Privacy Policy

Effective: 26 May 2026

We, netcup GmbH, appreciate your interest in our website, our offers, services, and company. We take the protection of your personal data very seriously and strictly comply with applicable data protection laws. This Privacy Policy informs you about how we process your personal data in connection with our offering.

The terms used in this Privacy Policy correspond to the definitions of the General Data Protection Regulation (GDPR).

General

• Controller
• Data Protection Officer
• Cookies and Tracking Technologies
• Deletion and Retention of Data
• Data Transfers to Third Countries
• Automated Decision-Making

Processing Activities

• Website Operation and Security
• Contract Performance and Customer Account
• Server Control Panel (SCP) and Customer Control Panel (CCP)
• Payment Processing
• Identity Verification
• Contact and Inquiries
• Customer Feedback and Reviews
• Customer Surveys
• Customer Forum
• Form Security
• Chatbot
• Abuse Reports
• Retargeting and Online Advertising
• Newsletter
• Email Direct Marketing
• Postal Advertising
• Referral Program (Customers Refer Customers)
• Prize Competitions on the Website and at Events
• Social Media Presences
• Community Events
• Application Procedure

Your Rights

• Your Rights as a Data Subject

   

Appendix

• Legal Bases Index

Controller

The controller responsible for the data processing on this website is:

netcup GmbH
Emmy-Noether-Straße 10
76131 Karlsruhe
Germany

Phone: +49 721 7540755-0
Fax: +49 721 7540755-9
Email: mail@netcup.de

Data Protection Officer

You can reach our Data Protection Officer at:

Email: data-protection@anexia-it.com

Alternatively, you can use the contact form on our website.

Cookies and Tracking Technologies

We use cookies and similar technologies on our website. Cookies are small text files stored on your device.

We distinguish between necessary cookies, which are technically required for the operation of the website, and optional cookies for analysis, marketing, and personalization, which are only set with your consent.

A complete overview of all cookies used – including purpose, provider, duration, and category – can be found in our cookie banner. There you can view and adjust your consent at any time. You can access the cookie banner via the “Cookie settings” link in the footer of our website.

Deletion and Retention of Data

Personal data will be deleted as soon as the purpose of processing no longer applies and no statutory retention obligations exist to the contrary. Commercial and tax-related retention periods are, depending on the type of document, up to 6 or 10 years. During such periods, processing is restricted to storage.

Data Transfers to Third Countries

As part of our data processing, personal data may be transferred to recipients in countries outside the European Union or the European Economic Area (so-called third countries). The following overview shows which services may involve a third-country transfer and on what basis it takes place:

Where a transfer is based on an adequacy decision, the EU Commission has determined that the country concerned provides an adequate level of data protection. Where Standard Contractual Clauses (SCCs) are used, these are contractual clauses approved by the EU Commission that contractually oblige the recipient to maintain an adequate level of data protection. You may request a copy of the Standard Contractual Clauses used from us via the contact details listed above.

Automated Decision-Making

We do not engage in automated decision-making, including profiling. To the extent that individual service providers (e.g. PayPal in the context of creditworthiness checks) use their own automated procedures, this takes place under their own responsibility. We ourselves do not make any decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you.

Website Operation and Security

When you access our website, your browser automatically transmits information to our server. The following data is stored in log files: IP address, date and time of access, page and file accessed, referrer URL, browser and operating system used, status codes, and amount of data transferred.

We process this data to provide and ensure the operation of our website, to guarantee system security and stability, and to forward it to law enforcement authorities in the event of unlawful interference with our systems.

The data is deleted or anonymized after fourteen days, unless required for other purposes (e.g. defending or asserting claims). The legal basis is our legitimate interest in the secure operation of the website. [1]

Contract Performance and Customer Account

To fulfill pre-contractual measures and contractual obligations, we process the following data: name, address, email address, phone number, where applicable a separate billing email address and company, customer number, contract data (booked services, term, customer category), and payment data (bank details, credit card data, payment history). Additional contact data and a second factor for login may optionally be processed.

The legal basis is the performance of the contract with you. [2] We set up a customer account so that you can view, monitor, and configure your booked services. Through your personal user access, you can view and change your data.

Your data is stored until you terminate your contracts and delete your customer account, or instruct us to do so. Statutory retention obligations remain unaffected.

When you place an order or use your user account, we store the IP address and the time of the usage activity – to provide our service and to protect against misuse.

Disclosure to third parties only takes place to the extent necessary for contract performance – for example to banks, payment service providers, and credit card companies for payment processing, to shipping service providers, or in the case of domain registrations to the responsible registrars.

Providing the above-mentioned personal data is required for concluding and performing the contract. Without this data, we cannot conclude the contract and cannot provide our services.

Server Control Panel (SCP) and Customer Control Panel (CCP)

To manage the products you have booked with us, we provide you with two portals: the Customer Control Panel (CCP) for managing your customer data, contracts, and invoices, and the Server Control Panel (SCP) for the technical administration of your servers. The SCP is additionally available as a mobile app for Android and iOS.

When using the portals and the app, we process your access data (username, password, second factor where applicable), the IP address and time of each login, as well as the actions and configuration changes you carry out. This data is stored in logs to ensure the security of your account, to detect misuse, and to enable you to trace your actions.

The SCP app is developed and operated on our behalf by Anexia Digital Engineering GmbH (Klagenfurt, Austria). When using the app, no data is transferred to third parties beyond the regular communication with our servers. There is no transfer to third countries.

The legal basis is the performance of the contract with you and our legitimate interest in the security of our systems. [2] [1] The log data is deleted upon expiry of statutory retention periods.

Payment Processing

If you do not consent to the transfer of data to payment service providers, you may pay for our services by bank transfer in advance.

PayPal

We use PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg) as a payment service provider. When paying via PayPal, your name, email address, the products purchased, the invoice amount, and your billing and delivery address are transferred to PayPal. For certain payment methods (credit card, direct debit, purchase on account via PayPal), PayPal may carry out a creditworthiness check.

The legal basis is your consent and contract performance. [3] PayPal may transfer your data to the USA; the basis for this is the EU Commission’s adequacy decision (EU-US Data Privacy Framework). Further information can be found in PayPal’s privacy policy.

SEPA Direct Debit

For payments by direct debit, your name, the address of the account holder, the invoice amount, IBAN, creditor identification number, and mandate reference are transmitted to our payment service provider or our bank. The legal basis is your consent and contract performance. [3]

Stripe

We use Stripe (Stripe Payments Europe, Ltd., Dublin, Ireland) as a payment service provider. When paying via Stripe, your customer number and email address are transferred to Stripe. Stripe also transmits to us a unique identifier (hash) of your card or bank account, which allows us to check whether the same payment method has already been used for another customer account. The actual card or account number cannot be derived from this. We store this hash for fraud prevention as long as your customer account exists.

The legal basis is your consent and contract performance. [3] Stripe may transfer your data to the USA; the basis for this is the EU Commission’s adequacy decision (EU-US Data Privacy Framework) supplemented by Standard Contractual Clauses. Further information can be found in Stripe’s privacy policy.

Identity Verification

For identity verification, we offer a video identification procedure carried out by an external processor (Stripe Payments Europe, Ltd., Dublin, Ireland).

In doing so, we process your identification data (name, address), contact data (email address), and identification document data (photos of your ID, ID details such as type, number, issuing authority, and expiry date). The processing serves to prevent unlawful activities such as fraud or identity theft.

After completion of the identity verification, the transmitted data is automatically redacted. We only retain a note that the verification was carried out.

The legal basis is pre-contractual measures, our legitimate interest, and your consent. [4] Providing the data is voluntary – alternatively, you may use a different identification method or contact support.

The processor uses sub-processors located partly in third countries. Information on the transfer instruments can be found at stripe.com/at/privacy. We do not use automated decision-making in connection with identity verification.

Contact and Inquiries

When you use our contact form or other means of communication (email, phone, fax), we process your name, contact details, and the content of your inquiry in order to address your request.

The legal basis is contract performance or pre-contractual measures, insofar as your inquiry relates to such matters. In all other cases, we process your data on the basis of your consent or our legitimate interest in efficient processing and documentation to provide evidence in legal disputes or in the event of regulatory audits. [5]

The data is deleted once your inquiry has been conclusively handled and no further retention reasons exist.

Customer Feedback and Reviews

After handling a support ticket, we may ask you by email for feedback on our customer service. In this context, we process your name, email address, ticket ID, your feedback, and any comments. We use this data to create statistical evaluations in order to improve the quality of our customer service.

Submitting feedback is based on your consent. Consent is voluntary and may be withdrawn at any time. Contacting you by email is based on our legitimate interest in quality improvement. [6]

Processors from the Anexia group may be involved in the processing, supporting us in conducting and evaluating customer feedback. No transfer to third countries takes place in this case.

We also cooperate with an external review platform (Trustpilot) to enable customers to rate the quality of our services. Your name and email address are only transferred to the platform if you actively click on “Review on Trustpilot” or use a corresponding link in an email. You will only receive a review request by email if you have previously given us your consent to receive promotional emails.

When submitting a review, Trustpilot is the controller within the meaning of the GDPR. Trustpilot’s privacy policy can be found at de.legal.trustpilot.com/for-reviewers/end-user-privacy-terms.

Customer surveys

We occasionally carry out surveys amongst our customers in order to further develop our products, services and customer service. As part of these surveys, we process the information you provide.

The surveys are used to analyse your feedback, as well as any reported faults and suggestions for improvement regarding our products and services. We use the results exclusively to improve what we offer.

Our surveys are configured in such a way that we cannot link your answers to a specific individual. We do not use personalised invitation links and receive the responses without any identifying details. When you access the survey, your IP address is technically transmitted to our data processor; the data processor does not link this to your answers and does not pass it on to us. Where necessary to prevent multiple entries, the data processor stores the IP address exclusively in the form of a cryptographic hash value. In addition, the responses to the survey questions and the information you provide in the free-text fields are processed. Please do not enter any information in the free-text fields that could be used to identify you.

At the end of a survey, you may have the option to voluntarily provide your company name or customer number so that we can contact you should we have any queries regarding your feedback or reported errors.

Please do not enter any information in the free-text fields that could identify you personally.

At the end of a survey, you may have the option to voluntarily provide your company name or customer number so that we can contact you should we have any queries regarding your feedback or reported errors. It is only through this voluntary provision of information that your participation can be linked to a specific individual. If you leave the field blank, we will not be able to link your responses to you personally.

We use the Lamapoll service (Lamano GmbH & Co. KG, Frankfurter Allee 69, 10247 Berlin) for the technical administration of our surveys. The service provider processes the data exclusively on our behalf and in accordance with our instructions, based on a data processing agreement pursuant to Article 28 of the GDPR. Processing takes place on servers in Germany; no data is transferred to third countries.

The legal basis for conducting our surveys and analysing the responses is our legitimate interest in improving our products and services. Where you voluntarily provide your company name or customer number, the processing of this information is based on your consent. You may withdraw this consent at any time with future effect. [1] [7]

We store the survey results until the respective analysis has been completed and then delete them. We delete any identification data provided voluntarily (company name/customer number) as soon as the enquiry has been resolved or the purpose no longer applies, but no later than twelve months after the survey was conducted.

Customer Forum

When you create a user account for our customer forum, we process your name, email address, and chosen username in order to set up the account. The legal basis is the performance of the user agreement. [2] The terms of use can be found at forum.netcup.de/system/disclaimer/.

After setup, you can voluntarily store additional data (e.g. avatar, photos, address) and exchange messages with other users. Posts and other public content remain visible to all readers even after deletion of your account – your account is then labeled as “deleted individual”.

When using the forum, we store your IP address and the time of each action on the basis of our legitimate interests. [1] IP addresses are anonymized or deleted no later than 14 days.

To protect against spam bots, we use captcha questions for registration and certain functions. This is an internal service of our forum software.

Form Security

To ensure that forms on our website are used by natural persons and not by automated procedures, we use a captcha service. The provider is Captcha GmbH, which acts as a processor on our behalf.

In doing so, your IP address is recorded in anonymized form, and a cryptographic task is sent to your device, which is solved without your input. Additionally, browser information, timestamps, and the referrer URL are processed. An anonymized counter is stored for each IP address to control the complexity of the tasks – identification of individual users is not possible.

The legal basis is our legitimate interest in the security of our website. [1]

Chatbot

Our chatbot uses artificial intelligence to answer your inquiries. For this purpose, we use technology from an external provider (OpenAI Ireland Ltd, Dublin, Ireland). When using the chatbot, the data you enter may be transferred to this provider for evaluation and response. This may involve a transfer to the USA. The rights of data subjects are safeguarded by Binding Corporate Rules and Standard Contractual Clauses.

The legal basis is your consent arising from your use of the chatbot, as well as our legitimate interest in providing the best possible support. [6]

Chat histories are stored for one month so that you can continue your chat. They are then pseudonymized and stored for a further 6 months in order to improve the chatbot. You have the right to object to the pseudonymized processing – please contact us using the contact details listed above.

Abuse Reports

We operate a contact point to which unlawful, abusive, or security-relevant incidents relating to services provided by us (e.g. spam, phishing, copyright infringements, DDoS attacks, malware hosting, other unlawful content) can be reported. Reports can be submitted by email to abuse@netcup.de or via the abuse web form available on our website.

If you submit an abuse report to us, we process the following data: your name (if provided), your email address and any other contact details you provide, the content of your report including any attached evidence (e.g. log files, header information, screenshots, URLs, IP addresses, timestamps), the affected content or systems you have identified, as well as technical metadata of the report (e.g. time of receipt, transmitted IP address when using the web form).

We process this data in order to review your report, to clarify the reported matter, to take appropriate measures (e.g. blocking content, requesting a statement from the affected customer, terminating contracts, forwarding to law enforcement authorities), to fully document the processing, and to comply with our legal and contractual obligations as a provider.

To the extent necessary for processing your report, we forward the content of the report to the affected customer. We only disclose personal data of the reporting party if this is essential for clarifying the matter or if we are legally obliged to do so. If there are indications of criminal offences, the data may be forwarded to the competent authorities.

The legal basis is compliance with a legal obligation as well as our legitimate interest and the legitimate interest of third parties in ensuring the safe and lawful operation of our services and in effectively preventing misuse. [9]

Abuse reports and the associated processing documentation are generally stored for the duration of the processing and beyond, for as long as is necessary to assert, exercise, or defend legal claims and to comply with statutory retention obligations (as a rule, up to three years after completion of processing, in justified cases longer).

Providing your contact details is voluntary; however, without contact details, we cannot provide you with feedback on the status of processing and may not be able to make any necessary follow-up inquiries.

Retargeting and Online Advertising

We use retargeting technologies on our website in order to be able to display relevant product and service offers to you outside our website as well. Third-party providers collect information about your usage behavior on our website (e.g. which pages you have visited or which forms you have completed) by means of tags, pixels, and cookies.

The data collected in this way is transferred to the respective third-party providers, who provide their services under their own responsibility. Beyond data collection on our website, we have no influence on the further processing by these providers.

Recipient groups include providers of social networks and advertising platforms, search engine operators and advertising networks, video platforms, and marketing automation services. With some providers, a data transfer to a third country may take place. Where available, we base such transfers on the EU Commission’s adequacy decision (EU-US Data Privacy Framework) or on Standard Contractual Clauses. Otherwise, the transfer takes place on the basis of your consent. A detailed list of all retargeting services used, including the respective transfer basis, can be found in our cookie banner.

The processing is carried out exclusively on the basis of your consent. [7] You can withdraw your consent at any time via our cookie banner. A detailed list of all retargeting services used, their privacy policies, and opt-out options can also be found there.

Newsletter

If you wish to subscribe to our newsletter, we need your email address. You may voluntarily provide your name. Sign-up takes place via a double opt-in procedure. The legal basis is your consent. [7]

In our newsletters, we use so-called tracking pixels to analyze whether and when a newsletter has been opened and which links have been clicked. These analyses serve to optimize the newsletter dispatch. For dispatch, we are supported by a third-party service provider with whom a data processing agreement has been concluded.

You can unsubscribe at any time – for example via the link at the end of each newsletter or by email to mail@netcup.de.

Email Direct Marketing

If you are a customer of ours, we may use your email address for direct marketing of our own similar goods or services, provided you have not objected. In this context, we process your email address, your name, your company affiliation where applicable, and data about your use of our offers in order to tailor the advertising individually to you.

The legal basis is our legitimate interest in direct marketing in conjunction with applicable rules of unfair competition law. [8] You can object to such use at any time – for example via the unsubscribe link at the end of each email or by email to mail@netcup.de.

Postal Advertising

If you are a customer of ours, we may use your name, address, and where applicable your company affiliation for postal direct marketing. To this end, we may add further lawfully collected data (e.g. order history) in order to tailor the advertising to your interests.

The legal basis is our legitimate interest in direct marketing. [1] You can object to postal advertising at any time. As the production process requires a certain lead time, it may exceptionally occur that you receive a mailing already in production after your objection.

Referral Program (Customers Refer Customers)

We operate a referral program through which existing customers can refer new customers. Participation requires an active customer account. As part of the program, we process the customer number and referral code of the referring customer, the assignment to the referred customer, and the data required for calculating and crediting the bonus.

The legal basis is the performance of the participation conditions of the referral program and our legitimate interest in acquiring new customers. [2] [1] The data is stored for as long as your customer account exists and the bonus claims have not been settled. Statutory retention obligations remain unaffected.

Prize Competitions on the Website and at Events

We occasionally run prize competitions on our website (e.g. via online forms, landing pages, or as part of our newsletter) as well as in the context of events (e.g. at our trade fair booth, at community events or conferences, for example through raffle lists, competition cards, or QR-code-based forms).

If you take part in a prize competition, we process – depending on the design of the competition – the following data: first and last name, email address, postal address (for delivery of physical prizes), where applicable phone number, company affiliation, the answers or content requested in the entry form (e.g. answer to a competition question), the time and place of participation, and – in the case of a win – the data required to deliver the prize and, where applicable, information on whether tax obligations are triggered.

We process this data in order to run and administer the competition (participant administration, determining the winner, notification, delivery of the prize), to document the prize award, and – insofar as you have expressly consented – to publish the winner’s name (e.g. on our website or in our social media channels) and to send further information or advertising.

The legal basis for running the competition and the related processing of your data is the performance of the contractual relationship arising from your participation (terms of participation). [2] To the extent that we process your data beyond this – for example to publish your name as a winner, to send promotional information, or to record your interest in future activities – we do so on the basis of your consent. [7] Consent is voluntary and can be withdrawn at any time with effect for the future.

Recipients of your data may include processors who support us in the technical execution of the competition (e.g. providers of form or newsletter tools, shipping service providers for physical prizes). For prize competitions that we run together with cooperation partners or sponsors, a transfer to such partners may be necessary; in such cases, we will provide a separate notice in the respective terms of participation.

Your data will be deleted as soon as it is no longer required for running and administering the competition and no statutory retention obligations exist to the contrary. As a rule, we delete the participation data within six months after completion of the competition, unless tax or commercial retention periods (in particular for physical prizes above certain value thresholds) require longer storage.

Providing the data required for participation is voluntary; however, without this data, participation in the competition is not possible.

Social Media Presences

We maintain public profiles on various social networks (currently Facebook, X/Twitter, Mastodon, and Instagram). When you visit our social media pages, personal data is transferred to the respective operator of the network. In addition to the data you actively enter (e.g. comments, messages, likes), the platform operators may also collect technical information about your usage behavior.

We do not embed any social media plugins on our website that automatically transfer data to the networks upon a mere visit to the site. Linking to our profiles is done via simple hyperlinks.

The respective operator is responsible for the data processing on the platforms themselves. To the extent that we are jointly controllers together with the platform operator (e.g. in the case of Facebook fan pages), we have entered into a corresponding joint controllership agreement. The legal basis for operating our social media presences is our legitimate interest in effective public relations and communication. [1]

Community Events

If you wish to participate in one of our community events, we need your first and last name and your email address. You may optionally provide additional information (e.g. allergies, intolerances, forum name) and indicate your interest in future events.

The processing is carried out on the basis of your consent using a double opt-in procedure. [7] Recipients of the data may include Anexia Holding GmbH (Klagenfurt, Austria). No transfer to third countries takes place.

Your data is stored until you withdraw your consent or until it is no longer required for the purpose. Withdrawal is possible at any time – most easily by email to mail@netcup.de.

Application Procedure

If you apply for a position with us, we process your application documents (cover letter, CV, certificates), your personal data (name, address, email address, phone number, date of birth), information on the position you are applying for, as well as information on your previous professional experience and qualifications.

The application procedure is handled on our behalf by Anexia Holding GmbH (Klagenfurt, Austria). The legal basis is your consent and our legitimate interest in the efficient management of application processes. [6] Additionally, the software onlyfy by New Work SE is used to simplify applicant management. A data processing agreement between New Work SE and Anexia Holding GmbH has been concluded.

If you withdraw your application, we will delete your documents. Your name, contact details, and the relevant timestamps will remain stored. Unless the data is required for other purposes, it will be automatically deleted six months after the end of the application procedure.

Your Rights as a Data Subject

You have the following rights with regard to your personal data:

• Right of access to your stored data (Art. 15 GDPR)
• Right to rectification of inaccurate data (Art. 16 GDPR)
• Right to erasure of your data (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object to processing (Art. 21 GDPR)
• Right to withdraw consent with effect for the future (Art. 7(3) GDPR). Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

To exercise your rights, please contact us or our Data Protection Officer using the contact details listed above.

Right to Lodge a Complaint with the Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data infringes the GDPR. The supervisory authority responsible for us is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Heilbronner Straße 35
70191 Stuttgart, Germany

Phone: +49 711 615541-0
Email: poststelle@lfdi.bwl.de
Website: www.baden-wuerttemberg.datenschutz.de

Legal Bases Index

The short references [1]–[9] used in this Privacy Policy refer to the following legal bases of the GDPR: