Subcol

Privacy notice

Last updated: May 2026

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is the platform operator named in the imprint above, reachable at the address and e-mail given there.

2. Scope

This privacy policy applies to the processing of personal data in connection with the use of this platform (website and authenticated area) by registered suppliers, subcontractors and referral partners and their designated users.

3. Purposes of processing

We process personal data to provide the platform, manage accounts, enable matchmaking between suppliers and subcontractors, handle orders and commission settlements, comply with legal obligations and prevent fraud and misuse.

4. Categories of data

We process in particular master data (company, name, address, VAT ID), contact data (e-mail, phone), access and usage data (login, roles, activity), offering, order and billing data, as well as technical connection data (see server log files).

5. Legal bases

Processing is based on Art. 6(1)(b) GDPR (initiation and performance of the usage relationship), Art. 6(1)(c) GDPR (compliance with legal obligations, e.g. commercial and tax retention) and Art. 6(1)(f) GDPR (legitimate interest in a secure, functional and abuse-free platform).

6. Registration and account

When registering, we collect the data required to create the account. Activation takes place after review by the operator. Registered users may create further users of their company; these are also subject to this privacy policy.

7. Server log files

When the platform is accessed, technically necessary connection data (including a shortened IP address, date and time, requested resource, status code) is processed. The legal basis is Art. 6(1)(f) GDPR; the data serves technical provision, stability and security and is kept only briefly.

8. Cookies

We use only technically necessary cookies: a session cookie for authentication (expiring after inactivity) and a cookie storing the language setting. There is no third-party tracking or analytics; no consent is required for this.

9. Risk and abuse checks

To prevent multiple and sham registrations and to combat fraud, we evaluate login and registration data (e.g. repeated use of the same IP address, plausibility of company details). The legal basis is Art. 6(1)(f) GDPR.

10. Recipients and processors

As part of the matchmaking, the data required to initiate a contract is disclosed to the respective other contracting party (supplier or subcontractor). Hosting and e-mail delivery are provided by Hetzner Online GmbH (Germany); a data processing agreement under Art. 28 GDPR is in place. No transfer to third countries takes place.

11. Retention period

Personal data is deleted as soon as the purpose ceases to apply and no statutory retention obligations prevent deletion. Billing and contract data is retained within the commercial and tax law periods (generally 6 or 10 years).

12. Your rights

You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and to object to processing based on legitimate interests (Art. 21 GDPR). A message to the contact address in the imprint is sufficient to exercise these rights.

13. Right to lodge a complaint

Without prejudice to other remedies, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement.

14. Data security

The platform is delivered exclusively over encrypted connections (TLS/HTTPS). Access is restricted on a role basis; passwords are stored only as hashes. We take technical and organisational measures in line with the state of the art (Art. 32 GDPR).

Draft. Substantive initial draft — must be reviewed and approved by a lawyer before publication.