Our Principles
We collect as little personal data as we reasonably can. Where we must collect it, we prefer to keep it on infrastructure we control, within the European Union, and to delete it on a schedule rather than on request.
Every processing activity in this document is reducible to one of four bases: a contract with you, a legal obligation on us, a legitimate interest we can articulate, or your explicit consent.
The Controller
The data controller for the purposes of Art. 4(7) GDPR is:
- Controller
- Task Venture Capital GmbH
- Address
- Eickedorfer Vorweide 24, 28879 Grasberg, DE
- [email protected]
- Phone
- +49 4208 893989 0
A Data Protection Officer is not formally required under § 38 BDSG given the scale of processing, but all privacy correspondence is reviewed by the managing director personally.
What We Process
Categorised broadly, and mapped to the legal basis on which we rely:
| Category | Examples | Basis | Retention |
|---|---|---|---|
| Contact | Name, email, message body | Art. 6(1)(b) / (f) | 24 months |
| Contractual | Billing address, invoices, tax ID | Art. 6(1)(b) | 10 years (§ 147 AO) |
| Server logs | IP address, user-agent, URL, timestamp | Art. 6(1)(f) | Security retention window |
| Analytics | Anonymous or aggregated page counts | Consent or legitimate interest | As configured per service |
| Recruiting | Applications voluntarily sent | Art. 6(1)(b) pre-contract | 6 months post decline |
Words We Use
Defined terms appear throughout this document with their statutory meanings. The most relevant:
- Personal data
- Any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR.
- Processing
- Any operation performed on personal data, from collection through deletion, as defined in Art. 4(2) GDPR.
- Controller
- The party that decides why and how personal data is processed. That is us.
- Processor
- A party acting on the controller's documented instructions. Our processor obligations are described in the DPA.
Your Rights
The GDPR grants you distinct rights with respect to your personal data. We honour each without charge and without interrogation.
- Access. A copy of what we hold, in a legible format.
- Rectification. Correction of inaccurate or incomplete data.
- Erasure. Deletion, subject to statutory retention.
- Restriction. A pause on processing pending resolution of a dispute.
- Portability. A structured export you can hand to another controller.
- Objection. A veto over processing based on legitimate interests.
- Withdrawal. Revocation of consent at any time, without effect on prior processing.
- Complaint. A right to lodge complaints with the competent supervisory authority.
To exercise any right, email [email protected]. We respond within one month.
Transfers Outside the EU
Our default posture is to keep data within the EU. Where a processor operates outside the EU, we rely on lawful transfer mechanisms such as the Standard Contractual Clauses combined with supplementary technical measures.
The current list of sub-processors and their jurisdictions appears in the Data Processing Addendum.
Security
We implement appropriate technical and organisational measures in the sense of Art. 32 GDPR. In practice:
- Transport encryption on public endpoints.
- Access controls and named owners for operational datasets.
- Regular access reviews and prompt off-boarding.
- Encrypted backups where persistent storage is involved.
If we become aware of a personal data breach meeting the threshold of Art. 33 GDPR, we notify the supervisory authority without undue delay and, where required, affected data subjects directly.