Privacy Policy
We are pleased about your interest in our website. Protecting your privacy when processing personal data as well as the security of all business data is important to us and is taken into account in our business processes. Below we provide detailed information about how we handle your data.
§ 1 General information about the collection of personal data in connection with visiting our website
(1) The following provides information on the collection of personal data when you use our website. Personal data means all data relating to you personally, e.g., name, address, email addresses, user behavior. Please note that data transmission on the internet (e.g., when communicating by email) may have security gaps. It is not possible to completely protect data from access by third parties.
(2) The data controller in accordance with EU General Data Protection Regulation (GDPR) Art. 4 (7) is
BioSpring Gesellschaft für Biotechnologie mbH
Alt-Fechenheim 34
60386 Frankfurt am Main
Phone: +49 69 6605500 0
e-mail: info@biospring.de
You can reach our data protection officer at datenschutz@biospring.de or our postal address with the addition "Der Datenschutzbeauftragte".
(3) This website is hosted by an external service provider (host). The personal data collected on this website is stored on the host’s servers. This may include, in particular, IP addresses, contact requests, metadata and communication data, contract data, contact details, names, website access data, and other data generated via a website. The use of the hoster is for the purpose of fulfilling contracts with our potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of a secure, fast, and efficient provision of our online offering by a professional provider (Art. 6(1)(f) GDPR). Where consent has been requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25(1) TDDDG, insofar as consent encompasses the storage of cookies or access to information on the user’s device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent may be withdrawn at any time. Our host will only process your data to the extent necessary to fulfill its service obligations and will follow our instructions regarding this data.
We use the following host:
HubSpot Ireland Ltd.
HubSpot House
One Sir Jon Rogerson’s Quay
Dublin 2
Ireland
We have concluded a data processing agreement (DPA) with the website host. This is a contract required by data protection law which ensures that the personal data of our website visitors is processed only according to our instructions and in compliance with the GDPR.
(4) Unless a more specific storage period is specified in this privacy policy, your personal data remains with us until the purpose for data processing no longer applies. If you assert a legitimate deletion request or revoke your consent to data processing, your data will be deleted unless we have other legally permissible grounds for storing your personal data (e.g., retention periods under tax or commercial law); in the latter case, deletion takes place after these reasons no longer apply.
(5) If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR and, where special categories of data pursuant to Art. 9(1) GDPR are processed, on the basis of Art. 9(2)(a) GDPR. In the case of an explicit consent to transfer personal data to third countries, processing also takes place on the basis of Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or to access information on your device (e.g., via device fingerprinting), processing also takes place on the basis of § 25(1) TDDDG. Consent may be withdrawn at any time. If your data is required to fulfill a contract or to carry out pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, we process your data if necessary to fulfill a legal obligation on the basis of Art. 6(1)(c) GDPR. Data processing may also be based on our legitimate interests pursuant to Art. 6(1)(f) GDPR. The applicable legal basis in each individual case is set out in the following sections of this privacy policy.
(6) We also use tools from companies based in the USA or other third countries that are not considered safe under data protection law. If these tools are active, your personal data may be transferred to these third countries and processed there. We point out that no level of data protection comparable to that of the EU can be guaranteed in these countries. For example, US companies are obliged to surrender personal data to security authorities without the possibility for you, as the data subject, to take legal action. It can therefore not be ruled out that US authorities (e.g., intelligence services) process, evaluate, and permanently store your data located on US servers for monitoring purposes. We have no influence on these processing activities.
§ 2 Your rights
(1) Below we inform you about your rights as a data subject in accordance with Art. 15 et seq. GDPR. You can exercise these rights at any time by contacting us directly. If you assert these rights against us, we will examine them in detail, taking into account the legal requirements and obligations associated with them. We may need additional information from you for this purpose. We will explain the results of our review and how we will comply with your request in detail. It is possible that we may not fully comply with your wishes in the exact manner you desire. This should not deter you from asserting your rights or asking us questions about them. We will gladly answer all your queries.
(2) Right of access
You have the right to request information at any time about whether and which data concerning your person we process. This also includes information about the purposes of processing, any recipients to whom we have disclosed your data, the planned storage period, and, where applicable, information on the source of this data, if we did not collect it directly from you. In addition, you have the right to one free copy of your personal data stored with us. For the creation of further copies, we reserve the right to charge a reasonable administrative fee.
(3) Right to rectification
You have the right to obtain the rectification of inaccurate data concerning you that we have stored. This also includes the right to have incomplete personal data completed.
(4) Right to erasure
You have the right to obtain the deletion of data concerning you that we have stored. If we have published data about you, this also includes our obligation, within the framework of the “right to be forgotten” pursuant to Art. 17(2) GDPR, taking into account available technology and implementation costs, to forward your deletion request regarding all links to this data as well as copies or replications of this data to other controllers processing such published personal data.
(5) Right to restriction of processing
You have the right to obtain the restriction of processing of data concerning you that we have stored. Thereafter, such data may only be processed with your consent or for a few legally defined purposes.
(6) Right to object of processing
Insofar as we base the processing of your personal data on the weighing of interests, you can object to the processing. This is the case if the processing is in particular not necessary for the fulfilment of a contract with you, which is described by us in the following description of the functions. In the event of such an objection, we request that you explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the facts of the case and will either stop or adapt the data processing or show you our compelling reasons worthy of protection on the basis of which we will continue the processing.
(7) Right of withdraw a consent
If you have given your consent to process your data, you can withdraw it at any time. Such a withdrawal influences the permissibility of processing your personal data after you have given it to us.
(8) Right to data portability
You have the right to receive from us personal data relating to you which you have provided to us in a structured, common and machine-readable format for the purpose of transfer to another responsible party. At your request and taking into account the available technical possibilities, this also includes the direct transfer from us to the other responsible party.
(9) Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint at any time with a data protection supervisory authority regarding our processing of data concerning you.
§ 3 Collection of personal data when visiting our website
(1) When using the website for informational purposes only, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser sends to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website and to ensure its stability and security (the legal basis for this is GDPR Art. 6 (1) (f))
- IP address
- Host name
- Date and time of the request
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (page)
- Access status/HTTP status code
- Amount of data transferred in each case
- Website from which the request comes (referrer)
- The specific pages of our website that you call up
- Browser: Type, version and set language
- Operating system: type and version
- With JavaScript enabled as well:
- Screen resolution
- Colour depth
- Size of the browser window
- Installed Browser Plugins
(2) Use of cookies and other storage technologies:
Cookies are small text files stored on your device and associated with the browser you use. Websites can also place HTML5 storage objects on your device. In both cases, information is stored and read out again. This can serve very different purposes, but no programs can be executed or malware transmitted thereby.
a) This website sets the elements listed below on your device, directly or via external sources. Through our consent tool, which you can access via the button at the beginning of these privacy notices, you can grant and withdraw consent for certain elements or categories of elements. The legal basis for using these elements is your consent pursuant to Art. 6(1) sentence 1(a) GDPR and § 25(1) TDDDG. The legal basis for the use of other elements is generally our legitimate interest in operating our website due to technical necessity pursuant to Art. 6(1) sentence 1(f) GDPR in conjunction with § 25(2) TDDDG. If a different legal basis applies in an individual case, you will be informed in the description of the respective functionality to which an element is assigned.
| Name | Type | Purpose / source | Lifetime |
| [unique alphanumeric string] | Cookie Technically required |
Used for the technical management of the website during the current session.. Set by biospring.de. | End of session |
| T3D, tADe, tADu, tAE, tC, tMQ, tnsApp, tPL, tTDe, tTDu, tTE, tTf | HTML5 storage objects Technically required | Used for the correct display and presentation of contents in connection with controls for scrolling through partial contents of web pages.Set by biospring.de.; | Unlimited |
b) You can configure your browser settings according to your wishes and, for example, refuse third-party cookies or all cookies. We generally recommend deleting cookies, browser history, and other temporary web storage objects automatically or regularly to enhance the protection of your privacy.
§ 4 Further functions and offers of our website
(1) In addition to purely informational use of our website, we offer various services that you can use if interested. You will generally need to provide additional personal data, which we use to provide the respective service and to which the aforementioned principles of data processing apply. Mandatory fields are marked with an asterisk. Information not marked in this way is purely voluntary.
(2) When you contact us by email or via a contact form, we store your email address and other data you provide to answer your inquiry. If a business relationship exists between you and us or is established as a result of your inquiry, we store this data for the duration of our business relationship. Otherwise, we delete this data once storage is no longer necessary for the complete processing of your inquiry. If legal retention obligations prevent deletion, we restrict processing for their duration and delete thereafter. Please observe the mandatory field markings as described in para. 1 when contacting us via a contact form to avoid transmitting unnecessary personal data. By submitting the contact form or your email, you consent to our processing of the data you have transmitted in the manner described above (legal basis: Art. 6(1) sentence 1(a) GDPR).
(3) We sometimes use external service providers to process your data. These have been carefully selected and commissioned by us, and we have concluded agreements to protect your data to the extent required by data protection law.
§ 5 Provision of personal data due to legal or contractual obligations of the controller or the data subject
If you wish to apply for a position in our company via our website, it is necessary that you provide the usual application documents so that we can assess your potential suitability in an initial evaluation. If you do not provide sufficient information, we may not be able to consider you appropriately in our selection process, which may result in rejection of your application.
Below we provide detailed information about the special forms of use employed on our website, email-based information services, tracking and analytics tools, social media offerings, and other third-party services.
Special forms of use
1. Use of our application portal
(1) On our website you can apply online for positions or apprenticeships offered by us, as well as submit speculative applications. In the course of the online application, you provide us with personal data. It is especially important to us to handle your personal data confidentially during the application process. We therefore naturally treat all personal data entrusted to us strictly confidentially and responsibly, in compliance with applicable data protection regulations. We use technical and organizational security measures to protect your personal data against accidental or deliberate manipulation, loss, destruction, or access by unauthorized persons. When personal data is collected and processed, it is transmitted in TLS-encrypted form to prevent misuse by third parties.
(2) In connection with the application portal, we use Microsoft services. For this purpose, you will be redirected to our website hosted at Microsoft’s Power Apps portal for this purpose. We have carefully selected this service provider and concluded a data processing agreement. The provider is also obligated to comply with data protection rules and our instructions. The data you enter here and attached documents as well as all processing steps associated with your application are securely stored on a server of this provider within the EU. Only authorized persons have access to the data stored with the service provider. Further information on data protection at Microsoft is available at https://www.microsoft.com/de-de/trust-center/privacy.
(3) For all further data protection information regarding the processing of your personal data in connection with your application, please refer to our “Privacy Notice for Applicants.” Please read this information before submitting your application.
2. Download of product documentation
(1) We offer the option to download product documentation on our site. For this, you must complete the required fields marked as mandatory and subscribe to our newsletter. The legal basis is your consent pursuant to Art. 6(1)(a) GDPR. This consent is voluntary and can be withdrawn at any time with effect for the future.
Email- and messenger-based as well as other information services
1. Newsletter
(1) With your consent you can subscribe to our newsletter, with which we inform you about our current interesting offers. The goods and services advertised are specified in the declaration of consent. Your consent constitutes the legal basis pursuant to Art. 6(1) sentence 1(a) GDPR for all processing of personal data connected with our newsletter.
(2) We use the double-opt-in procedure for newsletter registration. This means that after you register, we will send an email to the specified address asking you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 1 week, your information will be deleted automatically. We also store your IP addresses and the times of registration and confirmation. The purpose is to be able to prove your registration and, if necessary, clarify possible misuse of your personal data.
(3) The only mandatory information for sending the newsletter is your email address. The provision of further, separately marked data is voluntary and is used to address you personally. After your confirmation we process this data for the purpose of sending the newsletter. Legal basis is Art. 6(1) sentence 1(a) GDPR.
(4) You can withdraw your consent to receive the newsletter at any time and unsubscribe. You can declare withdrawal by clicking the link provided in every newsletter email or by sending an email to unsubscribe@biospring.de.
(5) Please note that your consent also extends to the evaluation of your user behavior associated with the newsletter dispatch and carried out by us. For this evaluation, the emails sent contain so-called web beacons or tracking pixels (one-pixel image files) stored on our website. For the analyses we link the data mentioned in §3(1) and the web beacons with your email address and an individual ID. The data is collected exclusively in pseudonymized form, i.e., the IDs are not linked with your other personal data; direct personal reference is excluded.
The information is stored as long as you are subscribed to the newsletter. After unsubscribing we store the data in purely statistical and anonymous form. Such tracking is not possible if you have disabled the display of images by default in your email program. In that case, the newsletter will not be fully displayed and you may not be able to use all functions. If you manually display the images, the tracking described above will occur.
(6) We use HubSpot services for sending the newsletter. This newsletter system is connected to our HubSpot CRM system, which may result in links being made where a personal reference is known. Provider: HubSpot Ireland Ltd., HubSpot House, One Sir Jon Rogerson’s Quay, Dublin 2, Ireland. HubSpot Ireland Ltd. is a subsidiary of HubSpot, Inc., Two Canal Park, Cambridge, MA 02141, USA. We have carefully selected this provider and concluded a DPA. The data required for sending the newsletter is securely stored on a server of this provider within the EU. Only authorized persons have access to the data stored with the provider. Further information can be obtained directly from the provider or found in the company’s privacy notices: https://legal.hubspot.com/de/privacy-policy. More information on data analysis by HubSpot newsletters: https://knowledge.hubspot.com/de/marketing-email/analyze-your-marketing-email-campaign-performance.
Web analytics
Unless another legal basis is set out in the explanations for the respective web analytics tool, the legal basis for all tools mentioned in this section is Art. 6(1) sentence 1(a) GDPR and § 25(1) TDDDG, i.e., your consent given via our consent tool. If you did not grant consent there, the tools listed in this section are not used. You can withdraw your consent at any time by changing your selection in our consent tool.
1. Use of Google Analytics
(1) This website uses Google Analytics, a web analytics service of Google Inc. (“Google”). Google Analytics uses “cookies”, text files stored on your computer, enabling analysis of your use of the website. The information generated by the cookie about your use of this website is usually transmitted to and stored on a Google server in the USA. If IP anonymization is activated on this website, your IP address will first be shortened by Google within member states of the EU or other parties to the Agreement on the EEA. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, compile reports on website activity, and provide other services relating to website and internet usage.
(2) In addition to opting out of analytics cookies in our consent tool, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google and the processing of this data by Google by downloading and installing the browser plug-in available at: https://tools.google.com/dlpage/gaoptout?hl=de.
(3) This website uses Google Analytics with IP anonymization. IP addresses are thus further processed in shortened form; a direct personal reference can be excluded.
(4) This website also uses Google Signals. Google provides cross-device reports and user group reports based on different device combinations. Google uses data of users logged into their Google account who have activated “personalized advertising”. Note this option is enabled by default (opt-out model) and must be deactivated if you do not want personalized advertising. Google Signals is only used with IP anonymization. We cannot draw conclusions about individual identities. For Google, cross-device tracking is possible if you are logged in to your Google account. According to our information, Google stores these data for 26 months. You can object by disabling “personalized advertising” in your Google account: https://support.google.com/ads/answer/2662922?hl=de.
(5) This website also uses Google Analytics for cross-device analysis via a user ID (“Universal Analytics”). The user ID is a pseudonym and is not merged with personal data by us or Google. A prerequisite is that you are logged into your [Company] account. If you install the opt-out plug-in described in para. 3, your access to our website can no longer be tracked across devices. You must do this on every device and for every browser you use.
(6) For data transfers to unsafe third countries, Google relies on the EU-US Data Privacy Framework and the EU Commission’s Standard Contractual Clauses. Details: https://policies.google.com/privacy/frameworks?hl=de.
(7) Third-party information: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland
General privacy information: https://www.google.de/intl/de/policies/privacy and https://www.google.com/policies/privacy/partners/?hl=de
Specific Google Analytics privacy info: https://support.google.com/analytics/answer/6004245?hl=de&ref_topic=2919631
2. Use of HubSpot tracking and analytics
(1) We use a HubSpot module to capture and analyze user behavior on our website. It is connected to our HubSpot CRM system; where personal reference is known, corresponding links may be made. Provider: HubSpot Ireland Ltd., HubSpot House, One Sir Jon Rogerson’s Quay, Dublin 2, Ireland (subsidiary of HubSpot, Inc., USA).
(2) HubSpot uses technologies that allow user recognition for analyzing user behavior (e.g., cookies). Your personal data is stored on HubSpot servers within the EU.
(3) We have concluded a DPA with this provider. This ensures processing of our website visitors’ personal data only in accordance with our instructions and the GDPR.
(4) Further information on privacy at HubSpot: https://legal.hubspot.com/de/privacy-policy. More on HubSpot website traffic analytics: https://knowledge.hubspot.com/de/reports/analyze-your-site-traffic-with-the-traffic-analytics-tool.
Social media and other third party services
1. Social media
(1) We currently do not use any plug-ins from social media providers on our website, but have only set links to our presence on the following social media providers: LinkedIn, Instagram. The mere existence of these links does not result in the transmission of personal data to the respective provider. Only if you click on the link, which you can recognise by the respective social media icon, and thereby call up our page hosted by the respective provider, does the provider become aware of this.
(2) Addresses of the relevant social media providers and URL with their data protection notices:
a) Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; https://www.facebook.com/about/privacy; more info on data collection and privacy settings: https://www.facebook.com/help/1075880512458213/, https://www.facebook.com/help/186325668085084, https://m.facebook.com/help/238318146535333
b) LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland; https://www.linkedin.com/legal/privacy-policy
2. Embedding Google reCAPTCHA
(1) We use Google reCAPTCHA on this website to prevent misuse of our contact forms by bots. Legal basis: our legitimate interest under Art. 6(1) sentence 1(f) GDPR.
(2) The Google reCAPTCHA plug-in distinguishes between bots (automated programs) and humans. You must either complete inputs the current state of the art assumes bots cannot perform, or your interaction with our website is analyzed by an algorithm. Your inputs or interactions are transmitted to Google and evaluated. The plug-in then returns whether you are likely a human or a bot so our site can react accordingly. The data listed in §3(1) is also transmitted to Google, even if you do not use the reCAPTCHA plug-in. This occurs regardless of whether Google provides a user account you are logged into. If you are logged in to Google, the data is assigned directly to your account. If you do not want this association, you must log out before accessing the subpage. Google stores your data as usage profiles and uses them for advertising, market research, and/or to tailor its website. Such evaluation (even for users who are not logged in) serves to provide tailored advertising and to inform other users of the social network about your activities. You have the right to object to the creation of these profiles; to exercise it, contact Google. Whether and how Google actually uses your inputs/interactions for its own purposes or links them to your Google user profile is unknown to us.
(3) More information on the purpose and scope of data collection and processing by Google can be found in Google’s privacy notices, where you will also find more information about your rights and settings to protect your privacy: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; https://www.google.de/intl/de/policies/privacy and https://www.google.com/policies/privacy/partners/?hl=de
(4) For transfers to unsafe third countries, Google relies on the EU-US Data Privacy Framework and the EU Commission’s Standard Contractual Clauses. Details: https://policies.google.com/privacy/frameworks?hl=de.
3. HubSpot Consent Management
(1) We use HubSpot’s consent management tool. It is connected to our HubSpot CRM system; where a personal reference is known, corresponding links may be made. Provider: HubSpot Ireland Ltd., HubSpot House, One Sir Jon Rogerson’s Quay, Dublin 2, Ireland (subsidiary of HubSpot, Inc., USA). We use this tool to manage your consents for other services on our website that we may use only with your consent. Legal basis: compliance with corresponding legal requirements per Art. 6(1)(c) GDPR.
(2) The following data is transmitted to HubSpot during your visit: your consents (consent ID/number, time of consent, opt-in/opt-out, banner language, customer settings, template version), device data (HTTP Agent, HTTP Referrer), IP address, geolocation.
(3) We have concluded contractual agreements with HubSpot to the extent required by data protection law. More information: https://legal.hubspot.com/de/privacy-policy.
4. HubSpot CMS
(1) We use HubSpot’s content management system (CMS) to manage and present our web presence. It is connected to our HubSpot CRM; where a personal reference is known, corresponding links may be made. Provider: HubSpot Ireland Ltd., HubSpot House, One Sir Jon Rogerson’s Quay, Dublin 2, Ireland (subsidiary of HubSpot, Inc., USA). Legal basis: Art. 6(1)(f) GDPR—our legitimate interest in a modern, efficient website that integrates with our customer/prospect interaction and management.
(2) We have concluded contractual agreements with HubSpot to the extent required by data protection law. More information: https://legal.hubspot.com/de/privacy-policy.
5. Integration of other third-party services
(1) We have also integrated Google services (Google Tag Manager: management of tags/plugins). We use this service based on a balance of interests due to technical necessity or to provide you with a better user experience and enhance our website’s attractiveness (legal basis Art. 6(1) sentence 1(f) GDPR).
(2) When you visit the website, the respective third-party provider is informed that you have accessed the corresponding subpage. The data listed in §3(1) is also transmitted. This occurs regardless of whether the third-party provider provides a user account you are logged into. If you are logged in, the data is assigned directly to your account. If you do not want this association, you must log out before visiting our website. The third-party provider may store your data as usage profiles and use them for advertising, market research, and/or to tailor its website. Such evaluation (even for users who are not logged in) serves to provide tailored advertising and to inform other users about your activities. You have the right to object; to exercise it, contact the respective provider.
(3) Further information on the purpose and scope of data collection and processing by the third-party provider can be found in the providers’ privacy notices listed below. There you will also find information on your rights and settings to protect your privacy.
(4) Addresses and URLs of the respective providers and their privacy notices:
a) Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; https://www.google.de/intl/de/policies/privacy and https://www.google.com/policies/privacy/partners/?hl=de
Date: 23/09/2025