Data privacy - Long version

Privacy Policy GROPYUS

See our current openings below

GROPYUS hereby informs you about the processing of your personal data by companies of the GROPYUS Group of companies. This Privacy Policy covers processing activities by the following companies:

GROPYUS AG, Barichgasse 38/2/4, 1030 Vienna, Austria
GROPYUS Technologies GmbH, Hauptstraße 27, 10827 Berlin
GROPYUS Engineering GmbH, Pointstraße 14, 4641 Steinhaus bei Wels
GROPYUS Solutions GmbH, Hauptstraße 27, 10827 Berlin
GROPYUS Production Richen GmbH, Römerstr. 20, 75031 Eppingen

In individual cases, other affiliated companies of GROPYUS may be responsible for processing your data. Typically, you can find out the identity of the controller from legal notices, email signatures or letterheads. Please also consider any special area-specific privacy notices, e.g. for apps, special websites, or events.

Whenever the controller is not expressly named for a specific processing activity in this privacy policy (e.g., “we”), GROPYUS AG is referred to as the controller.

Questions regarding data protection can also be sent to privacy@gropyus.com.

Data protection officer of the GROPYUS Group is attorney Nikolaus Bertermann, daspro GmbH, Kurfürstendamm 21, D-10719 Berlin. You can reach the data protection officer by sending an e-mail to gropyus-dsb@daspro.de.

Where the term "data" is used, only personal data within the meaning of the GDPR are meant.

Visitors of the GROPYUS Website
Communication Partners and Interested Parties
Customers and Contact Persons at Customers
Job Applicants
Participants in a Videoconference via Microsoft Teams
Photos and Videos
Contact on LinkedIn
Click Analysis
Building Operating System (BOS)
Surveys and Research Activities
Speak Up Portal (AdvoWhistle)
Data transfers to other countries
Rights of Data Subjects and Further Information

1. Visitors of GROPYUS Websites

1.1 Technical necessary cookies

We use cookies on our website. Cookies are information stored in and retrieved from your web browser by our services.

Some cookies that are technically necessary for the function of the website and cannot be deactivated via the cookie management function of this website.

(i) The purpose of data processing is the implementation of technical and organizational measures to protect the website and to detect errors and to provide necessary functions of the website like login or language select. A change of the purposes is not planned.

(ii) The data processed are:

Protocol data: This is data that is technically generated when the website is accessed. This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access (Log data)
User ID
Pseudonymized usage data.
User preferences

(iii) The legal basis for the processing is our legitimate interest in properly providing the basic functions of the website, technical protection of the website and the detection and correction of errors (Art. 6 (1) (f) GDPR).

(iv) The data is actively provided by you or automatically by your browser.

(v) Recipients of the data are IT service providers, which we use within the framework of a processor controller agreement.

(vi) The data is predominantly deleted at the end of the session, but at the latest after one year.

(vii) It is not possible to use the website without disclosing personal data. Communication via the website is technically not possible without disclosing data.

1.2 Server log data

When using the website, certain information is sent to the server of our website by the browser used on your device for technical reasons. This data is stored and processed on our server.

(i) We process the following data for the purpose of providing the contents of the website that you have visited, to ensure the security of the IT infrastructure used, to correct errors, to enable and simplify searches on the website, and to manage cookies. A change of purpose is not planned.

(ii) The data processed are protocol data: This is data that is technically generated when the website is accessed. This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access (Log data).

(iv) The data is automatically transmitted by the browser of the website visitor.

(v) Recipients of the personal data are IT service providers, which we use as processors within the framework of a data processing agreement.

(vi) The log data is only stored permanently in the event of logins and deleted after one year.

(vii) Without disclosure of personal data such as the IP address, the use of the website is not possible.

1.3 Web analytics and analytics cookies

We analyze website usage to regularly review and improve our website and services. We also store analytics cookies if the website visitor has given their consent.

(i) We regularly process the following categories of data for the purpose of usage analytics and service/product optimization. A change of purpose is not planned.

(ii) The data is processed in a pseudonymized or anonymized form; We do not receive any information that allow us to identify individual users. The data categories collected in this context are:

Device and session data (e.g., browser version, screen size, session ID, session duration, time of page view);
Interaction data (e.g., mouse movements, clicks, scrolling behavior, sequence and duration of page views);
Technical event data (e.g., loading times, error events, type and time of user actions);
Page elements and structural information (e.g., HTML elements, position and display of individual elements on the page—but without recording the actual content of input fields or texts).

(iii) The legal basis for the processing is our legitimate interest in in analyzing usage behavior on the website to ensure the functionality, user-friendliness, and security of the website and to continuously optimize the offering in accordance with Article 6 (1) (f) GDPR. For advanced tracking and analysis mechanisms, e.g., tracking across multiple devices or sessions and setting of cookies, we obtain the consent of users, Article 6 (1) (a) GDPR.

(iv) The data is automatically transmitted by the browser of the website visitor.

(v) Recipients of the personal data are IT service providers, which we use as processors within the framework of a data processing agreement.

(vi) We store analysis data that is processed on the basis of our legitimate interest for up to 60 days after collection. We store analysis data that is processed on the basis of consent for up to one year after collection.

(vii) Without disclosure of personal data such as the device data, the use of the website is not possible.

2. Communication Partners and Interested Parties

The company of the GROPYUS Group to which you specifically address your communication request is responsible for data processing in the context of communication. GROPYUS AG is responsible for processing data in the context of a general contact form without specification of a particular company of the GROPYUS Group.

(i) The purpose of the processing is the preparation and execution of a contractual relationship or other communication. A change of purpose is not planned.

(ii) Processed data are name, contact data, communication details, the time stamp of communication as well as technical metadata of communication.

(iii) The legal basis for processing is Article 6 (1) (b) GDPR (contract or contract initiation) in the case of contracts with natural persons, whereas for contracts with legal persons, Article 6 (1) (f) GDPR (legitimate interest, namely communication with contact persons relevant to the contract) and in all cases Article 6 (1) (c) GDPR (statutory obligations, in particular, tax and commercial law provisions). For simple communication, the legal basis is Article 6 (1) (f) GDPR (legitimate interest, namely documentation of communication processes). If we send you marketing material at your request, the legal basis is your consent pursuant to Art. 6 (1) (a) GDPR.

(iv) Contact data is actively provided by the data subject. Communication metadata and communication data are automatically collected.

(v) Contact and contract data can be transmitted to other service providers, business partners, as well as offices and authorities if necessary for the execution of the contract or order. We also use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance, and servicing of IT systems.

(vi) Data of contract partners and service providers will be deleted 8 calendar years after termination of the contract or order. Inquiries and communication will be deleted after 8 calendar years.

(vii) The processing of contact data of the service providers and business partners is necessary to execute the contract or order. If the data is not provided, the communication may be considerably disturbed. For interested parties, the provision of data is obligatory. Without the provision of data, communication is not possible.

3. Customers and Contact Persons at Customers

The company of the GROPYUS Group with which you have a contractual relationship is responsible for data processing in the context of communication with customers and contact persons at customers.

(i) We process your data for the purpose of performing the contractual relationship and processing payments. This also includes consulting, support, and information about new services. A change of purpose is not planned.

(ii) The processed data are name, address data, information on the company, and payment data, as well as contractual relevant communication data.

(iii) The legal basis for processing the data of customers who are natural persons is Article 6 (1) (b) GDPR (contract) and Article 6 (1) (c) GDPR (legal obligations). The legal basis for the processing of contact data for customers who are not natural persons is Article 6 (1) (f) GDPR (legitimate interest, namely communication with the customer). The legal basis for information on services is Article 6 (1) (f) GDPR (legitimate interest, namely advertising. The legal basis for the transfer of payment information to payment providers is Article 6 (1) (f) GDPR (legitimate interest in centrally controlled payment processing by a payment service provider).

(iv) The data is provided either by yourself or your supervisor.

(v) Recipients of data may be banks and payment providers for the processing of payments and creditworthiness checks. In individual cases, data may be transferred to debt collection service providers, lawyers, and courts. We also use service providers within the framework of a data processing agreement for the provision of services, in particular for the provision, maintenance and servicing of IT systems.

(vi) All contractual and booking relevant data are stored for a period of 8 calendar years after termination of the contract in accordance with tax and commercial law retention periods.

(vii) The provision of data is obligatory for customers based on statutory and contractual regulations. The contractual relationship cannot be established and performed without providing data.

4. Job Applicants

The company of the GROPYUS Group to which you specifically apply is responsible for data processing in the job application process. GROPYUS AG is responsible for the processing of data in the context of initiative applications or job postings without specification of a particular company of the GROPYUS Group.

(i) The purpose of data processing is the selection of job applicants for employment. We also use anonymized data for statistical evaluations. To check the suitability of applicants and to verify information and trustworthiness, in some cases we carry out background research from publicly accessible sources. A change of purpose is not planned.

(ii) The processed data are name, contact data, communication details, login data on the job website (if applicable), interview notes, job application documents including certificates and curriculum vitae, the time stamp of communication, as well as technical metadata of communication, as well as data collected as part of background research from publicly available sources (e.g. public profiles on job portals).

(iii) The legal basis is Article 6 (1) (b) (initiation of the employment contract) in conjunction with Article 88 GDPR and the national regulations on employee data protection at the headquarters of the GROPYUS Group company to which you are applying. If we transfer your application documents to other affiliated companies, the legal basis for this is Article 6 (1) (f) GDPR (legitimate interest in group-internal job applicant management). If we are currently unable to offer you a position, but your application is suitable for other positions in the future, and you do not object to further storage, the legal basis for further storage is Article 6 (1) (f) GDPR (legitimate interest in retaining suitable job applications).

(iv) Some of the applicant data mentioned is provided by the applicants. Another part is added by employees during the application process or collected from public sources.

(v) The job application data will be transferred internally to the responsible employees in charge of the decision-making. In this context, the data may also be passed on to other affiliated companies of the GROPYUS Group, provided that you do not object to such transfer. We also use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance, and servicing of IT systems. We use the service provider Greenhouse Software, Inc. 228 Park Avenue S. PMB 14744, Attn: Privacy, New York, New York 10003-1502 USA for the application portal. There is an adequacy decision for the data transfer to the USA, as the service provider is certified in accordance with the US-EU data protection framework. The service provider that we use to operate the job portal may process personal data as an independent controller (e.g. reach measurement). The service provider itself is responsible for this. See their privacy policy: https://www.greenhouse.com/de/privacy-policy.

(vi) Application data is deleted six months after the end of the specific application process. If job applicants are also considered for future positions and do not object to further storage of their data, the data will remain stored for up to 12 months after the end of the job application process.

(vii) The provision of personal data is necessary for the examination of the job application and, if applicable, the subsequent conclusion of an employment contract. A job application cannot be considered without the provision of personal data.

5. Participants in a Video Conference via Microsoft Teams

The company within the GROPYUS Group that organizes the video conference is responsible for data processing in the context of the videoconference via Microsoft Teams.

(i) We process the data of participants for the purpose of organizing, conducting, and documenting video conferences via Microsoft Teams. If we separately indicate this in the context of the individual video conference and obtain your consent in this regard, a recording of the video conference is made. There are no plans to change these purposes.

(ii) The data of the participants processed in the context of the video conference are:

Participant data: Name and surname, e-mail address
Conference data and meeting metadata: Topic, IP address, device/hardware information, telephone data: For dial-in with telephone, information on incoming and outgoing telephone number, country name, start and end time, additional connection data if necessary.
Communication data within the online event, your communication data in the form of questions, requests to speak or vote, as well as chat content will be processed. You always decide whether and in what form you want to participate.
Image, sound, and video data (and, in case of consent, the corresponding recordings): Within the video conference, image, sound, and video data of the participants will be processed. However, each person is always free to decide whether they want to switch on their camera and microphone or whether they just want to communicate via the chat window. If we have obtained your consent in this regard, the online event will be recorded, including the image, sound, and video data of the participants.

(iii) The legal basis for the processing of data of participants for the purpose of conducting the video conference is your consent pursuant to Art. 6 (1) (a) GDPR. The legal basis for making recordings is also your consent pursuant to Art. 6 (1) (a) GDPR.

(iv) The participant data is actively provided by the participants. The conference data is actively provided by the data subject or automatically by the browser or device of the data subject. The image, sound, or video data and communication data are collected automatically, and the recordings of the image, sound, or video data are made by the responsible GROPYUS Group company.

(v) The recipients of the name, communication data, and image, sound, and video data are always the other participants of the video conference. We also use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance, and servicing of IT systems, in particular the service provider Microsoft Ireland Operations Ltd. In this context, personal data may also be transferred to third countries, in particular the USA. In the USA, there is currently an adequacy decision by the European Commission for companies that have joined the EU-U.S. Data Privacy Framework. This is the case for Microsoft. If data is transferred to subcontractors in other countries, appropriate measures (e.g. standard contractual clauses) are taken insofar as these are necessary to ensure an adequate level of data protection.

(vi) The conference data and communication data will usually be deleted 24 months after the video conference has taken place unless otherwise specified in the context of the individual video conference. However, the excess raw material of the recordings will be deleted 24 months after the online event has taken place. In addition, you can request the deletion of your personal data at any time unless we are legally or contractually obliged or entitled to further process the data.

(vii) Without the provision of data, participation in the video conference is not possible. The provision of communication, image, sound, and video data, as well as the production of image, sound, and video recordings, is not obligatory for participation in the video conference.

6. Photos and Videos

The GROPYUS Group company that organizes the respective project or event is responsible for the processing of photo and video recordings.

(i) The purpose of data processing is the use of photo and video material, primarily for internal information purposes, but also for public relations work. Photos and videos may also be uploaded to public platforms in individual cases.

(ii) The data processed are still and moving images, possibly combined with an audio track that may contain the voice of the data subjects.

(iii) The legal basis for the processing is Art. 6 (1) (f) GDPR, our legitimate interest in internal and public information about the work of GROPYUS and events. If individual persons are the focus of recordings, the consent of the data subject is obtained for further processing. The legal basis is then Art. 6 (1) (a) GDPR.

(iv) The aforementioned recordings are collected directly from the data subjects.

(v) Recordings are passed on internally to employees. They may also be passed on to other affiliated companies in the GROPYUS Group. We also use service providers by way of order processing for the provision of services, in particular photographers to create the recordings or service providers for the provision, maintenance and care of IT systems, in particular the service provider Microsoft Ireland Operations Ltd. Such transfers are based on an adequacy decision of the European Union for companies that are certified under the EU/US Data Privacy Framework. This is the case with Microsoft. When transferring data to subcontractors in other countries, appropriate measures (e.g. standard contractual clauses) are taken insofar as these are necessary to ensure an adequate level of data protection. We may also use public platforms on which material can be published.

(vi) All recordings are deleted or recognizable persons are anonymized (e.g. by pixelating or cutting out persons) if they are no longer relevant for internal information purposes or publication After 10 years at the latest, the responsible department will carry out a documented assessment of whether the photos have historical value for GROPYUS and whether the information contained in the photos is no longer relevant.

(vii) The production and use of recordings is neither contractually nor legally required.

7. Contact on LinkedIn

(i) We process your data to draw your attention to products and services or vacant positions in our staff. For this purpose, we will send you messages, e.g. if you are registered on the LinkedIn platform.

(ii) The data processed are: Your full name, job role, affiliation and time of inclusion in the contact list, status of contact activity, notes, the location of your company, time of job changes, time of last LinkedIn post, follower status of the GROPYUS page, profile information, response to contact request (accept/reject), and other information you share during communication with us.

(iii) The legal basis for the initial contact with you and its documentation is our legitimate interest (Article 6 (1) (f) GDPR) in contacting people for the purpose of direct marketing and recruiting activities. You can adjust the visibility of your profile and the permission to contact you at any time via your LinkedIn profile settings. If you object to the use of your data, we will add your contact to a blacklist so that we do not contact you again. The legal basis for this is our legal obligation to no longer contact you (Art. 6 (1) (c) GDPR). The further processing of the data collected in the course of communication is based on the consent given to us.

(iv) We collect the data via the LinkedIn platform.

(v) Recipients of data may be affiliated companies of GROPYUS and external consultants involved in the project. We also use LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland and its subcontractors. As part of this processing, your data may be transferred to third countries, in particular the USA. LinkedIn is certified under the EU/US Data Privacy Framework, which is an adequacy decision of the European Commission.

(vi) The data collected by LinkedIn for the initial contact will be deleted one year after collection. We retain data about the rejection of a contact request for as long as we use the service so that we do not inadvertently contact the data subjects again.

(vii) There is no legal or contractual obligation to provide personal data for us to contact you. However, we are unable to communicate with you without this data.

8. Click Analysis

(i) We collect click statistics for selected links (especially in the form of QR-Codes). The purpose is to measure the popularity of our offerings and, if necessary, adapt the content, products, and services to the expectations of the audience.

(ii) The data processed is: IP address, time of access.

(iii) The legal basis for the collection is our legitimate interest within the meaning of Art. 6 (1) (f) GDPR in aligning our activities with the interests of the public.

(iv) The data is collected automatically when you click on shortened links.

(v) Recipients of anonymized data may be affiliated companies of GROPYUS and external parties. We use the the following service provider for the click tracking activities: URLR, LE LAB'O VILLAGE BY CA, 1 AVENUE DU CHAMP DE MARS, 45100 Orléans France.

(vi) The data is only personal when it is collected and is immediately anonymized. No personal data is stored permanently or transferred to third parties.

(vii) It is not possible to click on shortened links without processing the data.

9. Building Operating System (BOS)

The GROPYUS Technologies GmbH operates the Building Operating System (BOS), a smart home solution for controlling devices in the home, and provides related additional services. Information about data protection in the BOS system can be found here:

BOS privacy information

10. Surveys and Research Activities

10.1 Invitation to Surveys or other Research Activities

The GROPYUS Technologies GmbH occasionally invites persons to participate in surveys and studies. Participation is voluntary. The aim of the surveys and studies is to further develop products and services.

(i) The purposes of the processing are research and product development for residential buildings and related services, the further development and improvement of products and services, the promotion of interaction with tenants and their active involvement in innovation processes in order to better identify needs.

(ii) The processed data is usually: email address, physical address, name.

(iii) The legal basis for invitations to surveys and studies is our legitimate interest in conducting surveys and studies (Art. 6 (1) (f) GDPR, Sec. 7 (3) UWG) or your consent in accordance with Art. 6 (1) (a) GDPR.

(iv) The data is actively provided by you or automatically through your browser or device.

(v) We use service providers for the provision of services by way of order processing, in particular for the provision, maintenance and care of IT systems.

(vi) Unless otherwise stated in the survey or study, we will delete personal data no later than six months after the survey or study has been conducted. The results of the survey will only be stored in anonymized form after evaluation.

(vii) There is no legal or contractual obligation to participate in surveys or to provide the data. However, an invitation or participation is not possible without disclosing personal data.

10.2 Surveys and other Research Methods

GROPYUS processes personal data for research and development purposes, in particular through questionnaires, surveys, and other research methods. Further information about the processing of personal data in this context can be found here:

Surveys and other research methods

10.3 GROPYUS Panel of Experts

GROPYUS processes personal data in order to invite individuals to join our Panel of Experts and to conduct interviews and studies with them. Detailed information about these processing activities can be found here:

Expert panel privacy information

11. Speak Up Portal (AdvoWhistle)

GROPYUS offers a Speak Up Portal (AdvoWhistle, former: iWhistle) to enable anonymous hints, e.g. regarding compliance issues. Detailed information on the processing activities in this context can be found here:

AdvoWhistle privacy information

12. Data transfers to other countries

For the above processing activities, a transfer of personal data to so-called third countries cannot be ruled out. If there is no adequacy decision for the potential recipient, we conclude the EU Standard Contractual Clauses (2021/914; Module 2 or 3). You may request a copy of the essential contractual contents of the Standard Contractual Clauses at any time.

13. Rights of Data Subjects and Further Information

(i) We do not use any methods of automated individual decision-making.

(ii) You have the right to request information at any time about all your personal data, which we are processing.

(iii) If your personal data is incorrect or incomplete, you have the right to have it rectified and completed.

(iv) You can request the erasure of your personal data at any time, as long as we are not bound by legal obligations that require or allow us to continue processing your data.

(v) If the applicable legal requirements are met, you can request a restriction to the processing of your personal data.

(vi) You have the right to object to the processing insofar as the data processing is based on profiling or direct marketing purposes.

(vii) If the processing is carried out on the basis of the balancing of interests, you may object to the processing by stating reasons arising from your particular situation.

(viii) If the data processing takes place on the basis of your consent or a contract, you have the right to a transfer of the data provided by you, insofar as the rights and freedoms of others are thereby not impaired.

(ix) If we process your data on the basis of a declaration of consent, you have the right to revoke this consent at any time with future effect. The processing carried out prior to revocation remains unaffected by the revocation.

(x) Moreover, you have the right to file a complaint at any time with a data protection supervisory authority if you believe that data processing has been carried out in violation of the applicable law.

Version 11 March 2026

TEST MENU

Privacy Policy GROPYUS

See our current openings below

GROPYUS

FEATURES

ReACH OUT