1. General information

1.1. Responsible body

ORCA Group LLC

Georg-Wiesböck-Ring 9

83115 Neubeuern

ORCA Group GmbH is the holding company of a group of companies consisting of several construction software companies in the fields of planning, tendering, execution, and operation. The companies belonging to the group are listed on this website.

Insofar as processing operations are carried out jointly within the group of companies, the companies involved act as joint controllers. Appropriate contractual arrangements are in place for this cooperation, in particular an agreement on joint responsibility (Art. 26 GDPR), to ensure that personal data is processed in accordance with data protection regulations, confidentiality is guaranteed, the rights of data subjects are protected, and the companies involved commit to complying with data protection requirements.

1.2. Data Protection Officer

An external data protection officer has been appointed for our company.

This can be found at melodie.lange@privacy-compliant.de .

1.3. Rights of data subjects

You have the right at any time to

• To obtain information about whether and which personal data we process about you (Art. 15 GDPR),
• have inaccurate data corrected (Art. 16 GDPR),
• Have your data deleted (Art. 17 GDPR),
• restrict processing, e.g., if deletion is not yet possible due to legal obligations (Art. 18 GDPR),
• To receive your data in a transferable format or to have it transferred to a third party, provided that the processing is based on your consent or a contract (Art. 20 GDPR),
• Object to the processing (Article 21 GDPR).

You may object to the processing of your personal data at any time for reasons arising from your particular situation, if this is based on a legitimate interest (Art. 6 para. 1 lit. f GDPR). This also applies to profiling within the meaning of Art. 4 No. 4 GDPR.

After your objection, we will no longer process your data unless we can demonstrate compelling legitimate grounds that outweigh your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.

Withdrawal of consent

If you have given us your consent, you can revoke it at any time with effect for the future.

1.4. Right to lodge a complaint with the supervisory authority

You can lodge a complaint with a data protection supervisory authority at any time—in particular with the authority in the state where you live or with the supervisory authority responsible for us.

The Bavarian State Office for Data Protection Supervision (BayLDA) is responsible for us.

1.5. Legal basis

We process personal data only if this is permitted under the GDPR. Depending on the purpose, we base the processing in particular on the following legal bases:

• Consent (Art. 6 para. 1 lit. a GDPR)
• Contract fulfillment or pre-contractual measures (Art. 6 para. 1 lit. b GDPR)
• Compliance with a legal obligation (Art. 6 para. 1 lit. c GDPR)
• Protection of legitimate interests (Art. 6 para. 1 lit. f GDPR)

1.6. Recipients of the data

Depending on the processing activity, personal data may be transferred to recipients. The respective recipients are referred to separately in the relevant sections of this privacy policy. These may include:

• Processors (Art. 28 GDPR): Service providers who process personal data exclusively on our behalf and in accordance with our instructions. We conclude the necessary processing agreements with these service providers.
• Companies in our group: Depending on the specific processing operation, the companies involved act as joint controllers (Art. 26 GDPR); a corresponding agreement exists for this purpose.
• Other recipients / own controllers: Third parties who process personal data on their own responsibility (e.g., social media platforms). In these cases, we provide separate information about the transfer in the respective sections.

In all cases, we ensure that the transfer complies with data protection regulations and that there is an appropriate legal basis for this.

1.7. Data transfer to third countries

Unless expressly stated otherwise in this privacy policy, we do not transfer your personal data to countries outside the European Union or the European Economic Area (third countries).

Data will only be transferred to a third country if the requirements of Articles 44 to 49 GDPR are met, e.g. on the basis of an adequacy decision by the EU Commission or through appropriate safeguards such as EU standard contractual clauses or binding corporate rules.

1.8. Storage periods

The duration of storage depends on the respective processing activity. Unless a specific retention period is specified, we will delete or block your personal data as soon as the purpose of processing no longer applies and there is no longer any legal basis for storage.

Deletion will not take place if we are legally obliged to retain the data (e.g., tax law retention obligations) or if the data is required for the assertion, exercise, or defense of legal claims or in connection with a possible legal dispute.

1.9. Provision of data

The provision of your data is generally voluntary. You are only obliged to provide data if this is contractually necessary or required by law. Please note: If you do not provide certain data, the desired service may not be provided or may only be provided to a limited extent.

1.10. Changes to the Privacy Policy

We reserve the right to update this privacy policy as necessary to ensure that it always complies with current legal requirements. The current version of this privacy policy applies.

2. Data processing

2.1. Server log files

Purpose of data processing

When you visit our website, certain access data is automatically stored in so-called server log files by the hosting provider. This includes, for example, the name of the file/page accessed, your IP address, the date and time of access, the amount of data transferred, and the requesting provider.

We evaluate this data exclusively to ensure the smooth operation of the website, to guarantee security and stability, and to improve the website.

legal basis

Processing is based on our legitimate interest in the stability, security, and functionality of the website (Art. 6 para. 1 lit. f GDPR).

recipient

The hosting and technical provision of the website are carried out by a service provider in Germany, which acts as a processor for us. Unless otherwise stated in this privacy policy, access data and data from forms are processed on the servers of this service provider.

Storage period / deletion

The server log files are deleted no later than 14 days after your visit to the website.

If a security-related event occurs (e.g., a DDoS attack), the log files may be stored for a longer period until the incident has been resolved and fully investigated.

Provision of data

The provision of this data is neither required by law nor contractually stipulated. However, without the processing of server log files, the website cannot be operated securely and reliably. Individual functions may then not be available or only available to a limited extent.

2.2. Cookies

Our website uses cookies. These are small text files that are stored on your device (e.g., laptop, tablet, or smartphone) when you visit our website. Cookies do not cause any damage and do not contain viruses.

We use cookies for various purposes and distinguish between technically necessary and non-necessary cookies.

2.2.1. Technically necessary cookies

These cookies are necessary for the website to function and to provide basic functionality (e.g., page navigation, security, load balancing, language settings, or saving your cookie preferences). Without these cookies, the website cannot function or can only function to a limited extent.

The legal basis is a legitimate interest in the technically error-free and secure provision of the website (Art. 6 para. 1 lit. f GDPR).

2.2.2. Non-essential cookies

If you agree in the cookie banner (consent pursuant to Art. 6 (1) (a) GDPR), we also use cookies that are not strictly necessary for the operation of the website.

These cookies may serve the following purposes in particular:

• Marketing: These cookies help to show you more relevant advertising. They can also be used to limit the frequency of ads and measure the effectiveness of advertising campaigns.
• Personalization: These cookies enable the website to remember your settings and choices (e.g., language or region) and personalize features. For example, depending on which areas of our website you have already visited, different content may be displayed.
• Analytics/statistics: These cookies help us understand how visitors interact with the website, measure the website's performance, and identify technical issues.

You can find the specific cookies/tools, providers, storage periods, and other details in the cookie banner or cookie settings.

You can change or revoke your consent there at any time with effect for the future.

2.2.3. Storage period

Cookies are either stored only for the duration of the respective session (session cookies) or remain on your device for a defined period of time (persistent cookies). You can find the respective storage period in the information provided in the cookie banner.

2.3. Contact

You can contact us at any time, e.g. by email or via the (end-to-end encrypted) contact form on this website. You can describe your request in detail and contact us directly using the contact details provided.

Purpose of data processing

We process the data you provide in order to process your request and communicate with you.

legal basis

Processing takes place depending on the occasion

• to carry out pre-contractual measures or to fulfill a contract (Art. 6 para. 1 lit. b GDPR) and/or
• based on our legitimate interest in efficient and secure communication (Art. 6 (1) (f) GDPR).

Storage period / deletion

Unless there are legal retention requirements, we will delete your data no later than 3 years after the last contact.

If a contractual relationship is established, we will store your contact details for the duration of the contractual relationship. Statutory retention periods remain unaffected; after these periods have expired, the data will be deleted.

Provision of data

The provision of your data is voluntary. However, without the necessary information, we are generally unable to process your request.

2.4. Applications

Purpose of processing

We process applicants' personal data for the purpose of conducting the application process (e.g., reviewing applications, communication, scheduling, selection decisions) and establishing an employment relationship.

legal bases

We only process your applicant data if this is legally permitted. Depending on the situation, we base the processing in particular on the following legal grounds:

• To carry out the application process and to decide on the establishment of an employment relationship (Art. 6 para. 1 lit. b GDPR)
• To fulfill legal obligations, e.g., under labor or tax law (Art. 6 para. 1 lit. c GDPR)
• If special categories of data are involved, e.g., health data (such as information on severe disabilities), and processing is necessary to exercise rights and fulfill obligations under labor law (Art. 9(2)(b) GDPR)
• If you give us your consent, e.g., for the transfer of your application within the group of companies or for inclusion in an applicant pool (Art. 6 para. 1 lit. a GDPR)

recipient

The recipients of your data are the internal departments responsible for the application process and, where applicable, service providers (e.g., IT/hosting service providers) acting as processors.

If you apply to a company within our group and we believe that your application would be better suited to another group company, we will only forward your documents to that company with your prior consent. In this case, we will inform you of the company in question in advance.

data sources

We generally process the data you provide us with as part of your application (e.g., cover letter, resume, references, communication content).

Depending on the individual case, we may also obtain data from other sources, in particular:

• from recruitment agencies or referrers (if applicable),
• from publicly available sources, e.g., professional profiles on platforms such as LinkedIn or Xing (to the extent necessary for the application process).

storage period

In the event of rejection, we will delete the application documents no later than 6 months after completion of the application process, provided that there are no legal retention obligations or the data is required for the assertion or defense of legal claims.

If you would like us to consider your application for future positions, we will obtain your consent in advance and add your data to our applicant pool. In this case, we will store your data for up to 12 months and then delete it, unless you revoke your consent beforehand.

Provision of data

The provision of your data is voluntary. However, without the information required to carry out the application process, we will generally be unable to consider your application.

2.5. Social media

Purpose of data processing

We maintain profiles on LinkedIn, Facebook, and Instagram to cultivate our online presence. This includes, in particular:

• publishing content (posts/content),
• responding to comments and messages,
• the evaluation of interactions (e.g., reach, clicks, engagement) using the statistics and analysis functions provided by the platforms.

Please note: The respective social media platform processes personal data on its own responsibility and provides information on this in its privacy policy. Since the platforms have direct access to usage data, they are usually also the primary point of contact when it comes to platform-specific processing and exercising your rights.

The providers' privacy policies can be found here:

• LinkedIn: https://www.linkedin.com/legal/privacy-policy
• Instagram: https://privacycenter.instagram.com/policy
• Facebook: https://www.facebook.com/privacy/policy/

legal basis

We process personal data in connection with our social media profiles, in particular:

• based on our legitimate interest in conducting our public relations work and maintaining our online presence (Art. 6(1)(f) GDPR),
• to initiate or execute a contract, if your contact relates to a (potential) business relationship (Art. 6 para. 1 lit. b GDPR).

If a platform offers tracking or analysis functions that require consent, this consent is regularly obtained and managed by the platform (Art. 6 (1) (a) GDPR, where applicable).

recipient

The recipients are the respective platform operators:

• LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
• Meta Platforms Ireland Limited (for Facebook and Instagram), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

third country transfer

When using LinkedIn and Facebook/Instagram, data processing outside the EU/EEA cannot be ruled out. Where necessary, the providers rely on appropriate safeguards for such transfers, in particular EU Standard Contractual Clauses (SCCs) and supplementary protective measures.

2.6. IFCtoLV (Beta Phase)

When using IFCtoLV, you can upload IFC files, which the tool will analyze and convert to provide the conversion you need. In addition, the uploaded data may be used to a limited extent to further develop the tool technically, analyze errors, improve performance, and conduct statistical analyses of the tool’s usage.

The tool primarily processes technical files and the technical information they contain. However, since it is not possible to verify in advance what content users upload, it cannot be ruled out that the uploaded files may also contain personal data.

The processing is carried out to perform the requested conversion in accordance with Article 6(1)(b) of the GDPR.

Data processing is carried out under joint responsibility with ORCA Software GmbH. Another recipient of the data is a technical service provider engaged for hosting and cloud infrastructure services.

Uploaded files are generally deleted after three months. In exceptional cases where data is needed for a longer period for analysis and improvement purposes, it is retained only in anonymized form.

Providing personal data is generally not required to use the tool. However, since the conversion tool processes the contents of uploaded files exactly as they are provided, personal data should be removed or redacted before uploading, if possible.

 

ORCA Group LLC

Georg-Wiesböck-Ring 9
, 83115 Neubeuern, Germany

Register court: Traunstein Local Court, HRB 34673
Management: Manfred Scholz, Matthias Werner

Phone: +49 8035 9637-0
Email: info@orca.group