I. Name and Contact Details of the Controller

The controller responsible for the processing of personal data in accordance with the General Data Protection Regulation (GDPR), applicable national data protection laws of the EU Member States, and other relevant data protection regulations is:

Roos Vehicle Logistics GmbH
Südliche Ringstr. 66
85053 Ingolstadt
Germany

Phone: +49 841 959 140 41
Email: info@ro-os.de

---

II. Data Protection Officer

The controller’s appointed Data Protection Officer is:

David Capriati
DCC DataCapConsult
Hans-Lang-Weg 3
85072 Eichstätt
Germany

Phone: +49 8421 986 10 97
Email: d.capriati@dcc-datenschutz.de

---

III. General Information on Data Processing

1. Scope of the Processing of Personal Data

We only process personal data of our website users to the extent necessary to provide a fully functional website and to deliver our content and services.
As a general rule, personal data is processed only with the user’s consent, unless prior consent cannot reasonably be obtained and the processing is permitted by law.

---

2. Legal Basis for Processing Personal Data

We process personal data on the following legal bases:

• Article 6(1)(a) GDPR — Consent
  When you voluntarily give us permission to process your data.

• Article 6(1)(b) GDPR — Contract performance
  When processing is necessary for fulfilling a contract with you or for pre-contractual steps.

• Article 6(1)(c) GDPR — Legal obligation
  When processing is required to comply with a statutory obligation.

• Article 6(1)(d) GDPR — Vital interests
  When processing is necessary to protect someone’s life or physical safety.

• Article 6(1)(f) GDPR — Legitimate interests
  When processing is necessary for our legitimate business interests or those of a third party, provided such interests are not overridden by your rights and freedoms.

---

3. Data Deletion and Retention Period

We delete or block personal data as soon as the purpose for which it was collected no longer applies.
Retention may continue if required by EU or national legislation, regulations, or other legal provisions to which we are subject.

Data is also deleted when legally mandated retention periods expire, unless ongoing storage is necessary for contract execution or compliance with contractual obligations.

IV. Provision of the Website and Creation of Log Files

1. Description and Scope of Data Processing

Each time our website is accessed, our system automatically collects data and information from the device used to access the site.

The following data is collected:

• IP address of the requesting device

• Date and time of access

• Name and URL of the file accessed

• Website from which the request originated (referrer URL)

• Browser type, and where applicable, the operating system of your device

• Name of your internet service provider

This information is also stored in our system’s log files.
No combination of this data with other personal data takes place.

---

2. Legal Basis for Data Processing

The temporary storage of data and log files is based on Article 6(1)(f) GDPR (legitimate interests).

---

3. Purpose of Data Processing

Temporary storage of the IP address is necessary to deliver the website to the user’s device. For this purpose, the IP address must remain stored for the duration of the session.

Log file storage is carried out to ensure:

• the proper functioning of the website,

• technical optimization of the site, and

• the security and stability of our IT systems.

Data collected in this context is not used for marketing purposes.

These purposes constitute our legitimate interest in processing the data under Article 6(1)(f) GDPR.

---

4. Duration of Storage

Data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.

• For website delivery, deletion occurs when the session ends.

• Log file data is typically deleted after seven days at the latest.

Longer storage may occur in exceptional cases.
In such instances, IP addresses are anonymized or masked so that identification of the user is no longer possible.

5. Objection and Removal Options

The collection of data for the provision of the website and the storage of this data in log files is essential for the operation of the website.
For this reason, users have no possibility to object to this processing.

---

V. Use of Cookies

1. Description and Scope of Data Processing

Our website uses cookies. Cookies are small text files that are stored in your internet browser or by the browser on your device. When you visit our website, a cookie may be stored on your operating system. This cookie contains a unique identifier that enables the browser to be recognized when the user returns to the website.

We use cookies to ensure basic functionality of our website. Certain website features require us to identify the browser even after navigating between pages.

Cookies store information related to the device used. However, this does not mean that we gain direct knowledge of your identity.

We also use cookies that allow us to analyze user browsing behavior.

Upon accessing our website, users are informed about the use of analytical cookies and are asked to provide consent. A reference to this Privacy Policy is provided in the process.

---

2. Legal Basis for Data Processing

• The processing of personal data using analytical cookies is based on Article 6(1)(a) GDPR (your consent).

• The use of technically necessary cookies is based on Article 6(1)(f) GDPR (legitimate interests).

---

3. Purpose of Data Processing

The purpose of using technically necessary cookies is to enable the functional operation of our website. Some features cannot be provided without cookies, as they require the browser to be recognized after a page change.
Data collected through these cookies is not used to create user profiles.

Analytical cookies help us improve the quality of our website and its content. They provide insights into how users interact with the site, allowing us to optimize the experience continuously.

We use Google-related cookies for these purposes (e.g., Google reCAPTCHA, Secure-3…). Further details can be found in the sections describing Google reCAPTCHA and Google Fonts.

These purposes also represent our legitimate interest in processing personal data under Article 6(1)(f) GDPR.

---

4. Duration of Storage, Right to Object, and Removal Options

Cookies are stored on your device and transmitted to our website. Therefore, you have full control over the use of cookies.
You can:

• disable or restrict cookies via your browser settings

• delete previously stored cookies at any time (manually or automatically)

Please note that disabling cookies may result in certain website functions no longer working fully or correctly.

---

VI. Contact Form and Email Communication

1. Description and Scope of Data Processing

Our website contains a contact form that can be used to contact us electronically. When a user submits the form, the data entered in the form fields is transmitted to us and stored. The specific data collected is visible in each form.

During the submission process, we request your consent to process your data and refer to this Privacy Policy.

Alternatively, you may contact us via the email address provided on the website. In this case, any personal data transmitted with the email will be stored.

No data is shared with third parties. Data is used exclusively for processing the communication.

---

2. Legal Basis for Data Processing

The legal basis for data processing when consent is provided is Article 6(1)(a) GDPR.

Legal Basis for Email-Based Data Processing

If you contact us by email, the legal basis for processing the transmitted personal data is Article 6(1)(f) GDPR (legitimate interests).
If the email contact aims to conclude a contract, the processing is additionally based on Article 6(1)(b) GDPR (contract performance).

---

3. Purpose of Data Processing

The personal data collected through the contact form is used solely to process your inquiry.
When contacting us by email, this also constitutes our legitimate interest in processing the data.

Additional personal data collected during form submission is used to prevent misuse of the contact form and to ensure the security of our IT systems.

---

4. Duration of Storage

We delete personal data as soon as it is no longer required for the purpose for which it was collected.

For data submitted through the contact form or transmitted via email, this is the case when the respective conversation with the user is completed. A conversation is considered completed when it is clear from the circumstances that the matter has been fully resolved.

Additional personal data collected during the submission process is deleted after seven days at the latest.

---

5. Right to Withdraw Consent and Removal Options

Users may withdraw their consent to the processing of personal data at any time.
If you contact us by email, you may also object to the storage of your personal data at any time. In such cases, the conversation cannot be continued.

If you wish to withdraw your consent, please contact us. All personal data stored during the communication process will then be deleted.

---

VII. Google Fonts (Locally Hosted)

1. Scope of Personal Data Processing

Our website uses fonts from the Google Fonts library. These font files are stored exclusively on our own web server. When a page is loaded, your browser retrieves the files directly from our server; no connection is made to Google servers.
Aside from standard server log data (e.g., IP address, time of access, requested file), no additional personal data is processed.

---

2. Legal Basis

The legal basis is Article 6(1)(f) GDPR.
Our legitimate interest lies in providing a visually consistent, high-performance website without transferring data to third parties.

---

3. Purpose of Processing

Locally hosting the fonts ensures:

• consistent website appearance

• reduced loading times

• avoidance of personal data transmission (such as IP addresses) to Google

---

4. Duration of Storage

Font files remain permanently stored on our web server.
Personal data is processed only in the context of standard server log files, which are automatically deleted according to the retention periods defined in those logs.

---

5. Right to Object

Since the fonts are hosted locally and no personal data is transferred to third parties, no specific right to object is required.
You may, however, block font loading via browser settings or extensions, although this may affect how the website displays.

---

VIII. Google reCAPTCHA

1. Scope of Personal Data Processing

We use Google reCAPTCHA v3 on our website to protect form submissions from automated misuse (bots).
Once you have given consent via the cookie banner, a script from Google is loaded, and the following data is processed:

1. Full IP address of the requesting device

2. Date, time, and duration of the visit

3. Referrer URL (the page from which you accessed our site)

4. Browser and device characteristics (e.g., user agent, screen resolution, installed plugins)

5. Mouse and keyboard interactions or touch events

6. Cookies and similar technologies (e.g., _GRECAPTCHA, __Secure-3PSID*)

7. The analysis result (“human” or “bot”)

The data is transmitted directly to Google Ireland Limited.
We do not store this data on our own servers.
Google may combine this data with other Google services and may transfer it to Google LLC in the United States.

2. Legal Basis for the Processing of Personal Data

The legal basis for processing personal data in connection with Google reCAPTCHA is Article 6(1)(a) GDPR, based on your explicit consent given through the cookie banner.

---

3. Purpose of Data Processing

The processing is carried out solely to protect our website and its forms from automated misuse (bots).
This helps ensure the integrity of our IT systems and the availability of our online services.

---

4. Duration of Storage

Cookies set by reCAPTCHA may remain on your device for up to 24 months.
Google stores the collected data for an unspecified period of time – we have no control over this.
No reCAPTCHA data is stored on our own servers.

---

5. Right to Withdraw Consent and Removal Options

You may withdraw your consent at any time via the cookie banner. After withdrawal:

• reCAPTCHA will no longer load, and

• any previously set cookies will be disabled.

You may also:

• delete cookies via your browser,

• block JavaScript, or

• use script-blocking browser extensions.

Please note: without reCAPTCHA, certain forms may not function.

Further information on Google’s data processing practices can be found at:
https://policies.google.com/privacy

---

IX. Rights of Data Subjects

If your personal data is processed, you are considered a data subject under the GDPR. You have the following rights regarding your personal data:

---

1. Right of Access

You have the right to request confirmation from the controller as to whether personal data relating to you is being processed.

If such processing is taking place, you may request access to the following information:

1. the purposes of the processing;

2. the categories of personal data concerned;

3. the recipients or categories of recipients to whom your data has been or will be disclosed;

4. the planned retention period or, if no exact period can be provided, the criteria used to determine it;

5. the existence of rights to rectification, erasure, restriction of processing, or objection;

6. the existence of a right to lodge a complaint with a supervisory authority;

7. any available information about the source of the data (if not collected directly from you);

8. the existence of automated individual decision-making, including profiling, and — where such processes exist — meaningful information about the logic involved as well as the significance and intended effects of such processing on you.

You also have the right to request information about whether your personal data is transferred to a third country or an international organization. In this case, you may request information about the appropriate safeguards under Article 46 GDPR.

---

2. Right to Rectification

You have the right to request that inaccurate personal data concerning you be corrected without undue delay.
You also have the right to request that incomplete personal data be completed.

---

3. Right to Restriction of Processing

You may request the restriction of processing of your personal data under the following conditions:

1. You contest the accuracy of the data, for a period enabling the controller to verify its accuracy;

2. The processing is unlawful, and you oppose deletion and instead request restriction;

3. The controller no longer needs the data for processing purposes, but you need it for establishing, exercising, or defending legal claims;

4. You object to the processing under Article 21(1) GDPR and it is not yet determined whether the controller’s legitimate grounds override your interests.

If processing is restricted, such data – apart from storage — may only be processed with your consent, or for establishing, exercising, or defending legal claims, or to protect the rights of another person, or for important public interest reasons.

The controller will inform you before lifting a restriction.

---

4. Right to Erasure (“Right to be Forgotten”)

a) Obligation to Erase

You may request the immediate deletion of your personal data.
We are required to delete the data without undue delay if one of the following conditions applies:

1. The data is no longer necessary for the purposes for which it was collected or otherwise processed;

2. You withdraw your consent, and no other legal basis applies;

3. You object to the processing under Article 21(1) GDPR and no overriding legitimate grounds exist, or you object under Article 21(2) GDPR;

4. The data was unlawfully processed;

5. Deletion is required to comply with a legal obligation under EU or Member State law;

6. The data was collected in relation to services of the information society under Article 8(1) GDPR.

b) Notification of Third Parties

If we have made your personal data public and are obliged to delete it in accordance with Article 17(1) GDPR, we will take reasonable steps—taking into account available technology and implementation costs—to inform any other controllers who process this data that you, as the data subject, have requested the deletion of all links to, copies of, or replications of this personal data.

---

c) Exceptions

The right to erasure does not apply insofar as processing is necessary:

1. to exercise the right to freedom of expression and information;

2. to comply with a legal obligation under EU or Member State law to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority;

3. for reasons of public interest in the area of public health under Article 9(2)(h) and (i) GDPR and Article 9(3) GDPR;

4. for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) GDPR, to the extent that the right to erasure would likely render the achievement of such purposes impossible or seriously impair it;

5. for the establishment, exercise, or defense of legal claims.

---

5. Right to Notification

If you have exercised your right to rectification, erasure, or restriction of processing, the controller must notify all recipients to whom your personal data has been disclosed, unless this proves impossible or involves disproportionate effort.

You also have the right to request information about these recipients.

---

6. Right to Data Portability

You have the right to receive the personal data you have provided to the controller in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance, provided that:

1. the processing is based on your consent (Article 6(1)(a) or 9(2)(a) GDPR) or on a contract (Article 6(1)(b) GDPR), and

2. the processing is carried out by automated means.

You also have the right to request that your personal data be transmitted directly from one controller to another, where technically feasible. This must not adversely affect the rights and freedoms of others.

The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

---

7. Right to Object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data that is based on Article 6(1)(e) or (f) GDPR; this includes profiling based on these provisions.

We will then no longer process your data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing serves the establishment, exercise, or defense of legal claims.

If your personal data is processed for direct marketing purposes, you may object at any time. This also applies to profiling related to direct marketing.

If you object to processing for direct marketing, we will stop processing your personal data for this purpose.

You may exercise your right to object using automated procedures that use technical specifications, regardless of Directive 2002/58/EC.

---

8. Right to Withdraw Consent

You have the right to withdraw your consent at any time.
Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

---

9. Automated Decision-Making, Including Profiling

You have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or significantly affects you in a similar manner. This does not apply if the decision:

1. is necessary for entering into or performing a contract between you and the controller,

2. is authorised by EU or Member State law that provides appropriate safeguards for your rights and freedoms, or

3. is based on your explicit consent.

Such decisions may not be based on special categories of personal data unless permitted under Article 9(2)(a) or (g) GDPR and appropriate safeguards are in place.

In cases under (1) and (3), the controller must implement suitable measures to safeguard your rights, including the right to obtain human intervention, to express your point of view, and to contest the decision.

---

10. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a supervisory authority – particularly in the Member State of your residence, workplace, or the place of the alleged infringement – if you believe that the processing of your personal data violates the GDPR.

The supervisory authority will inform you of the progress and outcome of your complaint, including the possibility of judicial remedy under Article 78 GDPR.