← Go Back

Privacy Policy of DevArena GmbH

As of: April 2026

1. Responsible Party and Contact

The entity responsible for data processing under the General Data Protection Regulation (GDPR) and applicable data protection laws is:

DevArena GmbH

Email: info@devarena.de

Website: https://devarena.de

For all questions and requests relating to data protection, please contact us at the above address or by email.

2. General Information on Data Processing

2.1 Scope

This Privacy Policy applies to all personal data collected and processed via the DevArena platform (web application for companies), the DevCourt assessment app (iOS and Android), and our associated web services. DevArena is a technical assessment platform that allows companies to create, manage, and evaluate developer assessments.

2.2 Legal Basis

We process personal data on the following legal bases under GDPR Art. 6:

2.3 Data Minimisation

We collect only the personal data that is necessary for the stated processing purposes. We do not process data beyond what is required.

2.4 Data Transfers Outside the EU

Your data is primarily stored and processed within the European Union. Where data is transferred to third countries outside the EU/EEA, we ensure appropriate safeguards are in place (e.g., EU Standard Contractual Clauses pursuant to Art. 46 GDPR). Details of any such transfers are provided in the relevant sections below.

3. Server Log Files

3.1 Description

When you access our web services, our server automatically records information sent by your browser or app client in so-called server log files.

3.2 Data Collected

3.3 Purpose and Legal Basis

Log data is processed to ensure the technical operation, security, and availability of our services. The legal basis is our legitimate interest under Art. 6(1)(f) GDPR in operating a secure and reliable platform.

3.4 Retention

Log files are retained for up to 30 days and then automatically deleted, unless a longer retention period is required for security investigations.

3.5 Note on IP Addresses

IP addresses are considered personal data under GDPR. We process them solely for technical and security purposes and do not link them to individual user accounts unless required for a security investigation.

4. Cookies

4.1 What Are Cookies?

Cookies are small text files stored on your device by your browser when you visit a website. They allow the website to recognise your device on subsequent visits and to maintain session state.

4.2 Cookies We Use

We use only technically essential cookies required for the operation of our services. We do not use tracking, analytics, or advertising cookies.

Name Type Purpose Duration
access_token Session / Auth Stores a signed JWT to authenticate the user session on the DevArena platform Until logout / token expiry
refresh_token Session / Auth Allows renewal of the access token without requiring re-login 30 days (or until logout)

4.3 Legal Basis

Essential cookies are set on the basis of our legitimate interest in providing a functioning and secure web service (Art. 6(1)(f) GDPR). No consent banner is required for strictly necessary cookies under applicable law.

4.4 Marketing and Analytics Cookies

We currently do not use any marketing, advertising, or analytics cookies (e.g., Google Analytics, Facebook Pixel). Should we introduce such cookies in the future, we will update this Privacy Policy and, where required, obtain your prior consent.

5. Google Analytics 4

5.1 Scope of Processing

This website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

Google Analytics uses cookies and similar technologies to analyze the use of our website. The information generated by the cookie about your use of this website (including your shortened IP address) is usually transmitted to and stored by Google on servers. Google processes the data on our behalf to evaluate the use of the website, compile reports on website activity, and provide other services related to website and internet use.

5.2 IP Anonymization

We have activated IP anonymization on this website. This means that your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server and shortened there. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

5.3 Processed Data

Google Analytics collects the following data:

Important: No personal data such as name, email address or phone number is transmitted to Google Analytics.

5.4 Purpose of Data Processing

The use of Google Analytics serves the purpose of analyzing, optimizing, and economically operating our website. The evaluations enable us to:

5.5 Legal Basis

Processing is based on your consent in accordance with Art. 6(1)(a) GDPR and § 25(1) TTDSG (Telecommunications-Telemedia Data Protection Act).

5.6 Recipient / Processor

The recipient of the data is Google Ireland Limited as a processor. We have concluded a Data Processing Agreement (DPA) with Google for this purpose.

5.7 Data Transfer to Third Countries (USA)

Google processes your data also in the USA. The USA is not a safe third country within the meaning of EU data protection law. US companies are obliged to disclose personal data to security authorities without you as the data subject being able to take legal action against this.

Data transfer to the USA is based on:

Google is certified under the EU-US Data Privacy Framework. More information: https://www.dataprivacyframework.gov/

5.8 Storage Duration

Data stored by Google Analytics at the user and event level are automatically deleted after 14 months. We have configured this retention period accordingly.

5.9 Withdrawal and Objection

You can withdraw your consent at any time with effect for the future by accessing the cookie settings via the link in the footer of our website and deactivating the analysis cookies.

In addition, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link:

Google Analytics Opt-Out Browser Add-on: https://tools.google.com/dlpage/gaoptout

5.10 Further Information

For more information on terms of use and data protection, please visit:

6. Hosting & Server (Hetzner Online GmbH)

6.1 Description and Scope

Our website is hosted by Hetzner Online GmbH. All data collected in the course of using our website is processed on servers by Hetzner.

Hetzner Online GmbH

Industriestr. 25, 91710 Gunzenhausen, Germany

Phone: +49 (0)9831 505-0

Email: info@hetzner.com

Website: https://www.hetzner.de

6.2 Scope of Data Processing

Hetzner processes the following data on our behalf:

6.3 Legal Basis

Processing is based on Art. 6(1)(f) GDPR (legitimate interest in a reliable, secure, and efficient hosting service) and Art. 28 GDPR (processing on behalf).

6.4 Data Processing Agreement (DPA)

We have concluded a Data Processing Agreement (DPA) with Hetzner according to Art. 28 GDPR. Hetzner processes personal data exclusively according to our instructions and is contractually obliged to take appropriate technical and organizational measures to protect the data.

6.5 Server Location

All servers are located in data centers in Germany (Falkenstein/Vogtland, Nuremberg, Helsinki). No data transmission to third countries outside the EU/EEA takes place.

6.6 Storage Duration

The data is stored on Hetzner's servers as long as it is necessary for the provision of our website and services. For specific storage periods, please refer to the respective sections of this privacy policy.

6.7 Security Measures

Hetzner employs comprehensive security measures, including:

6.8 Further Information

Further information on data protection at Hetzner can be found at: https://www.hetzner.com/de/rechtliches/datenschutz

7. DevCourt Assessment Platform (B2B Customers)

7.1 Description and Scope of Data Processing

In the context of using our DevCourt Assessment Platform by companies (B2B customers), we process the following data:

Customer Data (Company):

Candidate Data (processed on behalf of customer):

7.2 Legal Basis

Customer Data: Processing of customer data is based on:

Candidate Data: Processing of candidate data is performed exclusively on behalf and according to instructions of the B2B customer (processing on behalf according to Art. 28 GDPR).

Important: The data controller within the meaning of the GDPR for the processing of candidate data is the respective B2B customer (the inviting company), not DevArena GmbH. We process this data exclusively as a processor according to the customer's instructions.

7.3 Purpose of Data Processing

Customer Data:

Candidate Data:

7.4 Storage Duration

Candidate Data: Candidate data is stored for the duration of the campaign defined by the customer:

7.5 Disclosure of Data

Customer Data: Disclosure of customer data to third parties only occurs in the following cases:

Candidate Data: Assessment results are provided exclusively to the respective B2B customer in the form of PDF reports. No disclosure to other third parties takes place.

DevArena GmbH does not evaluate candidate data for its own purposes and does not create cross-company statistics or profiles.

7.6 Data Subject Rights for B2B Customers

As a B2B customer, you have the following rights (see also section 11):

To exercise your rights, please contact: daten@devarena.de

7.7 Data Subject Rights for Candidates

Since DevArena GmbH acts as a processor on behalf of the inviting company when processing candidate data, requests regarding data subject rights (access, rectification, erasure, restriction, data portability, objection) should be directed to the inviting company (the B2B customer).

The data controller for your candidate data is the company that invited you to the assessment.

If you have technical questions about data processing or cannot identify the controller, you can contact daten@devarena.de. We will then forward your request to the responsible customer or assist you in making contact.

7.8 Data Processing Agreement (DPA) with B2B Customers

We conclude a Data Processing Agreement (DPA) according to Art. 28 GDPR with every B2B customer. This regulates:

The DPA is an integral part of our GTC and automatically becomes effective upon conclusion of the contract.

8. DevCourt Mobile App (Candidates)

8.1 Description and Scope of Data Processing

When using the DevCourt Mobile App (available for iOS and Android), we process the following data:

Access Data:

Assessment Data:

Optional Data (only with express consent):

8.2 Legal Basis

Access and Assessment Data: Processing is based on Art. 6(1)(b) GDPR (implementation of pre-contractual measures at the request of the data subject in the context of the application process) in conjunction with Art. 28 GDPR (processing on behalf of the inviting company).

You participate in the assessment as part of an application process with the inviting company. Conducting the assessment is a pre-contractual measure that takes place at your request (your application).

Optional Data (name, email): Processing is based on your express consent according to Art. 6(1)(a) GDPR. Consent is given in the app by checking a checkbox and is completely voluntary. You can also complete the assessment without providing this data.

8.3 Purpose of Data Processing

Access and Assessment Data:

Optional Data (with consent):

8.4 Anti-Cheating Measures

To ensure fair and comparable results, the DevCourt Mobile App employs the following technical protective measures:

a) Screenshot Block: Taking screenshots is technically prevented during the assessment. This prevents questions and answers from being saved and shared.

b) Focus Monitoring (App Switch Detection): The app detects when you leave the application (e.g., by switching to another app, to the browser, or to the phone app). Each focus loss is logged with:

Consequences of Focus Loss:

c) One-time Participation: Each participation code can only be used once. The device ID ensures that multiple participation is detected.

Important Notes on Your Privacy:

NO biometric data is collected: No camera recordings, no microphone recordings, no facial recognition, no behavioral biometrics (typing behavior, mouse movements), no location data (GPS).

NO screen recording takes place: Your screen is not recorded; no videos or screenshots are created.

The examination takes place exclusively at app level: Technical detection of app switches (focus loss) only — no monitoring of other apps or system functions, no installation of surveillance software.

8.5 Storage Duration

During the campaign: All data collected during the assessment will be stored for at least the duration of the campaign defined by the inviting company (30, 60, 90, or 120 days).

Within 30 days after the campaign ends, all data will be automatically and irrevocably deleted:

Exception with consent: If you have consented to the storage of your contact data (name, email address) for the DevArena Candidate Portal, only this data will be stored permanently until you withdraw your consent (see section 9). The assessment results themselves will also be deleted after 30 days in this case, unless you actively register in the Candidate Portal and consent to the permanent storage of your skill data there.

8.6 Disclosure of Data

Your assessment data will be disclosed exclusively to the inviting company that invited you to the assessment. The disclosure takes the form of a PDF report containing the following information:

If you have provided name and email address, these will also be listed in the report. Otherwise, only your participation code will appear in the report as an identifier.

Your data will not be disclosed to other companies, recruiters, or other third parties. DevArena GmbH does not use your assessment results for its own purposes and does not create cross-company candidate profiles.

8.7 Data Subject Rights

Since DevArena GmbH processes your assessment data as a processor on behalf of the inviting company, the inviting company is the controller within the meaning of the GDPR. For requests regarding your data subject rights, please contact the company that invited you to the assessment directly.

You have the following rights:

You can also contact us: daten@devarena.de — we will forward your request to the inviting company or assist you in making contact.

8.8 Right of Withdrawal

You can withdraw your consent to the storage of your contact data (name, email address) at any time with effect for the future. To do so, send an email to: daten@devarena.de

The lawfulness of the processing carried out until the withdrawal remains unaffected.

The withdrawal only relates to the optional contact data. The conduct of the assessment itself and the disclosure of results to the inviting company cannot be withdrawn, as these are necessary for carrying out the pre-contractual measure (application process).

8.9 App Permissions

The DevCourt Mobile App requires the following permissions on your device:

Permission Purpose Required
Internet access Loading assessment questions, submitting responses Yes
Network status Checking internet connection Yes
Storage Temporary storage of data during assessment execution Yes
Prevention of standby mode Ensuring that the assessment is not interrupted Yes

NOT required permissions: Camera, Microphone, Location (GPS), Contacts, Phone, SMS

8.10 Technical Security Measures

To protect your data, we employ the following security measures:

9. DevArena Candidate Portal

9.1 Description and Scope of Data Processing

The DevArena Candidate Portal (accessible at portal.devarena.de) is a platform for developing IT skills and increasing visibility to potential employers.

Mandatory Data (upon registration):

Optional Data (upon profile completion):

Automatically Captured Usage Data:

9.2 Legal Basis

Processing is based on your consent according to Art. 6(1)(a) GDPR. By registering in the Candidate Portal, you expressly consent to the processing of the data you provide. Consent is voluntary and can be withdrawn at any time.

9.3 Purpose of Data Processing

The data processing serves the following purposes:

9.4 Voluntary Nature of Information

Providing data is generally voluntary. However, the following data is required to use the Candidate Portal:

All other information (name, professional experience, location, etc.) is optional. You can use the Candidate Portal without providing this data. In this case, your profile will not be visible to employers.

9.5 Visibility to Employers

Your profile will not be disclosed to or made visible to employers without your express consent. You can set the following at any time in your account settings:

a) Profile Visibility:

b) Visible Information (with public profile):

c) Contact Options:

After registration, your profile is hidden by default. You must actively enable visibility.

9.6 Contact by Employers

If you have enabled contact by employers, registered companies can contact you via the platform. Process:

  1. Employer sees your public profile
  2. Employer sends contact request via the platform
  3. You receive a notification (email and/or in the portal)
  4. You can accept or decline the request
  5. Upon acceptance: message exchange via the platform or direct email communication (if you have enabled this)

9.7 Storage Duration

Your data will be stored as long as your account is active.

Account deletion: You can delete your account yourself at any time:

All personal data will be irrevocably deleted within 30 days after deletion:

The following data may be stored longer in anonymized form for analysis purposes:

This data can no longer be traced back to your person.

Accounts that have not been used for more than 3 years (no login) will be automatically deleted. You will receive a reminder via email 30 days before deletion.

9.8 Right of Withdrawal

You can withdraw your consent at any time with effect for the future:

The lawfulness of the processing carried out until the withdrawal remains unaffected.

9.9 Data Security in the Candidate Portal

To protect your data, we employ the following security measures:

9.10 Data Portability

You have the right to receive your data stored in the Candidate Portal in a structured, commonly used, and machine-readable format (Art. 20 GDPR).

Export function: You can export your data yourself at any time: Login → Settings → Export data

Alternatively, you can request the export via email: daten@devarena.de — we will provide the data to you within 30 days.

10. Contact

10.1 Contact via Email, Phone, or Contact Form

When you contact us via email, phone, or our contact form, the data you provide will be stored by us to process your inquiry and for possible follow-up questions.

Processed Data:

10.2 Legal Basis

The processing of data is based on:

10.3 Purpose of Data Processing

The processing of personal data serves us exclusively to process your contact. In the case of contact via email, this also constitutes the necessary legitimate interest in processing the data.

10.4 Storage Duration

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For personal data sent via email, phone, or contact form, this is the case when the respective conversation with the user has ended.

Specific periods:

10.5 Objection and Removal Options

You have the option at any time to withdraw your consent to the processing of personal data. If you contact us via email, you can object to the storage of your personal data at any time. In such a case, the conversation cannot be continued.

To exercise the withdrawal, please contact: daten@devarena.de

11. Newsletter

11.1 Description and Scope of Data Processing

On our website, there is an option to subscribe to a free newsletter. When registering for the newsletter, the data from the input form is transmitted to us.

Data collected upon registration:

Data collected during newsletter dispatch:

11.2 Double Opt-In Procedure

Registration for our newsletter follows the so-called double opt-in procedure:

  1. You enter your email address in the registration form
  2. You receive a confirmation email at the provided address
  3. You must click the confirmation link in this email
  4. Only after confirmation will your email address be added to the newsletter distribution list

No newsletter email will be sent without your confirmation. The double opt-in procedure serves as proof that you yourself registered and prevents registration by third parties using your email address.

11.3 Legal Basis

Processing is based on your consent according to Art. 6(1)(a) GDPR and § 7(2) No. 3 UWG. By registering for the newsletter and confirming in the double opt-in procedure, you consent to the processing of your email address and the other provided data for the purpose of newsletter dispatch.

11.4 Purpose of Data Processing

The collection of the email address serves to deliver the newsletter. The collection of other personal data as part of the registration process serves to:

11.5 Newsletter Content

a) Product Newsletter (DevCourt/DevArena):

b) Marketing Newsletter:

c) Transactional Emails (not newsletters):

Note: Transactional emails are not newsletters and cannot be unsubscribed from, as they are necessary for contract fulfillment.

11.6 Newsletter Service Provider

The newsletter is sent via HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA. We have concluded a Data Processing Agreement with HubSpot. HubSpot is certified under the EU-US Data Privacy Framework.

Data processed by HubSpot:

HubSpot Privacy Policy: https://legal.hubspot.com/de/privacy-policy

Legal basis for data transfer to the USA:

Further information on HubSpot:

11.7 Storage Duration

The data will be stored as long as the newsletter subscription is active.

11.8 Unsubscription / Withdrawal

You can unsubscribe from the newsletter at any time and withdraw your consent:

The unsubscription becomes effective within 48 hours. The lawfulness of the processing carried out until the withdrawal remains unaffected.

11.9 Analysis of Newsletter Usage Behavior

Our newsletters contain so-called "tracking pixels" — miniature graphics embedded in emails to enable log file recording and analysis, allowing statistical evaluation of online marketing campaigns.

Data collected:

Purpose: This data serves to optimize newsletter content and improve relevance for you.

Objection: If you do not want analysis, you must unsubscribe from the newsletter. A separate objection option only against tracking (while continuing to receive the newsletter) is not technically possible.

11a. Customer Relationship Management (HubSpot CRM)

11a.1 Description and Scope of Data Processing

We use HubSpot CRM (Customer Relationship Management) from HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA, to manage customer relationships, contacts, and business processes.

Contact and Customer Data:

Website Tracking Data (only with consent via cookie banner):

11a.2 Purpose of Data Processing

The use of HubSpot CRM serves the following purposes:

11a.3 Legal Basis

Processing is based on:

11a.4 HubSpot Tracking and Cookies

HubSpot uses cookies and similar technologies to analyze user behavior on our website. This only occurs with your consent via our cookie consent banner.

The following HubSpot cookies are used:

Cookie Name Purpose Storage Duration Category
__hssc Session tracking 30 minutes Analysis
__hssrc Session detection Session end Analysis
__hstc Visitor tracking 13 months Analysis
hubspotutk Visitor identification 13 months Analysis
__hs_opt_out Opt-out status 13 months Necessary
__hs_do_not_track Do-not-track status 13 months Necessary
__hs_initial_opt_in Cookie consent 7 days Necessary
hs_ab_test A/B testing Session end Analysis

You can deactivate the use of HubSpot cookies at any time via the cookie settings in the footer of our website.

11a.5 Data Processing Agreement (DPA)

We have concluded a Data Processing Agreement according to Art. 28 GDPR with HubSpot. HubSpot processes personal data exclusively according to our instructions and is contractually obliged to take appropriate technical and organizational measures to protect the data.

11a.6 Data Transfer to Third Countries (USA)

HubSpot processes data also in the USA. The USA is not a safe third country within the meaning of EU data protection law. US companies are obliged to disclose personal data to security authorities without you as the data subject being able to take legal action against this.

Data transfer to the USA is based on:

HubSpot is certified under the EU-US Data Privacy Framework. More information: DPF participant detail

11a.7 Storage Duration

Data Type Retention Period
Active customers Duration of business relationship + legal retention periods (6–10 years per § 147 AO, § 257 HGB)
Prospects without contract conclusion Deleted after 3 years of inactivity
Contact inquiries without further interaction Deleted after 6 months
Website tracking data Automatically deleted after 13 months

11a.8 Withdrawal and Objection

You can deactivate HubSpot tracking at any time:

For processing based on legitimate interests (Art. 6(1)(f) GDPR), you can object to the processing of your data in the CRM. Please contact us at: daten@devarena.de

For processing based on a contract (Art. 6(1)(b) GDPR), objection is not possible as data processing is necessary for contract fulfillment.

11a.9 Further Information

12. External Service Providers & Processors

12.1 General Information

We use external service providers to provide our services, who process personal data on our behalf (processors according to Art. 28 GDPR). We have concluded Data Processing Agreements (DPA) with all processors that meet the data protection requirements of the GDPR.

12.2 Overview of Processors Used

a) Hosting & Infrastructure

Service Provider Purpose Location Legal Basis
Hetzner Online GmbH Server hosting, databases, infrastructure Germany Art. 6(1)(f) GDPR, Art. 28 GDPR

Details see section 6.

b) Analysis & Tracking

Service Provider Purpose Location Legal Basis
Google Ireland Limited (Google Analytics 4) Web analysis, usage statistics Ireland / USA Art. 6(1)(a) GDPR (consent), Art. 28 GDPR

Details see section 5.

c) Payment Service Providers

Service Provider Purpose Location Legal Basis
Stripe Payments Europe Ltd. Credit card payments, SEPA direct debit Ireland / USA Art. 6(1)(b) GDPR (contract fulfillment)
PayPal (Europe) S.à r.l. et Cie, S.C.A. PayPal payments Luxembourg Art. 6(1)(b) GDPR (contract fulfillment)

Processed data:

We do not store complete credit card data or bank details. These are processed and stored exclusively by the respective payment service provider.

Privacy policies:

d) Email Dispatch & Newsletter

Service Provider Purpose Location Legal Basis
HubSpot, Inc. Newsletter dispatch, email marketing USA Art. 6(1)(a) GDPR (consent)

Details see sections 11 and 11a.

e) Development & Code Repositories

Service Provider Purpose Location Legal Basis
GitHub Inc. (Microsoft) Code versioning, development USA Art. 6(1)(f) GDPR (legitimate interest)
No personal customer data is stored in code repositories — only source code and technical documentation.

12.3 Data Transfer to Third Countries

Some of the service providers we use process data in third countries (outside the EU/EEA), particularly in the USA.

a) EU-US Data Privacy Framework (DPF)

The USA was recognized as a safe third country by the EU Commission's adequacy decision of July 10, 2023, provided the data importer is certified under the DPF.

Certified service providers:

Verification of certification: https://www.dataprivacyframework.gov/

b) EU Standard Contractual Clauses (SCC)

With service providers not certified under the DPF, we have concluded EU Standard Contractual Clauses according to Art. 46(2)(c) GDPR. These ensure an adequate level of data protection.

c) Additional Protective Measures

12.4 No Disclosure to Third Parties for Their Own Purposes

We do not disclose your personal data to third parties for their own purposes, unless:

In particular, no disclosure is made to:

13. Your Rights as a Data Subject

As a data subject, you have comprehensive rights regarding the processing of your personal data. You can assert these rights at any time.

13.1 Right of Access (Art. 15 GDPR)

You have the right to request confirmation from us as to whether personal data concerning you is being processed. If this is the case, you have a right to access this personal data and the following information:

Furthermore, you have the right to information as to whether personal data has been transferred to a third country or an international organization, including information about the appropriate safeguards in connection with the transfer.

How to exercise: Send an email to daten@devarena.de — we will respond within 30 days.

13.2 Right to Rectification (Art. 16 GDPR)

You have the right to request that we immediately rectify inaccurate personal data concerning you. Taking into account the purposes of processing, you also have the right to request the completion of incomplete personal data.

Examples: Correction of a misspelled email address, update of your company address, addition of missing contact details.

How to exercise:

13.3 Right to Erasure (Art. 17 GDPR)

You have the right to request that we immediately erase personal data concerning you, provided one of the following reasons applies:

  1. The personal data is no longer necessary for the purposes for which it was collected or otherwise processed
  2. You withdraw your consent on which the processing was based, and there is no other legal basis for processing
  3. You object to processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds, or you object pursuant to Art. 21(2) GDPR
  4. The personal data has been unlawfully processed
  5. The erasure is necessary to comply with a legal obligation under Union or Member State law
  6. The personal data was collected in relation to the offer of information society services pursuant to Art. 8(1) GDPR

Exceptions – No right to erasure exists if processing is necessary for:

Legal retention periods: Invoices, booking receipts: 10 years (§ 147 AO) · Business letters: 6 years (§ 257 HGB)

How to exercise:

13.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request that we restrict processing if one of the following conditions is met:

  1. The accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy
  2. The processing is unlawful, you oppose erasure and instead request restriction of use
  3. We no longer need the personal data, but you need it for the establishment, exercise, or defense of legal claims
  4. You have objected to processing pursuant to Art. 21(1) GDPR and it is not yet clear whether our legitimate grounds override yours
What does "restriction of processing" mean? The data is marked and may only be processed for certain purposes (e.g., for the establishment of legal claims), but not for the original purpose.

13.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller without hindrance from us, provided:

  1. The processing is based on consent (Art. 6(1)(a) GDPR) or on a contract (Art. 6(1)(b) GDPR), and
  2. The processing is carried out by automated means

Practical implementation:

How to exercise:

We will provide you with the data within 30 days.

13.6 Right to Object (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

Special right to object to direct marketing (Art. 21(2) GDPR): If personal data is processed for direct marketing purposes, you have the right to object at any time. This also applies to profiling related to such direct marketing.

Practical examples:

How to exercise: Send an email with justification to daten@devarena.de — we will respond within 30 days.

13.7 Right to Withdraw Data Protection Consent (Art. 7(3) GDPR)

You have the right to withdraw your data protection consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Consents you can withdraw:

13.8 Automated Individual Decision-Making Including Profiling (Art. 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

We do not use fully automated decisions that produce legal effects or significantly affect you. In particular:

13.9 Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR.

Competent supervisory authority for DevArena GmbH:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)

Kavalleriestraße 2-4, 40213 Düsseldorf, Germany

Phone: 0211 / 38424-0 · Fax: 0211 / 38424-10

Email: poststelle@ldi.nrw.de

Website: https://www.ldi.nrw.de

You can also contact the data protection supervisory authority of your place of residence or work. An overview of all EU data protection authorities: https://edpb.europa.eu/about-edpb/board/members_de

13.10 Exercise of Your Rights

Email: daten@devarena.de

Mail: DevArena GmbH, Attn: Data Protection, Wolfgang-Reuter-Str. 20a, 58300 Wetter (Ruhr)

Processing periods: We generally respond within 30 days of receipt. In complex cases, this period may be extended by a further two months; we will inform you in good time.

Proof of identity: To verify your identity and prevent misuse, we may ask you to identify yourself (e.g., by confirming your email address). This serves your protection.

Costs: The exercise of your rights is generally free of charge. In the case of manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse the request (Art. 12(5) GDPR).

14. Data Security

14.1 Technical and Organizational Measures

We employ comprehensive technical and organizational measures (TOMs) to protect your personal data against accidental or intentional manipulation, loss, destruction, or against access by unauthorized persons. Our security measures are continuously improved in line with technological developments.

14.2 Technical Security Measures

a) Encryption

b) Access Control

c) Network Security

d) Application Security

e) Backup & Disaster Recovery

14.3 Organizational Security Measures

a) Data Protection Management

b) Employee Training

c) Incident Response

d) Physical Access Control

e) Data Carrier Disposal

14.4 Penetration Tests and Security Audits

14.5 Certifications

Hetzner Online GmbH (our hosting provider) holds the following certifications:

14.6 Reporting Security Incidents

Despite all security measures, complete protection against all threats cannot be guaranteed. In the event of a data breach:

If you suspect a security incident, please inform us immediately: security@devarena.de

14.7 Privacy by Design & Privacy by Default

Privacy by Design (Art. 25(1) GDPR):

Privacy by Default (Art. 25(2) GDPR):

15. Changes to the Privacy Policy

15.1 Updates

We reserve the right to update this privacy policy to adapt it to changed legal situations or changes to our services and data processing.

Reasons for changes may be:

15.2 Information About Changes

In case of significant changes (e.g., new data processing, new recipients, change of legal basis), we will inform you actively:

In case of minor changes (e.g., editorial adjustments, clarifications), no active information is provided. The current version is always available on our website.

15.3 Right to Object to Changes

If you do not agree with a significant change, you have the following options:

15.4 Versioning

Previous versions are available upon request. Please contact: daten@devarena.de

15.5 Validity

This privacy policy applies to:

16. Contact & Questions

If you have questions about data protection, the processing of your personal data, or this privacy policy, please feel free to contact us:

DevArena GmbH

Wolfgang-Reuter-Str. 20a, 58300 Wetter (Ruhr), Germany

Data protection inquiries: daten@devarena.de

General inquiries: info@devarena.de

Security incidents: security@devarena.de

Managing Directors: Christoph Swoboda, Nicolas Asbeck

Competent supervisory authority:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)

Kavalleriestraße 2-4, 40213 Düsseldorf

Phone: 0211 / 38424-0

Email: poststelle@ldi.nrw.de

Website: https://www.ldi.nrw.de

Final Provisions

Severability Clause

Should individual provisions of this privacy policy be or become invalid, this does not affect the validity of the remaining provisions. The invalid provision will be replaced by a valid provision that comes closest to the meaning and purpose of the invalid provision.

Applicable Law

The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods. Mandatory consumer protection provisions of the country in which you have your habitual residence remain unaffected.

Place of Jurisdiction

To the extent legally permissible, the place of jurisdiction for all disputes arising from or in connection with this privacy policy is Hagen, Germany.

Status of this Privacy Policy: April 14, 2026