Privacy

The protection of personal data and the responsible handling of the information you entrust to us are of great and special importance to us. In this privacy policy, we inform you about the processing of personal data by the Indicium Group.

1. Responsible Entity

If you have entered into a contract with Indicium Technologies GmbH or have given consent to this company, the entity responsible under data protection law is

Indicium Technologies GmbH
Große Johannisstraße 7
D-20095 Hamburg.

Contact: 040 / 5936173019

In all other instances where you use services of the Indicium Group directly, and not through your employer or client, especially when using the website www.indicium.ag, the responsible entity under data protection law is

Indicium Technologies AG
Rothusstraße 21
CH-6331 Hünenberg.

(hereinafter both referred to as "Indicium").

We operate the Indicium Digital Analyst (IDA) software (“Software”) also on behalf of companies that utilize the software's functionalities to conduct background checks. If you use the software as an employee or service provider of such a company, your employer or client is responsible under data protection law. Please inform yourself in this case about the processing of your personal data by your employer or client.

2. Data Protection Officer

Indicium's data protection officer is Mr. Nabil el Berr.

3. Rights of the Data Subject

As a data subject of processing by Indicium, you have the following rights under the respective legal prerequisites:

The right to confirmation of whether we process your personal data (Art. 15 GDPR).

The right to access your personal data processed by us and to obtain a data copy (Art. 15 GDPR).

The right to rectification if your personal data is incorrect (Art. 16 GDPR).

The right to erasure of your personal data (Art. 17 GDPR).

The right to restriction (blocking) of your personal data (Art. 18 GDPR).

The right to data portability (Art. 20 GDPR).

In cases where your personal data is processed based on Art. 6 para. 1 lit. e or f GDPR, you may also object to the respective processing under the conditions of Art. 21 para. 1 GDPR. The processing of your personal data for direct marketing purposes can be objected to at any time and without any given reason, with future effect

(Art. 21 para. 2 GDPR). If the processing is based on your consent (Art. 6 para. 1 lit. a GDPR, Art. 9 para. 2 lit. a GDPR), you can revoke your consent at any time with future effect (Art. 7 para. 3 GDPR). You also have the right to contact the relevant data protection supervisory authority (Art. 77 GDPR). If you have questions or complaints regarding data protection at Indicium or wish to exercise one of your data subject rights, you can contact our data protection officer at any time using the aforementioned contact details.

4. Storage Duration and Deletion of Your Personal Data

We delete your personal data as soon as its processing is no longer required for the purposes explained in this privacy policy; unless there are compelling legitimate grounds from Indicium against deletion in case of an objection (Art. 21 para. 1 GDPR), or if there is no other legal basis for processing in case of consent withdrawal.

If and as long as statutory retention obligations prevent deletion, we restrict the processing of your data for this archiving purpose (so-called data blocking) and delete your data at the end of the retention period. Typical retention periods under German commercial and tax law are six years from the end of the year for business correspondence (including emails) and ten years from the end of the year for accounting-relevant data.

5. Recipients of Personal Data

We may transfer your personal data for the purposes explained in this privacy policy to service providers we commission based on processing agreements (Art. 28 GDPR) with specific, purpose-related data processing (e.g., hosting, IT support).

6. Data Transfers to Third Countries

We may transfer your personal data to recipients in countries outside the European Union and the European Economic Area, particularly Switzerland and the USA. Adequacy decisions exist for Switzerland and the USA (EU-US Data Privacy Framework (DPF)) (Art. 45 GDPR). If there is no adequacy decision or an adequacy decision does not apply (e.g., because of lack of certification of the data importer in the USA), we agree with the recipient in the third country on the standard contractual clauses (SCC) and, if necessary, additional measures to ensure an adequate level of data protection.

7. Data Processing for General Use of Our Website

When you visit the Indicium website, we collect and process internet connection data (see a) below) as well as certain stored telemedia and usage data on your device's browser (see b) below).

a. Internet Connection Data

When you access Indicium websites, we process the internet connection data your browser automatically transmits to our server. These data include your IP address and other usage data (e.g., date and time of access,

name of the accessed page, the amount of transferred data, and the requesting provider). We need this information to enable you to use our website, for example, by adapting the website to the technical requirements of your device.

These internet connection data can also be personal data. The legal basis for this data processing is our legitimate interest in ensuring the security and usability of our website (Art. 6 para. 1 lit. f GDPR).

b. Cookies

We use cookies on the Indicium website. Cookies are text files stored by the browser on your device. These files can store user-related pseudonymous data, which can then be retrieved. In certain cases, information on your device is stored or accessed already stored information, which is necessary for us to provide you with the software on our website for use (“Necessary Cookies”).

Access to your device in these cases occurs within the application area of the German TTDSG based on § 25 para. 2 no. 2 TTDSG. As far as these have a personal reference and are further processed by us in our IT systems, the legal basis for this data processing is our legitimate interest in providing our website and ensuring data security (Art. 6 para. 1 f GDPR). If you are already registered on one of our websites and the data processing is for fulfilling a contract, the legal basis is Art. 6 para. 1 b GDPR.

Furthermore, we use cookies and tracking technologies for analysis and marketing purposes – provided you have given your express consent (e.g., for assessing the success of advertisements or technical inclusion via the Google Tag Manager). The processing of your data in these cases is based on Art. 6 para. 1 a GDPR, as well as § 25 para. 1 TTDSG. You can revoke your consent at any time with effect for the future in the cookie settings.

Use of Microsoft Clarity

We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website. This is done using behavioral metrics, heatmaps, and session replays to enhance and market our products and services.

Website usage data is collected using cookies (first and third party) and other tracking technologies to gauge the popularity of products/services and online activities. Additionally, we use this information for website optimization, fraud/security purposes, and advertising.

Legal basis: The processing of your data occurs solely based on your consent per Art. 6 para. 1 a GDPR. You can revoke your consent at any time in the cookie settings.

Further information and the purpose and storage duration of our deployed cookies can be found in the Cookie Policy.

8. “Self-Test” Software Indicium Digital Analyst (IDA).

As a user, you can test the Indicium Digital Analyst (IDA) software (“Software”) for commercial purposes using your data as part of a “Self-Check”. The software is an Open Source Intelligence Tool (OSINT). With the software, background checks are conducted on the user. For this purpose, the user enters their name, birthdate, and potentially

other data from their resume into the software. The software searches worldwide internet sources based on the entered user data and provides the user with the findings in a consolidated report. The searched sources may include, among others:

Results from general internet searches (e.g., using Google or Bing); Press releases; Credit reference agencies (e.g., LexisNexis) Public registers (e.g., commercial and insolvency registers); Government sanction lists of the EU, EU member states, and those of third-party countries (e.g., the USA); Professional social platforms (e.g., LinkedIn, Xing) Personal social platforms (e.g., Facebook, Instagram)

Any of the user's personal data may be subject to processing in the “Self-Check”. It is not excluded that special personal data as defined by Art. 9 para. 1 of the General Data Protection Regulation (e.g., regarding political opinions, religious or philosophical beliefs, or

trade union membership) may be collected and provided to the user through the report if the user has published this data online

If you wish to conduct the Self-Check, you must register. We first collect your email address and send you a confirmation email with a confirmation link that you must click to complete the registration; Additionally, a two-factor authentication mechanism must be set up.

The legal basis of the “Self-Check” is your consent as a user (Art. 6 para. 1 lit. a GDPR, Art. 9 para. 2 lit. a GDPR). You can revoke your consent at any time with effect for the future (Art. 7 para. 3 GDPR).

9. User Account Registration

As part of your registration for a user account, we collect and process your name, company data, email address, and the password you set up, as prescribed. If there's a contract with the user, the legal basis for this data processing is the initiation and fulfillment of the user agreement (Art. 6 para. 1 b GDPR). If you register as a representative, contact person, or employee of a company that is our customer or business partner, the legal basis for processing in this case is our legitimate interest in initiating or executing the respective contractual relationship (Art. 6 para. 1 f GDPR).

10. Newsletter and Email Advertising

If you would like to receive our newsletter and register for it, we first collect your email address and send you a confirmation email with a confirmation link you must click to subscribe to our newsletter. We then inform you through the newsletter about products and services of the Indicium Group, particularly the Indicium Digital Analyst (IDA) software.

We process your data for this purpose based solely on your consent (Art. 6 para. 1 a GDPR). You can revoke your consent to the newsletter at any time with effect for the future. You will find a link to withdraw your consent to receive the newsletter in every email. The contact details for consent withdrawal can also be found in section 1.

11. Contact / Contact Form

When contacting us (e.g., via the contact form on the website or email), personal data is processed solely for the purpose of handling and responding to your request and only to the necessary extent, particularly name, first name, email, phone number, company, and position. The legal basis for processing this data is our legitimate interest in responding to your request and assessing whether it is a professional inquiry. (Art. 6 para. 1 f GDPR).

12. No Automated Individual Decision-Making

We do not make decisions that are based solely on automated processing of your data and have a legal effect on you or significantly affect you in a similar way (Art. 22 GDPR).

13. Amendment of Privacy Policy

New legal requirements, corporate decisions, or technological developments may necessitate changes in this privacy policy. The privacy policy will then be adjusted accordingly. You can always find the current version on our website.