Skip to Content

Privacy Policy

We, IT-Direkt GmbH, take the protection of your personal data seriously. This Privacy Policy informs you in accordance with Art. 13 and 14 of the General Data Protection Regulation (GDPR) about which personal data we process in connection with your use of this portal, for what purposes, and on what legal basis.

1. Controller

The controller within the meaning of the GDPR is:

IT-Direkt GmbH

Aroser Allee 66, 13407 Berlin, Germany

Email: datenschutz@it-direkt.de

2. Data Protection Officer

We have appointed an external Data Protection Officer:

PRIVE Datenschutz GmbH

Contact: Mr Michael Michalak

Reinhardtstr. 7, 10117 Berlin, Germany

Phone: +49 30 / 887 27 609

Fax: +49 30 / 887 27 606

Email: datenschutz@prive.eu

You may contact our Data Protection Officer directly at any time with questions or concerns regarding data protection.

3. Processing of Personal Data in the Portal

The portal is used by two groups of users: administrators and contact persons on the customer side, and employees of the customer who log into the portal themselves. Depending on the user group and the features used, we process different categories of data.

3.1 Registration and User Account

Access to the portal requires the creation of a user account. For this purpose, we process the following data:

  1. 3.1.1 First name and surname
  2. 3.1.2 Email address
  3. 3.1.3 Company affiliation and role within the portal
  4. 3.1.4 Password (stored in encrypted form)

Purpose: Providing portal access, user authentication, role management.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures).

Retention period: For the duration of the contractual relationship. Following termination of the contract, user account data will be deleted within 30 days, unless statutory retention obligations apply.

3.2 Access Credentials for External Interfaces (Administrators)

Administrators may store access credentials (username, password, machine numbers) for external third-party interfaces (APIs) within the portal. These credentials are used by our system for automated authentication against those interfaces.

  1. 3.2.1 Access credentials (username, password) for external APIs
  2. 3.2.2 Authentication tokens derived therefrom
  3. 3.2.3 Machine numbers and associated identifiers

Purpose: Authentication against external services for the purpose of controlling and monitoring machines or other systems on behalf of the customer.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

Note: Access credentials are stored exclusively in encrypted form (minimum AES-256). No plaintext access by IT-Direkt GmbH employees takes place.

Retention period: Until the relevant interface is deactivated by the administrator or until termination of the contract.

3.3 Access Logs

When the portal is used, technical access data is logged automatically:

  1. 3.3.1 IP address (truncated)
  2. 3.3.2 Date and time of access
  3. 3.3.3 Functions and pages accessed
  4. 3.3.4 Browser type and operating system
  5. 3.3.5 Error messages and system events

Purpose: Ensuring portal operation, fault diagnosis, detection and prevention of attacks.

Legal basis: Art. 6(1)(f) GDPR (legitimate interests). Our legitimate interest consists in maintaining the security and availability of the portal.

Retention period: Log data is automatically deleted after 90 days at the latest, unless required for the investigation of a specific security incident.

3.4 Email Communication

The portal sends emails via our Exchange Online infrastructure, for example for notifications, activation confirmations, or system-related messages.

  1. 3.4.1 Recipient's email address
  2. 3.4.2 Message content
  3. 3.4.3 Delivery metadata (timestamp, delivery status)

Purpose: System messages, notifications, and communication in connection with portal usage.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) for operationally necessary messages; Art. 6(1)(f) GDPR (legitimate interests) for security-related notifications.

Retention period: Delivery logs are deleted after 90 days. Retention of message content follows the retention periods applicable to the relevant process.

3.5 Customer Support via WhatsApp

For customer support purposes, we use WhatsApp to communicate with our customers (portal users and their contact persons). Messages are sent and received via the WhatsApp Business API provided by Meta Platforms Ireland Limited. We no longer engage a Business Solution Provider between IT-Direkt and Meta; we interact directly with the Meta API.

  1. 3.5.1 Phone number of the customer or contact person
  2. 3.5.2 Message content (including attached files, where transmitted)
  3. 3.5.3 Send and receive metadata (timestamps, delivery status, read receipts)

Purpose: Handling support enquiries and support communication between IT-Direkt and its customers via a messaging channel preferred by the customer.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract, as customer support forms part of the agreed scope of services) and, in addition, Art. 6(1)(f) GDPR (legitimate interests in providing efficient and customer-friendly support). Use of the WhatsApp channel is voluntary for the customer; email and telephone remain available as alternatives.

Note: In the context of the WhatsApp Business API, Meta processes additional data of its own beyond the mere transport of messages (e.g. usage metadata, device identifiers). This processing is outside IT-Direkt GmbH's sphere of control and is governed by Meta's own privacy notices.

Retention period: Send and receive logs are deleted after 90 days. Message content is deleted after completion of the relevant support case in accordance with our general retention periods, unless statutory or contractual retention obligations apply.

3.6 Retrieval of Weather Data via External Services (Virtual Weather Station)

Where this feature has been activated, the portal automatically retrieves weather and environmental data (e.g. precipitation, temperature, humidity, wind speed, soil moisture, evapotranspiration) for the parcels or sites configured in the portal from an external weather data service. This service is currently provided by Weenat SAS, Nantes, France. Access is performed via an API account operated by IT-Direkt GmbH; the customer does not store any credentials for this purpose.

  1. 3.6.1 Geolocation data (coordinates) of the parcels or sites
  2. 3.6.2 Internal identifiers for the relevant parcel or virtual weather station
  3. 3.6.3 Query periods and technical query parameters (e.g. the requested measurement variables)
  4. 3.6.4 Weather and environmental data returned in response, associated with the respective parcels

Purpose: Provision of parcel- and site-specific weather and environmental data for control and decision-support purposes within the portal (e.g. for irrigation decisions).

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) for the provision of the contractually agreed feature. Insofar as a link to natural persons may exist and the processing is not already necessary for the performance of the contract, we also rely on Art. 6(1)(f) GDPR (legitimate interests in providing an effective, data-based control service).

Note: In connection with this processing, Weenat SAS acts exclusively as a sub-processor of IT-Direkt GmbH in accordance with Art. 28 GDPR (see section 4). With regard to the data processed via this interface, Weenat SAS does not act as an independent controller towards the customer.

Retention period: The retrieved weather data is retained in the portal for as long as required for the agreed feature, and in any case no longer than until the feature is deactivated or the contract is terminated. Data storage at Weenat is governed by the data processing agreement concluded between IT-Direkt and Weenat.

3.7 AI-Based Help Assistant (in-portal chat)

An AI-based help assistant is available to authenticated users within the portal. The help assistant answers questions about the use of the portal and supports you in using its features (FAQ / operating-help function). The help assistant does not make any automated decisions producing legal effects concerning you within the meaning of Art. 22 GDPR.

Technically, the help assistant is operated via the application programming interface (API) of Anthropic, PBC, 548 Market St, PMB 90375, San Francisco, CA 94104, USA (hereinafter "Anthropic"). Responses are generated by Anthropic's large language model "Claude".

The following data is processed in the context of the use of the help assistant:

  1. 3.7.1 The content of the request you enter into the help assistant (free text);
  2. 3.7.2 Supplementary context data from the portal (e.g. the function currently in use, technical configuration and status information, anonymised or pseudonymised sensor data) which we attach to the request in order to enable a context-aware response;
  3. 3.7.3 A pseudonymous technical session or user identifier;
  4. 3.7.4 Response texts returned by the AI model and associated metadata (timestamps, request duration, error codes).

Purpose: Provision of an in-portal operating help, answering questions about the functions and configuration of the portal, improving usability.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract), to the extent that the help function forms part of the agreed scope of services; supplemented by Art. 6(1)(f) GDPR (legitimate interests). Our legitimate interest consists in providing an efficient, low-threshold operating help and in reducing the workload of our traditional customer support.

User obligations: Please only enter information into the help assistant that is necessary to answer your question about using the portal. In particular, please do not enter personal data of third parties, no special categories of personal data (Art. 9 GDPR), no credentials, and no confidential business information into the chat.

AI transparency notice (Art. 50 EU AI Act): You are interacting with an AI system. The responses of the help assistant are generated automatically by an AI model and may be inaccurate, incomplete, or out of date. They do not replace professional advice or a review by our support team. Binding information can only be obtained via the support channels described in this notice.

Transfer to a third country: Anthropic processes requests in the USA. For details on the applicable safeguards, see section 5.

Processing by Anthropic: Anthropic processes inputs exclusively for the purpose of providing the contractually agreed service to IT-Direkt GmbH. Anthropic does not use the inputs to train its models in accordance with the agreed commercial terms of service. Inputs and responses are retained at Anthropic for a period of up to 30 days for security and abuse-monitoring purposes and are subsequently deleted.

Retention at IT-Direkt: Requests and responses are retained in our portal for quality assurance and error analysis purposes for a maximum of 30 days and are then automatically deleted.

Your rights: You may exercise the rights of data subjects listed in section 6 of this Privacy Notice (right of access, rectification, erasure, restriction, data portability, objection, right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR) also in relation to the data processed in the context of the AI help assistant.

Objection / non-use: The use of the AI help assistant is voluntary. You can ignore the help assistant at any time and use the traditional support channels (email, telephone) instead. Where processing is based on Art. 6(1)(f) GDPR, you may object to the processing in accordance with Art. 21 GDPR.

4. Recipients and Sub-Processors

In connection with the provision of the portal, we engage the following sub-processors who may process personal data on our behalf:

  1. 4.1 Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany
    1. 4.1.1 Purpose: Server hosting, data storage, backups, logging
    2. 4.1.2 Location of processing: Germany (EU)
  2. 4.2 Microsoft Ireland Operations Limited, One Microsoft Place, Leopardstown, Dublin 18, Ireland
    1. 4.2.1 Purpose: Email delivery via Exchange Online
    2. 4.2.2 Location of processing: EU
  3. 4.3 Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland
    1. 4.3.1 Purpose: Provision of the WhatsApp Business API for handling customer support communication
    2. 4.3.2 Location of processing: Ireland (EU); transfers to Meta Platforms, Inc. (USA) possible on the basis of the EU-US Data Privacy Framework and supplementary Standard Contractual Clauses
  4. 4.4 Weenat SAS, 2 rue Crucy, 44000 Nantes, France
    1. 4.4.1 Purpose: Provision of parcel- and site-specific weather and environmental data via the Weenat API (virtual weather station)
    2. 4.4.2 Location of processing: France (EU)
  5. 4.5 Anthropic, PBC, 548 Market St, PMB 90375, San Francisco, CA 94104, USA (EU representative: Anthropic Ireland, Limited, 6th Floor, South Bank House, Barrow Street, Dublin 4, Ireland)
    1. 4.5.1 Purpose: Operation of the AI-based help assistant ("Claude" API) within the portal
    2. 4.5.2 Location of processing: USA
    3. 4.5.3 Safeguards: EU-US Data Privacy Framework (Art. 45 GDPR); supplemented by Standard Contractual Clauses (Art. 46(2)(c) GDPR)

An up-to-date list of all sub-processors is available at https://desk.it-direkt.de/subavv .

External third-party API providers made available by the customer for use within the portal act as independent controllers and do not form part of this sub-processor structure.

5. Transfers to Third Countries

The primary processing of personal data by our sub-processors takes place within the European Union (EU) or the European Economic Area (EEA). In a limited number of cases, however, transfers to third countries — in particular to the USA — may occur.

To the extent that Microsoft Ireland Operations Limited or Meta Platforms Ireland Limited process data, in the course of providing their services (Exchange Online or the WhatsApp Business API, respectively), in data centres or through affiliated companies outside the EU, this is carried out on the basis of the European Commission's adequacy decision regarding the EU-US Data Privacy Framework (Art. 45 GDPR) and, in addition, on the basis of the Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR).

When using the AI help assistant (see section 3.7), the transmitted requests and context data are processed by Anthropic, PBC in the USA. This transfer is carried out on the basis of the European Commission's adequacy decision regarding the EU-US Data Privacy Framework (Art. 45 GDPR); Anthropic, PBC is certified under the Data Privacy Framework List. In addition, the Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR) apply between IT-Direkt GmbH and Anthropic; they form part of the Data Processing Addendum (DPA) concluded with Anthropic.

6. Your Rights as a Data Subject

You have the following rights with regard to your personal data:

  1. 6.1 Right of access (Art. 15 GDPR): You may request information about the personal data we hold about you.
  2. 6.2 Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
  3. 6.3 Right to erasure (Art. 17 GDPR): Under certain conditions, you may request the deletion of your data.
  4. 6.4 Right to restriction of processing (Art. 18 GDPR): You may request that processing of your data be restricted.
  5. 6.5 Right to data portability (Art. 20 GDPR): You may request your data in a machine-readable format.
  6. 6.6 Right to object (Art. 21 GDPR): You may object at any time to processing based on a legitimate interest.
  7. 6.7 Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw that consent at any time with effect for the future.

To exercise your rights, please contact our Data Protection Officer (see section 2) or write to us directly at datenschutz@it-direkt.de.

7. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data (Art. 77 GDPR). The supervisory authority competent for IT-Direkt GmbH is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information)

Friedrichstr. 219, 10969 Berlin, Germany

Phone: +49 30 / 13 889-0

Email: mailbox@datenschutz-berlin.de

Website: www.datenschutz-berlin.de

8. Updates to this Privacy Policy

This Privacy Policy is current as of 01/07/2026. We reserve the right to update it as necessary to reflect changes in applicable law, portal features, or processing activities. The current version is available in the portal at all times. Users will be notified by email of any material changes.

As of: 01/07/2026 | IT-Direkt GmbH, Aroser Allee 66, 13407 Berlin | +49 30 8900610 | info@it-direkt.de