permits businesses to provide differing levels or quality or different prices where the business can demonstrate that the difference is reasonably related to the value to the business of the consumer’s personal information.
14. CHANGES
From time to time, we may revise this Privacy Notice. Any such changes will be reflected on this page. Tubulis recommends that you review this Privacy Notice regularly for any updates.
15. GLOSSARY
Personal data: any information relating to an identified or identifiable natural person (“data subject”).
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, for example: collection, storage, alteration, retrieval, consultation, use, disclosure, making available, restriction, erasure or destruction.
Restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future.
Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Controller: the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
Third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent: the freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data relating to him or her.