1 General information

The controller for the processing of personal data is: Westbridge Advisory GmbH, Barckhausstr. 12-14, 60325 Frankfurt am Main, Germany, reachable at contact@westbridge-advisory.com.
Our data protection officer can be contacted at datenschutz@westbridge-advisory.com.
This data protection declaration applies to the processing of personal data where reference is made to this declaration in the respective context.

Data subjects have, insofar as they fulfill the legal requirements,

• Right on access in accordance with Art. 15 GDPR
• Right to rectification of incorrect data in accordance with Art. 16 GDPR
• Right to erasure of their data in accordance with Art. 17 GDPR
• Right to restriction of processing in accordance with Art. 18 GDPR
• Right to object to certain processing in accordance with Art. 21 GDPR
• Right to withdraw consent granted in accordance with Art. 7(3) GDPR
• Right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR

1.3.1 Processors (Art. 28 GDPR)

For certain technical and organizational tasks, we use service providers who process personal data on our behalf. These so-called processors are contractually obliged to process data exclusively in accordance with the documented instructions, to take appropriate security measures and not to pass on any data to unauthorized third parties. Examples of this are hosting service providers, IT support or providers of form and communication services.

1.3.2 Affiliates

Sofern eine Weitergabe an ein Unternehmen innerhalb unserer verbundenen Unternehmensgruppe erfolgt, geschieht dies ausschließlich, wenn dies zur Erreichung des jeweiligen Zwecks erforderlich ist – etwa zur Bearbeitung einer Anfrage von Interessierten.
Die folgenden Gesellschaften gehören zur Westbridge Gruppe:

Westbridge Advisory GmbH
Barckhausstraße 12-14
60325 Frankfurt am Main
T +49 (0) 69 9897286 50
E contact@westbridge-advisory.com

Westbridge Advisory International AG
Bahnhofstraße 10
8001 Zürich
T +49 (0) 69 9897286 50
E contact@westbridge-advisory.com

Westbridge Energy GmbH
Barckhausstraße 12-14
60325 Frankfurt am Main
T +49 (0) 69 9897286 50
E contact@westbridge-advisory.com

agradblue GmbH
Poststraße 9a
20354 Hamburg
T +49 40 890 60060
E info@agradblue.com

Quantrefy GmbH
Barckhausstraße 12-14
60325 Frankfurt am Main
T +49 (0) 69 9897286 50
E contact@westbridge-advisory.com

Magnolia Consulting GmbH
Barckhausstraße 12-14
60325 Frankfurt am Main
T +49 (0) 69 9897286 50
E contact@westbridge-advisory.com

The controller responsible for data processing in the context of communication processes is the company with which you have contact or a contract. Sections 3-6 of this privacy policy apply accordingly to this company.

1.3.3 Sharing with third parties (e.g. authorities, courts)

In certain cases, disclosure to third parties may be necessary, for example
• if this is necessary for the performance of contractual measures or is in our legitimate interest,
• for the fulfillment of legal obligations,
• in the context of administrative or court proceedings,
• in response to requests from other supervisory authorities or public bodies.
Recipients may also be bodies against which a request or complaint is directed.

1.3.4 Data transfer to third countries (outside the EU/EEA)

If personal data is transferred to bodies in so-called third countries, this only takes place in compliance with the requirements of Art. 44 et seq. GDPR. As a rule, EU standard contractual clauses are used for this or there is an adequacy decision by the European Commission. In exceptional cases, data may also be transferred on the basis of explicit consent.

1.4 Storage periods

We store personal data in accordance with the statutory provisions or your consent. We store the personal data until the purposes for which it was collected cease to apply (e.g. upon termination of a contractual relationship or through the last activity if there is no continuing obligation, or in the event of revocation of your consent for the specific data processing).

Data will only be stored beyond this if

• there are statutory retention obligations (e.g. according to AO and HGB);
• the data is still required to assert and exercise legal claims or to defend against legal claims, e.g. due to technological and forensic requirements to defend against attacks on our web servers and their prosecution;
• erasure would conflict with the legitimate interests of the data subjects; or
• another exception pursuant to Art. 17(3) GDPR applies.

1.5 Processing of declarations of consent

If the processing of personal data is based on consent (Art. 6(1)(a) GDPR), this consent is documented and stored. Consent is generally valid for a period of two years, unless it is revoked beforehand.
In order to fulfill the accountability obligation pursuant to Art. 5(2) GDPR, consent is also stored for a period of up to three additional years. This serves to prove that the processing was lawful. After this period has expired, the consent will be deleted, provided there are no other statutory retention obligations.

When this website is accessed, certain technical information is automatically processed in order to provide the website and ensure stable and secure operation. This includes, for example, IP address, date and time of access, browser type, operating system and pages accessed. This data is stored by the web server in log files. is processed on the basis of legitimate interests in accordance with Art. 6(1)(f) GDPR, in particular to ensure functionality, to analyze errors and to defend against attacks. The stored information is kept for a period of 30 days and then deleted, provided that there are no legal retention obligations to the contrary or longer storage is necessary to clarify security-relevant incidents. We use one or more hosting providers to make this website available.

Our website stores information in the terminal equipment of visitors (e.g. through cookies) or accesses information that is already stored there (e.g. IP addresses). Which information is affected in detail can be found in the following sections of this privacy policy.

This storage and access takes place on the basis of the following legal provisions:

• Absolutely necessary processes: Insofar as storage or access is absolutely necessary to provide an expressly requested telemedia service - for example to use a chatbot or to ensure IT security - processing is carried out in accordance with Section 25(2)(2) of the Telecommunications Digital Services Data Protection Act (TDDDG).
• Processes requiring consent: In all other cases, data is only stored or accessed with the consent of the data subject in accordance with Section 25(1) TDDDG.
  The subsequent processing of the data collected in this way is governed by the provisions of the GDPR, as explained in more detail in the following sections.

Information on the cookies and similar technologies used can be found in the cookie banner.

Information on data processing in connection with the contact form can be found in section 3.

When contacting us by email, telephone, post or via a contact form, the personal data transmitted will be processed in order to process and respond to the inquiry. Depending on the communication channel, this may include in particular the name, contact details, content of the message and technical metadata (e.g. IP address, time of the request).

The processing is carried out to carry out pre-contractual measures or to fulfill a contract in accordance with Art. 6(1)(b) GDPR or on the basis of a legitimate interest in accordance with Art. 6(1)(f) GDPR, for example for the efficient processing of inquiries and the maintenance of customer relationships.
For the provision and technical processing of contact inquiries, we use service providers as part of processing by processors in accordance with Art. 28 GDPR. These service providers are contractually obliged to comply with the applicable data protection regulations and to process the transmitted data exclusively in accordance with our instructions.

The data will only be stored for as long as is necessary to process the request and will then be deleted, provided that there are no legal obligations to retain it. Business communications are generally subject to a retention period of six years in accordance with applicable commercial and tax law.

We process personal data in the context of business communication, in particular to conduct video conferences, online meetings, for coordination via chat or calendar function and in the context of e-mail communication.
Processing is carried out for the initiation and execution of contractual relationships in accordance with Art. 6(1)(b) GDPR or on the basis of legitimate interests in accordance with Art. 6(1)(f) GDPR, for example for efficient communication and cooperation with business partners, customers and interested parties.

We use service providers as processors in accordance with Art. 28 GDPR for the provision and technical processing of digital communication services. They are contractually obliged to comply with data protection regulations and to process the data exclusively in accordance with our instructions.

Personal data will only be stored for as long as necessary to fulfill the respective purpose. If there are legal retention obligations, the storage period will be based on these requirements. Business communications are generally subject to a retention period of six years in accordance with applicable commercial and tax law provisions.

More information about handling of job applications is available at https://westbridge-group.jobs.personio.de/privacy-policy?language=en.

We operate publicly accessible profiles on social media platforms. The operators of these platforms regularly process personal data for advertising purposes or to analyze user behavior. This may involve the processing of data outside the European Union, which can pose risks for data subjects—such as difficulties in enforcing rights or access by government authorities.

When communicating via our social media profiles (e.g., through comments, messages, or reactions), we process the personal data provided in order to respond to inquiries or engage in communication. The legal basis for this processing is generally Art. 6(1)(f) GDPR (legitimate interest). If the communication is aimed at entering into or fulfilling a contract (e.g., inquiries about our services or job applications), the processing is based on Art. 6(1)(b) GDPR.
We do not have full control over the data processing carried out by the respective platform operators. Further information on how these platforms process personal data, as well as on data subject rights and privacy settings, can be found in the privacy policies of the respective providers. Details on individual providers are provided below.

7.1 LinkedIn

We operate a page on LinkedIn, a social network provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, D02 FX04, Ireland.
In the context of this presence, there is a joint controllership pursuant to Art. 26 GDPR with the platform operator LinkedIn.

The corresponding agreement is available at: https://legal.linkedin.com/pages-joint-controller-addendum.
LinkedIn provides additional information on joint controllership, particularly regarding the roles and responsibilities of the parties involved, at: https://www.linkedin.com/help/linkedin/answer/a1338708?.
Apart from this, LinkedIn is solely responsible for data processing on the platform. LinkedIn’s privacy policy is available here: https://linkedin.com/legal/privacy-policy.