Privacy Policy
Information about the handling of your personal data
1. Introduction and Controller
The protection of your personal data is of particular importance to us. In this privacy policy, we inform you in detail about how your data is handled when you visit our website and use our services.
Controller within the meaning of the GDPR:
Triccon GmbH
Dammstraße 20
06667 Weißenfels
Germany
Managing Director: Nico Werner
Contact Person: Hannes Werner
Email: info@origin-labs.de
Phone: +49 152 03037738
2. Legal Basis for Data Processing
We process personal data on the basis of the following legal grounds:
- Art. 6(1)(a) GDPR: Consent of the data subject
- Art. 6(1)(b) GDPR: Performance of a contract or pre-contractual measures
- Art. 6(1)(f) GDPR: Legitimate interests in safeguarding our business interests
- Art. 6(1)(c) GDPR: Compliance with legal obligations
3. Collection and Storage of Personal Data
3.1 When Visiting the Website
When you access our website, your browser automatically sends information to our website's server. This information is temporarily stored in a so-called log file:
- IP address of the requesting device
- Date and time of access
- Name and URL of the retrieved file
- Website from which the access was made (referrer URL)
- Browser used and, if applicable, the operating system of your device
The aforementioned data is processed to ensure a smooth connection setup, comfortable use of our website, and to evaluate system security and stability.
3.2 When Using Our Contact Form
For any type of inquiry, we offer you the option to contact us via a form provided on the website. A valid email address is required so that we know who the inquiry is from and can respond to it. Additional information may be provided voluntarily. The personal data collected for the use of the contact form will be automatically deleted after your inquiry has been processed.
3.3 When Entering into a Contract
For the performance of a contract, we collect the following personal data:
- First and last name
- Address (if required)
- Email address
- Phone number (if provided)
- Payment data (depending on the chosen payment method)
The personal data we process for the performance of the contract will be stored until the expiry of the statutory retention period (usually 10 years after the end of the contract) and then deleted.
4. Disclosure of Data
Your personal data will not be transmitted to third parties for purposes other than those listed below.
We only share your personal data with third parties if:
- you have given your explicit consent (Art. 6(1)(a) GDPR)
- the disclosure is necessary for compliance with a legal obligation (Art. 6(1)(c) GDPR)
- this is necessary for the performance of contractual relationships (Art. 6(1)(b) GDPR)
Payment Service Provider: To process payments, we forward your payment data to the credit institution responsible for the payment transaction.
5. Use of Cookies
We use cookies on our website. These are small files that your browser automatically creates and stores on your device when you visit our site. Cookies do not cause any damage to your device and do not contain viruses, trojans, or other malware.
The use of cookies serves to make the use of our website more pleasant for you. We use session cookies to recognise that you have already visited individual pages of our website. These are automatically deleted after you leave our site.
Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer. Completely deactivating cookies may mean that you cannot use all functions of our website.
6. Analytics Tools
The tracking measures listed below are carried out on the basis of Art. 6(1)(f) GDPR. With the tracking measures employed, we aim to ensure a demand-oriented design and the continuous optimisation of our website.
Server Log Files
The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are browser type and version, operating system used, referrer URL, hostname of the accessing computer, time of the server request, and IP address. This data is not merged with other data sources.
Storage period: Server logs (in particular IP address, user agent and request URL) are retained by our hosting provider Vercel Inc. for a maximum of 30 days and are then deleted automatically (state of the Vercel platform SLA as of May 2026). Edge logs are rotated within a few hours. Longer retention only occurs where required for the investigation of a specific security incident (Art. 6(1)(f) GDPR).
7. Rights of the Data Subject
You have the right:
- pursuant to Art. 15 GDPR, to request information about your personal data processed by us
- pursuant to Art. 16 GDPR, to request the immediate rectification of inaccurate personal data or the completion of incomplete personal data stored by us
- pursuant to Art. 17 GDPR, to request the erasure of your personal data stored by us
- pursuant to Art. 18 GDPR, to request the restriction of processing of your personal data
- pursuant to Art. 20 GDPR, to receive your personal data in a structured, commonly used, and machine-readable format
- pursuant to Art. 22 GDPR, not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you
- pursuant to Art. 7(3) GDPR, to withdraw your consent given to us at any time
- pursuant to Art. 77 GDPR, to lodge a complaint with a supervisory authority
8. Right to Object
If your personal data is processed on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR, you have the right pursuant to Art. 21 GDPR to object to the processing of your personal data, insofar as there are grounds relating to your particular situation.
If you wish to exercise your right of withdrawal or objection, an email to info@origin-labs.de is sufficient.
9. Automated Lead Scoring (Profiling)
Within our internal sales process, we use AI-assisted lead scoring. Based on your request and interaction data (source, stage history, number of configurations/requests, email engagement, internal notes) we compute a numeric score between 0 and 100 that estimates the likelihood of a future contract. This processing constitutes profiling within the meaning of Art. 4 No. 4 GDPR.
Purpose and legal basis: Sales prioritisation (which leads are contacted first). The legal basis is Art. 6(1)(f) GDPR (legitimate interest in efficient sales operations). A balancing of interests has been performed.
No solely automated decision with legal effect: The score is an internal aid without direct legal effect on you. There is no automatic rejection, preferential treatment or contract decision — the decision on outreach, offer or contract is always made by a human. Art. 22(1) GDPR is therefore not engaged.
Right to manual correction and deletion: You may at any time request a manual correction or full deletion of your lead score. Deletion covers the score, the textual reasoning, the underlying signals and the confidence level. Please send any such request to info@origin-labs.de.
Data transfer to the USA: For the AI-assisted scoring, we transmit the data points relevant to the score computation to OpenAI, OpenAI OpCo, LLC (3180 18th Street, San Francisco, CA 94110, USA). OpenAI is certified under the EU-US Data Privacy Framework (EU Commission adequacy decision of 2023-07-10); a data processing agreement (DPA) under Art. 28 GDPR including the EU Standard Contractual Clauses is additionally in place. Data submitted via the OpenAI API is not used to train OpenAI models (API default as of 2026-05).
Internal knowledge-base queries: In our internal admin area (/admin/ai-suite/wissensbasis), authorised staff can submit natural-language questions to an AI assistant. When a question is submitted, the assistant may — depending on the question — transmit data points from our database to OpenAI (e.g. contact names, company names, email addresses, invoice numbers, stage and score data). The legal basis is Art. 6(1)(f) GDPR (legitimate interest in efficient internal knowledge retrieval). Recipient, data-protection framework and DPA are identical to those described above for lead scoring. Transmission only occurs ad-hoc upon active request by an authorised staff member, not automatically or in the background.
10. Data Security
We use the widely used SSL (Secure Sockets Layer) method in conjunction with the highest level of encryption supported by your browser when you visit our website. You can tell whether an individual page of our website is transmitted in encrypted form by the closed lock symbol in the status bar of your browser.
We also employ appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or against unauthorised access by third parties.
11. Service Providers and Recipients in Use
As part of our processing activities, we use the following processors and recipients. Data processing agreements under Art. 28 GDPR exist with all named providers. Transfers to third countries (especially the USA) are based on the EU-US Data Privacy Framework (DPF) and additional Standard Contractual Clauses (SCC) under Art. 46 GDPR.
| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | Hosting, Edge Network, server logs (max. 30 days retention, then automated deletion) | USA / EU region (FRA) | EU-US DPF + SCC + DPA |
| Supabase Inc. | Database, authentication, storage, realtime | EU (eu-central-1, Frankfurt) | DPA (US parent company, SCC for any third-country access) |
| Resend, Inc. | Transactional email delivery (confirmations, payment reminders, newsletter) | USA | EU-US DPF + SCC + DPA |
| OpenAI, L.L.C. | AI processor for all backend AI functions (lead scoring, knowledge base, brand voice audit, content generation). No use of API data for training. | USA | EU-US DPF + DPA |
| DeepL SE | Content translation (internal maintenance of multilingual content) | EU (Cologne, Germany) | DPA (intra-EU) |
| Cloudflare, Inc. | DNS resolver (MX validation of the submitted email domain for configurator/relaunch). No content or identification data. | USA / global anycast network | EU-US DPF + SCC |
| Google LLC (Google Maps Embed, Google Places API, Google Reviews) | Display of the location map and embedding of Google business profiles / reviews on public pages | USA / worldwide | EU-US DPF |
| Meta Platforms Ireland Ltd. (Instagram, Facebook) | Social media publishing from the internal backend, OAuth authentication (admin-only) | Ireland / USA | EU-US DPF + DPA |
| Google LLC (Google Calendar) | Synchronisation of booked appointments with the business calendar (admin-only) | USA | EU-US DPF + DPA |
12. Public Document Viewer, Question Feature and Newsletter
12.1 Quote acceptance via magic link (/dokument/[token] and /a/[jwt])
When you accept a quote via the link sent to you by email, we collect first name, last name, company and an optional comment. To document conclusion of the contract (§ 126b German Civil Code, text form), we also store your IP address and the user-agent of your browser. Legal basis is Art. 6 (1) (b) GDPR (contract initiation and performance). IP address and user-agent are automatically removed after 90 days; the remaining acceptor data is stored until contract fulfilment and then for the commercial and tax retention periods (typically 10 years under the German Fiscal Code/Commercial Code).
12.2 Question feature for quotes
In the public document viewer you can submit questions about a quote. We collect first name (required), email address (required, for our reply), optionally last name and company as well as the content of your question. Legal basis: Art. 6 (1) (b) and (f) GDPR (pre-contractual contact). The data is kept until the question is resolved and then for up to 6 months; processed or dismissed questions are automatically deleted afterwards.
12.3 Newsletter with one-time discount code
When you sign up for the newsletter, we collect your email address and use a double opt-in: you receive a confirmation email with an activation link. Only after clicking this link will you receive our newsletter and a one-time discount code. Legal basis is Art. 6 (1) (a) GDPR (consent). You can unsubscribe at any time via the link in every email; after revocation, the address is kept in a suppression list for up to 3 years to evidence the revocation (Art. 7 (1) GDPR).
12.4 Reach measurement (page views, click tracking)
We measure reach only after your consent in the cookie banner (Statistics category). We collect page path, source (e.g. google or direct), referrer domain and a generalised browser type (e.g. Windows / Chrome). Neither IP addresses nor unique device IDs are stored. Retention: 12 months. Click tracking on links we generate (/api/track/[slug]) stores an IP hash with a daily rotating salt — the original IP cannot be reconstructed from it. Legal basis: Art. 6 (1) (a) GDPR (consent), or (f) (legitimate interest in reach measurement for click tracking).
13. Contact for Data Protection Matters
If you have any questions about data protection, you can contact us at any time:
Triccon GmbH
Dammstraße 20
06667 Weißenfels
Germany
Email: info@origin-labs.de
Phone: +49 152 03037738
For complaints, you can also contact the supervisory authority responsible for us:
The State Commissioner for Data Protection and the Right of Access to Files of Saxony-Anhalt
Leiterstraße 9
39104 Magdeburg
Phone: 0391 81803-0
Email: poststelle@lfd.sachsen-anhalt.de
Last updated: May 2026
This privacy policy was created taking into account current legislation. In the event of changes to legal provisions or our business activities, this information will be updated accordingly.