Privacy Policy
Last updated: 2026-07-03
This privacy policy informs you about the processing of personal data in connection with our website (injectos.de) and our ERP software InjectOS (together the "Service"). It applies both to the publicly accessible website and to the protected, logged-in application area of InjectOS. This English version is provided for convenience; the German version prevails.
1. Controller
The controller within the meaning of the GDPR is: PREHNTEC UG (haftungsbeschränkt), Im Kirchtal 18b, 53844 Troisdorf, Germany, represented by its Managing Director Florian Prehn. Email: contact@prehntec.com · Phone: +49 2241 9441565.
2. Data protection contact
For questions about data protection and to exercise your data subject rights, contact: Florian Prehn, contact@prehntec.com. PREHNTEC is currently not legally required to appoint a data protection officer under Section 38 BDSG; the person named above is a central data protection contact point, not a DPO within the meaning of Art. 37 et seq. GDPR.
3. General information and legal bases
We process personal data only to the extent necessary to provide a functioning Service. Legal bases are in particular: Art. 6(1)(b) GDPR (contract/pre-contractual measures), (c) (legal obligations, e.g. commercial and tax retention duties), (f) (legitimate interests, e.g. IT security, logging, abuse prevention), (a) (consent) and Section 26 BDSG (employee data).
4. Provision of the Service and server log files
On each access, our system or that of our hosting provider automatically collects: IP address, date/time, requested URL, transferred data volume and HTTP status, browser type/version (user agent) and operating system. This data is not merged with other sources for advertising purposes. Legal basis: Art. 6(1)(f) GDPR (technical provision, stability, security). Deletion normally after 14 days.
5. Hosting and domain
We host the Service with external providers within the EU: server hosting by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, and netcup GmbH, Emmy-Noether-Str. 10, 76131 Karlsruhe (data center Nuremberg), Germany; domain/DNS by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. The servers are located in Germany; no third-country transfer takes place in hosting. Data processing agreements pursuant to Art. 28 GDPR are in place with each provider. Legal basis: Art. 6(1)(f) GDPR.
6. Fonts (self-hosted)
For a consistent appearance we use the fonts "Inter" and "Space Grotesk", delivered exclusively from our own server (self-hosted). No connection to third-party servers (in particular not to Google Fonts) is established and your IP address is not transmitted to external font providers.
7. Local browser storage (technically necessary)
For technical operation we use your browser's local storage (localStorage/sessionStorage), including: access_token/pps_remember_me (login/session), pps_lang (language), mantine-color-scheme-value and theme (color scheme), pps_last_route (convenience) and injectos-consent (storage of your cookie/consent decision). This technically necessary storage is exempt from consent under Section 25(2) no. 2 TDDDG; the legal basis of the underlying processing is Art. 6(1)(b) and (f) GDPR. Non-essential technologies (statistics/marketing) are used only with your consent (see Section 8).
8. Consent management (cookie banner, Google Consent Mode v2)
On your first visit we display a consent banner. Statistics and marketing technologies (Sections 9–11) are activated only after your active consent; "Reject" is equally available. Technically we use Google Consent Mode v2: consent signals default to "denied" and are set to "granted" only after your approval. Until then, no identifiers (cookies or similar) are stored for statistics/marketing.
Your choice is stored locally (injectos-consent). You can withdraw or change your consent at any time with effect for the future via the corresponding option in the footer. Legal basis for consent-based technologies: Art. 6(1)(a) GDPR and Section 25(1) TDDDG.
Note: the services described in Sections 9–11 are technically implemented but only active once the respective IDs are configured and your consent has been given.
9. Google Analytics 4 (statistics)
With your consent we use Google Analytics 4 (GA4), a web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). GA4 uses cookies or comparable identifiers to analyse website usage (e.g. pages visited, dwell time, approximate anonymised origin, devices used). Google processes the IP address in truncated/anonymised form. Data may be transferred to Google LLC in the USA; Google is certified under the EU-US Data Privacy Framework, supplemented by EU Standard Contractual Clauses. Legal basis: your consent (Art. 6(1)(a) GDPR, Section 25(1) TDDDG). More information: Google privacy policy.
10. Google Ads – conversion tracking and enhanced conversions (marketing)
With your consent we use Google Ads (Google Ireland Limited) to measure the success of our advertising. This records whether you perform a certain action (e.g. a demo request) after clicking an ad. A click identifier (GCLID) and conversion cookies may be processed. Where "Enhanced Conversions" is active, an email address you provide is transmitted to Google in hashed (pseudonymised) form to attribute conversions. Transfer to Google LLC (USA) is possible (EU-US Data Privacy Framework / EU Standard Contractual Clauses). Legal basis: your consent (Art. 6(1)(a) GDPR, Section 25(1) TDDDG).
11. LinkedIn Insight Tag (marketing)
With your consent we use the LinkedIn Insight Tag of LinkedIn Ireland Unlimited Company, Wilton Plaza, Dublin 2, Ireland, for reach and conversion measurement of our LinkedIn campaigns and for audience building. Cookies are set and data (including truncated IP address, device/browser information, pages visited) is processed; transfer to LinkedIn Corporation in the USA is possible (EU-US Data Privacy Framework / EU Standard Contractual Clauses). Legal basis: your consent (Art. 6(1)(a) GDPR, Section 25(1) TDDDG).
12. Demo requests via the contact form
If you use the "Book a demo" form, we process the data you provide (name, company, email, number of injection-moulding machines, optionally phone and message) to handle your request and arrange an appointment. The data is stored in our own CRM (InjectOS, hosted in Germany) and not shared with third parties. This first-party processing is independent of any cookie consent. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures). Deletion once no longer required and no retention obligations apply.
13. Appointment booking (Microsoft Bookings, two-click)
For online appointment booking we embed Microsoft Bookings (Microsoft Ireland Operations Ltd., One Microsoft Place, Dublin, Ireland) exclusively via a two-click solution: the booking calendar loads only after you actively click it. Only then is data (including your IP address) transmitted to Microsoft; when booking, Microsoft processes the appointment data you enter. Legal basis: your consent (Art. 6(1)(a) GDPR), given by actively loading the calendar.
14. Videos (YouTube privacy-enhanced mode, two-click)
Embedded product videos are loaded from YouTube (Google Ireland Ltd., Dublin, Ireland) exclusively via youtube-nocookie.com and only via a two-click solution: before your click, no data flows to Google. Legal basis: your consent (Art. 6(1)(a) GDPR).
15. User account, login and authentication
A user account is required for the protected area of InjectOS. We process, among other things: name/display name, email, password (only as a cryptographic hash), 2FA secret (if enabled), registered passkeys/WebAuthn data, time and IP of the last login, number of failed login attempts/lockout periods. Purposes: access, authentication, account and IT security. Legal basis: Art. 6(1)(b) and (f) GDPR.
16. Processing of content data in InjectOS
InjectOS is an ERP/production control system. Depending on the module, we process, among other things: employee data (HR), customer, partner and contact data (CRM) and related documents. Legal bases: Section 26 BDSG and Art. 6(1)(b), (c) and (f) GDPR. Where such data is processed on behalf of a customer (tenant), PREHNTEC acts as processor (see Section 19).
17. Logging / audit log
InjectOS keeps a tamper-evident audit log (user ID, timestamp, action, affected record, old/new value, IP address, user agent), secured by cryptographic hash chaining. Purpose: IT security, auditability, accountability (Art. 5(2), Art. 32 GDPR). Legal basis: Art. 6(1)(f) and, where applicable, (c) GDPR. Retention is tiered: security-related entries 12 months, then anonymisation (in particular IP/user agent); accounting/tax-relevant entries per German HGB/AO (6 or 10 years).
18. Email dispatch
We send system and notification emails (e.g. registration, password reset, system events) via a commissioned service (by default Microsoft, MS Graph) or a mail server connected by the respective tenant. Recipient email and message content are processed. Legal basis: Art. 6(1)(b) and (f) GDPR.
19. Roles in processing / data processing on behalf
Where companies use InjectOS as customers and process data of their own employees, customers or contacts, the customer company is the controller and PREHNTEC is the processor pursuant to Art. 28 GDPR (separate DPA). For user accounts and the operation of the Service, PREHNTEC is an independent controller.
20. Recipients / processors
Engaged processors are in particular: Hetzner Online GmbH and netcup GmbH (server/backup hosting, Germany), IONOS SE (domain/DNS, Germany), Microsoft (email dispatch via MS Graph) and — subject to your consent — Google and LinkedIn for statistics/marketing (Sections 9–11). In the context of expressly commissioned data migrations, Anthropic, PBC (USA) may additionally be engaged as a processor (AI-assisted data processing via the Claude API; EU Standard Contractual Clauses as part of the Anthropic DPA; by default no use of the data to train AI models); in the normal operation of the website and product, no data is transmitted to Anthropic. Third-country transfers take place only as described and on the basis of the EU-US Data Privacy Framework or EU Standard Contractual Clauses.
21. Storage period and deletion
We store personal data only as long as necessary for the purpose or as required by statutory retention obligations (e.g. German HGB/AO, typically 6 or 10 years). Thereafter the data is deleted or anonymised.
22. Your rights as a data subject
You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21, in particular against processing based on Art. 6(1)(f)) and withdrawal of consent with effect for the future (Art. 7(3)). Where PREHNTEC acts as processor, please direct requests to the responsible customer; we will forward them where necessary. A message to the contact point named in Section 2 suffices.
23. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). Competent authority: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestr. 2–4, 40213 Düsseldorf, poststelle@ldi.nrw.de.
24. Data security and technical and organisational measures
We apply appropriate measures pursuant to Art. 32 GDPR, in particular: TLS/HTTPS encryption, passwords stored only as hashes, two-factor authentication and passkeys/WebAuthn, role-based permission model, rate limiting/throttling and security HTTP headers, tamper-evident audit log, anonymisation functions and tenant-separated data storage.
25. Changes to this privacy policy
We reserve the right to adapt this privacy policy so that it always meets current legal requirements. The version published here applies.
Version: 2026-07-03