TRUSC Platform
Privacy Policy
last changed 25.03.2025, V2.0
Person responsible for data processing
The controller within the meaning of Art. 4 (1) of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and national data protection laws as well as the provider within the meaning of the Telecommunications Digital Services Data Protection Act (TDDDG) is
Trusc GmbH
Lübecker Str. 89
23843 Bad Oldesloe
E-mail: info@trusc.com
Managing directors: Michael Frautz, Wolfram Felber
Fur further details, see the imprint.
Contact details of the data protection officer
The data protection officer of Trusc GmbH is:
Oscar Nissen (NNW Consulting GmbH)
Lübecker Straße 89
D-23843 Bad Oldesloe
E-mail: privacy_infosec@trusc.com
You can contact our data protection officer directly at any time with any questions or concerns relating to data protection.
1. Introduction
The protection of your personal data is a high priority for us. This privacy policy informs you about how we collect and process your personal data. We always act in a sincere effort to strictly comply with the applicable data protection laws, in particular the General Data Protection Regulation (GDPR) and other applicable laws, e. g. the German Telecommunications Digital Services Data Protection Act (TDDDG).
2. What data we collect and why
a) When registering on the platform
If you apply for a user account on the platform and enter information in the form fields provided by us (customer data) and/or upload documents, this information provided by you will be stored by us in a user account of the company for which you are acting in order to enable you or the company for which the registration was made to use the platform as a seller, buyer and/or service provider. For this purpose, we require the requested information about the company for which you are acting and, in this context, also individual personal data relating to you or other persons from the company, in particular the persons acting on the platform or the persons authorized to represent the company.
The legal basis for processing is therefore Article 6(1)(b) or (f) GDPR. As far as the personal data of the persons acting for the companies on the platform are concerned, we pursue our legitimate interest in the processing to be able to fulfill the contractual relationship between us and the company for which you and other persons act and the interest of the companies for which you and/or others act, which in turn typically processes the personal data of the persons acting for them on the basis of an employment contract.
The information collected and stored will be deleted after termination of the contractual relationship within the legally stipulated periods.
b) When using the platform
When using the platform, a range of data and information is collected by our systems each time it is accessed. This includes in particular the metadata transmitted to our server for technical reasons, such as the IP address assigned to your end device, information about the end devices and browsers used to access the platform and their respective configuration, such as operating system and version, screen resolution, preferred language setting, installed plug-ins, etc. (information that is proactively transmitted from the client to the respective server during an initial http-request, so-called browser fingerprint).
Some of the aforementioned information is only processed temporary, insofar as it is necessary to be able to deliver the platform operated by us and requested by you in a technically correct manner (e.g. preferred language, screen resolution, browser/version). Other information is stored in the server log files for up to 7 days and possibly longer, such as the IP address used when accessing the website. In addition to the initial processing, any subsequent storage and processing of this information is necessary to ensure the long-term functionality of our information technology systems, e.g. by detecting and then defending against attacks on our systems (e.g. blocking IP addresses to prevent DDOS attacks). In addition, this information is used to provide law enforcement authorities with the information necessary for prosecution in the event of an attack or to pursue own legal interests on the basis of the documented information.
Accordingly, we process this data on the basis of Art. 6 (1) (b) (f) and (c) GDPR (partly in conjunction with Art. 32 GDPR) and on the basis of the exception from Section 25 (2) TDDDG.
Further information about the use of the platform is stored and linked to the respective user account in order to be able to provide the service offered by the platform of documenting all user interactions in the context of sales initiation and processing. Furthermore, this data is evaluated in pseudonymized, partially aggregated and partially anonymized form in order to continuously improve the processes offered on the platform. In addition, the storage of user interactions is intended to ensure that it is possible to verify in individual cases whether the behavior of users is in line with the principles and terms of use of the platform.
The data processed in this way includes, in particular, usage data, i.e. information about how users interact with the platform, such as pages viewed, length of stay, click behavior, activation of interaction fields, entries in text fields (but not the content of the entry), termination of a session, etc.
Since the platform aims to digitize the industry-standard processes of buying and selling used hardware, as well as offer and communication processes related to industry-standard services, and to continuously improve these processes in terms of usability, the processing of the above-mentioned usage data is necessary for this purpose in order to provide the platform’s service that has been offered and explicitly requested by users. Accordingly, we process this data on the basis of Art. 6(1)(b) and (f) GDPR and on the basis of the exception from Section 25(2) TDDDG.
For these purposes, we use a web analysis tool and a so-called tag manager from Matomo. We host Matomo on our servers, which means that personal data relating to you is not passed on to Matomo. Further information about Matomo itself can be found here: https://matomo.org/gdpr-analytics/
c) When contacting Customer Care
When contacting the platform’s Customer Care, the information from the inquiry form is processed and stored by us for the purpose of processing the inquiry and in the event of follow-up questions.
The processing in this regard is carried out on the basis of Art. 6 (1) (b) or (f) GDPR.
Deletion takes place after termination of the contractual relationship within the legally stipulated periods.
3. Recipients
The recipients of the personal data concerning you are primarily other users of the platform. They will only receive the information concerning you together with the information of the company for which you are acting in cases where the initiation of a business relationship requires the transmission of this information.
Data will only be passed on to other third parties if this is required by law or on the basis of your prior consent to be obtained in individual cases. Under these conditions, recipients of personal data may be, in particular, public bodies and institutions (e.g. supervisory authorities or tax authorities) in the event of a legal or official obligation or those recipients that we have specified in the context of your consent to the processing of personal data concerning you.
Disclosure in the above-mentioned cases then takes place on the basis of Art. 6 (1) (c) or (f) GDPR in conjunction with the respective special legal regulations or a corresponding official order or – in the case of prior consent – on the basis of Art. 6 (1) (a) GDPR.
Within the framework of existing controller-processor-relationships (see Art. 28 GDPR), processors acting on behalf of us sometimes receive access to your personal data or to parts of our systems on which your personal data is stored. However, processor may only process your personal data within the limits of the respective controller-processor-agreement. Processing by the processors for their own purposes is not permitted and would result in a violation of the GDPR.
The service providers with whom we work on the basis of a controller-processor-agreement include hosting providers and other service providers. These are currently the following:
a) Hosting at Hetzner Online GmbH
The Trusc platform is hosted by Hetzner Online GmbH (Hetzner). Hetzner offers us the technical requirements to provide our platform securely and efficiently. This includes the storage and processing of user data on Hetzner’s servers. This includes IP addresses, which are required to access the platform, as well as other technical information required for the operation of the site (see above under 2.).
Legal basis:
The processing of data by Hetzner on our behalf is carried out on the basis of Art. 6 (1) (b), (c) and (f) GDPR, as it is necessary for the provision and secure operation of our platform.
Server location and data security:
The Hetzner servers we use are located within the European Union. In the existing contract processing relationship with us, Hetzner has undertaken to use state-of-the-art security measures to protect the processed data from unauthorized access, loss or destruction. All data is processed exclusively in highly secure data centers that are protected by state-of-the-art firewalls and encryption technologies.
Data transfer to third parties:
Hetzner processes data exclusively within the limits of our controller-processor-agreement and does not disclose personal data to third parties unless this is required by law.
Storage duration:
The log files, which contain technical data such as IP addresses, are stored for a maximum of 7 days and then deleted, provided that no security-relevant events occur or contractually guaranteed documentation of certain events is required, which would require a longer storage period.
Further information about our service provider can be found here: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/#auftragsverarbeitung
Darüber hinaus kann im Einzelfall eine Datenweitergabe an externe Personen (z. B. Rechtsanwälte) dann erfolgen, wenn dies zur Durchsetzung eigener rechtlicher Interessen oder den Interessen eines Dritten erforderlich ist, sofern nicht die Interessen oder Grundrechte und Grundfreiheiten der betroffenen Person, die den Schutz personenbezogener Daten erfordern, überwiegen.
Eine Weitergabe in solchen Fällen erfolgt dann auf Grundlage des Art. 6 Abs. 1 Buchst. f DSGVO.
b) Other Recipients
In addition, data may be passed on to external persons (e.g. lawyers) in individual cases if this is necessary to enforce our own legal interests or the interests of a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail.
Disclosure in such cases is carried out on the basis of Art. 6 (1) (f) GDPR.
4. Cookies used
Our website only uses cookies that are necessary to deliver the platform in a technically correct manner and/or to serve the purposes of contract performance, IT security and product optimization described above under 2. The setting and reading of information from the end devices you use is carried out accordingly on the basis of Section 25 (2) No. 2 TDDDG, any subsequent processing that may take place is based on Section 6 (1) (b) and (f) GDPR.
Currently used cookies and runtimes:
| Purpose | Designation | Storage duration |
| Cookie from Matomo to generate a UID | _pk_id | 13 months |
| Cookie from Matomo to be able to assign the information from a referrer | _pk_ref | 6 months |
| Cookie from Matomo to temporarily store information about the respective session | _pk_ses | 30 minutes |
| Cookie from Hetzner for load balancing | HCLBSTICKY | Session |
| Cookie to enable continued use during a session on the platform | PHPSESSID | Session |
5. Data storage and deletion
Trusc GmbH processes and stores personal data of data subjects only for the time necessary to achieve the purpose of the respective processing or if this is required by European or national legislation to which Trusc GmbH is subject to.
Where necessary, we process and store your personal data for the duration of our business relationship, which includes the initiation and execution of a contract.
In addition, we are subject to various retention and documentation obligations, which arise in particular from the German Commercial Code (Handelssgesetzbuch – HGB) and the German Fiscal Code (Abgabenordnung – AO). The retention and documentation periods specified there are up to ten years.
Finally, the storage period is also determined by the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), are generally three years, but in certain cases can be up to thirty years.
If the storage purpose no longer applies or if a storage period prescribed by European or national legislation expires, the personal data will be routinely restricted in its processing or deleted in accordance with the statutory provisions.
Automated decision-making or profiling within the meaning of Art. 22 GDPR does not take place.
6. Safety of processing
Trusc GmbH implements technical and organizational security measures in accordance with Art. 32 GDPR to protect your personal data against destruction, loss or alteration, whether accidental or unlawful, or unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed. This includes, in particular, encryption of portal access using standard, state-of-the-art procedures.
Trusc GmbH has also implemented a procedure for the regular review, assessment and evaluation of the effectiveness of the technical and organizational measures taken in order to be able to continuously improve our security measures in line with technological developments.
In addition, Trusc GmbH has set up an information security management system in accordance with ISO 27001 and has had this certified.
7. Changes to this privacy policy
We will update this privacy policy when necessary. You will always find a link to the current version, stating the version number and the date of application, on the homepage of the platform
8. Data subjects rights
You have the following rights as a data subject:
– Right of access pursuant to Art. 15 GDPR
– Right to rectification pursuant to Art. 16 GDPR
– Right to erasure (“right to be forgotten”) pursuant to Art. 17 GDPR
– Right to restriction of processing pursuant to Art. 18 GDPR
– Right to data portability pursuant to Art. 20 GDPR
– Right to object pursuant to Art. 21 GDPR
If we process data to protect our legitimate interests, you have the right to object to this processing at any time on grounds relating to your particular situation. The objection applies with effect for the future.
With regard to the right to information under Art. 15 GDPR and the right to erasure under Art. 17 GDPR, the restrictions under Sections 34 and 35 BDSG apply.
To exercise your rights, you can contact our data protection officer or Trusc GmbH at any time using the details provided above.
In addition, you have the right to lodge a complaint with a data protection supervisory authority (pursuant to Art. 77 GDPR in conjunction with Section 19 BDSG).
The respective competent data protection supervisory authority is:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein/
Independent State Center for Data Protection Schleswig-Holstein
Holstenstraße 98
24103 Kiel
Telefon: +49 431 988-1200
mail@datenschutzzentrum.de
9. Contact
If you have any questions about exercising your data subjects rights, you can contact the data protection officer listed above or our Customer Care at customer-care@trusc.com
last changed 25.03.2025, V2.0
Let us hear from you!
Do you have any questions or would you like to find out more about TRUSC? We are here for you and look forward to contact with you!
Note: The data provided in the contact form will be processed for the purpose of handling your request and further communication in accordance with Art. 6 para. 1 lit. a GDPR. Further information concerning data processing can be found in our privacy policy.