Privacy Policy of NieRuf GmbH

Version: October 2025

1. Controller

NieRuf GmbH
Zeppelinstrasse 11
74354 Besigheim
Phone: +49 (0)7143/9666-900
E-mail: info@nieruf.com
Website: www.nieruf.com

Represented by the Managing Directors: David Niemes

2. General information on data processing

We take the protection of your personal data very seriously. Your personal information is treated confidentially and in accordance with the statutory data-protection provisions and this privacy policy. The use of our website is generally possible without providing personal data. If personal data are collected on our pages (e.g. via contact forms, inquiries or orders), this is always done on a voluntary basis.

3. Legal bases of processing

We process personal data exclusively on the basis of the GDPR, in particular:

• Art. 6 (1)(b) GDPR – performance of a contract or steps prior to entering into a contract,
• Art. 6 (1)(f) GDPR – legitimate interests (e.g. efficient handling of inquiries, improvement of our services),
• Art. 6 (1)(a) GDPR – consent (e.g. newsletter, cookies, analytics tools).

4. Server log files

The provider of this website automatically collects and stores information in so-called server log files that your browser automatically transmits. This includes:

• Browser type and version,
• Operating system used,
• Referrer URL,
• Hostname of the accessing computer,
• Time of the server request.

These data cannot be assigned to specific individuals. A combination of these data with other data sources is not carried out. Processing is based on Art. 6 (1)(f) GDPR (legitimate interest in secure website operation).

5. Cookies and consent management

Our website uses cookies to make it user-friendly and secure. Details regarding the types of cookies used, their duration and purpose can be found in our cookie banner. You may withdraw or adjust your consent at any time. The use of cookies for analytical or marketing purposes takes place solely on the basis of your consent pursuant to Art. 6 (1)(a) GDPR.

6. Contact form and e-mail contact

If you contact us by form or e-mail, your details including the contact information you provide will be stored for the purpose of processing the inquiry and for possible follow-up questions. These data will not be disclosed without your consent. Legal basis: Art. 6 (1)(b) GDPR (pre-contractual communication).

7. Automated processing of orders and inquiries (AI systems)

For efficient handling of orders and customer inquiries, we use AI-based systems. This includes in particular:

• Mistral OCR for automatic conversion of incoming PDF documents into text,
• OpenAI ChatGPT API (language-model processing) for analysing and extracting relevant data (e.g. article numbers, quantities, contact persons, delivery addresses).

Purpose: To simplify and accelerate the processing of orders and inquiries, to prepare structured data sets for our ERP system, and to reduce manual input errors.

Legal basis: Art. 6 (1)(b) GDPR (contract performance or pre-contractual measures) and Art. 6 (1)(f) GDPR (legitimate interest in efficient order handling).

Data transmission: Processing is carried out exclusively via secure interfaces. When using the OpenAI API, data may be transmitted to OpenAI LLC (USA) on the basis of the EU Standard Contractual Clauses (Art. 46 GDPR). OpenAI does not use the data for model training. Mistral AI SAS (France) processes data only within the EU or on EU-compliant servers.

Data minimisation: Personal data (e.g. signatures, phone numbers) are automatically filtered before transmission if not required for processing.

Retention period: OCR and analysis results are stored temporarily (max. 30 days). Data required for order processing are retained according to statutory commercial and tax retention periods (6 or 10 years).

8. Payment processing

To process payments, we transmit payment information to the payment service providers involved (e.g. PayPal, Klarna, banks). Legal basis: Art. 6 (1)(b) GDPR (contract performance).

9. Use of Google services

Our website may use services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This may include:

• Google Analytics / Tag Manager (statistics, reach analysis),
• Google Ads / Conversion Tracking (advertising performance measurement),
• Google reCAPTCHA (spam and abuse prevention for forms),
• Google Maps / YouTube (content display).

Personal data (e.g. IP address, device information, user behaviour) may be transferred to Google servers in the USA. Where data are transferred to third countries, this takes place on the basis of the EU Standard Contractual Clauses (Art. 46 GDPR). The use of these services is based solely on your consent under Art. 6 (1)(a) GDPR, which you can grant or revoke via the cookie banner. Further information: https://policies.google.com/privacy?hl=en

10. Use of internal systems (ERP and communication)

For handling inquiries, quotations, orders and invoices, we process personal data in our internal ERP system. This system serves the central management of customer, supplier and order data. Legal basis: Art. 6 (1)(b) GDPR (contract performance) and Art. 6 (1)(f) GDPR (legitimate interest in efficient business organisation). Where external IT service providers are engaged for maintenance or hosting, this occurs exclusively under data-processing agreements in accordance with Art. 28 GDPR. No data are transferred to third countries.

11. Use of the shop software “Shopware”

Our online shop is operated using the Shopware system of shopware AG, Ebbinghoff 10, 48624 Schöppingen, Germany. Shopware processes, within the scope of order handling, customer registration and use of customer accounts, the personal data required to perform the contract. This includes in particular:

• Name, address, contact details,
• Login data (for customer account),
• Order, billing and delivery details,
• Technical usage data (e.g. IP address, timestamp, session ID).

Processing takes place pursuant to Art. 6 (1)(b) GDPR (performance of the purchase contract) and Art. 6 (1)(f) GDPR (interest in a secure and technically proper shop operation). Data are processed on servers within the EU. If an external hosting provider is used, processing is carried out on the basis of a data-processing agreement under Art. 28 GDPR. Further information: https://www.shopware.com/en/privacy/

12. Data security

We employ technical and organisational security measures to protect your data against unauthorised access, manipulation, loss or destruction. Our security measures are regularly reviewed and adapted to the state of the art.

13. Rights of data subjects

You have the right to:

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Objection (Art. 21 GDPR)
• Data portability (Art. 20 GDPR)

To exercise your rights, please contact datenschutz@nieruf.de.

14. Right to lodge a complaint

You have the right to lodge a complaint with a data-protection supervisory authority. The competent authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, Germany. Website: www.ldi.nrw.de

15. Amendments to this Privacy Policy

We reserve the right to update this Privacy Policy in order to adapt it to amended legal requirements or technical developments. The current version is always available at www.nieruf.com/Data-privacy.