This document is written in German. In case of deviations, the German version applies.
Privacy Policy of DEON GmbH & Co. KG
Valid since: 8. November 2025
Updated: 7. December 2025
The protection of your data is of utmost importance to us. This privacy policy informs you about the processing of personal data when using our website deon.de and our DEON Software-as-a-Service (SaaS) platform (web, desktop and mobile apps).
1. Controller and Data Protection Officer
1.1 Controller
The controller for data processing within the meaning of the GDPR is:
DEON GmbH & Co. KG
Ella-Kay-Str. 22c
10405 Berlin, Germany
Email: info@deon.de
1.2 Data Protection Officer (DPO)
You can contact our company data protection officer at:
Email: privacy@deon.de
2. Data processing on the website (deon.de)
When using our website for purely informational purposes, we only process data that is technically necessary to display the website to you.
| Data category | Purpose of processing | Legal basis | Storage duration |
|---|---|---|---|
| Server log files (IP address, access time, browser data) | Provision of the website, system security and stability. | Art. 6 (1) (f) GDPR (Legitimate interest) | Until automated deletion (short-term). |
| Technically necessary cookies | Ensuring the functionality and language settings of the website. | Art. 6 (1) (f) GDPR (Legitimate interest) | Until the browser is closed or after expiry. |
| External libraries/fonts (Google Web Fonts, StackPath CDN) | Optimization of loading speed and uniform presentation of the website. | Art. 6 (1) (f) GDPR (Legitimate interest) | Data access is only temporary. |
| Contact inquiries (E-mail, name, content) | Processing of your inquiries. | Art. 6 (1) (b) GDPR (Fulfillment of contract or pre-contractual measures) | Until your request is finally processed. |
Note on YouTube: Embedded YouTube videos are used in enhanced privacy mode. Data is transferred to YouTube/Google übertragen only when the video is clicked.
Legal basis is your consent (Art. 6 Abs. 1 lit. a GDPR), given by the click.
3. Processing for the SaaS service (DEON Apps/Platform)
3.1 Data for contract fulfillment (DEON as controller)
We process your data to provide your user account and fulfill the terms of use.
| Data category | Purpose of processing | Legal basis |
|---|---|---|
| Registration & Account data (Name, Email address, User ID, Roles/Permissions) | Authentication, license management, technical implementation of the service. | Art. 6 para. 1 lit. b GDPR (fulfillment of contract) |
| Usage metadata (Last online, Interaction data gemäß architecture) | Ensuring real-time collaboration (SignalR) and system stability. | Art. 6 para. 1 lit. b GDPR (fulfillment of contract) and Art. 6 para. 1 lit. f GDPR (legitimate interest in system security) |
| System emails (Sending of registration bestätigungen, password resets) | Technical implementation of the service (via the service provider Mailgun). | Art. 6 para. 1 lit. b GDPR (fulfillment of contract) |
3.2 Customer content and projects (DEON as a contract processor)
For all content that you or other users enter, upload or generate in DEON Projects (Workspaces) (such as texts, documents, images, comments, structural data), the following applies:
DEON acts exclusively as a data processor (Art. 28 GDPR).
The data protection officer responsible for processing this content is your company or you as an individual user. The rights and obligations between DEON and the customer are regulated in the contract for processing on behalf (AVV). We process this content strictly according to instructions, store it encrypted in the EU (Microsoft Azure West-Europe) and do not pass it on to third parties, unless this is necessary for the provision of the service (e.g. subcontractor) or due to your active use of AI functions.
4. Use of optional AI functions (Opt-in)
If you actively enable the optional AI functions in DEON (Apps) (Opt-in), we process data as follows:
- Processed data: The inputs (prompts) and data (e.g., text excerpts) you enter into the AI function, as well as the results generated by the AI.
- Purpose: Provision of the AI function you requested (e.g., summarization, translation, text generation).
- Legal basis: Your consent (Art. 6 para. 1 lit. a GDPR) through the active activation of the function.
- Processor: To provide and improve the AI service we also use external providers as sub‑processors when needed. The current list of used AI providers, their locations and security measures can be found at any time at: https://deon.de/ai-providers
- Data usage: Neither DEON nor our AI providers use your input or output data to train their models or for other independent purposes, unless you have separately consented.
- Third-country transfer: Data are transferred to the USA on the basis of the Standard Contractual Clauses (SCCs) issued by the EU Commission pursuant to Art. 46(2)(c) GDPR.
- Withdrawal of consent: You can withdraw your consent at any time by disabling the AI functions in the DEON settings (opt-out).
5. Applications
We process the data you provide in the context of an application (e.g. name, contact details, CV, certificates) solely for the purpose of conducting the application process.
- Legal basis: § 26 Federal Data Protection Act (BDSG) (Decision regarding the establishment of an employment relationship).
- Retention period: In case of a rejection, your data will be deleted after six months in accordance with the legal regulations (to defend possible legal claims). In case of an acceptance, the data will be taken over into the employment relationship.
6. Recipients of data (processors)
We use carefully selected service providers to provide our services, who process data on our behalf and under our control (processors, Art. 28 GDPR).
| Service provider | Purpose | Location | Protective measure |
|---|---|---|---|
| STRATO AG | Hosting of the website deon.de and processing of server log files. | Germany (EU) | Data processing agreement (DPA) |
| Microsoft Ireland Operations Ltd. | Hosting of the DEON platform and storage of all data (Azure SQL, Cosmos DB, Blob Storage). | EU/EWR (Azure West-Europe) | Data processing agreement (DPA) |
| Mailgun Technologies, Inc. | Sending of technical system emails (e.g. registration, password reset). | EU server location | Data processing agreement (DPA) |
| OpenAI LLC | Optional: Provision of AI functions (subprocessor). | USA (Third country) | DPA and EU standard contractual clauses (SCCs) |
| Google LLC | Optional: Provision of AI functions (subprocessor). | USA (Third country) | AVV and EU Standard Contractual Clauses (SCCs) and/or EU-US Data Privacy Framework. |
Your personal data will only be passed on to third parties (apart from the aforementioned processors) if this is legally permissible (e.g. in the case of official inquiries or to enforce legal claims).
7. Your data subject rights
As a data subject, you have the following rights against us:
- Right to information (Art. 15 GDPR): You have the right to request a Bestätigung darüber to determine whether your personal data is being processed, and, if so, to obtain information über the personal data.
- Right to rectification (Art. 16 GDPR): You können request the correction of inaccurate data.
- Right to erasure („Right to be forgotten“) (Art. 17 GDPR): You can request the erasure of your data, provided the conditions of Art. 17 GDPR are met.
- Right to restriction of processing (Art. 18 GDPR): You can request the restriction of processing of your data.
- Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format.
- Right to withdraw consent (Art. 7 Para. 3 GDPR): Any given consent can be withdrawn at any time with effect for the future.
- Right to object (Art. 21 GDPR): You have the right to object at any time to the processing of your data based on Art. 6 (1) (e) or (f) GDPR.
To exercise your rights, please contact the address mentioned in Section 1.1.
Notwithstanding any other administrative or judicial remedy, you have the right to complain to a supervisory authority (Art. 77 GDPR), in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.