Privacy Policy - Ouhud CRM

1. Controller

Ouhud Ltd.
Sundernholz 112
45134 Essen, Germany
Email: info@ouhud.com
Data protection contact: Data protection

2. Definitions

Personal data: any information relating to an identified or identifiable natural person.
Processing: any operation related to personal data (e.g., collection, storage, retrieval, deletion).
Controller: entity that determines the purposes and means of processing.
Processor: entity that processes data on behalf of a controller.

3. Role: Controller and Processor

The Ouhud GmbH is the controller responsible for the processing of personal data on this website.

When using Ouhud CRM to process customer data, we regularly act as a processor in accordance with Article 28 GDPR; the respective customer remains the controller for this data processing.

4. Categories of data collected

Master data (name, contact details, company)

Contract and billing data

Communication data (support, email, tickets)

Usage data and log data (e.g., IP, timestamp, login events)

Consent and preference data

Content stored in the system by customers

5. Purposes and Legal Bases

Contract performance and provision of the platform (Art. 6(1)(b) GDPR)
Compliance with legal obligations (Art. 6(1)(c) GDPR)
Operational security, quality assurance, and abuse prevention (Art. 6(1)(f) GDPR)
Consent-based processing, e.g., optional cookies (Art. 6(1)(a) GDPR)

6. Recipients and processors

Personal data will only be transferred insofar as this is necessary for the performance of the contract or permitted by law.

Hosting and infrastructure provider
Email and communications service provider
Payment service provider
IT security and maintenance service provider

Contracts are concluded with processors in accordance with Article 28 GDPR.

7. Transfer to third countries

A transfer to countries outside the EU/EEA will only take place if the requirements under Art. 44 et seq. GDPR are met.

Adequacy decision
EU Standard Contractual Clauses
additional protective measures, as necessary

8. Professional secrecy (Section 203 of the German Criminal Code)

To the extent that our customers are subject to professional secrecy pursuant to Section 203 of the German Criminal Code (StGB), processing is carried out in compliance with professional secrecy, with strict confidentiality and access requirements.

Employees are bound to confidentiality; access is granted only on a need-to-know basis.

9. Cookies and Sessions

Technically necessary cookies/sessions: Section 25 (2) No. 2 TDDDG, Article 6 (1) (f) GDPR
Optional statistics and marketing cookies: Section 25 (1) TDDDG, Article 6 (1) (a) GDPR

Consents can be changed or revoked at any time via the cookie manager.

10. Retention periods

Tax and commercial law documents: generally 6, 8, or 10 years (depending on the type of document)
Contact and support inquiries: generally up to 6 months after completion
Security and access data: generally up to 14 days, unless longer storage is required for incident investigation

11. Data Security (TOMs)

Encryption during transmission via TLS/SSL
Encrypted storage of sensitive data (AES-256)
Role and permission concepts, multi-factor authentication, and access restrictions
Regular security checks, backup and recovery procedures

Server location Germany, hosting in the EU (Frankfurt am Main).

12. Audit Log and Logging

For traceability and security, security-relevant actions in the system are logged (e.g., logins, changes, permission events).

Logging is used to detect and investigate security incidents and to comply with legal requirements.

13. Your rights

Access (Art. 15 GDPR)
Rectification (Art. 16 GDPR)
Erasure (Art. 17 GDPR)
Restriction of processing (Art. 18 GDPR)
Data portability (Art. 20 GDPR)
Objection (Art. 21 GDPR)
Revocation of consent with effect for the future

14. Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data.

State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia
https://www.ldi.nrw.de

15. No automated decision-making

No exclusively automated decision-making, including profiling within the meaning of Article 22 GDPR, takes place.

16. Data protection incidents

In the event of a personal data protection breach, defined incident response processes apply.

Notifiable incidents are reported in a timely manner to the competent supervisory authority in accordance with Articles 33 and 34 GDPR and, where necessary, to the affected individuals.

17. Changes to this statement

We will update this privacy policy if legal, technical, or organizational changes make it necessary.

Status: 10. April 2026