1 General information
This privacy policy provides information on the processing of personal data by Westbridge Advisory GmbH, in particular in the context of the use of the website, online services, communication and other business processes in accordance with the General Data Protection Regulation (GDPR).
Personal data is only processed if there is a legal basis - for example to fulfill a contract, on the basis of consent or to protect legitimate interests. Only the data required for the respective purpose is processed.
1.1 About us
The controller for the processing of personal data is: Westbridge Advisory GmbH, Barckhausstr. 12-14, 60325 Frankfurt am Main, Germany, reachable at contact@westbridge-advisory.com.
Our data protection officer can be contacted at datenschutz@westbridge-advisory.com.
This data protection declaration applies to the processing of personal data where reference is made to this declaration in the respective context.
1.2 Rights of data subjects
Data subjects have, insofar as they fulfill the legal requirements, the following rights:
- Right of access in accordance with Art. 15 GDPR
- Right to rectification of incorrect data in accordance with Art. 16 GDPR
- Right to erasure of their data in accordance with Art. 17 GDPR
- Right to restriction of processing in accordance with Art. 18 GDPR
- Right to object to certain processing in accordance with Art. 21 GDPR
- Right to withdraw consent granted in accordance with Art. 7(3) GDPR
- Right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR
1.3 To whom do we pass on personal data?
1.3.1 Processors (Art. 28 GDPR)
For certain technical and organizational tasks, we use service providers who process personal data on our behalf. These so-called processors are contractually obliged to process data exclusively in accordance with the documented instructions, to take appropriate security measures and not to pass on any data to unauthorized third parties. Examples of this are hosting service providers, IT support or providers of form and communication services.
1.3.2 Affiliates
If data is passed on to a company within our affiliated group of companies, this is done only where necessary to achieve the respective purpose, for example to process an inquiry from interested parties.
The following companies belong to the Westbridge Group:
Westbridge Advisory GmbH
Barckhausstraße 12-14
60325 Frankfurt am Main
T +49 (0) 69 9897286 50
E contact@westbridge-advisory.com
Westbridge Advisory International AG
Bahnhofstraße 10
8001 Zürich
T +49 (0) 69 9897286 50
E contact@westbridge-advisory.com
Westbridge Energy GmbH
Barckhausstraße 12-14
60325 Frankfurt am Main
T +49 (0) 69 9897286 50
E contact@westbridge-advisory.com
agradblue GmbH
Poststraße 9a
20354 Hamburg
T +49 40 890 60060
E info@agradblue.com
Quantrefy GmbH
Barckhausstraße 12-14
60325 Frankfurt am Main
T +49 (0) 69 9897286 50
E contact@westbridge-advisory.com
Magnolia Consulting GmbH
Barckhausstraße 12-14
60325 Frankfurt am Main
T +49 (0) 69 9897286 50
E contact@westbridge-advisory.com
The controller responsible for data processing in the context of communication processes is the company with which you have contact or a contract. Sections 3-6 of this privacy policy apply accordingly to this company.
1.3.3 Sharing with third parties (e.g. authorities, courts)
In certain cases, disclosure to third parties may be necessary, for example
• if this is necessary for the performance of contractual measures or is in our legitimate interest,
• for the fulfillment of legal obligations,
• in the context of administrative or court proceedings,
• in response to requests from other supervisory authorities or public bodies.
Recipients may also be bodies against which a request or complaint is directed.
1.3.4 Data transfer to third countries (outside the EU/EEA)
If personal data is transferred to bodies in so-called third countries, this only takes place in compliance with the requirements of Art. 44 et seq. GDPR. As a rule, EU standard contractual clauses are used for this or there is an adequacy decision by the European Commission. In exceptional cases, data may also be transferred on the basis of explicit consent.
1.4 Storage periods
We store personal data in accordance with the statutory provisions or your consent. We store the personal data until the purposes for which it was collected cease to apply (e.g. upon termination of a contractual relationship or through the last activity if there is no continuing obligation, or in the event of revocation of your consent for the specific data processing).
Data will only be stored beyond this if
- there are statutory retention obligations (e.g. according to AO and HGB);
- the data is still required to assert and exercise legal claims or to defend against legal claims, e.g. due to technological and forensic requirements to defend against attacks on our web servers and their prosecution;
- erasure would conflict with the legitimate interests of the data subjects; or
- another exception pursuant to Art. 17(3) GDPR applies.
1.5 Processing of declarations of consent
If the processing of personal data is based on consent (Art. 6(1)(a) GDPR), this consent is documented and stored. Consent is generally valid for a period of two years, unless it is revoked beforehand.
In order to fulfill the accountability obligation pursuant to Art. 5(2) GDPR, consent is also stored for a period of up to three additional years. This serves to prove that the processing was lawful. After this period has expired, the consent will be deleted, provided there are no other statutory retention obligations.
2 Website
2.1 Provision of the website
When this website is accessed, certain technical information is automatically processed in order to provide the website and ensure stable and secure operation. This includes, for example, IP address, date and time of access, browser type, operating system and pages accessed. This data is stored by the web server in log files. The data is processed on the basis of legitimate interests in accordance with Art. 6(1)(f) GDPR, in particular to ensure functionality, to analyze errors and to defend against attacks. The stored information is kept for a period of 30 days and then deleted, provided that there are no legal retention obligations to the contrary or longer storage is necessary to clarify security-relevant incidents. We use one or more hosting providers to make this website available.
2.2 Cookies & Co
Our website stores information in the terminal equipment of visitors (e.g. through cookies) or accesses information that is already stored there (e.g. IP addresses). Which information is affected in detail can be found in the following sections of this privacy policy.
This storage and access takes place on the basis of the following legal provisions:
- Absolutely necessary processes: Insofar as storage or access is absolutely necessary to provide an expressly requested telemedia service - for example to use a chatbot or to ensure IT security - processing is carried out in accordance with Section 25(2)(2) of the Telecommunications Digital Services Data Protection Act (TDDDG).
- Processes requiring consent: In all other cases, data is only stored or accessed with the consent of the data subject in accordance with Section 25(1) TDDDG.
The subsequent processing of the data collected in this way is governed by the provisions of the GDPR, as explained in more detail in the following sections.
Information on the cookies and similar technologies used can be found in the cookie banner.
2.3 Contact form
Information on data processing in connection with the contact form can be found in section 3.
3 Contact requests
When contacting us by email, telephone, post or via a contact form, the personal data transmitted will be processed in order to process and respond to the inquiry. Depending on the communication channel, this may include in particular the name, contact details, content of the message and technical metadata (e.g. IP address, time of the request).
The processing is carried out to carry out pre-contractual measures or to fulfill a contract in accordance with Art. 6(1)(b) GDPR or on the basis of a legitimate interest in accordance with Art. 6(1)(f) GDPR, for example for the efficient processing of inquiries and the maintenance of customer relationships.
For the provision and technical processing of contact inquiries, we use service providers as part of processing by processors in accordance with Art. 28 GDPR. These service providers are contractually obliged to comply with the applicable data protection regulations and to process the transmitted data exclusively in accordance with our instructions.
The data will only be stored for as long as is necessary to process the request and will then be deleted, provided that there are no legal obligations to retain it. Business communications are generally subject to a retention period of six years in accordance with applicable commercial and tax law.
4 Communication
We process personal data in the context of business communication, in particular to conduct video conferences, online meetings, for coordination via chat or calendar function and in the context of e-mail communication.
Processing is carried out for the initiation and execution of contractual relationships in accordance with Art. 6(1)(b) GDPR or on the basis of legitimate interests in accordance with Art. 6(1)(f) GDPR, for example for efficient communication and cooperation with business partners, customers and interested parties.
We use service providers as processors in accordance with Art. 28 GDPR for the provision and technical processing of digital communication services. They are contractually obliged to comply with data protection regulations and to process the data exclusively in accordance with our instructions.
Personal data will only be stored for as long as necessary to fulfill the respective purpose. If there are legal retention obligations, the storage period will be based on these requirements. Business communications are generally subject to a retention period of six years in accordance with applicable commercial and tax law provisions.
5 Job applications
More information about handling of job applications is available at https://westbridge-group.jobs.personio.de/privacy-policy?language=en.
7 Social Media
We operate publicly accessible profiles on social media platforms. The operators of these platforms regularly process personal data for advertising purposes or to analyze user behavior. This may involve the processing of data outside the European Union, which can pose risks for data subjects—such as difficulties in enforcing rights or access by government authorities.
When communicating via our social media profiles (e.g., through comments, messages, or reactions), we process the personal data provided in order to respond to inquiries or engage in communication. The legal basis for this processing is generally Art. 6(1)(f) GDPR (legitimate interest). If the communication is aimed at entering into or fulfilling a contract (e.g., inquiries about our services or job applications), the processing is based on Art. 6(1)(b) GDPR.
We do not have full control over the data processing carried out by the respective platform operators. Further information on how these platforms process personal data, as well as on data subject rights and privacy settings, can be found in the privacy policies of the respective providers. Details on individual providers are provided below.
7.1 LinkedIn
We operate a page on LinkedIn, a social network provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, D02 FX04, Ireland.
In the context of this presence, there is a joint controllership pursuant to Art. 26 GDPR with the platform operator LinkedIn.
The corresponding agreement is available at: https://legal.linkedin.com/pages-joint-controller-addendum.
LinkedIn provides additional information on joint controllership, particularly regarding the roles and responsibilities of the parties involved, at: https://www.linkedin.com/help/linkedin/answer/a1338708?.
Apart from this, LinkedIn is solely responsible for data processing on the platform. LinkedIn’s privacy policy is available here: https://linkedin.com/legal/privacy-policy.