Data privacy

Below we would like to inform you about our privacy policy.

Here you will find information about the collection and use of personal data when using our website. In doing so, we comply with the data protection law applicable in Germany. You can access this policy at any time on our website. We explicitly state that data transmission on the Internet (e.g. communication by e-mail) is subject to security vulnerabilities and cannot be completely protected against access by third parties. The use of the contact data of our imprint for commercial advertising is expressly not desired, unless we have previously given our written consent or a business relationship already exists. The provider and all persons named on this website hereby object to any commercial use and disclosure of their data.

1. Responsible entity

The responsible party in terms of the DSGVO for processing your personal data via this internet platform is greenhats ® GmbH, Buchenweg 22, 35096 Weimar (Lahn), owner Arwid Carlo Zang.

2. Purpose of collection of personal data

You can visit our website without providing personal data. As far as personal data (such as surname, first name, maiden name, as well as the declaration that you are acting exclusively as a consumer according to § 13 BGB (German Civil Code); optionally, address and bank data (bank details, PayPal)) are collected on our pages, this is done according to (Art. 6 para. 1a DSGVO) based on your consent.

Insofar as a contractual relationship is to be established between you and us, or its content is to be developed or changed, or you submit an inquiry to us, we collect and use personal data from you insofar as this is necessary for the fulfillment of contractual obligations (Art. 6 para. 1 b DSGVO) (inventory data). We collect, process and use personal data to the extent necessary to enable you to use the website (usage data). This includes in particular the pre-contractual measures, as well as the measures necessary for the execution.

The purposes of the data processing primarily depend on the specific service order (e.g. IT security service (security checks / control bug bounty / penetration tests); data protection / compliance and forensics (data protection web check / control bug bounty compliance / other); auditing of management systems; insurance solutions; software solutions).

In addition, when you use our website, your browser automatically transmits server log data. This is information about operating systems, browser type and version, referrer (URL of the page from which you reached us), IP address and time of visit.

Your personal data will not be disclosed to third parties without your express consent. Such disclosure may be necessary in the course of the execution of the contract. The possible third parties are listed in point 6.

3. How long is personal data stored?

We generally process and store your personal data for the duration of our business relationship, which includes, for example, the initiation and execution of a contract. Retention periods under tax and commercial law are taken into account. By order of the competent authorities, we may provide information on this data (inventory data) in individual cases, insofar as this is necessary for the purposes of criminal prosecution, averting danger, fulfilling the statutory tasks of the constitution protection authorities or the military counterintelligence service, or enforcing intellectual property rights.

4. Data sources

Comment function

In the context of the comment function, we collect personal data (e.g. name, e-mail) in the context of your comments on a post only to the extent that you have provided it to us. When publishing a comment, the email address you provide will be stored but not published. Your name will be published if you have not written under a pseudonym.

Contact form

When using the contact form, data necessary for processing will be collected. This includes, among other things, your name, address and email address, as well as telephone number and possibly tax identification number and account information. The processing of the data serves exclusively the processing of your contact or the processing of the contractual relationship.

5. Data subject rights

As a user of our website, you have the right, in accordance with Art. 15 DSGVO, to request information from us about the data stored about you or your pseudonym. According to Art. 16 DSGVO, you have the right to rectification. In addition, you may exercise your right to erasure in accordance with Art. 17 of the GDPR or restrict data processing in accordance with Art. 18 of the GDPR. Upon request, we will provide you with your data in a structured, common and machine-readable format in accordance with Art. 20 DSGVO. In addition, there is a right of appeal to a data protection supervisory authority (Art. 77 DSGVO in conjunction with § 19 BDSG).

Should you use your right to object in accordance with Art. 21 DSGVO, we will no longer process the personal data, unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims.

Please note that for security reasons, inquiries can only be answered in written form. For this purpose and to exercise your right of objection and revocation, please contact us at the following address:

6. Who receives my data?

Within greenhats® GmbH, access to your data is granted to those departments that require it to fulfill contractual obligations or for which you have given us your consent to transfer data. Processors employed by us (Art. 28 GDPR) may also receive data for these purposes. These are companies in the categories of consulting services companies in the areas of IT security, software solutions, insurance solutions, compliance consulting and data protection consulting, among others. With regard to the transfer of data to recipients outside greenhats® GmbH, it should be noted that we only work with processors who provide sufficient guarantees that appropriate technical and organizational measures are used that are in line with the legal requirements for data protection and ensure the protection of the rights of the data subjects. You can find the transmitted data in the GTCs of the respective partners.

7. Cookies

We do not use cookies on our website, i.e. you can visit our website without cookies being stored on your terminal device.

When you register and log in to our site, we use so-called session cookies to recognize that you have already visited individual pages of our website. Session cookies are automatically deleted after you leave our website.

We base data processing in connection with the use of cookies on your voluntarily granted consent, Art. 6 para. 1 S. 1 lit. f GDPR, as well as our legitimate interests and those of third parties, Art. 6 para. 1 S. 1 lit. f GDPR, because the use of cookies is necessary to safeguard the aforementioned interests.

8. YouTube

We use the provider YouTube, among others, for the integration of videos. YouTube is operated by YouTube LLC, with its principal place of business at 901 Cherry Avenue, San Bruno, CA 94066, USA. YouTube is represented by Google Inc., based at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

On some of our web pages, we use plugins from the provider YouTube in extended data protection mode, so that no cookies are stored. When you access the Internet pages of our website that are provided with such a plugin - for example, our media library - a connection is established to the YouTube servers and the plugin is displayed. This transmits to the YouTube server which of our Internet pages you have visited. If you are logged in to YouTube as a member, YouTube assigns this information to your personal user account. When using the plugin, such as clicking the start button of a video, this information is also assigned to your user account. You can prevent this assignment by logging out of your YouTube user account and other user accounts of the companies YouTube LLC and Google Inc. before using our website and deleting the corresponding cookies of the companies.

Further information on data processing and notes on data protection by YouTube (Google) can be found at

9. Single Sign-On

For our services, we allow our users to log in with external third-party providers (authentication).

Google OAuth 2.0

Users can log in to the aforementioned web services with their Google account by using Google OAuth 2.0. In this way, they can authorize the API without disclosing their access data. By confirming in the OAuth consent screen, personal data (only the e-mail address and an OpenID identifier) is exchanged between Google and us. Metadata such as IP address and browser information are transmitted to Google by clicking on the corresponding login button. Details on the data that Google collects and how Google processes it can be found in Google's privacy policy.

By using the Google OAuth 2.0 function on our website, the user expressly consents to the use of this data. The authorization of API requests only takes place if the user actively decides to share this data with us via the Google OAuth 2.0 procedure and has previously received all necessary information about their processing and has confirmed receipt. In this case, the legal basis is the user's consent pursuant to Art. 6 para. 1 S. 1 lit. a GDPR.

Microsoft Entra (OpenID Connect)

For authentication via Microsoft Entra, we use OpenID Connect, an extension of OAuth. Users can log in to our services with their Microsoft account, whereby access is only granted to their e-mail address within the "openid" and "" scopes. No further personal information is exchanged via the OpenID Connect procedure. The processing of user data by Microsoft is explained in their privacy policy. Consent to data processing through the use of Microsoft Entra as an authentication method is given in accordance with Art. 6 para. 1 S. 1 lit. a GDPR.

GitHub OAuth 2.0

Similar to Google, GitHub OAuth 2.0 allows users to log in to our services with their GitHub account. Here too, the scope is limited to "openid" and "", so that only the user's email address is retrieved. No other personal data will be exchanged. Information on data collection and processing by GitHub can be found in their privacy policy. Consent to the use of GitHub OAuth 2.0 on our websites and to the corresponding data processing is based on Art. 6 para. 1 S. 1 lit. a GDPR.