DevArena
Privacy Policy of DevArena GmbH
As of: April 2026
- 1. Responsible Party and Contact
- 2. General Information on Data Processing
- 3. Server Log Files
- 4. Cookies
- 5. Registration and User Account
- 6. Authentication via Third-Party Providers (Google, Apple)
- 7. Assessment and Candidate Data
- 8. Email Communication and Notifications
- 9. Payment Processing
- 10. Data Retention Periods
- 11. Your Rights as a Data Subject
- 12. Data Security
- 13. Links to Third-Party Websites
- 14. Children's Privacy
- 15. Changes to This Privacy Policy
- 16. Contact for Data Protection Inquiries
1. Responsible Party and Contact
The entity responsible for data processing under the General Data Protection Regulation (GDPR) and applicable data protection laws is:
For all questions and requests relating to data protection, please contact us
at the above address or by email.
2. General Information on Data Processing
2.1 Scope
This Privacy Policy applies to all personal data collected and processed via
the DevArena platform (web application for companies), the DevCourt assessment
app (iOS and Android), and our associated web services. DevArena is a
technical assessment platform that allows companies to create, manage, and
evaluate developer assessments.
2.2 Legal Basis
We process personal data on the following legal bases under GDPR Art. 6:
- Art. 6(1)(b) GDPR — Processing necessary for the performance of a contract or pre-contractual measures
- Art. 6(1)(c) GDPR — Processing necessary for compliance with a legal obligation
- Art. 6(1)(f) GDPR — Processing based on our legitimate interests (e.g., platform security, fraud prevention)
- Art. 6(1)(a) GDPR — Processing based on your consent, where explicitly given
2.3 Data Minimisation
We collect only the personal data that is necessary for the stated processing
purposes. We do not process data beyond what is required.
2.4 Data Transfers Outside the EU
Your data is primarily stored and processed within the European Union. Where
data is transferred to third countries outside the EU/EEA, we ensure
appropriate safeguards are in place (e.g., EU Standard Contractual Clauses
pursuant to Art. 46 GDPR). Details of any such transfers are provided in the
relevant sections below.
3. Server Log Files
3.1 Description
When you access our web services, our server automatically records information
sent by your browser or app client in so-called server log files.
3.2 Data Collected
- IP address of the requesting device
- Date and time of the request
- URL and HTTP method of the request
- HTTP response code and response size
- Referrer URL (if applicable)
- Browser type, version, and operating system
- App version (for DevCourt mobile app requests)
3.3 Purpose and Legal Basis
Log data is processed to ensure the technical operation, security, and
availability of our services. The legal basis is our legitimate interest under
Art. 6(1)(f) GDPR in operating a secure and reliable platform.
3.4 Retention
Log files are retained for up to 30 days and then automatically deleted, unless a longer retention period is required for security investigations.
3.5 Note on IP Addresses
IP addresses are considered personal data under GDPR. We process them solely
for technical and security purposes and do not link them to individual user
accounts unless required for a security investigation.
4. Cookies
4.1 What Are Cookies?
Cookies are small text files stored on your device by your browser when you
visit a website. They allow the website to recognise your device on subsequent
visits and to maintain session state.
4.2 Cookies We Use
We use only technically essential cookies required for the operation of our services. We do not use tracking, analytics, or advertising cookies.
| Name |
Type |
Purpose |
Duration |
| access_token |
Session / Auth |
Stores a signed JWT to authenticate the user session on the DevArena platform |
Until logout / token expiry |
| refresh_token |
Session / Auth |
Allows renewal of the access token without requiring re-login |
30 days (or until logout) |
4.3 Legal Basis
Essential cookies are set on the basis of our legitimate interest in providing
a functioning and secure web service (Art. 6(1)(f) GDPR). No consent banner is
required for strictly necessary cookies under applicable law.
4.4 Marketing and Analytics Cookies
We currently do not use any marketing, advertising, or analytics cookies (e.g.,
Google Analytics, Facebook Pixel). Should we introduce such cookies in the
future, we will update this Privacy Policy and, where required, obtain your
prior consent.
5. Google Analytics 4
5.1 Scope of Processing
This website uses Google Analytics 4, a web analytics service provided by
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
("Google").
Google Analytics uses cookies and similar technologies to analyze the use of
our website. The information generated by the cookie about your use of this
website (including your shortened IP address) is usually transmitted to and
stored by Google on servers. Google processes the data on our behalf to
evaluate the use of the website, compile reports on website activity, and
provide other services related to website and internet use.
5.2 IP Anonymization
We have activated IP anonymization on this website. This means that your IP
address will be shortened by Google within member states of the European Union
or in other contracting states of the Agreement on the European Economic Area.
Only in exceptional cases will the full IP address be transmitted to a Google
server and shortened there. The IP address transmitted by your browser as part
of Google Analytics will not be merged with other Google data.
5.3 Processed Data
Google Analytics collects the following data:
- Anonymized IP address
- Browser type and version
- Operating system used
- Referrer URL (previous page visited)
- Hostname of the accessing computer
- Time of server request
- Screen resolution
- Visited pages and duration of stay
- Clicks and interactions on the website
- Geographic origin (country, region – not exact location data)
Important: No personal data such as name, email address or
phone number is transmitted to Google Analytics.
5.4 Purpose of Data Processing
The use of Google Analytics serves the purpose of analyzing, optimizing, and
economically operating our website. The evaluations enable us to:
- Improve the user-friendliness of the website
- Optimize content
- Identify and fix technical problems
- Evaluate the effectiveness of marketing measures
5.5 Legal Basis
Processing is based on your consent in accordance with Art. 6(1)(a) GDPR and
§ 25(1) TTDSG (Telecommunications-Telemedia Data Protection Act).
5.6 Recipient / Processor
The recipient of the data is Google Ireland Limited as a processor. We have
concluded a Data Processing Agreement (DPA) with Google for this purpose.
5.7 Data Transfer to Third Countries (USA)
Google processes your data also in the USA. The USA is not a safe third country
within the meaning of EU data protection law. US companies are obliged to
disclose personal data to security authorities without you as the data subject
being able to take legal action against this.
Data transfer to the USA is based on:
- EU Standard Contractual Clauses (SCC) according to Art. 46(2)(c) GDPR
- Adequacy decision of the EU Commission for the EU-US Data Privacy Framework (DPF)
Google is certified under the EU-US Data Privacy Framework. More information:
https://www.dataprivacyframework.gov/
5.8 Storage Duration
Data stored by Google Analytics at the user and event level are automatically
deleted after 14 months. We have configured this retention period accordingly.
5.9 Withdrawal and Objection
You can withdraw your consent at any time with effect for the future by
accessing the cookie settings via the link in the footer of our website and
deactivating the analysis cookies.
In addition, you can prevent the collection of data generated by the cookie
and related to your use of the website (including your IP address) to Google
as well as the processing of this data by Google by downloading and installing
the browser plugin available under the following link:
Google Analytics Opt-Out Browser Add-on:
https://tools.google.com/dlpage/gaoptout
5.10 Further Information
For more information on terms of use and data protection, please visit:
6. Hosting & Server (Hetzner Online GmbH)
6.1 Description and Scope
Our website is hosted by Hetzner Online GmbH. All data collected in the course
of using our website is processed on servers by Hetzner.
6.2 Scope of Data Processing
Hetzner processes the following data on our behalf:
- IP addresses of website visitors
- Log files (see section 3)
- All data transmitted via the website (e.g., form entries, assessment data)
- Database contents (customer data, candidate data, campaign data)
6.3 Legal Basis
Processing is based on Art. 6(1)(f) GDPR (legitimate interest in a reliable,
secure, and efficient hosting service) and Art. 28 GDPR (processing on behalf).
6.4 Data Processing Agreement (DPA)
We have concluded a Data Processing Agreement (DPA) with Hetzner according to
Art. 28 GDPR. Hetzner processes personal data exclusively according to our
instructions and is contractually obliged to take appropriate technical and
organizational measures to protect the data.
6.5 Server Location
All servers are located in data centers in Germany (Falkenstein/Vogtland,
Nuremberg, Helsinki). No data transmission to third countries outside the
EU/EEA takes place.
6.6 Storage Duration
The data is stored on Hetzner's servers as long as it is necessary for the
provision of our website and services. For specific storage periods, please
refer to the respective sections of this privacy policy.
6.7 Security Measures
Hetzner employs comprehensive security measures, including:
- Physical access control to data centers
- Encrypted data transmission (SSL/TLS)
- Regular security updates and backups
- Firewall and DDoS protection
- Certification according to ISO 27001
6.8 Further Information
Further information on data protection at Hetzner can be found at:
https://www.hetzner.com/de/rechtliches/datenschutz
7. DevCourt Assessment Platform (B2B Customers)
7.1 Description and Scope of Data Processing
In the context of using our DevCourt Assessment Platform by companies (B2B customers), we process the following data:
Customer Data (Company):
- Company name, legal form, commercial register number
- Address (street, zip code, city, country)
- Name, first name, position of contact person(s)
- Email address, phone number
- Billing address, VAT ID (if available)
- Payment information (IBAN or credit card data – processed via external payment service providers)
- Campaign data (created assessments, invitations, evaluations, reports)
- Usage data (login times, pages accessed in customer portal)
Candidate Data (processed on behalf of customer):
- Name, email address (if provided by customer or voluntarily provided by candidate)
- Participation code (unique identifier)
- Assessment results (responses to questions, scores achieved, timestamps)
- Technical data (IP address, device ID, app version, operating system, focus loss events)
7.2 Legal Basis
Customer Data: Processing of customer data is based on:
- Art. 6(1)(b) GDPR (contract fulfillment): Providing the customer account, conducting booked assessments, invoicing
- Art. 6(1)(c) GDPR (legal obligation): Compliance with tax and commercial retention obligations (§ 147 AO, § 257 HGB)
- Art. 6(1)(f) GDPR (legitimate interest): Fraud prevention, assertion of legal claims
Candidate Data: Processing of candidate data is performed exclusively on behalf and according to instructions of the B2B customer (processing on behalf according to Art. 28 GDPR).
Important: The data controller within the meaning of the GDPR for the processing of candidate data is the respective B2B customer (the inviting company), not DevArena GmbH. We process this data exclusively as a processor according to the customer's instructions.
7.3 Purpose of Data Processing
Customer Data:
- Provision and management of the customer account in the DevCourt portal
- Creation and management of assessment campaigns
- Processing of bookings and payments
- Sending invoices and payment reminders
- Technical support and customer service
- Communication about product updates and new features
- Compliance with tax and commercial retention obligations
Candidate Data:
- Conducting the assessments booked by the customer
- Generating assessment reports for the customer
- Ensuring the integrity and comparability of results (anti-cheating measures)
- Technical provision of the assessment platform and mobile app
7.4 Storage Duration
Candidate Data: Candidate data is stored for the duration of the campaign defined by the customer:
- Campaign duration: 30, 60, 90, or 120 days (selectable by customer)
- Automatic deletion: Within 24 hours after the campaign ends, all candidate data (assessment results, technical data, IP addresses) will be automatically and irrevocably deleted
- Exception: If a candidate has expressly consented to the storage of their data in the DevArena Candidate Portal (see section 9), name and email address will be stored permanently until consent is withdrawn
- Backup systems: Data in backup systems will be overwritten at the latest 30 days after expiry of the regular storage period
7.5 Disclosure of Data
Customer Data: Disclosure of customer data to third parties only occurs in the following cases:
- To payment service providers (e.g., Stripe, PayPal) for processing payments
- To our tax advisor for fulfilling tax obligations
- To authorities when legally required (e.g., tax office, law enforcement agencies)
- To external service providers (processors) according to Art. 28 GDPR (see section 12)
Candidate Data: Assessment results are provided exclusively to the respective B2B customer in the form of PDF reports. No disclosure to other third parties takes place.
DevArena GmbH does not evaluate candidate data for its own purposes and does not create cross-company statistics or profiles.
7.6 Data Subject Rights for B2B Customers
As a B2B customer, you have the following rights (see also section 11):
- Right of access (Art. 15 GDPR): Information about the data stored about your company
- Right to rectification (Art. 16 GDPR): Correction of incorrect data
- Right to erasure (Art. 17 GDPR): Deletion of your data after contract termination (provided no retention obligations exist)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR): Export of your campaign data in a machine-readable format
To exercise your rights, please contact: daten@devarena.de
7.7 Data Subject Rights for Candidates
Since DevArena GmbH acts as a processor on behalf of the inviting company when
processing candidate data, requests regarding data subject rights (access,
rectification, erasure, restriction, data portability, objection) should be
directed to the inviting company (the B2B customer).
The data controller for your candidate data is the company that invited you to the assessment.
If you have technical questions about data processing or cannot identify the
controller, you can contact daten@devarena.de.
We will then forward your request to the responsible customer or assist you in making contact.
7.8 Data Processing Agreement (DPA) with B2B Customers
We conclude a Data Processing Agreement (DPA) according to Art. 28 GDPR with every B2B customer. This regulates:
- The scope and purpose of data processing
- The type of personal data
- The categories of data subjects (candidates)
- The obligations and rights of the controller (customer)
- Our obligation to follow instructions as a processor
- Technical and organizational measures (TOMs)
- The conditions for engaging sub-processors
- Support obligations regarding data subject rights
- Regulations on data deletion after contract termination
The DPA is an integral part of our GTC and automatically becomes effective upon
conclusion of the contract.
8. DevCourt Mobile App (Candidates)
8.1 Description and Scope of Data Processing
When using the DevCourt Mobile App (available for iOS and Android), we process the following data:
Access Data:
- Unique participation code (provided by the inviting company)
- Device ID (pseudonymized technical identifier to ensure integrity)
- App version, operating system (iOS/Android), device model
- Time of app start and assessment execution
Assessment Data:
- Responses to the questions asked (multiple choice, code entries, etc.)
- Timestamps (start of assessment, end, duration per question)
- Focus loss events (time and frequency when the app was left)
- Score achieved and evaluation
Optional Data (only with express consent):
- Name (first and last name)
- Email address
- Consent to receive personal assessment report
- Consent to information about the DevArena Candidate Portal
8.2 Legal Basis
Access and Assessment Data: Processing is based on Art. 6(1)(b) GDPR
(implementation of pre-contractual measures at the request of the data subject in the
context of the application process) in conjunction with Art. 28 GDPR (processing on
behalf of the inviting company).
You participate in the assessment as part of an application process with the inviting
company. Conducting the assessment is a pre-contractual measure that takes place at
your request (your application).
Optional Data (name, email): Processing is based on your express
consent according to Art. 6(1)(a) GDPR. Consent is given in the app by checking a
checkbox and is completely voluntary. You can also complete the assessment without
providing this data.
8.3 Purpose of Data Processing
Access and Assessment Data:
- Conducting the assessment (technical provision, question management, time recording)
- Ensuring the integrity and comparability of results (anti-cheating measures)
- Generating the assessment report for the inviting company
- Providing the results to the inviting company
Optional Data (with consent):
- Sending your personal assessment report via email
- Information about the DevArena Candidate Portal and the possibility to register
- Enabling contact in case of technical problems
8.4 Anti-Cheating Measures
To ensure fair and comparable results, the DevCourt Mobile App employs the following technical protective measures:
a) Screenshot Block: Taking screenshots is technically prevented during the assessment. This prevents questions and answers from being saved and shared.
b) Focus Monitoring (App Switch Detection): The app detects when you leave the application (e.g., by switching to another app, to the browser, or to the phone app). Each focus loss is logged with:
- Time of leaving
- Duration of absence
- Number of focus losses
Consequences of Focus Loss:
- Warning: A warning appears when leaving the app for the first time
- Termination: Repeated or prolonged leaving of the app may result in automatic termination of the assessment
- Marking in report: Focus losses are noted in the assessment report and communicated to the inviting company
c) One-time Participation: Each participation code can only be used once. The device ID ensures that multiple participation is detected.
Important Notes on Your Privacy:
NO biometric data is collected: No camera recordings, no microphone recordings, no facial recognition, no behavioral biometrics (typing behavior, mouse movements), no location data (GPS).
NO screen recording takes place: Your screen is not recorded; no videos or screenshots are created.
The examination takes place exclusively at app level: Technical detection of app switches (focus loss) only — no monitoring of other apps or system functions, no installation of surveillance software.
8.5 Storage Duration
During the campaign: All data collected during the assessment will be stored for at
least the duration of the campaign defined by the inviting company (30, 60, 90, or
120 days).
Within 30 days after the campaign ends, all data will be automatically and irrevocably deleted:
- Assessment results (responses, scores)
- Technical data (IP address, device ID, focus loss events)
- Timestamps and usage data
Exception with consent: If you have consented to the storage of your
contact data (name, email address) for the DevArena Candidate Portal, only this data
will be stored permanently until you withdraw your consent (see section 9). The
assessment results themselves will also be deleted after 30 days in this case, unless
you actively register in the Candidate Portal and consent to the permanent storage of
your skill data there.
8.6 Disclosure of Data
Your assessment data will be disclosed exclusively to the inviting company that invited
you to the assessment. The disclosure takes the form of a PDF report containing the
following information:
- Score achieved and evaluation
- Responses to questions (correct/incorrect)
- Timestamps (duration per question, total duration)
- Focus loss events (if occurred)
- Comparison with other candidates (anonymized)
If you have provided name and email address, these will also be listed in the report.
Otherwise, only your participation code will appear in the report as an identifier.
Your data will not be disclosed to other companies, recruiters, or other third parties.
DevArena GmbH does not use your assessment results for its own purposes and does not
create cross-company candidate profiles.
8.7 Data Subject Rights
Since DevArena GmbH processes your assessment data as a processor on behalf of the
inviting company, the inviting company is the controller within the meaning of the GDPR.
For requests regarding your data subject rights, please contact the company that invited
you to the assessment directly.
You have the following rights:
- Right of access (Art. 15 GDPR): Information about the data stored about you
- Right to rectification (Art. 16 GDPR): Correction of incorrect data
- Right to erasure (Art. 17 GDPR): Deletion of your data (provided no legal retention obligations exist)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
You can also contact us: daten@devarena.de
— we will forward your request to the inviting company or assist you in making contact.
8.8 Right of Withdrawal
You can withdraw your consent to the storage of your contact data (name, email address)
at any time with effect for the future. To do so, send an email to:
daten@devarena.de
The lawfulness of the processing carried out until the withdrawal remains unaffected.
The withdrawal only relates to the optional contact data. The conduct of the assessment
itself and the disclosure of results to the inviting company cannot be withdrawn, as
these are necessary for carrying out the pre-contractual measure (application process).
8.9 App Permissions
The DevCourt Mobile App requires the following permissions on your device:
| Permission |
Purpose |
Required |
| Internet access |
Loading assessment questions, submitting responses |
Yes |
| Network status |
Checking internet connection |
Yes |
| Storage |
Temporary storage of data during assessment execution |
Yes |
| Prevention of standby mode |
Ensuring that the assessment is not interrupted |
Yes |
NOT required permissions: Camera, Microphone, Location (GPS), Contacts, Phone, SMS
8.10 Technical Security Measures
To protect your data, we employ the following security measures:
- Encrypted data transmission: All data is transmitted encrypted via HTTPS/TLS
- Encrypted storage: Assessment data is stored encrypted in the database
- Access controls: Only authorized employees have access to the data
- Regular security updates: The app is continuously checked for security vulnerabilities
- Secure servers: Hosting in certified data centers in Germany (see section 6)
9. DevArena Candidate Portal
9.1 Description and Scope of Data Processing
The DevArena Candidate Portal (accessible at portal.devarena.de) is a platform
for developing IT skills and increasing visibility to potential employers.
Mandatory Data (upon registration):
- Email address
- Password (stored encrypted)
- Registration date and timestamp
- Login data (time of last login)
Optional Data (upon profile completion):
- Name (first and last name) or pseudonym
- Professional experience (years, position, industry)
- Qualifications (degrees, certificates)
- Skill profile (completed challenges, scores achieved, technologies)
- Location (city/region, not exact address or GPS data)
- Preferred technologies/programming languages
- GitHub profile, LinkedIn profile (URL)
- Profile picture (optional, max. 5 MB)
- Availability (e.g., "immediately", "in 3 months")
- Desired position (e.g., "Backend Developer", "DevOps Engineer")
Automatically Captured Usage Data:
- Completed challenges and competitions
- Scores achieved and rankings
- Timestamps of activities
- Learning progress and statistics
9.2 Legal Basis
Processing is based on your consent according to Art. 6(1)(a) GDPR. By
registering in the Candidate Portal, you expressly consent to the processing
of the data you provide. Consent is voluntary and can be withdrawn at any time.
9.3 Purpose of Data Processing
The data processing serves the following purposes:
- Provision of the Candidate Portal: Account management, access to challenges, leaderboards, learning materials
- Creation of a skill profile: Presentation of your skills and competencies based on completed challenges
- Gamification: Points system, achievements, rankings, competitions
- Providing visibility: Increasing your visibility to employers (only with separate consent, see 9.5)
- Communication: Sending notifications about new challenges, competitions, product updates (via email, only with consent)
- Service improvement: Analysis of usage to optimize the platform (anonymized)
9.4 Voluntary Nature of Information
Providing data is generally voluntary. However, the following data is required to use the Candidate Portal:
- Email address: Required for login, password reset, important notifications
- Password: Required to secure your account
All other information (name, professional experience, location, etc.) is optional. You
can use the Candidate Portal without providing this data. In this case, your profile
will not be visible to employers.
9.5 Visibility to Employers
Your profile will not be disclosed to or made visible to employers without your express consent. You can set the following at any time in your account settings:
a) Profile Visibility:
- Profile hidden: Your profile is only visible to you
- Profile public: Your profile is visible to registered employers
b) Visible Information (with public profile):
- Display name
- Display location
- Display professional experience
- Display skill profile (challenges, scores)
- Display GitHub/LinkedIn profile
- Display availability
c) Contact Options:
- Employers may contact me (via the platform)
- Employers may see my email address
- I want to receive notifications about contact requests
After registration, your profile is hidden by default. You must actively enable visibility.
9.6 Contact by Employers
If you have enabled contact by employers, registered companies can contact you via the platform. Process:
- Employer sees your public profile
- Employer sends contact request via the platform
- You receive a notification (email and/or in the portal)
- You can accept or decline the request
- Upon acceptance: message exchange via the platform or direct email communication (if you have enabled this)
- You have full control over contact requests
- You can block employers
- You can deactivate the contact function at any time
- DevArena GmbH only discloses your email address if you have expressly enabled this
9.7 Storage Duration
Your data will be stored as long as your account is active.
Account deletion: You can delete your account yourself at any time:
All personal data will be irrevocably deleted within 30 days after deletion:
- Name, email address, contact data
- Profile picture, profile information
- Login data, password
The following data may be stored longer in anonymized form for analysis purposes:
- "A user completed Challenge X" (without personal reference)
- Aggregated statistics (e.g., "Average score for Challenge Y")
This data can no longer be traced back to your person.
Accounts that have not been used for more than 3 years (no login) will be automatically
deleted. You will receive a reminder via email 30 days before deletion.
9.8 Right of Withdrawal
You can withdraw your consent at any time with effect for the future:
- Via email: daten@devarena.de
- In the portal: Settings → Delete account
- By mail: DevArena GmbH, Wolfgang-Reuter-Str. 20a, 58300 Wetter (Ruhr)
The lawfulness of the processing carried out until the withdrawal remains unaffected.
9.9 Data Security in the Candidate Portal
To protect your data, we employ the following security measures:
- Password encryption: Passwords are hashed with bcrypt/Argon2 (not stored in plain text)
- Two-factor authentication (2FA): Optionally activatable for additional protection
- HTTPS/TLS encryption: All data transmissions are encrypted
- Session management: Automatic logout after inactivity
- Access controls: Only you have access to your complete profile data
- Regular security updates: Continuous review and updating of systems
- Penetration tests: Regular security reviews by external experts
- Backup systems: Daily encrypted backups with 30-day retention
9.10 Data Portability
You have the right to receive your data stored in the Candidate Portal in a structured,
commonly used, and machine-readable format (Art. 20 GDPR).
Export function: You can export your data yourself at any time:
Login → Settings → Export data
- Format: JSON or CSV
- Contains: Profile data, skill data, challenge results, statistics
Alternatively, you can request the export via email:
daten@devarena.de
— we will provide the data to you within 30 days.
10. Contact
10.1 Contact via Email, Phone, or Contact Form
When you contact us via email, phone, or our contact form, the data you provide
will be stored by us to process your inquiry and for possible follow-up questions.
Processed Data:
- Name, first name
- Email address
- Phone number (if provided)
- Company (if provided)
- Subject and message content
- Time of contact
- IP address (when using the contact form)
10.2 Legal Basis
The processing of data is based on:
- Art. 6(1)(a) GDPR (consent), when you actively contact us
- Art. 6(1)(b) GDPR (pre-contractual measures), if your inquiry aims at concluding a contract
- Art. 6(1)(f) GDPR (legitimate interest), for processing general inquiries and communication with interested parties
10.3 Purpose of Data Processing
The processing of personal data serves us exclusively to process your contact. In
the case of contact via email, this also constitutes the necessary legitimate interest
in processing the data.
10.4 Storage Duration
The data will be deleted as soon as it is no longer necessary to achieve the purpose
for which it was collected. For personal data sent via email, phone, or contact form,
this is the case when the respective conversation with the user has ended.
Specific periods:
- General inquiries: Deletion after 6 months
- Support inquiries from customers: Deletion after 3 years (for traceability of recurring problems)
- Inquiries related to contracts: Retention according to legal periods (see section 2)
10.5 Objection and Removal Options
You have the option at any time to withdraw your consent to the processing of
personal data. If you contact us via email, you can object to the storage of your
personal data at any time. In such a case, the conversation cannot be continued.
To exercise the withdrawal, please contact: daten@devarena.de
11. Newsletter
11.1 Description and Scope of Data Processing
On our website, there is an option to subscribe to a free newsletter. When
registering for the newsletter, the data from the input form is transmitted to us.
Data collected upon registration:
- Email address (mandatory field)
- First name, last name (optional)
- Company (optional, only for B2B newsletter)
- Time of registration
- IP address at the time of registration
- Confirmation of registration (double opt-in)
Data collected during newsletter dispatch:
- Open rate (whether and when you opened the newsletter)
- Click rate (which links you clicked)
- Device type (desktop, mobile, tablet)
- Email client (e.g., Gmail, Outlook)
- Unsubscriptions and bounces (undeliverable emails)
11.2 Double Opt-In Procedure
Registration for our newsletter follows the so-called double opt-in procedure:
- You enter your email address in the registration form
- You receive a confirmation email at the provided address
- You must click the confirmation link in this email
- Only after confirmation will your email address be added to the newsletter distribution list
No newsletter email will be sent without your confirmation. The double opt-in
procedure serves as proof that you yourself registered and prevents registration
by third parties using your email address.
11.3 Legal Basis
Processing is based on your consent according to Art. 6(1)(a) GDPR and
§ 7(2) No. 3 UWG. By registering for the newsletter and confirming in the double
opt-in procedure, you consent to the processing of your email address and the other
provided data for the purpose of newsletter dispatch.
11.4 Purpose of Data Processing
The collection of the email address serves to deliver the newsletter. The collection of other personal data as part of the registration process serves to:
- Prevent misuse of the services or the email address used
- Prove the registration (legal protection)
- Personalize the newsletter (e.g., salutation with name)
- Measure and improve the effectiveness of the newsletter
11.5 Newsletter Content
a) Product Newsletter (DevCourt/DevArena):
- New features and product updates
- Tips for using the platform
- Success stories and best practices
- Invitations to webinars and events
b) Marketing Newsletter:
- Offers and promotional campaigns
- Industry news and trends in IT recruiting
- Studies and whitepapers
c) Transactional Emails (not newsletters):
- Confirmations (e.g., booking confirmations)
- Invoices
- Important security notices
- Password reset
Note: Transactional emails are not newsletters and cannot be
unsubscribed from, as they are necessary for contract fulfillment.
11.6 Newsletter Service Provider
The newsletter is sent via HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge,
MA 02141, USA. We have concluded a Data Processing Agreement with HubSpot. HubSpot
is certified under the EU-US Data Privacy Framework.
Data processed by HubSpot:
- Email address
- Name (if provided)
- Company (if provided, only for B2B newsletter)
- Registration time and source
- Opening and click data
- Email preferences and unsubscriptions
- IP address upon registration and opening
HubSpot Privacy Policy:
https://legal.hubspot.com/de/privacy-policy
Legal basis for data transfer to the USA:
- EU Standard Contractual Clauses (SCC)
- EU-US Data Privacy Framework
Further information on HubSpot:
11.7 Storage Duration
The data will be stored as long as the newsletter subscription is active.
- After unsubscribing, your data will be deleted within 30 days, unless legal retention obligations exist
- Registration logging: The logging of registration (IP address, time, confirmation) is retained for 3 years for legal reasons to prove lawful registration
11.8 Unsubscription / Withdrawal
You can unsubscribe from the newsletter at any time and withdraw your consent:
- Unsubscribe link: Each newsletter contains an unsubscribe link at the end. With one click, you will be automatically removed from the distribution list.
- Email: newsletter@devarena.de or daten@devarena.de
- In writing: DevArena GmbH, Wolfgang-Reuter-Str. 20a, 58300 Wetter (Ruhr)
The unsubscription becomes effective within 48 hours. The lawfulness of the processing carried out until the withdrawal remains unaffected.
11.9 Analysis of Newsletter Usage Behavior
Our newsletters contain so-called "tracking pixels" — miniature graphics embedded
in emails to enable log file recording and analysis, allowing statistical evaluation
of online marketing campaigns.
Data collected:
- Whether and when the newsletter was opened
- Which links were clicked
- From which device / email client it was opened
Purpose: This data serves to optimize newsletter content and improve relevance for you.
Objection: If you do not want analysis, you must unsubscribe from the
newsletter. A separate objection option only against tracking (while continuing to
receive the newsletter) is not technically possible.
11a. Customer Relationship Management (HubSpot CRM)
11a.1 Description and Scope of Data Processing
We use HubSpot CRM (Customer Relationship Management) from HubSpot, Inc.,
25 First Street, 2nd Floor, Cambridge, MA 02141, USA, to manage customer
relationships, contacts, and business processes.
Contact and Customer Data:
- Name, first name
- Email address
- Phone number
- Company, position, industry
- Address
- Communication history (emails, calls, meetings, notes)
- Contract history and customer interactions
- Inquiries and support tickets
- Campaign assignment (how the contact found us)
Website Tracking Data (only with consent via cookie banner):
- Visited pages and duration of stay
- Form submissions
- Downloads (e.g., whitepapers, documentation)
- Anonymized IP address
- Browser type, device type
- Referrer URL
- Cookie ID
11a.2 Purpose of Data Processing
The use of HubSpot CRM serves the following purposes:
- Management of customer relationships and contacts
- Lead management and sales support
- Processing of inquiries and support tickets
- Documentation of communication history
- Personalization of customer communication
- Analysis and optimization of sales processes
- Automation of workflows and reminders
- Segmentation of target groups
- Tracking of user behavior on our website (only with consent)
- Assignment of website visits to existing contacts
11a.3 Legal Basis
Processing is based on:
- Art. 6(1)(b) GDPR (contract fulfillment): For the management of existing customer relationships, contract processing, and customer service
- Art. 6(1)(f) GDPR (legitimate interest): For the management of prospect inquiries, lead management, and optimization of our sales and marketing processes
- Art. 6(1)(a) GDPR (consent): For website tracking and behavioral analysis (via cookie consent banner)
11a.4 HubSpot Tracking and Cookies
HubSpot uses cookies and similar technologies to analyze user behavior on our website.
This only occurs with your consent via our cookie consent banner.
The following HubSpot cookies are used:
| Cookie Name |
Purpose |
Storage Duration |
Category |
| __hssc |
Session tracking |
30 minutes |
Analysis |
| __hssrc |
Session detection |
Session end |
Analysis |
| __hstc |
Visitor tracking |
13 months |
Analysis |
| hubspotutk |
Visitor identification |
13 months |
Analysis |
| __hs_opt_out |
Opt-out status |
13 months |
Necessary |
| __hs_do_not_track |
Do-not-track status |
13 months |
Necessary |
| __hs_initial_opt_in |
Cookie consent |
7 days |
Necessary |
| hs_ab_test |
A/B testing |
Session end |
Analysis |
You can deactivate the use of HubSpot cookies at any time via the cookie settings in the footer of our website.
11a.5 Data Processing Agreement (DPA)
We have concluded a Data Processing Agreement according to Art. 28 GDPR with HubSpot.
HubSpot processes personal data exclusively according to our instructions and is
contractually obliged to take appropriate technical and organizational measures to
protect the data.
11a.6 Data Transfer to Third Countries (USA)
HubSpot processes data also in the USA. The USA is not a safe third country within
the meaning of EU data protection law. US companies are obliged to disclose personal
data to security authorities without you as the data subject being able to take legal
action against this.
Data transfer to the USA is based on:
- EU Standard Contractual Clauses (SCC) according to Art. 46(2)(c) GDPR
- Adequacy decision of the EU Commission for the EU-US Data Privacy Framework (DPF)
HubSpot is certified under the EU-US Data Privacy Framework. More information:
DPF participant detail
11a.7 Storage Duration
| Data Type |
Retention Period |
| Active customers |
Duration of business relationship + legal retention periods (6–10 years per § 147 AO, § 257 HGB) |
| Prospects without contract conclusion |
Deleted after 3 years of inactivity |
| Contact inquiries without further interaction |
Deleted after 6 months |
| Website tracking data |
Automatically deleted after 13 months |
11a.8 Withdrawal and Objection
You can deactivate HubSpot tracking at any time:
- Via the cookie settings in the footer of our website
- By withdrawing your cookie consent
For processing based on legitimate interests (Art. 6(1)(f) GDPR), you can object to
the processing of your data in the CRM. Please contact us at:
daten@devarena.de
For processing based on a contract (Art. 6(1)(b) GDPR), objection is not possible
as data processing is necessary for contract fulfillment.
11a.9 Further Information
12. External Service Providers & Processors
12.1 General Information
We use external service providers to provide our services, who process personal
data on our behalf (processors according to Art. 28 GDPR). We have concluded Data
Processing Agreements (DPA) with all processors that meet the data protection
requirements of the GDPR.
12.2 Overview of Processors Used
a) Hosting & Infrastructure
| Service Provider |
Purpose |
Location |
Legal Basis |
| Hetzner Online GmbH |
Server hosting, databases, infrastructure |
Germany |
Art. 6(1)(f) GDPR, Art. 28 GDPR |
Details see section 6.
b) Analysis & Tracking
| Service Provider |
Purpose |
Location |
Legal Basis |
| Google Ireland Limited (Google Analytics 4) |
Web analysis, usage statistics |
Ireland / USA |
Art. 6(1)(a) GDPR (consent), Art. 28 GDPR |
Details see section 5.
c) Payment Service Providers
| Service Provider |
Purpose |
Location |
Legal Basis |
| Stripe Payments Europe Ltd. |
Credit card payments, SEPA direct debit |
Ireland / USA |
Art. 6(1)(b) GDPR (contract fulfillment) |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. |
PayPal payments |
Luxembourg |
Art. 6(1)(b) GDPR (contract fulfillment) |
Processed data:
- Name, email address
- Billing address
- Payment information (IBAN, credit card number – processed directly by the payment service provider, not stored by us)
- Transaction data (amount, date, purpose)
We do not store complete credit card data or bank details. These are processed and
stored exclusively by the respective payment service provider.
Privacy policies:
d) Email Dispatch & Newsletter
| Service Provider |
Purpose |
Location |
Legal Basis |
| HubSpot, Inc. |
Newsletter dispatch, email marketing |
USA |
Art. 6(1)(a) GDPR (consent) |
Details see sections 11 and 11a.
e) Development & Code Repositories
| Service Provider |
Purpose |
Location |
Legal Basis |
| GitHub Inc. (Microsoft) |
Code versioning, development |
USA |
Art. 6(1)(f) GDPR (legitimate interest) |
No personal customer data is stored in code repositories — only source code and
technical documentation.
12.3 Data Transfer to Third Countries
Some of the service providers we use process data in third countries (outside the
EU/EEA), particularly in the USA.
a) EU-US Data Privacy Framework (DPF)
The USA was recognized as a safe third country by the EU Commission's adequacy
decision of July 10, 2023, provided the data importer is certified under the DPF.
Certified service providers:
- Google LLC (Google Analytics)
- Stripe Inc.
- PayPal Inc.
- HubSpot, Inc.
Verification of certification:
https://www.dataprivacyframework.gov/
b) EU Standard Contractual Clauses (SCC)
With service providers not certified under the DPF, we have concluded EU Standard
Contractual Clauses according to Art. 46(2)(c) GDPR. These ensure an adequate level
of data protection.
c) Additional Protective Measures
- Encrypted data transmission (TLS/SSL)
- Encrypted data storage
- Pseudonymization and anonymization where possible
- Minimization of transmitted data to the necessary extent
12.4 No Disclosure to Third Parties for Their Own Purposes
We do not disclose your personal data to third parties for their own purposes, unless:
- You have expressly consented (Art. 6(1)(a) GDPR)
- The disclosure is necessary for contract fulfillment (Art. 6(1)(b) GDPR)
- A legal obligation exists (Art. 6(1)(c) GDPR), e.g., to tax authorities or law enforcement agencies
- The disclosure is necessary to protect legitimate interests and your interests do not override (Art. 6(1)(f) GDPR)
In particular, no disclosure is made to:
- Advertising partners or address traders
- Social media platforms (except when actively integrated by you)
- Credit agencies (except in case of payment default)
- Other companies for marketing purposes
13. Your Rights as a Data Subject
As a data subject, you have comprehensive rights regarding the processing of your
personal data. You can assert these rights at any time.
13.1 Right of Access (Art. 15 GDPR)
You have the right to request confirmation from us as to whether personal data
concerning you is being processed. If this is the case, you have a right to access
this personal data and the following information:
- The purposes of processing
- The categories of personal data being processed
- The recipients or categories of recipients to whom the personal data has been or will be disclosed
- If possible, the planned duration for which the personal data will be stored or, if not possible, the criteria for determining this duration
- The existence of a right to rectification, erasure, or restriction of processing, or a right to object
- The existence of a right to lodge a complaint with a supervisory authority
- If the personal data was not collected from you: all available information about the origin of the data
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved
Furthermore, you have the right to information as to whether personal data has been
transferred to a third country or an international organization, including information
about the appropriate safeguards in connection with the transfer.
How to exercise: Send an email to
daten@devarena.de — we will respond within 30 days.
13.2 Right to Rectification (Art. 16 GDPR)
You have the right to request that we immediately rectify inaccurate personal data
concerning you. Taking into account the purposes of processing, you also have the
right to request the completion of incomplete personal data.
Examples: Correction of a misspelled email address, update of your company address, addition of missing contact details.
How to exercise:
- B2B customers: Directly in the customer portal under "Settings" or via email to daten@devarena.de
- Candidates (Candidate Portal): Directly in the portal under "Edit Profile"
- Others: Via email to daten@devarena.de
13.3 Right to Erasure (Art. 17 GDPR)
You have the right to request that we immediately erase personal data concerning you, provided one of the following reasons applies:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed
- You withdraw your consent on which the processing was based, and there is no other legal basis for processing
- You object to processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds, or you object pursuant to Art. 21(2) GDPR
- The personal data has been unlawfully processed
- The erasure is necessary to comply with a legal obligation under Union or Member State law
- The personal data was collected in relation to the offer of information society services pursuant to Art. 8(1) GDPR
Exceptions – No right to erasure exists if processing is necessary for:
- Exercising the right of freedom of expression and information
- Compliance with a legal obligation (e.g., tax retention obligations)
- The establishment, exercise, or defense of legal claims
Legal retention periods: Invoices, booking receipts: 10 years (§ 147 AO) · Business letters: 6 years (§ 257 HGB)
How to exercise:
- Email: daten@devarena.de
- Candidate Portal: Settings → Delete account
- B2B Customer Portal: Contact our support
13.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request that we restrict processing if one of the following conditions is met:
- The accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy
- The processing is unlawful, you oppose erasure and instead request restriction of use
- We no longer need the personal data, but you need it for the establishment, exercise, or defense of legal claims
- You have objected to processing pursuant to Art. 21(1) GDPR and it is not yet clear whether our legitimate grounds override yours
What does "restriction of processing" mean? The data is marked and may
only be processed for certain purposes (e.g., for the establishment of legal claims),
but not for the original purpose.
13.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you that you have provided
to us in a structured, commonly used, and machine-readable format, and to have it
transmitted to another controller without hindrance from us, provided:
- The processing is based on consent (Art. 6(1)(a) GDPR) or on a contract (Art. 6(1)(b) GDPR), and
- The processing is carried out by automated means
Practical implementation:
- B2B customers: Export of campaign data, customer data, invoices in JSON or CSV format
- Candidates (Candidate Portal): Export of profile, skill data, challenge results in JSON or CSV format
- Newsletter subscribers: Export of email address and registration data
How to exercise:
- Email: daten@devarena.de
- Candidate Portal: Settings → Export data
- B2B Customer Portal: Settings → Export data
We will provide you with the data within 30 days.
13.6 Right to Object (Art. 21 GDPR)
You have the right to object at any time, on grounds relating to your particular
situation, to processing of personal data concerning you which is based on
Art. 6(1)(e) or (f) GDPR. We will no longer process the personal data unless we
can demonstrate compelling legitimate grounds which override your interests, rights,
and freedoms, or the processing serves the establishment, exercise, or defense of
legal claims.
Special right to object to direct marketing (Art. 21(2) GDPR):
If personal data is processed for direct marketing purposes, you have the right to
object at any time. This also applies to profiling related to such direct marketing.
Practical examples:
- Objection to log file storage: Technically not possible, as it is absolutely necessary for operation
- Objection to newsletter: At any time via unsubscribe link or by email
- Objection to profiling in the Candidate Portal: Deactivation in settings or deletion of account
- Objection to data processing based on legitimate interests: Reasoned objection via email to daten@devarena.de
How to exercise: Send an email with justification to
daten@devarena.de — we will respond within 30 days.
13.7 Right to Withdraw Data Protection Consent (Art. 7(3) GDPR)
You have the right to withdraw your data protection consent at any time with effect
for the future. The withdrawal of consent does not affect the lawfulness of processing
based on consent before its withdrawal.
Consents you can withdraw:
- Cookie consent (Google Analytics): Via cookie settings in the footer
- Newsletter consent: Via unsubscribe link or by email
- Consent to storage in the Candidate Portal: Deletion of account or by email
- Consent to contact by employers: Deactivation in portal settings
- Consent to sending the assessment report: By email to daten@devarena.de
13.8 Automated Individual Decision-Making Including Profiling (Art. 22 GDPR)
You have the right not to be subject to a decision based solely on automated
processing, including profiling, which produces legal effects or similarly
significantly affects you.
We do not use fully automated decisions that produce legal effects or significantly
affect you. In particular:
- Assessment evaluations: Automated evaluation, but the hiring/rejection decision is always made by the inviting company
- Fraud detection: Automatic detection of multiple participations leads to a warning, not automatic rejection
- Candidate Portal matching: Suggestions for suitable positions are automated, but contact requires human decision
13.9 Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right
to lodge a complaint with a supervisory authority if you consider that the processing
of personal data relating to you infringes the GDPR.
Competent supervisory authority for DevArena GmbH:
You can also contact the data protection supervisory authority of your place of
residence or work. An overview of all EU data protection authorities:
https://edpb.europa.eu/about-edpb/board/members_de
13.10 Exercise of Your Rights
Processing periods: We generally respond within 30 days of receipt.
In complex cases, this period may be extended by a further two months; we will
inform you in good time.
Proof of identity: To verify your identity and prevent misuse, we
may ask you to identify yourself (e.g., by confirming your email address). This
serves your protection.
Costs: The exercise of your rights is generally free of charge. In
the case of manifestly unfounded or excessive requests, we may charge a reasonable
fee or refuse the request (Art. 12(5) GDPR).
14. Data Security
14.1 Technical and Organizational Measures
We employ comprehensive technical and organizational measures (TOMs) to protect your
personal data against accidental or intentional manipulation, loss, destruction, or
against access by unauthorized persons. Our security measures are continuously
improved in line with technological developments.
14.2 Technical Security Measures
a) Encryption
- Transport encryption: All data transmissions are via HTTPS with TLS 1.2 or higher
- Database encryption: Sensitive data is stored encrypted in the database (AES-256)
- Password encryption: Passwords are hashed with bcrypt or Argon2 (not stored in plain text)
- Backup encryption: All backups are stored encrypted
b) Access Control
- Authentication: Access to internal systems only with strong passwords and two-factor authentication (2FA)
- Authorization: Role-based access rights (Principle of Least Privilege)
- Logging: Logging of all access to personal data
- VPN access: Remote access to servers only via encrypted VPN connections
c) Network Security
- Firewall: Configured firewalls at server and network level
- DDoS protection: Protection against distributed denial-of-service attacks
- Intrusion detection: Automatic detection of attack attempts
- Regular security updates: Timely installation of security patches for all systems
d) Application Security
- Input validation: Protection against SQL injection, cross-site scripting (XSS), and other attacks
- CSRF protection: Protection against cross-site request forgery attacks
- Rate limiting: Limitation of requests to protect against brute-force attacks
- Security headers: Implementation of security headers (Content-Security-Policy, X-Frame-Options, etc.)
e) Backup & Disaster Recovery
- Daily backups: Automated daily backups of all databases
- Geographic redundancy: Backups stored in multiple geographically separated data centers
- Backup tests: Regular tests of recoverability
- Retention period: Backups are retained for 30 days
14.3 Organizational Security Measures
a) Data Protection Management
- Data protection concept: Documented data protection management system
- Record of processing activities: According to Art. 30 GDPR
- Data protection impact assessment: For high-risk processing according to Art. 35 GDPR
- Regular audits: Internal review of data protection compliance
b) Employee Training
- Commitment to confidentiality: All employees are bound to data secrecy (§ 53 BDSG)
- Data protection training: Regular training on data protection and IT security
- Awareness raising: Continuous awareness measures (e.g., phishing tests)
c) Incident Response
- Emergency plan: Documented plan for handling data breaches
- Reporting obligation: Notification of data breaches to the supervisory authority within 72 hours (Art. 33 GDPR)
- Notification of data subjects: Information to affected persons in case of high risk (Art. 34 GDPR)
- Post-incident review: Analysis and improvement after security incidents
d) Physical Access Control
- Data center: Hosting at Hetzner in certified data centers with physical access controls (biometrics, video surveillance, 24/7 security service)
- Office premises: Access control to office premises, lockable cabinets for documents
- Clean desk policy: No sensitive documents on desks after end of work
e) Data Carrier Disposal
- Secure deletion: Data carriers are securely deleted before disposal (multiple overwriting)
- Physical destruction: Defective data carriers are physically destroyed
- Certified disposal: Cooperation with certified disposal service providers
14.4 Penetration Tests and Security Audits
- Penetration tests: Annual review by external IT security experts
- Vulnerability scans: Automated weekly scans for known security vulnerabilities
- Code reviews: Regular review of source code for security vulnerabilities
- Dependency checks: Automatic checking of used libraries for known vulnerabilities
14.5 Certifications
Hetzner Online GmbH (our hosting provider) holds the following certifications:
- ISO/IEC 27001 (Information Security Management System)
- ISO/IEC 27002 (Code of Practice for Information Security)
- TÜV certification of data centers
14.6 Reporting Security Incidents
Despite all security measures, complete protection against all threats cannot be
guaranteed. In the event of a data breach:
- Internal reporting: Immediate escalation to the data protection officer
- Assessment: Evaluation of the risk to the rights and freedoms of data subjects
- Authority notification: Notification to LDI NRW within 72 hours (Art. 33 GDPR)
- Data subject information: Prompt notification of affected persons in case of high risk (Art. 34 GDPR)
- Documentation: Complete documentation of the incident and measures taken
14.7 Privacy by Design & Privacy by Default
Privacy by Design (Art. 25(1) GDPR):
- Data protection is integrated into the system architecture from the outset
- Data minimization: Only necessary data is collected
- Pseudonymization and anonymization where possible
- Encryption of sensitive data
Privacy by Default (Art. 25(2) GDPR):
- Privacy-friendly default settings
- By default, only data necessary for the purpose is processed
- Users must actively consent to additional data processing
- Example: Candidate Portal profiles are "hidden" by default, not "public"
15. Changes to the Privacy Policy
15.1 Updates
We reserve the right to update this privacy policy to adapt it to changed legal
situations or changes to our services and data processing.
Reasons for changes may be:
- Changes in legislation (new laws, case law)
- New features or services
- Change of service providers used
- Improvement of comprehensibility and transparency
- Recommendations from supervisory authorities
15.2 Information About Changes
In case of significant changes (e.g., new data processing, new recipients, change of legal basis), we will inform you actively:
- Registered users (B2B customers, Candidate Portal): Via email and by notice at next login
- Newsletter subscribers: Via email
- Website visitors: By clearly visible notice on the website
In case of minor changes (e.g., editorial adjustments, clarifications), no active
information is provided. The current version is always available on our website.
15.3 Right to Object to Changes
If you do not agree with a significant change, you have the following options:
- Lodge an objection: Via email to daten@devarena.de
- Withdraw consent: Insofar as the processing is based on consent
- Terminate contract: For B2B customers according to contractual termination periods
- Delete account: For Candidate Portal possible at any time
15.4 Versioning
- Current version: April 2026
- Last update: April 2, 2026
Previous versions are available upon request. Please contact:
daten@devarena.de
15.5 Validity
This privacy policy applies to:
- Website: www.devarena.de, www.devcourt.de and all subdomains
- DevCourt Mobile App: iOS and Android version
- DevArena Candidate Portal: portal.devarena.de
- DevCourt B2B Customer Portal: Customer area for assessment platform
- Newsletter: All newsletters sent by DevArena GmbH
- Other communication: Email, phone, mail
16. Contact & Questions
If you have questions about data protection, the processing of your personal data,
or this privacy policy, please feel free to contact us:
Competent supervisory authority:
Final Provisions
Severability Clause
Should individual provisions of this privacy policy be or become invalid, this does
not affect the validity of the remaining provisions. The invalid provision will be
replaced by a valid provision that comes closest to the meaning and purpose of the
invalid provision.
Applicable Law
The law of the Federal Republic of Germany applies, excluding the UN Convention on
Contracts for the International Sale of Goods. Mandatory consumer protection
provisions of the country in which you have your habitual residence remain unaffected.
Place of Jurisdiction
To the extent legally permissible, the place of jurisdiction for all disputes
arising from or in connection with this privacy policy is Hagen, Germany.
Status of this Privacy Policy: April 14, 2026