Our Privacy Policy
The following Information on the joint controllership pursuant to Art. 26 (2) 2 of the General Data Protection Regulation (GDPR) serves to make the essential contents of the agreement between the contracting parties transparent to the data subjects.
The parties have jointly determined the order of the processing of your personal data in each section of processing. Therefore, they are so-called joint controllers (Art. 26 GDPR) for the protection of your personal data within the sections of processing described below.
1. Definitions
In this data protection declaration, we use the following terms:
Personal data: Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject: Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
Processing: Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Restriction of processing: Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.
Profiling: Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Controller: Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor: Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient: Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Third party: Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent: Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2) Joint controller (Art. 26 GDPR)
Joint Controller of the ESA Business Accelerator for the purposes of the GDPR are:
UnternehmerTUM gGmbH
Lichtenbergstraße 6
85748 Garching
E-Mail: info@unternehmertum.de
Website: www.unternehmertum.de
TUM Venture Labs Management gGmbH
Lichtenbergstraße 6
85748 Garching
E-Mail: venturelabs@tum.de
Website: www.venturelabs.tum.de/venturelabs/home/
acitoflux GmbH
Königstraße 35
70173 Stuttgart
Website: www.acitoflux.com
E-Mail: community@acitoflux.com
3) Data Protection Officer
The Data Protection Officer of TM Venture Labs and UnternehmerTUM is:
Alexander Stolberg-Stolberg
SVF Attorneys at Law
Oberanger 30
80331 Munich
Tel.: 089 210 25 120
E-Mail: stolberg@unternehmertum.de
Any data subject may, at any time, contact our Data Protection Officer directly with all questions and suggestions concerning data protection.
4) Collection of general data and information
Our website collects a series of general data and information when a data subject or automated system calls up the website. This general data and information are stored in the server log files. Collected may be
the browser types and versions used,
the operating system used by the accessing system,
the website from which an accessing system reaches our website (so-called referrers),
the sub-websites,
the date and time of access to the Internet site,
an Internet protocol address (IP address),
the Internet service provider of the accessing system, and
any other similar data and information that may be used in the event of attacks on our information technology systems.
When using these general data and information, we do not draw any conclusions about the data subject. Rather, this information is needed to
deliver the content of our website correctly,
optimize the content of our website as well as its advertisement,
ensure the long-term viability of our information technology systems and website technology, and
provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack.
Therefore, the Controller analyzes anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
5) Purpose of the data processing
The processing of the above data is carried out,
to enable the use of the website in technical terms
to authenticate and authorize a user to use the website (e.g. when using paid online services)
to create pseudonymous usage statistics for us and our users (e.g. evaluation of usage for optimization and marketing purposes, in particular to make product improvements)
to document possible contract conclusions and consents in a legally compliant manner
to prevent data misuse and to investigate criminal offences
6) Cookies
We use cookies. Cookies are text files that are stored in a computer system via an Internet browser. Many Internet sites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a character string through which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This allows visited Internet sites and servers to differentiate the individual browser of the data subjects from other Internet browsers that contain other cookies. A specific Internet browser can be recognized and identified using the unique cookie ID.
Through the use of cookies, we can provide the users of this website with more user-friendly services that would not be possible without the cookie setting.
By means of a cookie, the information and offers on our website can be optimized with the user in mind. Cookies allow us, as previously mentioned, to recognize our website users. The purpose of this recognition is to make it easier for users to utilize our website. The website user that uses cookies, e.g. does not have to enter access data each time the website is accessed, because this is taken over by the website, and the cookie is thus stored on the user’s computer system. Another example is the cookie of a shopping cart in an online shop. The online store remembers the articles that a customer has placed in the virtual shopping cart via a cookie.
The data subject may, at any time, prevent the setting of cookies through our website by means of a corresponding setting of the Internet browser used, and may thus permanently deny the setting of cookies. Furthermore, already set cookies may be deleted at any time via an Internet browser or other software programs. This is possible in all popular Internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be entirely usable.
7) Responsibility for data processing
The above-mentioned parties involved are jointly responsible for the lawfulness of all data processing operations, notwithstanding the details of the joint responsibility agreement pursuant to Art. 26(1) GDPR.
Within the framework of joint controllership, the parties involved have also agreed on the following responsibilities:
Process Step: Administering ESA Incentives and Data from Programme Application
Data Categories:
• First name
• Surname
• Address
• Email address
• Qualification
Data Subjects:
1. Customers of those responsible: Participating Start-ups, including their founders and employees.
2. Employees of those responsible.
3. Service providers supporting the Accelerator Programme, such as Workshop Lecturers and Experts.
4. Mentors voluntarily supporting the Accelerator Programme.
Responsible Party: UnternehmerTUM
Process Step: Matchmaking with Investors
Data Categories:
• First name
• Surname
• Email address (business)
• Phone number (business)
Data Subjects:
1. Founders or persons responsible for fundraising at Start-ups.
2. Potential investors and employees of investors.
Responsible Party: Acitoflux
Process Step: Matchmaking with Corporates
Data Categories:
• First name
• Surname
• Email address (business)
• Job Title
Data Subjects:
1. Founders or persons responsible for fundraising at Start-ups.
2. Corporates as potential partners or customers and employees of those companies.
Responsible Party: Venture Labs Management
Process Step: Events
Data Categories:
• First name
• Surname
• Address
• Email address
• Job Title
Data Subjects:
1. Customers of those responsible: Participating Start-ups, including their founders and employees.
2. Employees of those responsible.
3. Mentors voluntarily supporting the Accelerator Programme.
4. Potential investors and employees of investors.
5. Corporates as potential partners or customers and employees of those companies.
Responsible Parties: UnternehmerTUM, Acitoflux, Venture Labs
The following obligations exist for the exercise of the rights of the data subjects:
7a) Information obligations
All parties involved ensure compliance with the information obligations when collecting personal data pursuant to Art. 13 GDPR (collection from the data subject) and Art. 14 GDPR (collection not from the data subject).
For this purpose, we provide the information required in each case free of charge in a precise, transparent, comprehensible and easily accessible form in clear and simple language.
7b) Requests for the exercise of data subjects' rights
Data subjects may contact any party involved in the ecosystem to exercise their respective data subject rights. In such a case, the other parties involved in the ecosystem are obliged to forward the data subject's request to the other parties involved.
7c) Security of data processing
The parties involved in the ecosystem shall ensure that all appropriate technical and organisational measures are implemented in such a way that the data processing is carried out in accordance with the requirements of applicable data protection regulations (in particular the GDPR) and ensures the protection of the rights of the data subject.
7d) The use of processors
The parties involved may use the services of third parties to process data on their behalf ("processors").
8) Mail contact and contact forms
If you contact us via an e-mail address provided by us, we will store the data you provide with the e-mail. If you have the option of contacting us via a contact form on our website, the data you provide will be stored by us. The data is stored for the purpose of processing the request transmitted with your communication and, if necessary, to contact you. The legal basis is Art. 6 para. 1 p. 1 lit. f GDPR; our legitimate interest is the appropriate response to contact requests. If the request is directed towards the conclusion of a contract, the legal basis is also Art. 6 para. 1 p. 1 lit. b) GDPR.
9) LinkedIn
With your consent, we activate a cookie from LinkedIn when you visit our website (LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Ireland).
The tag reports to LinkedIn which actions you have performed on our website and possibly identifying data.With the data, LinkedIn can recognise that you have visited our website, what you have clicked on and if you have clicked on a link on LinkedIn that connects you to our website. This allows LinkedIn to show you interest-based content. LinkedIn may associate this data with your user account and use it for its own purposes. The processing of your data by LinkedIn is explained in the data protection information at https://www.linkedin.com/legal/privacy-policy.
We do not receive any data about you or other users from LinkedIn, but only statistics that show us, aggregated for all users in a certain period, how they have used our offers and advertisements on other LinkedIn platforms. This helps us to analyse which of our ads were successful and which were not.
10) Google Analytics (GA4)
We use the analysis tracking tool Google Analytics in the version Google Analytics 4 (GA4) of the American company Google Inc. on our website. For the European area, the company
Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland
is responsible for all Google services in Europe. Google Analytics collects data about your actions on our website. Through the combination of various technologies such as cookies, device IDs and login information, you can be identified as a user across different devices. This means that your actions can also be analysed across platforms.
For example, when you click on a link, this event is stored in a cookie and sent to Google Analytics. The reports we receive from Google Analytics help us to better tailor our website and services to your needs. In the following, we will discuss the tracking tool in more detail and, in particular, inform you about what data is processed and how you can prevent this.
Google Analytics is a tracking tool that is used to analyse the data traffic on our website. These measurements and analyses are based on a pseudonymous user identification number. This number does not contain any personal data such as your name or address, but is used to assign events to a device. GA4 uses an event-based model that collects detailed information about user interactions such as page views, clicks, scrolling, and conversion events. In addition, GA4 also incorporates various machine learning functions to better understand user behaviour and certain trends. GA4 relies on modelling with the help of machine learning functions. This means that missing data can be extrapolated on the basis of the collected data in order to optimise the analysis and also to be able to make forecasts.
To make Google Analytics work, a tracking code is built into the code of our website. When you visit our website, this code records various events that you perform on our website. With the event-based data model of GA4, we as website operators can define and track specific events to obtain analyses of user interactions. This means that, in addition to general information such as clicks or page views, special events that are important for our business can also be tracked. Such special events can be, for example, sending a contact form or purchasing a product.
As soon as you leave our website, this data is sent to the Google Analytics server and stored there.
Google processes the data and we receive reports about your user behaviour. These reports may include, but are not limited to, the following:
Target group reports: Target group reports help us get to know our users better and give us a more precise idea of who is interested in our service.
Display reports: Display reports help us to analyse and improve our online advertising.
Acquisition reports: Acquisition reports provide us with helpful information on how we can attract more people to our service.
Behaviour reports: These reports tell us how you interact with our website. We can see which links you click on and the path you take through our site.
Conversion reports: A conversion is when you take a desired action in response to a marketing message. For example, when you go from being a website visitor to a buyer or newsletter subscriber. These reports help us learn more about how our marketing efforts reach you. This is how we want to increase our conversion rate.
Real-time reports: These always tell us immediately what is happening on our website. For example, we can see how many users are currently reading this text.
In addition to the above-mentioned analysis reports, Google Analytics 4 also offers the following functions:
Event-based data model: This model records very specific events that can take place on our website. For example, playing a video, purchasing a product or registering for our newsletter.
Advanced analytics: These functions enable us to better understand your behaviour on our website or certain general trends. For example, we can segment user groups, perform comparative analyses of target groups or track your path on our website.
Predictive modelling: Based on collected data, machine learning can be used to extrapolate missing data that predicts future events and trends. This can help us to develop better marketing strategies.
Cross-platform analysis: Data can be collected and analysed from both websites and apps. This offers us the opportunity to analyse user behaviour across platforms, provided that you have, of course, consented to the data processing.
Our goal with this website is to offer you the best possible service. The statistically evaluated data shows us a clear picture of the strengths and weaknesses of our website. On the one hand, we can optimise our site so that it is easier for interested people to find on Google. On the other hand, the data helps us to better understand you as a visitor. We therefore know exactly what we need to improve on our website to offer you the best possible service. The data also helps us to carry out our advertising and marketing measures in a more individualised and cost-effective manner. After all, it only makes sense to show our products and services to people who are interested in them.
Google Analytics uses a tracking code to create a random, unique ID associated with your browser cookie. This is how Google Analytics recognises you as a new user and assigns you a user ID. The next time you visit our site, you will be recognised as a ‘returning’ user. All the data collected is stored together with this user ID. This is what makes it possible to evaluate pseudonymous user profiles. To analyse our website with Google Analytics, a property ID must be added to the tracking code. The data is then saved in the corresponding property. The Google Analytics 4 property is standard for each newly created property. Depending on the property used, data is stored for different lengths of time. Your interactions are measured across platforms through identifiers such as cookies, app instance IDs, user IDs or custom event parameters, provided you have given your consent. Interactions are all types of actions that you perform on our website. If you also use other Google systems (such as a Google account), data generated by Google Analytics can be linked to third-party cookies. Google does not share Google Analytics data unless we, as the website operator, authorise it. Exceptions may apply if required by law.
According to Google, IP addresses are not logged or stored in Google Analytics 4. However, Google uses the IP address data to derive location data and deletes it immediately afterwards. All IP addresses collected from users in the EU are therefore deleted before the data is stored in a data centre or on a server.
Since Google Analytics 4 focuses on event-based data, the tool uses significantly fewer cookies than previous versions (such as Google Universal Analytics). Nevertheless, there are some specific cookies that are used by GA4. These include, for example:
Name: _ga
Value: 2.1326744211.152331733739010-5
Purpose: By default, analytics.js uses the _ga cookie to store the user ID. It is used to distinguish between website visitors.
Expiry date: after 2 years
Name: _gid
Value: 2.1687193234.152331733739010-1
Purpose: This cookie is also used to distinguish between website visitors
Expiry date: after 24 hours
Name: _gat_gtag_UA_<property-id>
Value: 1
Purpose: Used to lower the request rate. If Google Analytics is provided through Google Tag Manager, this cookie is named _dc_gtm_ <property-id>.
Expiry date: after 1 minute
Note: This list cannot claim to be complete, as Google keeps changing the choice of their cookies. The aim of GA4 is also to improve data protection. Therefore, the tool offers some options for controlling data collection. For example, we can set the storage period ourselves and also control data collection.
Here we show you an overview of the main types of data collected by Google Analytics:
Heat maps: Google creates so-called heat maps. Heat maps show you exactly the areas that you click on. This way we get information about where you are ‘travelling’ on our site.
Session duration: Google defines session duration as the time you spend on our site without leaving it. If you have been inactive for 20 minutes, the session ends automatically.
Bounce rate: A bounce occurs when you view only one page on our website and then leave our website.
Account creation: If you create an account on our website or place an order, Google Analytics collects this data.
Location information: IP addresses are not logged or stored in Google Analytics. However, location data is used shortly before the IP address is deleted.
Technical information: Technical information includes, among other things, your browser type, your internet service provider or your screen resolution.
Source of origin: Google Analytics and we are naturally also interested in which website or which advertisement you came to our site from.Other data includes contact details, any ratings, playing media (e.g. if you play a video on our site), sharing content via social media or adding to your favourites. This list is not exhaustive and is only intended to provide a general overview of how Google Analytics stores data.
Google has servers all over the world. You can find out exactly where the Google data centres are located here:
Your data is distributed across a number of physical storage devices. This has the advantage that the data can be accessed more quickly and is better protected against manipulation. Each Google data centre has appropriate disaster recovery programmes for your data. If, for example, Google's hardware fails or natural disasters cripple servers, the risk of service interruption at Google remains low. The retention period for the data depends on the properties used. The storage period is always defined separately for each individual property.
Google Analytics offers us four options for controlling the storage period:
2 months: this is the shortest storage period.
14 months: by default, GA4 stores the data for 14 months.
26 months: the data can also be stored for 26 months.
Data is only deleted if we delete it manually
There is also the option that data is only deleted if you no longer visit our website within the period we have selected. In this case, the retention period is reset each time you visit our website again within the specified period.
Once the specified time period has passed, the data is deleted once a month. This retention period applies to your data associated with cookies, user identification and advertising IDs (e.g. cookies from the DoubleClick domain). Reporting results are based on aggregated data and stored independently of user data. Aggregated data is a merging of individual data into a larger unit.
According to the data protection law of the European Union, you have the right to request, update, delete or restrict access to your information. You can use the browser add-on to disable Google Analytics JavaScript (analytics.js, gtag.js) to prevent Google Analytics 4 from using your data. You can download and install the browser add-on at . Please note that this add-on only deactivates data collection by Google Analytics.
If you generally wish to deactivate, delete or manage cookies, you will find the corresponding links to the respective instructions for the most popular browsers under the ‘Cookies’ section.
The use of Google Analytics requires your consent, which we have obtained with our cookie popup. This consent is the legal basis for the processing of personal data, as may occur during its collection by web analytics tools, in accordance with Art. 6 para. 1 lit. a GDPR (consent).
In addition to consent, we have a legitimate interest in analysing the behaviour of website visitors and thus improving our offering both technically and economically. With the help of Google Analytics, we can detect website errors, identify attacks and improve efficiency. The legal basis for this is Art. 6 para. 1 lit. f DSGVO (legitimate interests). However, we only use Google Analytics if you have given your consent.
Google processes your data in the United States, among other places. Google is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data of EU citizens to the United States. You can find more information about this at .
In addition, Google uses standard contractual clauses (Art. 46 (2) and (3) GDPR). Standard Contractual Clauses (SCC) are templates provided by the EU Commission to ensure that your data also meets European data protection standards when it is transferred to and stored in third countries (such as the US). Through the EU-US Data Privacy Framework and the standard contractual clauses, Google is obliged to comply with the European data protection level when processing your relevant data, even if the data is stored, processed and managed in the United States. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here, among other places: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de
11) Rights of the data subject
Each data subject shall have the following rights:
for information pursuant to Article 15 GDPR
to rectification under Article 16 GDPR
to cancellation under Article 17 GDPR
to limit the processing pursuant to Article 18 GDPR
to appeal under Article 21 GDPR, and
to data transferability under Article 20 GDPR.
The restrictions according to §§ 34 and 35 BDSG apply to the right of information and the right of deletion. Furthermore, you have the right to lodge a complaint with a competent data protection supervisory authority (Article 77 GDPR in conjunction with & 19 BDSG). You can revoke your consent to the processing of personal data at any time. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.
12) Data protection provisions Typeform
We use the ‘Typeform’ service for the purpose of possible evaluations and/or surveys. This service is offered by:
TYPEFORM S.L., Carrer Bac de Roda
163, 08018 Barcelona
(‘Typeform’).
Further information on data processing in connection with Typeform can be found here: https://admin.typeform.com/to/.
13) Data processing in third countries
If the Controller processes data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transmission of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.
Subject to express consent or contractually or legally required transfer, we process or allow the data to be processed only in third countries with a recognised level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, if certifications or binding internal data protection regulations are in place (Art. 44 to 49 DSGVO, information page of the EU Commission: https://ec.europa.eu/info/law/.
14) Events and pictures
If you attend an event of the ESA Business Accelerator, personal data will be processed for the purpose of conducting the event in accordance with the following information.
In particular, the following categories of personal data may be processed for the purpose of conducting the event:
Name and contact details (email, telephone)
Information on the employment relationship (legal company, job title)
Data for participation in workshops
Pictures from the event
Data on participation in the event as such
If you provide personal data of other persons in the context of registration, you agree that it is your responsibility to obtain the consent of these third parties in accordance with the applicable law.
Our events are regularly accompanied by photographers or film crews who take pictures or make video recordings (‘recordings’) of the event. The production and publication of the event recordings is based on the controller's legitimate interest in providing illustrated reporting, provided that the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, do not prevail (Art. 6 para. 1 sentence 1 lit. f GDPR).
The recordings are made for public relations purposes and published on our website, our social media channels or on the event website.
15) Legal basis for the processing
Art. 6(1) lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6(1) lit. b GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services. Is our company subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations, the processing is based on Art. 6(1) lit. c GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6(1) lit. d GDPR. Finally, processing operations could be based on Article 6(1) lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. He considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR). Where the processing of personal data is based on Article 6(1) lit. f GDPR our legitimate interest is to carry out our business in favor of the well-being of all our employees and the shareholders.
16) Period for which the personal data will be stored
The criteria used to determine the period of storage of personal data is the respective statutory retention period. After expiration of that period, the corresponding data is routinely deleted, as long as it is no longer necessary for the fulfillment of the contract or the initiation of a contract.
Status: 09.12.2024