This document is written in German. In case of deviations, the German version applies.
Privacy Policy of DEON GmbH & Co. KG
Valid since: November 8, 2025
The protection of your data is of utmost importance to us. This privacy policy informs you about the processing of personal data when using our website deon.de and our DEON Software-as-a-Service (SaaS) platform (web, desktop and mobile apps).
1. Controller and Data Protection Officer
1.1 Controller
The controller for data processing within the meaning of the GDPR is:
DEON GmbH & Co. KG
Ella-Kay-Str. 22c
10405 Berlin, Germany
Email: info@deon.de
1.2 Data Protection Officer (DPO)
You can contact our company data protection officer at:
Email: privacy@deon.de
2. Data processing on the website (deon.de)
When using our website for purely informational purposes, we only process data that is technically necessary to display the website to you.
| Data category | Purpose of processing | Legal basis | Storage duration |
|---|---|---|---|
| Server log files (IP address, access time, browser data) | Provision of the website, system security and stability. | Art. 6 (1) (f) GDPR (Legitimate interest) | Until automated deletion (short-term). |
| Technically necessary cookies | Ensuring the functionality and language settings of the website. | Art. 6 (1) (f) GDPR (Legitimate interest) | Until the browser is closed or after expiry. |
| External libraries/fonts (Google Web Fonts, StackPath CDN) | Optimization of loading speed and uniform presentation of the website. | Art. 6 (1) (f) GDPR (Legitimate interest) | Data access is only temporary. |
| Contact inquiries (E-mail, name, content) | Processing of your inquiries. | Art. 6 (1) (b) GDPR (Fulfillment of contract or pre-contractual measures) | Until your request is finally processed. |
Note on YouTube: Embedded YouTube videos are used in enhanced privacy mode. Data is only transferred to YouTube/Google when you click on the video.
The legal basis is your consent (Art. 6 (1) (a) GDPR), which is given by clicking.
3. Processing for the SaaS service (DEON Apps/Platform)
3.1 Data for contract fulfillment (DEON as controller)
We process your data to provide your user account and fulfill the terms of use.
| Data category | Purpose of processing | Legal basis |
|---|---|---|
| Registration and account data (name, email address, user ID, roles/permissions) | Authentication, license management, technical implementation of the service. | Art. 6 para. 1 lit. b GDPR (fulfillment of contract) |
| Usage metadata (Last online, interaction data according to architecture) | Ensuring real-time collaboration (SignalR) and system stability. | Art. 6 para. 1 lit. b GDPR (fulfillment of contract) and Art. 6 para. 1 lit. f GDPR (legitimate interest in system security) |
| System emails (Sending registration confirmations, password resets) | Technical implementation of the service (via the service provider Mailgun). | Art. 6 para. 1 lit. b GDPR (fulfillment of contract) |
3.2 Customer content and projects (DEON as a contract processor)
For all content that you or other users enter, upload or generate in DEON Projects (Workspaces) (such as texts, documents, images, comments, structural data), the following applies:
DEON acts solely as a processor (Art. 28 GDPR).
The data protection officer responsible for processing this content is your company or you as an individual user. The rights and obligations between DEON and the customer are regulated in the contract for processing on behalf (AVV). We process this content strictly according to instructions, store it encrypted in the EU (Microsoft Azure West-Europe) and do not pass it on to third parties, unless this is necessary for the provision of the service (e.g. subcontractor) or due to your active use of AI functions.
4. Use of optional AI functions (Opt-in)
If you actively enable the optional AI functions in DEON (Apps) (Opt-in), we process data as follows:
- Processed data: The inputs (prompts) and data (e.g. text excerpts) that you enter into the AI function, as well as the results generated by the AI.
- Purpose: Provision of the AI function requested by you (e.g. summary, translation, text generation).
- Legal basis: Your consent (Art. 6 para. 1 lit. a GDPR) through the active activation of the function.
- Processors: To provide the AI service, we use external providers like OpenAI, L.L.C. (USA) as subprocessors.
- Data usage: Neither DEON nor our AI providers use your input or output data to train their models or for other independent purposes, unless you have separately consented.
- Third-country transfer: Data will be transferred to the USA on the basis of the standard contractual clauses (SCCs) issued by the EU Commission pursuant to Art. 46 (2) (c) GDPR.
- Withdrawal of consent: You can withdraw your consent at any time by deactivating the AI functions in the DEON settings (opt-out).
The current list of AI providers used, their locations and protective measures can be found at: https://deon.de/ai-providers
5. Applications
We process the data you provide in the context of an application (e.g. name, contact details, CV, certificates) solely for the purpose of conducting the application process.
- Legal basis: Section 26 Federal Data Protection Act (BDSG) (decision on the establishment of an employment relationship).
- Storage duration: In case of rejection, your data will be deleted after six months according to the statutory provisions (to prevent possible legal claims). In case of acceptance, the data will be transferred to the employment relationship.
6. Recipients of data (processors)
We use carefully selected service providers to provide our services, who process data on our behalf and under our control (processors, Art. 28 GDPR).
| Service provider | Purpose | Location | Protective measure |
|---|---|---|---|
| STRATO AG | Hosting of the website deon.de and processing of server log files. | Germany (EU) | Data processing agreement (DPA) |
| Microsoft Ireland Operations Ltd. | Hosting of the DEON platform and storage of all data (Azure SQL, Cosmos DB, Blob Storage). | EU/EWR (Azure West-Europe) | Data processing agreement (DPA) |
| Mailgun Technologies, Inc. | Sending of technical system emails (e.g. registration, password reset). | EU server location | Data processing agreement (DPA) |
| OpenAI, L.L.C. | Provision of optional AI functions (subprocessor). | USA (Third country) | DPA and EU standard contractual clauses (SCCs) |
Your personal data will only be passed on to third parties (apart from the aforementioned processors) if this is legally permissible (e.g. in the case of official inquiries or to enforce legal claims).
7. Your data subject rights
As a data subject, you have the following rights against us:
- Right to information (Art. 15 GDPR): You have the right to request confirmation as to whether personal data concerning you is being processed, and if so, to obtain information about the personal data.
- Right to rectification (Art. 16 GDPR): You can request the rectification of inaccurate data.
- Right to erasure ("Right to be forgotten") (Art. 17 GDPR): You may request the erasure of your data if the conditions of Art. 17 GDPR are met.
- Right to restriction of processing (Art. 18 GDPR): You may request the restriction of processing of your data.
- Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format.
- Right to withdraw consent (Art. 7 (3) GDPR): Any consent given may be withdrawn at any time with effect for the future.
- Right to object (Art. 21 GDPR): You have the right to object at any time to the processing of your data based on Art. 6 (1) (e) or (f) GDPR.
To exercise your rights, please contact the address mentioned in Section 1.1.
Notwithstanding any other administrative or judicial remedy, you have the right to complain to a supervisory authority (Art. 77 GDPR), in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.