Privacy Policy
This is an English translation of our privacy policy provided for your convenience. The legally binding version is the German original.
Last updated: 17.03.2026
1. Data Controller
OnChainSystems UG (haftungsbeschränkt)
Teckstr. 60
73207 Plochingen
Germany
E-Mail: info@onchain-systems.com
(Note: A data protection officer is only mandatory in certain cases. If appointed, please add contact details.)
2. General Information on Data Processing
2.1 Scope of Personal Data Processing
We generally process personal data only to the extent necessary to:
- provide a functional website,
- respond to enquiries,
- offer services and initiate or fulfil contracts,
- ensure security, stability and protection against misuse,
- and – with consent – provide analytics and marketing features (e.g. advertising).
2.2 Legal Bases
Depending on the processing activity, we rely on:
- Art. 6(1)(a) GDPR (consent)
- Art. 6(1)(b) GDPR (contract / pre-contractual measures)
- Art. 6(1)(c) GDPR (legal obligation)
- Art. 6(1)(f) GDPR (legitimate interest, e.g. IT security, website operation)
Where cookies or similar technologies are stored on or read from your device, the TDDDG (German Telecommunications Digital Services Data Protection Act) also applies:
- § 25(2) TDDDG (technically necessary cookies)
- § 25(1) TDDDG (optional cookies/tracking only with consent)
2.3 Data Deletion and Retention
We delete or block personal data as soon as the purpose for storage ceases to apply, unless statutory retention obligations (e.g. commercial or tax law) require otherwise. Consent may be revoked at any time with effect for the future.
3. Hosting, Web Server and Log Files
3.1 Hosting / Operations
Our website is hosted by Hetzner (Germany). It is served through an nginx web server configured as a reverse proxy with TLS/HTTPS.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and stable website operation).
Data processing agreement: Where required, a data processing agreement pursuant to Art. 28 GDPR is in place with the hosting provider.
3.2 Website Delivery and Log Files
Each time you access our website, our system automatically processes data and information transmitted by your browser. This includes in particular:
- IP address
- Date and time of access
- Pages/files accessed
- Referrer URL
- Browser type/version
- Operating system
- HTTP status code
- Amount of data transferred
Purpose: Website delivery, ensuring functionality, error analysis, attack prevention, IT security.
Legal basis: Art. 6(1)(f) GDPR.
Retention period: Log files are stored for 14 days and then deleted or anonymised, unless a security-relevant event necessitates longer retention for investigation purposes.
4. Cookies & Consent Management
4.1 Cookies
Cookies are small text files that your browser stores on your device. We use:
- technically necessary cookies to provide basic functionality (e.g. language settings, security features),
- optional cookies/tracking technologies (e.g. advertising/analytics) that are only used with your consent.
4.2 Consent Management (Cookie Banner)
We use a consent management tool to obtain, manage and document consent for optional cookies/tracking (e.g. marketing/ads/analytics).
Consent tool: Custom cookie consent banner (client-side, no external service).
Processed data: Consent status per category (necessary, functional, analytics, marketing), timestamp of consent. The data is stored as a cookie in your browser (retention: 6 months).
Legal basis:
- Consent for optional cookies/tracking: Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG
- Documentation/proof: Art. 6(1)(c) GDPR or Art. 6(1)(f) GDPR
Note: Optional services (e.g. Google Analytics, advertising) are only activated after consent.
4.3 Revocation / Cookie Settings
You may revoke or change your consent at any time via the cookie banner. You can also delete or block cookies through your browser settings. Disabling cookies may limit certain functionality.
5. Contact Form & E-Mail Contact
5.1 Description, Purpose and Scope
When you contact us via the contact form or e-mail, we process the data you provide, e.g.:
- Name
- E-mail address
- Phone number (if provided)
- Company (if provided)
- Content of your message / enquiry
Additionally, technical data (e.g. timestamp, IP address) may be processed for abuse prevention and system security, particularly when forms are used.
5.2 Legal Basis
- Art. 6(1)(b) GDPR (pre-contractual measures / contract), if your enquiry is directed towards this
- Art. 6(1)(f) GDPR (legitimate interest in communication, abuse prevention, IT security)
- where applicable Art. 6(1)(a) GDPR, if consent is requested in the form
5.3 Retention Period
We delete enquiries after processing is complete, unless statutory retention obligations apply.
6. AI Chatbot (OpenAI)
6.1 Description and Purpose
We offer an AI-based chatbot on our website that answers questions about our services and offerings. The chatbot uses the OpenAI API to generate responses. Use of the chatbot is voluntary and requires your prior consent.
6.2 Processed Data
The following data is processed when using the chatbot:
- Your entered messages (chat history of the current session)
- IP address (for rate limiting and abuse protection)
- Technical metadata of the request (e.g. timestamp)
Chat messages are transmitted to OpenAI servers to generate a response. No personal data is permanently stored. The chat history exists only during the active session.
6.3 Provider
OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA.
OpenAI privacy policy: https://openai.com/policies/privacy-policy
6.4 Legal Basis
Art. 6(1)(a) GDPR (consent). You consent to data processing before using the chatbot. You may revoke your consent at any time by closing the chat and discontinuing use.
6.5 Third-Country Transfer
When using the chatbot, data is transferred to OpenAI in the USA. The transfer is based on the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR.
6.6 Notice
Please do not enter any sensitive personal data in the chat (e.g. health data, financial data, passwords). The chatbot's responses do not constitute legal, tax or financial advice.
7. Web Analytics: Google Analytics 4
7.1 Description and Purpose
We use Google Analytics 4 (GA4) to analyse the use of our website, provided you have consented via our cookie banner. GA4 uses cookies and similar technologies to collect information about your usage behaviour (e.g. pages visited, time on site, device type, approximate location).
7.2 Provider
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
7.3 Google Consent Mode v2
We use Google Consent Mode v2. This means Google Analytics only fully collects data after your consent. Without consent, no analytics cookies are set and no personal data is transmitted to Google.
7.4 Legal Basis
Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG (consent).
7.5 Third-Country Transfer
Data may be transferred to Google servers in the USA. The transfer is based on the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCC).
7.6 Revocation
You may revoke your consent at any time via the cookie banner. Data already collected remains unaffected.
8. Advertising / Tracking (if applicable)
The following services are currently not active but may be used in the future. If so, they will only be activated after consent via the cookie banner.
8.1 Google Ads / Conversion Tracking
If we use Google Ads and conversion tracking, cookies may be set to measure the success of advertising campaigns.
Provider: Google Ireland Limited, Dublin, Ireland.
Legal basis: Consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG).
Third-country transfer: possible (USA), based on the EU-US DPF and/or SCC.
8.2 Google AdSense
If we use Google AdSense to display advertisements, cookies/identifiers may be used to serve, personalise and measure the effectiveness of ads.
Provider: Google Ireland Limited, Dublin, Ireland.
Legal basis: Consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG).
Third-country transfer: possible (USA), based on the EU-US DPF and/or SCC.
9. Social Media (LinkedIn, X, Instagram) and Embeds
We maintain company profiles on the following platforms:
- LinkedIn – Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
- X (formerly Twitter) – Provider: X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA
- Instagram – Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland
When you visit one of our social media profiles, we are jointly responsible with the respective platform operator for the resulting data processing (Art. 26 GDPR). We have no influence over the data the platforms collect or how they process it. Further information:
- LinkedIn Privacy: linkedin.com/legal/privacy-policy
- X Privacy: x.com/de/privacy
- Instagram/Meta Privacy: privacycenter.instagram.com/policy
9.1 Links
When you click our social media links, you will be redirected to the respective platform. Data processing by us only takes place when you interact with the respective profile. The privacy policies of the respective provider apply.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in public relations and communication).
9.2 Embeds
When we embed content from LinkedIn, X or Instagram on our website (e.g. post/feed widgets), data may be transmitted to the respective provider when the page loads (e.g. IP address, device/browser data, referrer). Where possible, we load such embeds only after your consent via our consent tool.
Legal basis: Art. 6(1)(a) GDPR (consent).
9.3 Third-Country Transfer
When using X and Instagram/Meta, data may be transferred to the USA. The transfer is based on the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCC).
10. Third-Country Transfers
When using certain services (e.g. OpenAI, Google Analytics, possibly Google Ads), personal data may be transferred to countries outside the EU/EEA (particularly the USA). This only occurs under the conditions of the GDPR:
- EU-US Data Privacy Framework (DPF): Google LLC and OpenAI are certified under the DPF (adequacy decision of the EU Commission pursuant to Art. 45 GDPR).
- Standard Contractual Clauses (SCC): Additionally or alternatively, Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR are used.
- Where applicable, further supplementary safeguards (e.g. encryption, pseudonymisation).
11. Recipients / Data Processors
We engage the following categories of service providers that process data on our behalf or independently:
- Hosting: Hetzner Online GmbH, Germany (Art. 28 GDPR)
- AI Chatbot: OpenAI, L.L.C., USA
- Web Analytics: Google Ireland Limited (Google Analytics 4)
- Newsletter: Provider to be determined (will be added here once selected)
Where required, we conclude data processing agreements (Art. 28 GDPR) or ensure the lawfulness of data transfers through appropriate safeguards.
12. Data Subject Rights
You have the following rights:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR)
- Withdrawal of consent (Art. 7(3) GDPR)
To exercise your rights, simply send a message to: info@onchain-systems.com
13. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR.
Competent supervisory authority:
The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Lautenschlagerstraße 20, 70173 Stuttgart
www.baden-wuerttemberg.datenschutz.de
14. Data Security
We use appropriate technical and organisational measures (e.g. TLS/HTTPS, access controls, backups) to protect your data. However, absolute protection against third-party access cannot be guaranteed.
15. Updates and Changes
We update this privacy policy whenever our website, the tools we use or legal requirements change. The current version always applies.
Note: We do not provide financial advice.
