Data protection policy

General information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally. For detailed information on the subject of data protection, please refer to our data protection declaration listed below.

  1. General
  2. Data processing of website visitors and those interested in our products
  3. Data processing by using cookies and analysis methods
  4. Data processing in conjunction with the use of additional functions of our websites and products
  5. Data processing after personal contact
  6. Data processing when you subscribe to our marketing newsletter
  7. Data processing for data collected by third parties (Data Enrichment)
  8. Data processing of mXP customers
  9. Data processing for business partners and suppliers
  10. Data processing of applicants
  11. Use of CRM system
  12. Data recipients
  13. Storage duration
  14. Rights of the data subject
  15. Modification of the data policy

1. General

Metals Experience GmbH (hereinafter referred to as "mXP") securely and sensitively handles your personal data in accordance with applicable data protection provisions, in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Personal data is all information that pertains to identified or identifiable natural persons, e.g. name, address, email addresses or IP addresses.

mXP provides software, services and consulting to interested parties. mXP primarily acts as a Processor for users of its products within the meaning of Art 4 para 8 GDPR.

Independently of this, mXP also processes personal data under its own responsibility and thus acts as a Controller within the meaning of Art 4 para 7 GDPR. This privacy policy concerns the processing in which mXP is the Controller (hereafter called the “Controller” or “we”). The Controller’s Data Protection Officer (Stefan Rauch) can be reached at the above-mentioned address and via email at privacy@metalsxp.com.

As the Controller, mXP processes personal data in various ways and for various purposes:

2. Data processing of website visitors and those interested in our products

If you only visit our website or use our products, without registering or providing other information, we process only the personal data that your device transfers to our servers. This data consists primarily of technical information (e.g. IP address, web browser, operating system or time the site was accessed). This information is recorded automatically when you access our website. The legal basis for this processing is for the purposes of our legitimate interests in accordance with Art 6 para 1 lit f GDPR, specifically the analysis and guaranteed operation of our websites and our products.

This data is not transferred to third parties.

Providing the listed information is not a statutory requirement but is required for the operation of our website or the use of our products.

3. Data processing by using cookies and analysis methods

You will be asked for consent when our own cookies and the cookies of selected partners are used during website visits. This also applies to various tools for analysis and optimization (e.g. web and app tracking, performance tracking) when our websites are visited and our products are used. Cookies and these optimization/analysis tools are used only if and to the extent that your consent has been obtained, unless they are required for the functionality or guaranteed safe operation of our websites or our products. On our website, you can find more information on the cookies and analysis tools used.

If you have granted us your consent to do so, we also use these tools to process your IP address and technical information about your browser and operating system, the approximate location, the source of our website visitors and activity data such as clicks and page views to improve the user experience and our range of information, and to analyze and optimize the operation of our websites and our products, including the optimization of our marketing activities.

The legal basis for this processing is your explicit consent in accordance with Art 6 para 1 lit a GDPR and for the purposes of our legitimate interests in accordance with Art 6 para 1 lit f GDPR, specifically the analysis and guaranteed operation of our websites and our products. You may withdraw your previously given consent to cookies at any time by adjusting your browser settings or by deleting cookies through your browser options.

We may disclose your data to the recipients listed under Section 12 to achieve the purposes listed above.

Providing the listed data is not a statutory requirement but is, in some cases, required to provide particular functionalities of our websites or products. If this data is not provided or is partially provided, you may be unable to use or have restricted use of certain functions of our websites or our products. There are no negative consequences to refraining from providing data for optimization and analysis purposes.

4. Data processing in conjunction with the use of additional functions of our websites and products

If you do not only use our websites for information purposes but make use of additional functions and services that our websites and products offer (e.g. the contact form, chat, webinar) or would like to participate in information campaigns, as a rule you must provide us with additional personal data for us to process your inquiries and make the provided functions available. This typically includes information that we require to contact you, e.g. full name, email address, telephone number and company master data. We process this data together with the data collected in connection with visiting our website and using our products (see Section 2), in particular the IP addresses collected, and the activity data associated therewith (e.g. clicks, page call-ups, etc.). Furthermore, we process the data made available to us by transferring it to our CRM system (see Section 11).

The legal basis for this processing is your express consent in accordance with Art 6 para 1 lit a GDPR, to take steps prior to entering into a contract or to fulfill our contractual obligations in accordance with Art 6 para 1 lit b GDPR and for the purposes of our legitimate interests in accordance with Art 6 para 1 lit f GDPR, specifically the analysis and guaranteed operation of our websites and products, continuous improvement of our products and optimization of our marketing activities. In some instances, we complete data sets processed by us with the use of data enrichment solutions to obtain a full data set about you (Data Enrichment, see Section 7).

We may disclose your data to the recipients listed under Section 12 to achieve the purposes listed above.

Providing the listed data is not a statutory requirement but is required to contact you and to use the provided functions of our websites and products. If this data is not provided or is partially provided, you may be unable to use certain functions of our websites and products or have limited use of these, or we may not be able to contact you. There are no negative consequences to refraining from providing data for optimization and analysis purposes.

5. Data processing after personal contact

If you contact us, e.g. at trade fairs or exhibitions, and provide your data to us, e.g. by handing us business cards or completing a form, we process the data made available to us by transferring it to our CRM system (see Section 11). This typically includes information that we require to contact you, e.g. full name, email address, telephone number and company master data.

The legal basis for this processing is to take steps prior to entering into a contract in accordance with Art 6 para 1 lit b GDPR and for the purposes of our legitimate interests in accordance with Art 6 para 1 lit f GDPR, specifically establishing a business relationship and maintaining our business contacts (CRM). In some cases, we also supplement the data by collecting data from third parties (Data Enrichment, see Section 7).

Providing the listed data is not legally stipulated but is required to contact you. If this data is not provided or partially provided, we may not be able to contact you and enter into a business relationship with you.

6. Data processing when you subscribe to our marketing newsletter

If you subscribe to our newsletter, we process your contact details, in particular your email address and full name to send our marketing newsletter. We also process the information on which newsletter we have sent you, whether and when you have opened this, whether it could be delivered, whether you have subscribed or unsubscribed to the newsletter and if you have clicked on links in the newsletters, which and how many. In particular, we process the data made available to us by transferring it to our CRM system (see Section 11).

The legal basis for this processing is your express consent (Art 6 (1) (a) GDPR). You can withdraw your consent to receiving the marketing newsletter at any time. To do this, you can unsubscribe from the marketing newsletter at any time by using the link within the newsletter or by emailing privacy@metalsxp.com.

We may disclose your data to the recipients listed under Section 12 to achieve the purposes listed above.

Providing the listed data is not a statutory requirement but is required for our marketing newsletter to be sent. If this data is not provided or is partially provided, we may not be able to send you our marketing newsletter.

7. Data processing for data collected by third parties (Data Enrichment)

In general, we collect personal data directly from you, so that as a rule you can decide on making your personal data available to us. However, in some cases we may obtain personal data from other sources.

These other sources are primarily the internet, from which we obtain publicly available information. In addition, we also obtain information from data enrichment providers.

This personal data is typically limited to contact information (full name, email address, telephone number, postal address) as well as information on your work for a specific company, the company headquarters, the company industry and your role in this company.

If you apply to work with us, we may also process information from publicly available sources on your educational and professional background.

The legal basis for this processing is our legitimate interest in accordance with Art 6 para 1 lit f GDPR in a complete data set about you, which is required for professional communication and the establishment of a business relationship or the application process. In general, the recipients and storage duration of this data comply with the respective processing for which the data was collected.

We may disclose your data to the recipients listed under Section 12 to achieve the purposes listed above.

8. Data processing of mXP customers

If you become our customer, we process (i) information that we require to contact you, which includes your full name, email address, telephone number, (ii) company master data (e.g. company name, postal address, email addresses, telephone numbers, contact person, role), (iii) information on the type and content of our contractual relationship (e.g. number, type and duration of activated licenses and information on the requested and created offers), (iv) marketing-relevant information such as industry and target group as well as information on the origin and history of accounts (e.g. responsible sales partners, date of last contact, clicked adverts).

The legal basis for this processing is to take steps prior to entering into a contract or to fulfill our contractual obligations in accordance with Art 6 para 1 lit b GDPR and for the purposes of our legitimate interests in accordance with Art 6 para 1 lit f GDPR, specifically the analysis and guaranteed operation of our websites and products, continuous improvement of our products and optimisation of our marketing activities.

If we have received the respective consent, we also process the contact details of users of our products to (i) interactively support and facilitate the use of our products (Onboarding, see Section 9) and (ii) to provide information on (new) product functions or updates/upgrades, or (iii) hold customer surveys on improving service quality. For these purposes, we may also contact you via email or phone. If you have given us your consent for this, we may also list you as a reference customer on our websites.

The legal basis for this processing is your express consent in accordance with Art 6 para 1 lit a GDPR. You can withdraw this consent at any time, e.g. by emailing privacy@metalsxp.com.

Where applicable, we process payment information in addition to the above-mentioned data. Payment information includes invoice recipients, invoice addresses, invoice numbers, invoice period, due date, bank details, payment conditions, contact person for invoices, VAT ID, etc.

The legal basis for this processing is to fulfill our contractual obligations in accordance with Art 6 para 1 lit b GDPR, to fulfil our legal obligations in accordance with Art 6 para 1 lit c GDPR and for the purposes of our legitimate interests in accordance with Art 6 para 1 lit f GDPR, specifically the optimisation of our accounting processes and for liquidity management purposes.

We specifically process the listed data by transferring it to our CRM system (see Section 11). We may also disclose your data to the recipients listed under Section 12 to achieve the purposes listed above.

Providing the listed data is not a statutory requirement but is required to initiate, maintain and fulfil the business relationship and to meet our legal obligations. If this data is not provided or partially provided, we may not be able to conclude a contract with you or support you when you use our products.

9. Data processing for business partners and suppliers

If you are our business partner or supplier or would like to become one, we process (i) information that we require to contact you (e.g. full name, email address, telephone number), (ii) company master data (e.g. company name, company register number, postal addresses, email addresses, telephone numbers, contact people, role) as well as (iii) payment information (e.g. invoice recipients, invoice addresses, invoice numbers, invoice period, bank details, contact person for invoices, VAT ID, etc.) to initiate, maintain and fulfil our goods and services contracts and to conduct the ongoing business of our company.

The legal basis for this processing is to take steps prior to entering into a contract or to fulfil our contractual obligations in accordance with Art 6 para 1 lit b GDPR, to fulfil our legal obligations in accordance with Art 6 para 1 lit c GDPR, and for the purposes of our legitimate interests in accordance with Art 6 para 1 lit f GDPR, specifically the optimisation of our accounting processes and for the purposes of liquidity management.

We may disclose your data to the recipients listed under Section 12 to achieve the purposes listed above.

Providing the listed data is not a statutory requirement but is required to initiate, maintain and fulfil the business relationship and to meet our legal obligations. If this data is not provided or partially provided, we may not be able to conclude a contract with you.

10. Data processing of applicants

If you submit a job application to us, we process all the data that you provide in your application (such as CV, cover letter, other documents such as school certificates and recommendation letters). These typically include i) personal data (full name, date and place of birth, nationality), ii) contact details (email and postal address, telephone number, social media profiles), and iii) other information (photo, training, skills, knowledge, official assessments, certificates, experience, professional experience, hobbies and interests, family members, etc.). We ask you to refrain from communicating any special categories of personal data in your application. This includes information indicating your racial and ethnic background, political opinions, religious or philosophical beliefs or trade union membership, as well as health data or data on your sexual life or orientation. Such information is automatically saved together with your other data and is not processed separately.

If you give us your consent to this, we also keep you on file as an applicant.

The legal basis for this processing is to take steps prior to entering into a contract in accordance with Art 6 para 1 lit b GDPR, your consent, if applicable your express consent in accordance with Art 6 para 1 lit a GDPR and for the purposes of our legitimate interests in accordance with Art 6 para 1 lit f GDPR, specifically the optimisation of our application processes.

We may disclose your data to the recipients listed under Section 12 to achieve the purposes listed above.

Providing the listed data is not a statutory requirement but is required for the application procedure. If this data is not provided or partially provided, we may not be able to process your application and establish an employment relationship.

11. Use of CRM system

We use Microsoft 365 as our customer relationship management (CRM) system to manage customer information, track leads, and store business communications. Microsoft 365 is a service from Microsoft Ireland, South County Business Park, One Microsoft Place, Carmanhall and Leopardstown, D18 P521 Dublin (Ireland). You can obtain more information on this here: https://privacy.microsoft.com/en-us/privacystatement.

All data is stored on Microsoft's servers located within the European Union in compliance with GDPR requirements. Personal data we collect may include names, email addresses, phone numbers, company information, and communication history. This information is processed based on our legitimate business interests and, where applicable, your consent. Microsoft acts as a data processor, and we have appropriate data processing agreements in place. You have the right to access, rectify, delete, or restrict the processing of your personal data. For more information about how Microsoft handles data, please refer to Microsoft's Privacy Statement. To exercise your data protection rights regarding information we store in our CRM, please contact us at privacy@metalsxp.com.

If you create an account to use our products or disclose to us contact information and other demographic information in another way (e.g. in a contact form on our website), we may transfer this information and any content retrieved from our website or in our products, to Microsoft 365. The services help us to subsequently contact website visitors, interested parties and users of our products and, additionally, to answer their enquiries and to determine which of our company services would be of interest to them. What’s more, Microsoft 365’s services also improve efficiency when working with our products and help to generally improve user experience and service quality when one uses our products and visits our websites.

If you have granted us consent to this, we also process your contact details such as full name, email address and title for email marketing and to provide product information such as new functions, unused functions or updates/upgrades and. You can withdraw your consent at any time, by emailing privacy@metalsxp.com.

The legal basis for this processing is your express consent in accordance with Art 6 para 1 lit a GDPR and for the purposes of our legitimate interests in accordance with Art 6 para 1 lit f GDPR, specifically improving user experience and service quality when our products are used or our websites are visited (e.g. quick and efficient processing of enquiries).

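12. Data recipients

The columns Contacts, Clients, Suppliers and Staff fall under "Processing concerning data from or in relation to".

| Recipients | Contacts | Clients | Suppliers | Staff | HQ in | The basis for transfer to a third country (DPA, SCC, TIA) |
|---|---|---|---|---|---|---|
| Microsoft 365 | | | | | Ireland | link |
| World4you | | | | | Austria | link |
| DocuSign | | | | | CA, US | link |
| GitHub | | | | | CA, US | link |
| LinkedIn | | | | | CA, US | link |
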

13. Storage duration

In general, your data is only kept for as long as required for the respective purpose:

  • The storage duration of log data is 3 months.
  • We delete data that is required for processing enquiries and making contact, within 3 years of the business relationship ending or our last contact with you.
  • We keep data and contracts that are relevant for our accounting in compliance with company or tax law regulations; in general, this duration is 7 or 10 years respectively.
  • In general, we keep data stored on the basis of your consent until consent is withdrawn or the contractual relationship is complete.
  • Data from unsuccessful job applicants is generally stored for 6 months. Beyond this, we only keep applicant data if consent has been given for this to be kept on file as stated in Section 10.

Data is then deleted unless such deletion, in some individual cases, conflicts with any of our legitimate interests (e.g. continued storage of data as evidence, or to establish or defend legal claims, taking into consideration the relevant applicable limitation periods).

14. Rights of the data subject

Right of Access in accordance with Art 15 GDPR: You have the right to obtain confirmation as to whether or not personal data concerning you is processed.

Right to rectification in accordance with Art 16 GDPR: If we process your data and this is incorrect or incomplete, you have the right to request its rectification or completion.

Right to erasure in accordance with Art 17 GDPR: You have the right to request the erasure of your personal data where one of the following grounds applies:

  • The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
  • You withdraw consent and there is no other legal ground for the processing
  • You object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing for direct advertising purposes
  • The personal data has been unlawfully processed
  • The personal data has to be erased for compliance with a legal obligation
  • The personal data has been collected in relation to the offer of information society services from a child

As stated above, there may be reasons that preclude immediate deletion, e.g. in the case of legally prescribed storage obligations.

Right to restriction of processing in accordance with Art 18 GDPR: You have the right to request the restriction of processing if:

  • You contest the accuracy of the personal data, and for a period enabling us to verify the accuracy of the personal data
  • The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead
  • We no longer need the personal data for the purposes of the processing, but you require it for the establishment, exercise or defense of legal claims
  • You have objected to the data processing

Right to data portability in accordance with Art 20 GDPR: You have the right to receive any personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You have the right to transmit this data to another controller if we process this data on the basis of consent that you gave or to fulfil a contract between us, and this processing is carried out by automated means.

Right to object in accordance with Art 21 GDPR: If we process your data to perform a task that is carried out in the public interest, or in the exercise of official authority vested in us or on the basis of legitimate interest, you have the right to object to this data processing. In this case, we shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless this is for the establishment, exercise or defense of legal claims. You can withdraw consent to the processing for marketing purposes and the creation of a user profile associated with this, at any time.

Exercise of rights: You can exercise your rights against us at any time. To do this, you can contact us via email at privacy@metalsxp.com.

Withdrawing your consent: Insofar as we process data on the basis of your consent, you have the right to withdraw this at any time by emailing privacy@metalsxp.com. The lawfulness of processing based on the consent until it is withdrawn remains unaffected by the withdrawal.

Right to lodge a complaint: If you think that we have infringed GDPR, you have the right to lodge a complaint with the responsible supervisory authority (in Austria, this is the Data Protection Authority, www.dsb.gv.at).

15. Modification of the data policy

We reserve the right to adapt this data protection declaration, if necessary, e.g. due to technical developments or legal changes, or to update it in connection with the offer of new services or products. The updated privacy policy will be published on our website in each case. Please check the relevant page regularly.