Privacy Policy
Privacy Policies
Last Updated: 10 February, 2026
This Privacy Notice explains how personal data is processed on the website www.empacto.eco and www.arrcampus.com (the “Website”) by Empacto GmbH. Empacto GmbH processes only data necessary to provide and secure the Website and its services, in accordance with the principle of data minimisation. ‘Personal data’ means information relating to an identified or identifiable natural person (data subject), such as name, address, telephone number, date of birth, email address, or IP address. Information that cannot be linked to an individual, for instance due to anonymisation, does not qualify as personal data.
1. Controller
The controller for personal data processing on the Website under the General Data Protection Regulation (GDPR) is:
Empacto GmbH
Schopenhauerstraße 6
85579 Neubiberg
Germany
For data protection inquiries or to exercise your rights as a data subject, please contact privacy@akdo.ai.
2. Data Protection Officer
The appointed Data Protection Officer is:
3. Data Processing on our website
3.1 Provision of the website
Purpose of Processing: We process your data to ensure the reliable operation of the Website, facilitate user-friendly access to our Website, and maintain IT security.
Recipients: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxemburg (Provision of cloud computing infrastructure and services for storing, processing, and managing data, as well as operating web applications and services)
Data Processed:
- IP address of the requesting device
- Method (e.g., GET, POST), date and time of the request
- Address of the accessed website and path of the requested file
- If applicable, the previously accessed or requesting website/file (HTTP referer)
- Version of the HTTP protocol, HTTP status code, size of the delivered file
Legal Basis: Art. 6(1)(f) GDPR. The processing of the aforementioned data is necessary to provide the Website and to ensure its secure and user-friendly operation.
Retention Period: The collected data will be deleted when it is no longer necessary for the operation of the Website, and at the latest after 30 days, unless a longer retention period is required by law.
3.2 Google Fonts
Recipient: Tally as the responsible party for integrating Google Fonts; Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Data processed:
- Access data (e.g. IP address, error timestamp)
- Browser data (e.g. browser type, version)
- Location data (e.g. country based on IP address)
Retention period: Data is deleted as soon as the purpose of display is fulfilled.
Third country transfer: Data may be transferred to servers in the USA. Google is certified under the EU-U.S. Data Privacy Framework, so transfers are based on Art. 45 GDPR. Standard Contractual Clauses (SCCs) are also in place with Google.
https://tally.so/privacy; https://policies.google.com/privacy
3.3 Book a demo
Purpose: Collection of contact information for scheduling and conducting product demonstrations.
Recipients: Tally.so, 228 Park Ave S, New York, NY 10003, USA; Cal.com, Inc. 2261 Market Street, Suite 4382, San Francisco, CA 94114, USA
Data Processed:
- Contact information (e.g., name, email address)
- Company data (e.g., company name, position)
- Appointment preferences (e.g., desired date, time)
- Technical data (e.g., IP address, browser type)
Legal Basis: Performance of a contract or pre-contractual measures pursuant to Art. 6(1)(b) GDPR for processing data necessary for demo booking, legitimate interest pursuant to Art. 6(1)(f) GDPR for processing additional data to optimize our services and for customer care.
Storage duration: Data is stored for the duration of the business relationship and beyond in accordance with legal retention periods.
Third country transfer: Data transfer to the USA based on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
https://tally.so/privacy; https://cal.com/privacy
3.4 Booking a free course on www.arrcampus.com
Purpose: Collection of contact information for sending access to free course via email.
3.5 Purchase of a course on www.arrcampus.com
Purpose: Fulfilling of your order and processing of online payments for our services.
Recipients: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA (Payment provider), systeme.io by ITACWT Limited, 2 Cruise Park Rise, Tyrrelstown, Dublin 15, Ireland (Hosting of the course)
Data Processed:
- Contact information (e.g., email address)
- Transaction data (e.g., purchase amount, purchase date)
Legal Basis: Performance of a contract pursuant to Art. 6(1)(b) GDPR
Storage duration: Data is stored for the duration of the business relationship and beyond in accordance with statutory retention periods.
Third country transfer: Data transfer to the USA based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR).
https://stripe.com/privacy
3.6 Applications
Purpose: Selection of candidates for potential establishment of an employment relationship.
Recipients: JOIN Solutions AG, Landsgemeindeplatz 6, 9043 Trogen.
Data Processed:
- Name
- Email address
- Phone number
- Curriculum vitae (CV)
- Other application documents provided by you
- IP address
- Browser type and version
- Operating system
- Date and time of access
Legal basis: Article 6(1)(b) GDPR (performance of pre-contractual measures) and Section 26(1) BDSG; Article 6(1)(f) GDPR, where our legitimate interest is the efficient management of the recruitment process.
Retention period: We retain your personal data until the application procedure is completed. If your application is unsuccessful, your data will be stored for an additional six months after notification. In the event of a legal dispute, data may be kept until the dispute is resolved. If you are hired, your application data will be stored in your personnel file for the duration of your employment. You may withdraw your application or object to processing at any time. In this case, we will no longer consider your application and will delete all stored data.
International data transfers: Data may be transferred to Switzerland based on an adequacy decision by the European Commission. Transfers to other third countries cannot be excluded. In such cases, JOIN ensures that appropriate safeguards are in place to maintain a level of data protection in accordance with GDPR requirements.
https://join.com/privacy-policy
3.7 Analytics and Tracking
We use tracking and analytics tools to continuously improve our website and tailor it to your needs. To achieve this, information is collected using technologies or by combining device data (device fingerprinting).
Necessary tools for website operation are used based on our legitimate interests under Art. 6(1)(f) GDPR, or to perform a contract/pre-contractual measure under Art. 6(1)(b) GDPR. Optional tools are used only with your consent under Art. 6(1)(a) GDPR, § 25(1) TDDDG.
Sentry
Purpose: To monitor and improve the stability and technical performance of the website by detecting and analyzing errors.
Categories of data processed:
- Access data (e.g., IP address, time of error occurrence)
- Event data (e.g., crash reports, error logs)
- Usage data (e.g., general usage statistics, page views at the time of error)
- Browser data (e.g., browser type, version)
- Location data (e.g., country based on IP address)
Legal Basis: Legitimate interest in accordance with Article 6(1)(f) GDPR. The legitimate interest is the monitoring, error diagnosis, and ensuring the technical stability and security of the website.
Retention period: Data is stored for up to 90 days and then deleted or anonymized.
International data transfer: Data may be transferred to the USA based on the EU-U.S. Data Privacy Framework (Article 45 GDPR).
https://sentry.io/privacy/
SpeedCurve
Processed data:
- Performance metrics (e.g. load times, interaction events)
- Approximate location (e.g. country derived from IP address)
Legal Basis: Legitimate interest pursuant to Art. 6(1)(f) GDPR (optimizing our website's performance and user experience)
Storage duration: Data is retained for 12 months, after which it is aggregated and anonymized.
Web Analytics with Plausible Analytics (self-hosted)
Purpose: Analysis of user behavior to improve our website and the usability.
Recipients: Exclusively us as the website operator. The data is processed on our own servers in Germany.
Processed data:
- Accessed pages and paths (e.g., homepage, product pages)
- Anonymized IP address (truncated)
- Time of access (e.g., date, time)
Legal Basis: Legitimate interest pursuant to Art. 6(1)(f) GDPR (improvement of our website and the usability)
Retention period: Maximum of 13 months, after which data is completely deleted or anonymized.
4. Contact by Email
Purpose: To process and respond to your inquiry.
Data Processed:
- Content of your message
Legal Basis: Article 6(1)(f) GDPR (legitimate interest in communicating with you). Where your inquiry relates to entering into or performing a contract, Article 6(1)(b) GDPR serves as the legal basis.
Retention period: We retain your data only as long as necessary to respond to your inquiry.
5. Social Media Online Presences
Recipients: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (LinkedIn)
Data Processed:
- Interaction data (e.g., likes, shares)
- Usage statistics (e.g., page views, video views)
- Content preferences (e.g., popular topics, interests)
Legal Basis: Art. 6(1)(b) GDPR (performance of a contract and pre-contractual measures)
Retention period: According to the privacy policies of the respective platforms.
International data transfer: Possible data transfer to the USA and other third countries depending on the platform.
https://legal.linkedin.com/pages-joint-controller-addendum; https://www.linkedin.com/legal/privacy-policy
Note: We have no influence over the sole data processing by the platforms. When visiting our presences, usage data may be transmitted to the operators, which they may process for their own purposes. User rights can be asserted directly against the platform operators.
6. International Data Transfers
Personal data is primarily processed within the EU/EEA. Transfers to so-called ‘third countries’ are only carried out in compliance with GDPR requirements and subject to adequate safeguards. Before transferring data to a third country service provider, the level of data protection is reviewed. Data is only transferred if sufficient safeguards exist. All service providers must enter into a data processing agreement. For providers outside the EEA, additional measures are required. According to Art. 44 ff. GDPR, data may be transferred if at least one of the following applies:
- The European Commission has determined that the third country ensures an adequate level of protection.
- Standard Contractual Clauses are included in the agreement with the data recipient.
- Other appropriate safeguards in accordance with Art. 46 GDPR are in place.
- In specific exceptional cases according to Art. 49 GDPR.
7. Recipients
Disclosure of the personal data we collect generally only takes place if:
- You have given your explicit consent in accordance with Art. 6(1)(a) GDPR,
- the disclosure is necessary pursuant to Art. 6(1)(f) GDPR for the protection of our legitimate interests or for the establishment, exercise or defense of legal claims, and there is no reason to assume that your interests or fundamental rights and freedoms which require the protection of personal data override,
- we are legally obliged to disclose the data pursuant to Art. 6(1)(c) GDPR, or
- this is legally permissible and necessary for the performance of a contract with you or for the implementation of pre-contractual measures taken at your request pursuant to Art. 6(1)(b) GDPR.
The following are potential recipients:
- Processors: Group companies or external service providers, e.g. in the areas of technical infrastructure and processing, maintenance, and payment processing, who are carefully selected and monitored. Processors may only use the data according to our instructions.
- Public bodies: Authorities and government institutions, such as tax authorities, prosecutors, or courts, to whom we must transmit personal data (if required), e.g., to fulfill legal obligations or to protect legitimate interests.
8. Data Security and Safeguards
We implement appropriate technical and organizational measures to ensure that your personal data remains secure and confidential. These measures are designed to prevent unauthorized access, manipulation, loss, or misuse of data. Our security protocols are regularly reviewed and updated to align with technological advancements and industry standards.
9. Rights of Data Subjects
You have the following rights regarding your personal data:
Right of access: You have the right to obtain confirmation as to whether we process your personal data. If so, you may request information about which data we process, the purposes of the processing, the recipients of the data, and the duration for which the data is stored.
Right to rectification: You may request the prompt correction of inaccurate data. You also have the right to have incomplete data completed.
Right to erasure: You may request the deletion of your data, for example if it is no longer necessary, if you withdraw your consent, or if the data has been processed unlawfully.
Right to restriction of processing: You may request the restriction of processing, for example if the data is inaccurate.
Right to data portability: You have the right to receive your data in a commonly used, machine-readable format.
Right to withdraw consent: You may withdraw your consent to data processing at any time with effect for the future. The lawfulness of processing based on consent before its withdrawal remains unaffected.
Right to object: You may object to the processing of your data at any time, in particular with regard to direct marketing. This also applies to profiling carried out for direct marketing purposes.
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority if you believe your rights have been infringed.
Change History
24.10.2024 - v0 - Old policy
24.09.25 - v1.0 - First version of the revised Privacy Notice in the new format