Privacy Policy
Effective Date: September 24, 2025
Preamble: Scope and Principles
The protection of your personal data has the highest priority for Surion GmbH (hereinafter "we" or "us"). With this privacy policy, we inform you transparently and comprehensively in accordance with the requirements of the General Data Protection Regulation (GDPR), in particular Articles 13 and 14, about which personal data we collect, for which purposes we process it, and which rights you have in this context.
This policy applies to the use of our website, the use of our services, and any other interaction with our company.
Our offer is exclusively directed at entrepreneurs within the meaning of Section 14 of the German Civil Code (BGB). Conclusion of contracts with consumers within the meaning of Section 13 BGB is excluded. This clear B2B orientation means that specific consumer protection information obligations, such as those found in distance selling law, do not apply. Nevertheless, the GDPR protects the data of natural persons. For this reason, the personal data of our business contacts, applicants, and website visitors are subject to the full scope of protection of this regulation.
We additionally note that our offer is expressly not directed at minors under 16 years of age. We do not knowingly process personal data of children and adolescents.
1. Name and Contact Details of the Controller
The controller for data processing within the meaning of Article 4 No. 7 GDPR is:
Surion GmbH
Hauptstraße 122
66780 Rehlingen-Siersburg
Germany
Email: info@surion-group.com
Phone: +49 6835/9556730
Website: www.surion-group.com
We ensure that this information is always consistent with the information in the imprint of our website to guarantee legal coherence. For expedited processing of your data protection matters, we recommend directing inquiries directly to datenschutz@surion-group.com.
1.1 Data Protection Officer
After reviewing the legal requirements of Article 37 GDPR and Section 38 BDSG (German Federal Data Protection Act), we are not obligated to appoint a data protection officer. The contact point for all data protection-related inquiries is the controller mentioned above.
2. Definitions and Legal Bases for Processing
To ensure comprehensibility, we briefly explain some key GDPR terms:
Personal Data: All information relating to an identified or identifiable natural person (e.g., name, email address, IP address).
Processing: Any operation performed with or without automated means on personal data (e.g., collection, storage, use, transmission).
Controller: The natural or legal person who determines the purposes and means of processing personal data.
The processing of your personal data is exclusively based on legal provisions. The legal bases relevant to us under Article 6(1) GDPR are:
Consent (Article 6(1)(a) GDPR): If you have given us explicit consent for a specific processing purpose.
Contract Performance and Pre-contractual Requests (Article 6(1)(b) GDPR): When processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract.
Compliance with Legal Obligations (Article 6(1)(c) GDPR): Where we are subject to legal obligations that require processing of your data, such as tax and commercial law retention obligations.
Legitimate Interests (Article 6(1)(f) GDPR): When processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.
Additionally, the Telecommunications and Digital Services Data Protection Act (TDDDG), particularly Section 25 TDDDG, is relevant for access to or storage of information in the user's terminal equipment.
3. Your Rights as a Data Subject
As a person affected by data processing, you have comprehensive rights. To exercise your rights, you can contact us at any time using the contact details specified in Section 1. We process your requests in accordance with legal requirements, generally within one month.
Your rights in detail:
Right of Access (Article 15 GDPR): You have the right to request information about the personal data we process about you. If your data is transferred to a third country outside the European Union, you also have the right, as part of your right of access, to receive a copy of the specific safeguards that ensure an adequate level of data protection. This particularly concerns copies of the EU Standard Contractual Clauses (SCCs) concluded with our service providers.
Right to Rectification (Article 16 GDPR): You may request the correction of inaccurate data or the completion of your data stored with us.
Right to Erasure (Article 17 GDPR): You may request the deletion of your data stored with us, provided that no legal obligations (e.g., retention periods) or our legitimate interests (e.g., for the defense of legal claims) prevent deletion.
Right to Restriction of Processing (Article 18 GDPR): Under certain conditions, you may request the restriction of processing of your data.
Right to Data Portability (Article 20 GDPR): You have the right to receive data that you have provided to us and that we process automatically on the basis of your consent or for contract performance, in a structured, commonly used, and machine-readable format, or to request transmission to another controller.
Right to Object (Article 21 GDPR): You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on Article 6(1)(f) GDPR (legitimate interests).
Right to Withdraw Consent (Article 7(3) GDPR): You may withdraw consent you have given at any time with effect for the future. The lawfulness of processing carried out prior to withdrawal remains unaffected.
Right to Lodge a Complaint with a Supervisory Authority (Article 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data.
3.1 Special Notice on Your Right to Object to Direct Marketing
If your personal data is processed for direct marketing purposes, you have the right under Article 21(2) GDPR to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
3.2 Competent Supervisory Authority
The supervisory authority responsible for us, where you can lodge a complaint, is:
Independent Data Protection Centre Saarland
State Commissioner for Data Protection and Freedom of Information
Fritz-Dobisch-Straße 12
66111 Saarbrücken
Germany
Email: poststelle@datenschutz.saarland.de
Phone: +49 681 94781-0
4. Data Processing in the Context of Our Business Activities
4.1 Contract Initiation, Performance, and Termination
In the context of our business relationship, we process personal data that is necessary for the initiation, performance, and termination of a contractual relationship and for the fulfillment of associated contractual obligations.
Data Categories Processed: Salutation, first and last name, business contact details (address, email address, phone number), position, company, contract data, billing and payment data.
Purpose: Processing of the entire contract cycle, from quotation preparation through service delivery to invoicing and receivables management.
Legal Basis: Processing is necessary for the performance of a contract or to take steps prior to entering into a contract (Article 6(1)(b) GDPR).
Obligation to Provide: Without provision of this data, we generally cannot conclude a contract with you or your company or cannot provide the owed services.
4.2 Business Communication (Email, Contact Form via Google Workspace)
For our internal and external business communication, including processing of inquiries through our contact form, we use the services of Google Workspace. The provider for the European Economic Area (EEA) is Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; the parent company is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Data Categories Processed: Name, email address, phone number (if provided), content of your message, and communication metadata. Name and email address are marked as mandatory fields in our contact form as they are essential for personal address and response.
Purpose: Efficient and traceable processing of your specific request.
Legal Basis: If your contact serves to initiate or fulfill a contract, the legal basis is Article 6(1)(b) GDPR. For all other inquiries, we base processing on our legitimate interest in structured and professional communication according to Article 6(1)(f) GDPR.
Data Transfer to Third Countries: We have configured the "EU Data Residency" option so that primary storage of core data takes place on servers within the EU. Since Google is a US corporation, access from the USA for support purposes or due to US laws cannot be entirely excluded. Any transfer to the USA is based on Google LLC's certification under the EU-U.S. Data Privacy Framework (DPF), an adequacy decision pursuant to Article 45 GDPR. Further information can be found in Section 8.2.
4.3 Use of AI Assistant Functions (Gemini in Workspace)
Additionally, we use the AI assistant functions ("Gemini") integrated in Google Workspace to increase internal productivity.
Our Legitimate Interest (Purpose): Our interest lies in increasing internal efficiency in the creation, summarization, and analysis of business documents and communication content. This enables us to respond more quickly and precisely to inquiries and to use our resources more effectively.
Necessity of Processing: The use of these AI functions is necessary to realize the aforementioned efficiency gains in an environment of high information density.
Balancing and Protective Measures: Processing is based on our legitimate interest pursuant to Article 6(1)(f) GDPR. After careful consideration, we have concluded that our interests are not outweighed by your interests or fundamental rights and freedoms. We base this on the following protective measures implemented and contractually guaranteed by Google:
No Training of General Models: Google contractually assures us as a commercial customer that our content (e.g., emails, documents) is not used to train Google's general AI models. Your data remains within our protected Workspace environment.
Compliance with Access Permissions: The AI does not receive its own or extended access rights. It operates exclusively within the permissions already assigned to the employee using the function. This ensures that the confidentiality of your data is maintained and processing follows the "need-to-know" principle.
Data Transfer: The protective measures described in Section 4.2 for data transfer (EU Data Residency, DPF) also apply to processing by Gemini.
4.4 Customer Relationship Management (CRM via HubSpot)
For managing our customer and prospect relationships, we use the CRM system from HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA.
Data Categories Processed: Master, contact, contract, and communication data.
Purpose: Efficient customer management, documentation of business relationships, and needs-based communication.
Legal Basis: Processing of existing customer data is necessary for the fulfillment of our contractual obligations (Article 6(1)(b) GDPR). Management of data of potential customers (prospects) is based on our legitimate interest in effective sales management (Article 6(1)(f) GDPR).
Data Transfer to Third Countries: We have configured our HubSpot account so that primary storage takes place in the European data center in Germany. However, for infrastructure provision, HubSpot uses sub-processors (e.g., Amazon Web Services, Google LLC) in the USA. These transfers are secured by HubSpot's certification under the EU-U.S. Data Privacy Framework (DPF) and/or by Standard Contractual Clauses (SCCs). Further information can be found in Section 8.2.
4.5 Invoicing and Accounting (Lexoffice)
For our accounting and invoice creation, we use the Lexoffice service from Haufe-Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg, Germany.
Data Categories Processed: Relevant invoicing and payment data (name, address, contract details, bank details).
Purpose and Legal Basis: Processing of this data is necessary to fulfill our legal obligations under the German Commercial Code (HGB) and the Tax Code (AO) (Article 6(1)(c) GDPR).
Storage Location: Processing takes place exclusively on servers in Germany or the EU.
5. Data Processing for Marketing and Sales Purposes
5.1 Direct Marketing and Prospect Outreach (B2B)
We process contact data of potential business partners that we either receive directly from you, obtain from publicly accessible sources (e.g., professional networks such as LinkedIn, company websites), or from B2B address data providers.
Data Categories Processed: Name, business contact details (email, phone), position, company.
Purpose and Legal Basis: Processing serves business initiation and direct marketing in the B2B context. We base this on our legitimate interest in B2B acquisition and customer care according to Article 6(1)(f) GDPR. We observe the additional fair competition provisions of the German Act Against Unfair Competition (UWG). Marketing contact via email to non-customers is generally only made with your consent (Article 6(1)(a) GDPR). An exception for existing customers exists in accordance with Section 7(3) UWG.
Information Obligation for Third-Party Collection: If we do not collect your data directly from you, we inform you about the processing according to Article 14 GDPR at the latest upon first contact with you.
5.2 Newsletter Distribution (HubSpot)
If you have subscribed to our newsletter, we use HubSpot for its distribution and success measurement.
Purpose and Legal Basis: Distribution of the newsletter as well as associated processing of your email address and analysis of opening and click rates are carried out exclusively on the basis of your explicit consent according to Article 6(1)(a) GDPR.
Registration Process and Withdrawal: Registration is done through a legally secure double opt-in procedure, the implementation of which we log to fulfill our documentation obligations. You may withdraw your consent at any time with effect for the future by using the unsubscribe link at the end of each newsletter or by sending us an informal notification.
5.3 AI-Supported Telephony (Fonio.ai)
For efficient appointment scheduling and answering standard inquiries, we use AI-based telephony solutions.
Fonio.ai (Fonio GmbH, Austria): This service is used for call handling.
Legal Basis: Processing of information transmitted during the conversation for appointment scheduling or answering your inquiry serves contract initiation (Article 6(1)(b) GDPR).
Consent to Recording: At the beginning of each conversation, we explicitly ask for your consent to record the phone call for documentation and quality purposes (Article 6(1)(a) GDPR). If you do not give this consent, no recording is created, or one already started is immediately deleted.
Storage Location: Fonio.ai stores and processes all data, including any recordings, exclusively on servers in Germany (Nuremberg).
6. Data Processing on Our Website and Online Presences
6.1 Provision of the Website and Server Log Files (Hosting via Wix.com)
For the operation of our website, we use the services of Wix.com Ltd., Nemal St. 40, 6350671 Tel Aviv, Israel.
Data Processed: Each time our website is accessed, the system automatically collects data and information from the accessing computer system (so-called server log files). These include IP address, browser type and version, operating system used, referrer URL, hostname of the accessing computer, and date and time of the server request.
Purpose and Legal Basis: This processing is technically necessary to display the website to you in a stable and secure manner. The legal basis for this is our legitimate interest in secure and functional operation of our online presence according to Article 6(1)(f) GDPR.
Data Transfer to Third Countries: Data is transferred to Wix in Israel. An adequacy decision by the EU Commission exists for Israel (Article 45 GDPR), which confirms an adequate level of data protection. Wix uses sub-processors (e.g., Amazon Web Services) located in the USA for technical provision. This onward transfer is secured by the EU Commission's Standard Contractual Clauses (SCCs) according to Article 46 GDPR. Further information can be found in Section 8.2.
6.2 Use of Cookies and Consent Management (Usercentrics)
Our website uses cookies and comparable technologies. We distinguish between technically strictly necessary technologies and consent-based technologies. For legally compliant collection, management, and documentation of your consents, we use a Consent Management Platform (CMP) from Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany.
Legal Framework (TDDDG & GDPR): The use of these technologies is subject to a two-stage principle:
Access to Your Terminal Equipment (Section 25 TDDDG): Storing information on your terminal equipment or accessing already stored information generally requires your consent according to Section 25(1) TDDDG. An exception applies only to technologies that are "strictly necessary" to provide the service you have expressly requested (Section 25(2) No. 2 TDDDG).
Processing of Personal Data (GDPR): Subsequent processing of personal data also requires a legal basis. For technically necessary technologies, this is our legitimate interest in a functional website (Article 6(1)(f) GDPR). For all other technologies (e.g., for marketing or statistics), the legal basis is your explicit consent according to Article 6(1)(a) GDPR.
Processing of Consent Data: The CMP processes data on your consent status (consent data) to fulfill our legal documentation obligation under Article 7(1) GDPR. This processing is therefore justified on the basis of Article 6(1)(c) GDPR.
Withdrawal of Your Consent: You may withdraw consent you have given at any time with effect for the future. You can easily do this through the settings in our consent banner, which is permanently accessible on our website.
Detailed Information: An always current overview of all cookies and technologies used, their providers, purposes, and durations can be found directly in our consent banner.
6.3 Website Analytics (Google Search Console)
We use Google Search Console (provider: Google Ireland Ltd. / Google LLC) to monitor and optimize the presence of our website in Google search results.
Purpose and Legal Basis: Use serves our legitimate interest in technical optimization of our website and improvement of our discoverability (Article 6(1)(f) GDPR).
Type of Data: Exclusively aggregated and anonymized data is processed (e.g., search queries, click numbers, countries). We do not receive access to personal data of individual visitors.
6.4 Presences on Social Networks (Facebook, TikTok, Instagram, LinkedIn, X) and Joint Controllership
We maintain online presences within social networks (currently Facebook, TikTok, Instagram, LinkedIn, and X) to inform about our company and communicate with relevant target groups.
Joint Controllership (Article 26 GDPR): For certain processing operations, particularly for the creation of statistical evaluations about page visits (so-called "Insights"), we are jointly responsible with the respective platform operator. We have concluded the legally required agreements with the operators (e.g., LinkedIn's "Page Insights Controller Addendum," accessible via the respective provider's link). These agreements stipulate that the platforms assume primary responsibility for processing Insights data and fulfilling data subject rights.
Purpose and Legal Basis: Operating our social media pages serves our legitimate interest in contemporary public relations and company presentation according to Article 6(1)(f) GDPR.
Responsibility of Platforms: The respective platform operator is solely responsible for all other data processing. We have no influence on this processing. Information on this can be found in the privacy policies of the respective platform.
7. Data Processing in the Application Process
If you apply to us, we process your personal data to conduct the application process.
Data Categories Processed: Contact details, cover letter, CV, certificates, and all other information you provide.
Purpose and Legal Basis: Processing is carried out for the purpose of deciding on the establishment of an employment relationship. The legal basis for this is Section 26(1) BDSG in conjunction with Article 88 GDPR.
Storage Duration in Case of Rejection: In case of rejection, your application documents will be retained for a maximum of six months after notification of the rejection decision. This retention is necessary to protect our legitimate interests (Article 6(1)(f) GDPR), particularly for defense against possible claims under the General Equal Treatment Act (AGG). After this period expires, the data will be completely deleted.
Talent Pool: Longer storage of your data in our talent pool is carried out exclusively on the basis of your separate, explicit consent (Article 6(1)(a) GDPR), which you may withdraw at any time.
8. Data Transfer to Third Parties and Third Countries
8.1 Categories of Recipients
Transfer of your data to third parties only occurs if legally permitted or if you have consented. Recipients of your data may include:
Processors: External service providers who process data strictly according to our instructions (e.g., IT service providers, hosters, SaaS providers). We have concluded contracts with all processors according to Article 28 GDPR.
Own Controllers: Third parties who process data under their own responsibility (e.g., payment service providers, postal service providers, banks, tax advisors).
8.2 Summary Overview of Data Transfers to Third Countries
We only transfer personal data to countries outside the EEA if an adequate level of data protection is ensured. The following table provides you with a transparent overview of our regular transfers to third countries.
Service (Provider) / Purpose / Legal Basis for Transfer / Additional Measures
Google Workspace (Google Ireland Ltd. / Google LLC, USA)
Purpose: Business communication, email, contact form, AI assistance (Gemini)
Legal Basis: EU-U.S. Data Privacy Framework (DPF) - Adequacy Decision (Article 45 GDPR)
Additional Measures: EU Data Residency activated; Google LLC DPF-certified
HubSpot (HubSpot, Inc., USA)
Purpose: CRM, newsletter distribution
Legal Basis: EU-U.S. Data Privacy Framework (DPF) - Adequacy Decision (Article 45 GDPR); Standard Contractual Clauses (SCCs, Article 46 GDPR)
Additional Measures: Primary storage in European data center (Germany); HubSpot DPF-certified; SCCs with sub-processors
Wix.com (Wix.com Ltd., Israel; sub-processors in USA)
Purpose: Website hosting
Legal Basis: Adequacy Decision for Israel (Article 45 GDPR); Standard Contractual Clauses (SCCs, Article 46 GDPR) for USA
Additional Measures: Israel adequacy decision; SCCs with US sub-processors (e.g., AWS)
Fonio.ai (Fonio GmbH, Austria)
Purpose: AI-supported telephony
Legal Basis: No third country transfer
Additional Measures: Exclusive storage in Germany (Nuremberg)
9. Data Security (Technical and Organizational Measures)
We implement comprehensive technical and organizational measures (TOMs) pursuant to Article 32 GDPR to ensure a level of security appropriate to the risk for your data. Our security concept follows a multi-layered approach and includes, among other things:
Encryption of data in transit (TLS) and of data at rest
Strict access controls according to the need-to-know principle (role-based access control, RBAC)
Mandatory two-factor authentication (2FA) for all critical systems
Regular creation of backups
Careful selection of our service providers and their contractual commitment to high security standards
10. Storage Duration and Deletion Concept (Retention Matrix)
We store your data only for as long as is necessary for the respective processing purpose or as prescribed by legal retention periods. After the purpose has been fulfilled or the deadlines have expired, the data is routinely deleted.
Data Category / Storage Duration / Legal Basis
Contract and Business Data
Duration: Duration of the business relationship + statutory retention periods (6-10 years)
Legal Basis: §§ 147 AO (Tax Code), 257 HGB (Commercial Code)
Communication Data (emails, inquiries)
Duration: Duration of business relationship + up to 6 years
Legal Basis: Limitation periods (§ 195 BGB)
Marketing Data (newsletter recipients, prospects)
Duration: Until withdrawal of consent or objection; otherwise, reviewed annually
Legal Basis: Article 6(1)(a) or (f) GDPR
Website Access Data (log files)
Duration: Maximum 7 days, then anonymized or deleted
Legal Basis: Technical operation (Article 6(1)(f) GDPR)
Consent Data (Usercentrics)
Duration: 3 years from last interaction
Legal Basis: Documentation obligation (Article 7(1) GDPR)
Application Documents (rejected)
Duration: Maximum 6 months after rejection notification
Legal Basis: Defense against AGG claims (Article 6(1)(f) GDPR)
Application Documents (Talent Pool)
Duration: Until consent withdrawal; otherwise maximum 2 years
Legal Basis: Consent (Article 6(1)(a) GDPR)
11. Final Provisions: Currency and Amendments to This Privacy Policy
We reserve the right to amend this privacy policy as necessary, for example in case of changes in legislation, introduction of new technologies, or adaptation of our services. We recommend that you consult this policy at regular intervals. The respective effective date is noted at the beginning of the document.
