Privacy Notice
Last updated: May 19, 2026
This privacy notice provides information, pursuant to Article 13 of the General Data Protection Regulation (GDPR), on the processing of personal data in connection with the use of the website www.arx-robotics.com (hereinafter"Website") by ARX Robotics GmbH as the controller. "Personal data" within the meaning of Article 4(1) GDPR refers to any information relating to an identified or identifiable natural person (data subject), such as name, address, telephone number, date of birth, email address, or IP address. Information that cannot be linked to a specific individual, for example as a result of anonymization, is not considered personal data.
1. Controller
The controller for the processing of personal data on the website within the meaning of the General Data Protection Regulation (GDPR) is:
ARX Robotics GmbH
Möslstraße 19B
85445 Oberding
Germany
info@arx-robotics.com
For data protection inquiries or to exercise your data subject rights, please contact dataprivacy@arx-robotics.com
2. Data Protection Officer
The following person has been appointed as Data Protection Officer:
Kertos GmbH
Brienner Straße 41
80333 Munich
Germany
Email: dsb@kertos.io
3. Data Processing on Our Website
3.1 Provision of the Website
Purpose of processing:
We process your data in order to
· ensure the reliable operation of the website
· provide user-friendly access to our website
· and maintain IT security
Recipients: Webflow, Inc., 398 11thSt., Floor 2, San Francisco, CA 94103, USA (Provision and operation of a web-based platform)
Data processed:
· IP address of the requesting device
· Method (e.g., GET, POST), date and time of the request
· Address of the accessed website and path of the requested file
· if applicable, previously accessed or requested website/file (HTTP referer)
· Information regarding the browser and operating system used
· Version of the HTTP protocol, HTTP status code, size of the delivered file
· Request information such as language, content type, content encoding, character encodings
Legal basis: Article 6(1)(f) GDPR. The processing of the specified data is necessary to provide the website and to ensure secure and user-friendly operation.
Retention period: The collected data will be deleted as soon as it is no longer required for the operation of the website, but no later than 30 days, unless a statutory retention obligation applies.
Further information: https://webflow.com/legal/eu-privacy-policy
3.2 Content Delivery Network
Purpose: To accelerate website loading times and protect against DDoS attacks through the use of a content delivery network (CDN).
Recipient: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA
Data processed:
· Accessed webpage
· Browser type used
· Operating system
· Referrer URL
· IP address
· Requesting provider
Legal basis: Legitimate interests pursuant to Art. 6(1)(f) GDPR (website security and performance).
Storage period: Data is generally transferred to and stored on a Cloudflare server in the USA, only as long as required for the purpose stated above.
International data transfer: For the use of cloudflare, Data is transferred to the USA on the basis of the EU-U.S. Data Privacy Framework (Art. 45 GDPR). Cloudflare is certified under the Framework and thereby recognized as providing an adequate level of data protection.
Further information: https://www.cloudflare.com/privacypolicy/
3.3 Video Delivery
Purpose: To deliver video content efficiently and reliably on the website, including optimized loading times and stable playback via a content delivery network (CDN).
Recipient: BunnyWay d.o.o.(bunny.net), Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia.
Data processed:
· Accessed video
· IP Address
· Browser type used
· Operating system
· Referrer URL
· Date and time of access
· Technical connection data strictly required for video delivery (e.g. request headers,streaming segments)
Legal basis: Legitimate interests pursuant to Art. 6(1)(f) GDPR (provision of video content, ensuring performance, stability, and protection against misuse).
Storage period: Data is processed only for the duration necessary to deliver the video content and to ensure technical security. Server log data is stored for a limited period and is subsequently deleted or anonymized.
International data transfer: Bunny.net operates a globally distributed content delivery network (CDN). Data is primarily processed on servers within the European Union. Where processing outside the EU cannot be excluded for technical reasons, appropriate safeguards pursuant to Art. 46 GDPR (in particular Standard Contractual Clauses) are in place to ensure an adequate level of data protection.
Further information: https://bunny.net/privacy/.
3.4 Analytics and Tracking
Cookies are small text files stored by your browser on your device. Cookies do not execute programs or install malware. Comparable technologies include web storage (local/session storage), fingerprinting, tags, and pixels. Most browsers accept these technologies by default; however, you can adjust your settings to block their use or to require consent. Please note that blocking cookies or similar technologies may restrict certain functionalities of the website.
Purpose: We use tracking and analytics tools to continually optimize our website and adapt it to your needs. For this purpose, information is collected using these technologies or device information is combined (device fingerprinting).
Legal basis: Technically necessary tools required for the operation of the website are used on the basis of our legitimate interests in accordance with Art. 6(1)(f) GDPR, or for the performance of a contract or pre-contractual measures pursuant to Art. 6(1)(b)GDPR. The storage of or access to information on your device is strictly necessary in these cases and is based on Section 25(2) TDDDG. Optional tools are used exclusively with your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. Below, we outline the tracking and analytics tools used, their respective purposes, and the data processed.
Cookie Table
4. Applicant Management
Purpose: Management of the application process, active sourcing for concrete open roles, candidate relationship management, outreach, scheduling, documentation, technical candidate assessments, coding tests, live interviews and related decision support within the recruiting process. Where we do not collect personal data directly from the data subject, we provide the information required underArticle 14 GDPR at the latest at the time of the first communication.
Recipients:
· Greenhouse Software, Inc., 228 Park Avenue S, PMB14744, New York, NY 10003-1502, USA
· Gem Software, Inc., 525 Market Street, 6th Floor, SanFrancisco, CA 94105, USA
· Codility Limited, 107 Cheapside, London EC2V 6DN,United Kingdom
· Related hosting, infrastructure, integration, communication and support providers engaged by these services
· Internal recipients on a need-to-know basis, in particular recruiters, People Operations / HR, interviewers, hiring managers and authorized viewers involved in the recruiting process.
Data Categories: Depending on the stage and scope of the recruiting process, we may process identification and contact data, professional and profile data, application materials, communication data, interview and scheduling data, technical assessment data, and source, activity and audit data. We do not intentionally process special categories of personal data in Gem as part of the approved active sourcing scope. Greenhouse’s public DPA states that special categories should not be disclosed unless expressly foreseen.
Legal Basis: Processing for the application process is based primarily on Section 26(1) sentence 1 BDSGand, where applicable, Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. Active sourcing, outreach and candidate relationship management before an application are based on Article 6(1)(f) GDPR. Talent pool processing without a concrete vacancy, where applicable, is based on Article 6(1)(a) GDPR.
Storage Period: Applicant data is generally retained for 6 months after completion of the application process. If proactive sourcing does not lead to an application, sourcing data is generally retained for up to 6 months and then deleted or blocked.Greenhouse states that personal data in the customer account is automatically deleted 90 days after expiration or termination of the services agreement, subject to a 30-day backup schedule. Codility’s public DPA provides for deletion of protected data within 90 days of the Processing End Date, unless legal retention obligations apply.
International Data Transfers: Personal data processed in the recruiting context may be transferred to recipients in the United States or other countries outside the EU / EEA. Depending on the relevant recipient and transfer path, such transfers are based on an adequacy decision, in particular the EU-U.S. Data Privacy Framework, or on StandardContractual Clauses and supplementary safeguards. Greenhouse’s public DPA expressly refers to the Data Privacy Framework and EU SCCs for restricted transfers. Gem publicly states compliance with the EU-U.S. DPF, the UKExtension and the Swiss-U.S. DPF. Codility’s public DPA refers to adequacy decisions or Standard Contractual Clauses for international transfers.
Further Information: https://www.greenhouse.io/privacy-policy
5. Contact via email
Purpose: To process and respond to your inquiry.
Data processed:
· Name
· Email address
· Content of your message
Legal basis: Article 6(1)(f) GDPR (legitimate interest in communicating with you). If your inquiry is aimed at concluding or performing a contract, processing is carried out on the basis of Article 6(1)(b) GDPR.
Retention period: Your data will only be stored for as long as necessary to fully process your inquiry.
6. External Links
Our website contains links to external websites of third parties (e.g.,Google, LinkedIn etc.) over whose content we have no control. Therefore, we cannot assume any liability for these external contents.
The respective provider or operator of the linked pages is always responsible for their content. The linked pages were checked for possible legal violations at the time the links were created. No unlawful content was apparent at that time.
However, continuous monitoring of the linked pages is not reasonable without concrete evidence of a violation. If we become aware of any legal infringements, we will remove such links immediately.
When you follow an external link, please note that the privacy policies of the respective provider may apply, and we have no influence over how those providers handle your personal data. We recommend reviewing the privacy policies of any third-party websites before using their services.
7. International Data Transfers
Personal data is primarily processed within the EU / EEA. In therecruiting context, transfers to third countries may occur in particular inconnection with Greenhouse, Gem, Codility and their related infrastructure,hosting, integration, communication and support providers. Depending on therecipient and transfer path, such transfers may be based on an adequacydecision, including the EU-U.S. Data Privacy Framework, or on StandardContractual Clauses and other lawful safeguards under Articles 44 et seq. GDPR.Greenhouse’s public DPA expressly refers to the Data Privacy Framework and EUSCCs. Gem publicly states compliance with the EU-U.S. DPF, the UK Extension andthe Swiss-U.S. DPF. Codility’s public DPA refers to adequacy decisions orStandard Contractual Clauses.
8. Recipients
Personal data collected by us will only be disclosed if:
· you have given us your explicit consent pursuant to Article 6(1)(a) GDPR;
· the disclosure is necessary to safeguard our legitimate interests or for the establishment,exercise, or defence of legal claims, and there is no reason to assume that your interests or fundamental rights and freedoms which require the protection of personal data override those interests (Article 6(1)(f) GDPR);
· we are legally obliged to disclose the data (Article 6(1)(c) GDPR); or
· such disclosure is lawful and necessary for the performance of a contract with you or for the implementation of pre-contractual measures at your request (Article 6(1)(b)GDPR).
Possible recipients include:
· Processors: Group companies or external service providers (e.g., for technical infrastructure and processing, maintenance, payment processing) that are carefully selected and monitored. Processors may only process data in accordance with our instructions.
· Public authorities: Government agencies and public institutions (e.g., tax authorities, public prosecutors, courts) to whom we are required to transfer personal data, for example to comply with legal obligations or to protect legitimate interests.
9. Data Security and Safeguards
We implement appropriate technical and organizational measures to ensure the security and confidentiality of your personal data. These measures are designed to protect against unauthorized access, manipulation, loss, or misuse. Our security measures are regularly reviewed and adapted to reflect technological advancements and current industry standards.
Please note that despite extensive protective measures, data transmission over the internet may involve security vulnerabilities. In particular, unencrypted communication (e.g., standard email) carries the risk that data may be accessed by third parties. We have no influence over the actions of external parties. We therefore recommend that you use encryption or other protective measures when transmitting sensitive information electronically to minimize potential risks.
10. Retention and Erasure/Blocking of Data
Personal data will be deleted or blocked as soon as the purpose of storage no longer applies. Further storage will only take place if required by European Union or national legal provisions to which the controller is subject. Data will also be deleted or blocked once a statutory retention period expires,unless continued storage is necessary for the performance of a contractual relationship.
11. Data Subject Rights
You have the following rights with regard to your personal data:
a. Right of access (Article 15 GDPR, Section 34 BDSG): You may request information as to whether and which personal data we process, for what purpose, to whom or to which categories of recipients the data is disclosed, and how long it is stored.
b. Right to rectification (Article 16 GDPR): You may request the immediate rectification of inaccurate personal data or the completion of incomplete personal data.
c. Right to erasure (Article 17 GDPR): You may request the erasure of your personal data, in particular if it is no longer necessary, you withdraw your consent, or the data has been unlawfully processed.
d. Right to restriction of processing (Article 18 GDPR): You may request the restriction of the processing of your data, for example if the accuracy of the data is contested.
e. Right to data portability (Article 20 GDPR): You have the right to receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format, or to request the transfer of this data to another controller, where technically feasible.
f. Right to withdraw consent (Article 7(3) GDPR): You may withdraw any consent given at any time with effect for the future. The lawfulness of processing up to the point of withdrawal remains unaffected.
Right to object (Article 21 GDPR): You may object at any time to the processing of your personal data for reasons relating to your particular situation, especially in the context of direct marketing or any related profiling.
Right to lodge a complaint with a supervisory authority (Article 77GDPR): You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data infringes data protection regulations.
