DreamIT Logo

Privacy Policy

As of: 5 May 2026

This is a non-binding English translation provided for convenience. The legally binding version is the German Datenschutzerklärung. In the event of any discrepancy, the German version prevails.

I. Name and address of the controller

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection provisions is:

dreamIT GmbH
Managing Director: Sebastian Cario
Gaußstr. 126
22765 Hamburg, Germany
Phone: +49.40.60 94 52 47 – 0
Fax: +49.40.60 94 52 47 – 9
Email: info@dreamit.de

II. Data protection officer

The controller’s data protection officer is:

ARTANA Digital GmbH
Prof. Dr. Christian Rauda
Alstertwiete 3, 20099 Hamburg, Germany
Phone: +49.40.537 981 260
Website: www.artana.law

III. General information on data processing

1. Scope of processing personal data

As a matter of principle, we collect and use our users’ personal data only insofar as this is necessary to provide a functional website and our content and services. The collection and use of our users’ personal data regularly takes place only with the user’s consent. An exception applies in cases where obtaining prior consent is not possible for factual reasons and the processing of the data is permitted by law. Insofar as we disclose data to other persons and companies (processors or third parties), transfer it to them or otherwise grant them access to the data within the scope of our processing, this is done only on the basis of a legal permission (e.g. where a transfer of data to third parties, such as payment service providers, is necessary for the performance of a contract pursuant to Art. 6 (1) (b) GDPR), where you have consented, where a legal obligation provides for this, or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

The types of data processed are:

  • Master data (e.g. names, addresses).
  • Contact data (e.g. email, telephone numbers).
  • Content data (e.g. text input, photographs, videos).
  • Usage data (e.g. websites visited, interest in content, access times).
  • Meta/communication data (e.g. device information, IP addresses).

Insofar as we engage third parties to process data on the basis of a so-called “data processing agreement”, this is done on the basis of Art. 28 GDPR. Insofar as we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or this happens in the context of using third-party services or the disclosure or transfer of data to third parties, this only takes place if it is necessary to fulfil our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have data processed in a third country only where the special requirements of Art. 44 et seq. GDPR are met. This means processing takes place, for example, on the basis of special guarantees, such as the officially recognised determination of a level of data protection corresponding to that of the EU (e.g. by way of a so-called adequacy decision) or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).

2. Legal basis for processing personal data

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis. When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures. Insofar as processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 (1) (c) GDPR serves as the legal basis. If processing is necessary to safeguard a legitimate interest of our company or a third party, and the interests, fundamental rights and freedoms of the data subject do not override the former interest, Art. 6 (1) (f) GDPR serves as the legal basis for processing.

3. Data erasure and storage duration

The data subject’s personal data is erased or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. Data is also blocked or erased when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.

IV. Provision of the website and creation of log files

1. Description and scope of data processing

When you access our website, our system automatically collects data and information from the computer system of the accessing device.

The following data is collected on a time-limited basis:

  • Information about the browser type and version used.
  • The user’s operating system.
  • The user’s internet service provider.
  • The user’s IP address.
  • Date and time of access.
  • Websites from which the user’s system reaches our website (referrer).

The data is stored in our system’s log files. This data is only needed to analyse any malfunctions and is deleted within seven days at the latest. The legal basis for the temporary storage of the data and log files is Art. 6 (1) (f) GDPR. The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s device. For this purpose, the user’s IP address must remain stored for the duration of the session. Storage in log files takes place to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. No evaluation of the data for marketing purposes takes place in this context, and no conclusions are drawn about your person. Our legitimate interest in data processing pursuant to Art. 6 (1) (f) GDPR also lies in these purposes. The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for the user to object.

V. Use of cookies

Our website currently uses exclusively technically necessary cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. When a user calls up a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is accessed again.

The legal basis for the processing of personal data using technically necessary cookies is Art. 6 (1) (f) GDPR. The purpose of using technically necessary cookies is to make the use of websites easier for users. Some functions of our website cannot be offered without the use of cookies. The user data collected by technically necessary cookies is not used to establish your identity.

Should non-essential cookies or third-party services be used in the future, these will only be loaded after your explicit consent via our cookie banner. Consent can be withdrawn at any time via the privacy settings.

VI. Contact form, data protection for applications

When you contact us (e.g. via the contact form, email, telephone or social media), the user’s details are processed for the purpose of handling and processing the contact request pursuant to Art. 6 (1) (b) GDPR. The users’ details and your registration may be stored in a customer relationship management system (“CRM system”) or comparable enquiry organisation.

We collect and process the personal data of applicants for the purpose of handling the application procedure. Processing may also take place electronically. This is particularly the case if an applicant submits the relevant application documents electronically, for example by email. If we conclude an employment contract with an applicant, the transmitted data is stored for the purpose of handling the employment relationship in compliance with the statutory provisions. If no employment contract is concluded with the applicant, the application documents are automatically deleted after the rejection decision has been announced, provided that no other legitimate interests of the controller conflict with deletion. Other legitimate interests in this sense include, for example, a burden of proof in proceedings under the German General Equal Treatment Act (AGG).

VII. Online presence on social media and integration of third-party services

We maintain online presences within social networks and platforms in order to communicate with the customers, prospects and users active there and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and data processing policies of their respective operators apply. Unless otherwise stated in our privacy policy, we process users’ data insofar as they communicate with us within the social networks and platforms, e.g. by writing posts on our online presences or sending us messages. Within our online offering, we set links to these third-party services on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offering within the meaning of Art. 6 (1) (f) GDPR). No content from these providers is automatically embedded in our site; a connection to the respective provider is only established when you click on the respective link.

Instagram

We have placed a link to our page on Instagram. This service is provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (for users in the EEA and Switzerland). Instagram privacy policy: https://privacycenter.instagram.com/policy/.

kununu

We have placed a link to our profile on kununu. The provider is kununu GmbH, Wollzeile 1-3, 1010 Vienna, Austria (part of New Work SE). kununu privacy policy: https://www.kununu.com/datenschutz.

Hosting (Cloudflare)

This website is hosted by Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich, Germany (parent company: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA). On our behalf (Art. 28 GDPR), Cloudflare processes technical connection data (IP address, timestamp, user agent, referrer) in order to deliver the website and protect it against attacks. The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in secure and stable operation). Privacy policy: https://www.cloudflare.com/privacypolicy/.

Applicant management (B-ITE)

For the publication of our job postings and the processing of applications, we use the service B-ITE provided by BITE GmbH, Magirus-Deutz-Straße 12, 89077 Ulm, Germany (managing directors: Hubert Ketterer, Stefan Häck; Ulm Local Court HRB 722234). When you click on a job posting on our careers page (/stellenanzeigen/<slug>), you are redirected via a server redirect (HTTP 302) to jobs.b-ite.com. In doing so, your IP address and your user agent are transmitted to BITE GmbH, as your browser follows the redirect. Any further application data is collected and processed by you directly with B-ITE where applicable. BITE GmbH processes this data on our behalf (Art. 28 GDPR). The legal basis is Art. 6 (1) (b) GDPR (initiation and conduct of an application procedure) in conjunction with Art. 6 (1) (f) GDPR (legitimate interest in making our open positions visible to applicants). The storage period is governed by the data processing agreement with BITE GmbH. Processing takes place within the EU. Privacy policy of BITE GmbH: https://www.b-ite.de/datenschutz.

VIII. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right of access

You may request confirmation from the controller as to whether personal data concerning you is being processed by us. If such processing is taking place, you may request information from the controller about the following:

  • the purposes for which the personal data is processed;
  • the categories of personal data being processed;
  • the recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;
  • the planned duration for which the personal data concerning you will be stored or, if specific information on this is not possible, criteria for determining the storage duration;
  • the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;
  • the existence of a right to lodge a complaint with a supervisory authority;
  • all available information about the origin of the data, where the personal data is not collected from the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

2. Right to rectification

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete. The controller must carry out the rectification without delay.

3. Right to restriction of processing

Under the following conditions, you may request the restriction of the processing of the personal data concerning you:

  • if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
  • if the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of the use of the personal data;
  • if the controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims; or
  • if you have objected to the processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds.

4. Right to erasure

You may request the controller to erase the personal data concerning you without delay, provided one of the legally specified grounds applies – for example, where the data is no longer necessary for the purposes for which it was collected, you withdraw your consent, you object to the processing, or the processing has been unlawful.

5. Right to notification

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

6. Right to data portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that the processing is based on consent pursuant to Art. 6 (1) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and the processing is carried out by automated means.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising.

8. Right to withdraw the data protection consent declaration

You have the right to withdraw your data protection consent declaration at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the point of withdrawal.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your residence, place of work or place of the alleged infringement, if you consider that the processing of the personal data concerning you infringes the GDPR. The competent authority for dreamIT GmbH is the Hamburg Commissioner for Data Protection and Freedom of Information (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, HmbBfDI).