Privacy policy
Data protection information
When visiting and using various functions of our cloud service, personal data is processed. Personal data means any information relating to an identified or identifiable natural person. With the following information, we would like to inform you about the scope, type and purpose of data processing and how we handle this data.

Overview / Contents

You will find the following information in our Data Protection Information

A. Our contact data and general matters relating to our data processing

  • A.1 Name and contact data of the controller
  • A.2 Contact data of the data protection officer
  • A.3 General information about legal basis for the processing of personal data
  • A.4 General information about data deletion and duration of archiving
  • A.5 Sources of personal data
  • A.6 Recipients and categories of recipients of the personal data
  • A.7 Contacting by email, fax and phone call

B. The scope of the processing of personal data via our cloud service

  • B.1 Hosting and provision of the website, creation of log files
  • B.2 Use of technically necessary cookies
  • B.3 Registration/Login
  • B.4 Encryption of data transfers via the cloud service
  • B.5 Transmission of personal data to a third country (countries outside the EU/EEA)

C. Your rights as the data subject

  • C.1 The right to be informed
  • C.2 The right to rectification
  • C.3 The right to erasure
  • C.4 The right to restrict processing
  • C.5 The right to information
  • C.6 The right to data portability
  • C.7 The right to object to processing because of a legitimate interest and direct mail
  • C.8 The right to revoke consent
  • C.9 Automatic decision-making including profiling
  • C.10 Voluntary provision of data
  • C.11 The right to complain to a supervisory authority

A. Our contact data and general matters relating to our data processing

A.1 Name and contact data of the controller

The controller for the collection and use of personal data within the meaning of data protection legislation is

HQS Quantum Simulations GmbH
Rintheimer Straße 23
76131 Karlsruhe

represented by the managing directors Michael Marthaler and Iris Schwenk

Email address: info@quantumsimulations.de
Website: www.quantumsimulations.de

A.2 Contact data of the controller’s Data Protection Officer

You can reach our Data Protection Officer as follows:

MeinDatenschutzPartner.de GbR
Mr Timo Schutt
E-Mail: dsb@meindatenschutzpartner.de

A.3 General information about legal basis for the processing of personal data

In general, the following applies when we process personal data:

  • In so far as we obtain your consent for processing procedures of personal data, Art. 6 para. 1 letter a) of the EU General Data Processing Regulation (GDPR) acts as the legal basis for the processing of personal data.
  • In the case of the processing of personal data which is needed for the performance of a contract with you, Art.6 para.1 letter b) of the GDPR acts as the legal basis. This also applies already if the processing for the performance of pre-contractual measures is necessary, also e.g. for orders, quotations, contractual negotiations.
  • In so far as the processing of personal data is necessary for the performance of a legal obligation to which we are bound, Art. 6 para. 1 letter c) of the GDPR acts as the legal basis.
  • In the event that the vital interests of yours or another natural person render the processing of personal data necessary, Art. 6 para. 1 letter d) of the GDPR acts as the legal basis.
  • If it is necessary to process your personal data for the performance of a task carried out in the public interest or in the exercise of any official authority vested in us, this is done on the basis of Art. 6 para. 1 letter e) of the GDPR.
  • If the processing is necessary for the protection of a legitimate interest of us or of a third party and your interests, fundamental rights and freedoms do not override this interest, Art. 6 para. 1 letter f) of the GDPR acts as the legal basis.

A.4 General information about Data deletion and duration of archiving

Generally we delete or block the personal data as soon as the purpose of the archiving no longer applies. Data can also be archived if this was stipulated by the European or national legislative body in EU regulations, laws or other provisions to which we, as the controller, are subject. Data is also blocked or deleted if a retention period required by the above-mentioned regulations etc. expires unless it is necessary that the data continues to be archived for the conclusion or performance of a contract.

In specific terms this means:
If we are processing the personal data on the basis of consent for data processing (Art. 6 para. 1 letter a) of the General Data Protection Regulation (GDPR), the processing is ended when you revoke your consent unless a further legal basis for processing the data exists. This is e.g. the case if, at the time of the revocation, we are still entitled to process your data for the purpose of the performance of a contract (on this point see also below).

If we are processing the data by reason of our legitimate interests (Art. 6 para. 1 letter f) of the GDPR as part of a previous assessment, we will save this data until the legitimate interest no longer exists, the assessment comes to a different conclusion, or you have lodged a valid objection pursuant to Art. 21 of the GDPR (on this point see the highlighted “Note on a particular right to object” below under C.).

If we are processing the data for the purpose of the performance of a contract we will save the data until the contract has been finally performed and brought to a conclusion and no further claims can asserted under the contract, in other words until the matter becomes time-barred. The general period of prescription according to § 195 of the German Civil Code is three (3) years. However, certain claims, for example claims for compensation, only become time barred after 30 years (cf. § 197 German Civil Code). If there is a legitimate reason for assuming that this is relevant in a particular case, we will save the personal data during this period of time. The above-mentioned periods of prescription commence at the end of the year (therefore on December 31) in which the claim arose and the obligee becomes aware or should have become aware of the circumstances giving rise to the claim and the person of the liable party becomes or should have become aware of the foregoing without gross negligence.

We wish to point out that we are also subject to statutory retention obligations for reasons associated with commercial law, taxation and book-keeping. These oblige us to archive certain data as evidence for our orderly business activity respectively book-keeping which can include personal data for a period which can range from six (6) to ten (10) years. These retention periods take precedence over the above-mentioned deletion obligations. The retention periods also commence at the end of the year in question, and therefore December 31.

A.5 General information about the sources of personal data

The personal data we process originates primarily from the data subject himself or herself, for example by these persons

  • as users of our web-site via their browser and terminal (e.g. a PC, smartphone, tablet or notebook) transmitting information such as their IP address to us respectively our web-server,
  • as interested parties requesting information material or quotation,
  • as clients confirm an order with us close a contract with us,
  • as representatives of the press asking for press releases, a statement or similar,

As a rare exception, the personal data we process may also come from third parties, for example if a person is acting on behalf of another person.

A.6 Categories of recipients of the personal data

Your personal data is only passed or transmitted to third parties if this is absolutely essential for the relevant purpose and is permissible. We explain to whom and why we pass data in connection with the data processing described below; at the end of Section B of this Data Protection Information we also provide further information on data transmitted to EU countries outside Germany.

Categories of recipients can basically be:

  • service providers,
  • suppliers,
  • business partners,
  • tax advisers.

A.7 Contacting us by Email and phone call

If you wish you can contact us in several ways, for example by email and phone call. If you send us an email or call us we will also inevitably process your personal data. As a minimum we save or our system saves the personal data transmitted to us by email or your phone call.

The data is not passed to third parties in this context. The data is only used for the processing of the conversation.

The purposes of data processing: The processing of the personal data when contacting us by email or phone call is so that we can deal with your request and the approach you made to us. It is also essential that we have your email address or phone number so that we can respond.

The legal basis for data processing: The legal basis for the processing of the data is the consent as required in Art. 6 para. 1 letter a) of the GDPR which you have given by actively making contact with us.
If the purpose of the contact or your request is the conclusion of a contract, the legal basis for the processing is Art. 6 para. 1 letter b) of the GDPR (execution of pre-contractual measures).

Duration of the archiving:The data is deleted as soon as it is no longer needed to achieve the purpose for which it was collected.
For the personal data which was sent by email, this is the case if the relevant exchange with you is at an end and we have then waited for a period of up to 6 months to establish whether we must refer again to your request and the details of the exchange. The conversation is at an end if it can be gathered from the circumstances that the matter in question has been definitely settled. In the case of an incoming or outgoing phone call your phone number or your name / company name which you have registered with your telephone provider as well as the date and time of the call are stored in what is called a “ring memory” in our phone system. This memory overwrites the oldest data with the new data. In normal circumstances this means that the data is automatically deleted in the phone system after about 3-4 months.
It may happen that due to commercial or fiscal law the exchange is subject to a retention obligation which then comes into play (cf. the information above in the section “Data deletion and retention period”).

The right to object and the right to erasure: You may at any time revoke consent given for the processing of the personal data and object to further data processing because of a legitimate interest (cf. the advice on a particular right to object under C of this Data Protection Information). In such a case the conversation cannot be continued.
You can revoke the consent and object to further data processing without any need for a specific form (e.g. you can use email).
In this case all personal data which was saved in the course of the contact with you is deleted.


B. Scope of the processing of personal data via our cloud service (cloud.quantumsimulations.de)

As a matter of principle we only collect and use the personal data of users during the use of our cloud service in so far as this is necessary and reasonable for the provision of a functioning web-site. its content and our services. Normally the personal data of our users is collected and used only after the user has granted his/her consent. The exception is such cases in which it is not factually possible to obtain consent in advance and/or the processing is permitted by the provisions of law.


B.1 Hosting and provision of the website, creation of log files

Our cloud service is hosted by AWS, a service of Amazon Web Services, Inc., USA, whereby the data is hosted exclusively on AWS servers of the EU-Central-1 region in the Frankfurt/Main area, i.e. is located and processed exclusively within the EU or EEA.

Every time you access our cloud service, our web server hosted by AWS automatically collects data and information for technical reasons. This is saved in the server's log files. This information is:

  • the data and time of access,
  • the URL of the web-site from which access was made (the referrer),
  • the web-sites which were accessed by the user's system via our web-site,
  • the user's screen resolution,
  • the file(s) accessed and a report of the success of the access,
  • the amount of data sent,
  • the user's Internet service-provider,
  • the browser, browser type and version, the browser engine and engine version,
  • the operating system, operating system version and type,
  • the user's anonymised IP address and Internet service-provider, and
  • home country of the IP address.

The data is processed completely separately from other data via the host provider. This data is not processed in combination with the user's other personal data. We cannot attribute this data to a particular person. The data is processed exclusively in a depersonalised form.

The purposes of data processing: The temporary processing of the data by the system is necessary so that it is possible to send the contents of our cloud service to the user's computer. The user's IP address must be saved for the duration of the session to achieve this. Data is saved in log files to ensure the functionality of the cloud service. The data also enables us to optimise our offering and to protect the security of our computer system and also prevent the fraud. The data is not evaluated for marketing purposes in this connection.

The legal basis for the data processing: The data and the log files are temporarily saved on the legal basis of Art. 6 para. 1 letter f) of the GDPR Our overriding legitimate interest in this data processing is to be found in the purposes stated above.

Duration of the archiving: The data is deleted as soon as it is no longer needed to achieve the purpose for which it was collected. In the case of data capture for the provision of the web-site, the data is deleted when the session is terminated. In the case of storage of data in log files, this is usually the case after seven days. It is not possible to save the data for longer. In this case the users' IP addresses are deleted or distorted so that it is no longer possible to attribute them to the client accessing the web-site.

The right to object and the right to erasure: The capture of data is essential for the provision of the cloud service, and the saving of data in log files is necessary for the operation of the web-site. As a consequence the user has no right to object to this practice. However, the user may terminate the use of the web-site at any time and therefore prevent the continued collection of the data specified above.


B.2 Use of technically necessary cookies

When accessing our individual pages we or the host provider use so-called cookies. Cookies are small text files which are installed on the terminal (PC, smartphone, tablet etc.). If you access such a site a cookie can be saved in your browser. This cookie includes a characteristic sequence of characters which enable the browser to be unmistakeably identified if the page is accessed again.

Only those cookies are used that are technically necessary to make the functions of the cloud service usable at all (caching of authentication tokens and user account data while the user is logged in, which includes created documents, user ID and email address).

The purposes of data processing: The purpose of the use of technically necessary cookies is to enable the use of the cloud service for users. Some of the functions cannot be provided without the use of cookies. For these it is necessary that the browser is re-identified after switching to a different page. The user data collected by the cookies needed for technical purpose is not used for creating user profiles.

The legal basis for the data processing: The legal basis for the processing of personal data using technically necessary cookies is Art. 25 para. 2 No. 2 TTDPA in conjunction with Art. 6 para. 1 letter f) GDPR, i.e. a legitimate interest on our part. Our legitimate interest is to be found in the purposes stated above.

Duration of the archiving: The technically necessary cookies we use are deleted again at the end of the browser session, in other words when you close your browser (these are called “session cookies”).

The right to object and right of erasure: Cookies are saved on your computer and transmitted from there to our site. You therefore have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies which have already been saved can be deleted at any time. Note: If cookies for our web-site are deactivated, it is possible that all functions of the web-site can no longer be used to their full extent.

B.3 Registration/Login

Users can register with our cloud service by providing personal data and logging into a protected area. This process involves entering data in an entry mask which is sent to us and saved. The data is not passed to third parties. The following data is collected during the registration process:

  • E-mail address,
  • First name and surname,
  • Company or institution,
  • Position in the company or institution,
  • Registration reason.

The following data is also saved at the time of registration:

  • user’s IP address,
  • the data and time of the subscription.

The user’s consent for processing this data is obtained as part of the registration process.

The purposes of data processing: The registration of the user is mandatory in order to be able to make use of our offers within the framework of the cloud service. In the case of initially free use by selected users, registration serves to ensure that only these users can access the protected area of the service and to prepare the offer of paid use. In the case of chargeable use, the registration also serves the purpose of contract processing and billing. The registration of the user is therefore a necessary prerequisite for the conclusion of a contract and serves as the implementation of a pre-contractual measure.

The legal basis for data processing: The legal basis for processing the data is the user’s consent as described in Art. 6 para. 1 letter a) of the GDPR.
If the purpose of the registration is the performance of a contract and the contractual party is the user, or if the purpose is the execution of pre-contractual activities, there exists a legal basis for the processing of the data in the form of Art. 6 para. 1 letter b) of the GDPR.

Duration of the archiving: The data is deleted as soon as it is no longer needed to achieve the purpose for which it was collected.
If the registration does not serve to conclude a contract with the user, this is the case for the data collected during the registration process if the registration is cancelled or modified or the user effectively declares to us that he/she objects to his/her consent.
If the registration results in the conclusion of a contract with the user, this applies if the data is no longer necessary for the performance of the contract. The need to save the personal data of a contractual partner can exist after even after the termination of the contract in order to comply with contractual or legal obligations. We draw the reader’s attention to the statements above in the section “Data deletion and retention period“.

The right to object and the right to erasure: You have the right to terminate the registration at any time. You can do this via your user account or by notifying us accordingly.
If the data is necessary for the performance of a contract or the execution of pre-contractual activities, premature deletion of the data is only possible in so far as non-contractual or legal obligations do not conflict with premature deletion of the data.
You can also change/correct the data stored about you at any time.


B.4 Encryption of data transfers via the cloud service

Data transmissions via our cloud service are encrypted using TLSv1.3, SHA-256 with RSA-2048.


B.5 Transmission of personal data to a third country (countries outside the EU/EEA)

It is not intended or assumed by us, but personal data may still be processed outside the EU or EEA.

Data processing may also take place in the USA. The USA is assessed by the European Court of Justice as a country with an insufficient level of data protection according to EU standards. There is a particular risk that your data may be processed by US authorities, for control and for monitoring purposes, possibly also without any legal remedy.

Insofar as such a third country transfer comes into consideration, the corresponding service providers/providers/third parties have subjected themselves to a regulation comparable to the EU data protection level by binding agreement of the EU Standard Contractual Clauses (SCC, cf. Art. 46 an (2) c) GDPR). The transmission of data is therefore unquestionably permitted.
Furthermore, in the case of commissioned processing, corresponding commissioning contracts have been concluded with these companies for the secure processing of the data and guaranteeing our rights to issue instructions.


C. Rights of data subjects

If your personal data is processed you are a "data subject" and you are entitled to the following rights in respect of us as the controller.


C.1 The right to be informed

You have the right to receive a confirmation from us free of charge whether we are processing personal data relating to you. In this case you have the right to information about this personal data and other information which you can see in Art. 14 of the GDPR. You can contact us for this purpose by post or email.


C.2 The right to rectification

You have the right to require that we immediately correct inaccurate personal data relating to you. You also have the right, for the purposes set out above, to require additions to incomplete personal data, including by means of a supplementary declaration. You can contact us for this purpose by post or email.


C.3 The right to erasure

You have the right to require the immediate deletion of personal data relating to you if one of the conditions of Art. 17 of the GDPR is met. You can contact us for this purpose by post or email.


C.4 The right to restrict processing

You have the right to require the restriction of processing if one of the conditions of Art. 18 of the GDPR is met. You can contact us for this purpose by post or email.


C.5 The right to information

If you have asserted the right to the correction, deletion or restriction of the processing to the controller, the latter is obliged to inform all recipients to which the personal data relating to you was disclosed about the correction or deletion of the data or about the restriction of the processing unless this proves to be impossible or is associated with disproportionate effort. You have the right to be informed by the Controller about these recipients.


C.6 The right to data portability

You have the right to receive the personal data you sent to us relating to you in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller without hindrance from us if the conditions of Art. 20 of the GDPR are met. You can contact us for this purpose by post or email.


C.7 The right to object to processing because of a legitimate interest and direct mail

In so far as we process personal data on by way of exception the basis of Art. 6 para. 1 letter f) of the GDPR (therefore for reason of a legitimate interest,) you have the right, for reasons arising from your particular situation, to object at any time to our processing of the personal data relating to you. We will cease processing your data if we can demonstrate no compelling reasons worthy of protection for the further processing which override your interests, rights and freedoms or if we are processing your data for the purposes of direct advertising (cf. Art. 21 of the GDPR). You can contact us for this purpose by post or email.

A technical process which you use, for example an unambiguous statement sent by technical means by your browser (a "do not track" message) is also deemed to be objections in within these meanings.

If personal data is processed for the purpose of direct marketing, you have the right at any time to lodge an objection to the processing of personal data relating to yourself for the purposes of this type of advertising; this also applies to profiling insofar as it is associated with such direct marketing.


C.8 The right to revoke consent

You have the right at any time to revoke an agreement you have given for the collection and use of personal data with effect for the future. You can contact us for this purpose by post or email. The lawfulness of the processing undertaken by reason of the consent you gave up to the time of its revocation is not affected.


C.9 Automatic decision-making including profiling

You have the right not to be subject to a decision based exclusively on automated processing (including profiling) which has a legal effect on you or which is significantly to your detriment in a similar manner unless the decision is necessary for the conclusion of an agreement between you and us, is admissible by reasons of provisions of law of the European Union or member states to which we are subject and these provisions of law contain reasonable measures to protect your rights, freedoms and legitimate interests, or the decision is taken with your express consent. We do not take automated decisions of this nature.


C.10 Voluntary provision of data

If the provision of the personal data is stipulated by law or a contract, we will always point this out when the data is collected. The data we collect is sometimes necessary for the conclusion of a contract, to be specific, if we are unable to meet our contractual obligation to you or cannot adequately meet them in any other way. You are under no obligation to provide personal data. However, the failure to provide such information can mean that we are unable to perform or offer the service, action, measure or similar you require, or that it is impossible to conclude a contract with you.


C.11 The right to complain to a supervisory authority

Notwithstanding other rights, if you are of the opinion that the processing of personal data relating to you infringes data protection law, you have the right at all times to complain to a supervisory authority for data protection, particularly in the member state where you reside, where you work or the place of the alleged infringement.

The supervisory body responsible for us is:

The Baden-Württemberg State Commissioner for Data Protection and Freedom of Information,
Königstraße 10A
70173 Stuttgart
Webseite: www.baden-wuerttemberg.datenschutz.de.


Data privacy statement version: 07.04.2022

HQS Cloud v0.1.0
© 2024 HQS Quantum Simulations