Skip to main content
  • Data protection policy

We at Paycy-one GmbH take the protection of your personal data seriously and would like to inform you about the collection, processing and use of your data.

Below we provide you with an overview of the type, scope, purpose, duration and legal basis of the processing of your data by us (see Article 13 and 14 GDPR).

1. General information

This part is always relevant for you.

2. Visiting websites

This part is relevant for you if you use our internet offer.

3. Business customers and partners

This part is relevant for you if you want to work with us as a customer, service provider, supplier or similar partner, are already in an ongoing business relationship with us or have been in the past.

1 General information

  • 1.1 Controller

    Paycy-one GmbH, Moorfuhrtweg 13, 22301 Hamburg
    Phone: +49 40 227433-0
    Fax: +49 40 227433-1333
    E-Mail: sales(at)

    If you have any further questions regarding the processing of your personal data, please contact us directly at sales(at)

  • 1.2 Processing purposes and legal basis

    In principle, any processing of personal data is prohibited by law and only permitted if the data processing falls under one of the following justifications:

  • Article 6 para. 1 sent. 1 lit. (a) GDPR ("consent"): if the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other unambiguous affirmative act that they consent to the processing of personal data relating to them for one or more specific purposes

  • Article 6 para. 1 sent. 1 lit. (b) GDPR: if processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Article 6 para. 1 sent. 1 lit. (c) GDPR: is necessary for compliance with a legal obligation to which the controller is subject (e.g. a legal obligation to keep records)
  • Article 6 para. 1 sent. 1 lit. (d) GDPR: if processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • Article 6 para. 1 sent. 1 lit. (e) GDPR: if processing for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 6 para. 1 sent. 1 lit. (f) GDPR ("legitimate interests"): if processing is necessary for the purposes of the legitimate (especially legal or commercial) interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (in particular where the data subject is a child)

For the processing operations carried out by us, we indicate below the applicable legal basis in each case. Processing may also be based on several legal bases.

1.3 Terms

  • "Processor" (Article 4 (8) GDPR) is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, in particular in accordance with the controller's instructions (e.g. IT service provider). In particular, a processor is not a third party in the sense of data protection law.

  • "Third party" (Article 4 (10) GDPR) means any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data; this also includes other group-affiliated legal persons.

  • "Consent" (Article 4 (11) GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them.

  • "Personal data" (Article 4 (1) GDPR) is any information relating to an identified or identifiable natural person ("subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The identifiability can also be given by means of a linkage of such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photos, video or audio recordings can also contain personal data).

  • "Controller" (Article 4 (7) GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

  • "Processing" (Article 4 (2) GDPR) means any operation which is performed on personal data, whether or not by automated (i.e. technology-based) means. This includes, in particular, the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, as well as the alteration of a purpose or intended purpose on which a data processing operation was originally based.

1.4 Contact

If you contact us, the information of the inquiring persons is processed. As a matter of course, we will use the personal data transmitted to us in this way exclusively for the purpose you provide it for when contacting us.

The answering of contact requests in the context of contractual or pre-contractual relationships is carried out to fulfil our contractual obligations or to answer (pre-)contractual requests (Article 6 para. 1 sent. 1 lit. (b) GDPR) and otherwise on the basis of legitimate interest in answering the requests (Article 6 para. 1 sent. 1 lit. (f) GDPR).

1.5 Data deletion and storage period

For the processing operations we carry out, we indicate below in each case how long the data will be stored by us and when it will be deleted or blocked. Unless an explicit storage period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage no longer applies. Your data will only be stored on our servers in Germany and within the European Union, subject to any transfer in accordance with the regulations of the individual tools. However, storage may take place beyond the specified time in the event of a (threatened) legal dispute with you or other legal proceedings or if storage is stipulated by legal regulations to which we are subject as the responsible party. If the storage period prescribed by legal regulations expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.

1.6 Data security

We protect your data using technological and organisational security measures to prevent accidental or wilful manipulation, loss, destruction or access by unauthorised persons. Our security measures, such as data encryption, are regularly enhanced in accordance with the newest technological developments.

1.7 Cooperation with order processors

We use external domestic and foreign service providers to process our business transactions (e.g. for IT, logistics, telecommunications, sales and marketing). They will only act on our instructions and have been contractually obliged to comply with the data protection provisions in accordance with Article 28 GDPR.

If personal data from you is passed on by us to our affiliated companies or is passed on to us by our subsidiaries (e.g. for advertising purposes), this is done on the basis of existing order processing relationships.

1.8 Your rights

Right to access information

In terms of Article 15 the GDPR, you always have the right receive information about the origin, recipient, purpose and duration of data processing of the data retained by us in respect of you. You can submit a request by post or e-mail to the addresses provided above.

Right to request the rectification of inaccurate data

You have the right to demand the rectification of your personal data without undue delay if it is inaccurate (Article 16 of the GDPR). In this regard, please contact us via the contact addresses above.

Right to erasure

You have a right to the erasure (“right to be forgotten”) of your personal data without undue delay if one of the legal grounds in terms of Article 17 of the GDPR applies. Such grounds are, for example, if the personal data is no longer necessary for the purposes for which is was originally processed, if you have withdrawn your consent and there is no other legal basis for the processing, if you object to the processing and there are no overriding reasons for processing.

In order to assert your right to erasure, please contact us via the contact addresses provided above.

Right to data portability

You have the right to data portability in terms of Article 20 of the GDPR. You have the right to receive the data concerning you, which you provided us with, in a conventional, structured and machine-readable format and to have this data transferred to another controller, such as another service provider. This is subject to the conditions that the processing is based on consent or on a contract and can be carried out using automated procedures. In order to assert your above-mentioned right, please make contact us via the contact addresses provided above.

Right to the restriction of processing

You have the right to restrict processing if one of the conditions applies in accordance with the provisions of Article 18 of the GDPR. Thereafter, the restriction of processing may be required, in particular, if the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of the use of the personal data instead or if the data subject objects to the processing pursuant to Article 21 para. 1 GDPR pending verification of whether our legitimate grounds override your rights. In order to assert your above-mentioned right, please make contact us via the contact addresses provided above.

Right to object

You have the right to object, at any time, in terms of Article 21 GDPR on grounds relating to your particular situation to the processing of your personal data which is based, i.a., on Article 6 para. 1 lit. (e) or (f) GDPR. In which event, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the purpose of asserting, pursuing or defending a legal claim. In order to assert your above-mentioned right, please make contact us via the contact addresses provided above.

Right to lodge a complaint

You have the right to lodge a complaint in terms of Article 77 GDPR with the competent supervisory authority if you are of the opinion that the processing of your personal data is unlawful:

Free and Hanseatic City of Hamburg

The Hamburg Commissioner for Data Protection and Freedom of Information

2. Visiting websites

2.1 Information on the collection of personal data

When you visit our websites, our web servers automatically save the following data:

  • Information about the browser type and version used
  • The operating system of the user
  • The Internet service provider of the user
  • The IP address of the user
  • Date and time of when the site was accessed
  • External websites from which the system of the user with accesses our website
  • External websites accessed by the system of the user from our website

 2.2 Purpose and legal basis of data processing

The data is saved to ensure the functionality of the website. The data is also used to optimise the website and to safeguard the security of our IT systems. We also process this data to detect and track misuse. In this regard, the legal basis is Article 6, subparagraph 1, point (f) of the General Data Protection Regulation (GDPR). Our legitimate interest in processing the data is to ensure that our website functions properly and to safeguard the transactions processed by means thereof.

Your personal data will however be processed if you provide it to us, for example, in the context of a request or placing an order for information or registering for a newsletter. This is based on the provisions of Article 6 para. 1 lit. (a) GDPR.

2.3 Duration of data processing

The data is stored in the log files of our servers for seven days and then deleted automatically.

In this regard, the data is not evaluated for marketing purposes.

2.4 Automated data collection on our websites

2.4.1 Cookies

We use cookies on our websites. Cookies are small text files that are assigned to the browser you are using and stored on your hard disk by means of a specific string of characters, and through which the body that sets the cookie receives certain information. Cookies cannot run programs or transmit viruses to your computer and therefore cannot cause any damage. They serve to make the Internet offer as a whole more user-friendly and effective, i.e. more pleasant for you. Cookies may contain data that makes it possible to recognise the device used. In some cases, however, cookies only contain information on certain settings that cannot be related to a specific person. However, cookies cannot directly identify a user. A distinction is made between session cookies, which are deleted again as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. With regard to their function, a distinction is made between cookies:

  • Technical cookies: these cookies are mandatory to move around the website, use basic functions and ensure the security of the website; they do not collect information about you for marketing purposes nor do they store which websites you have visited.

  • Performance cookies: these cookies collect information about how you use our website, which pages you visit and, for example, whether errors occur during website use; they do not collect information that could identify you – all information collected is anonymous and is only used to improve our website and find out what interests our users.

  • Advertising cookies, targeting cookies: these cookies are used to offer the website user tailored advertising on the website or offers from third parties and to measure the effectiveness of these offers. Advertising and targeting cookies are stored for a maximum of 13 months.

  • Sharing cookies: these cookies are used to improve the interactivity of our website with other services (e.g. social networks). Sharing cookies are stored for a maximum of 13 months.

Any use of cookies that is not absolutely technically necessary constitutes data processing that is only permitted with your express and active consent pursuant to Article 6 para. 1 sent. 1 lit. (a) GDPR. This applies in particular to the use of advertising, targeting or sharing cookies. Furthermore, we will only pass on your personal data processed by cookies to third parties if you have given your express consent to do so in accordance with Article 6 para. 1 sent. 1 lit. (a) GDPR.

2.5 Tools used on the website

The website uses the consent management service Usercentrics from Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany (Usercentrics).

This enables us to obtain and manage the consent of website users for data processing. The processing is necessary to fulfill a legal obligation to which we are subject (Art. 6 para. 1 sentence 1 lit. c GDPR). The following data is processed for this purpose

  • Date and time of access
  • Browser information
  • Device information
  • Geographical location
  • Cookie preferences
  • URL of the page visited

The functionality of the website cannot be guaranteed without this processing.

Usercentrics is the recipient of your personal data and acts as a processor for Paycy-one GmbH.

The processing takes place in the European Union. Further information on objection and removal options vis-à-vis Usercentrics can be found at:


We use YouTube on our website. This is a video portal of YouTube LLC, 901 Cherry Ave, 94066 San Bruno, CA, USA, hereinafter referred to as "YouTube".

YouTube is a subsidiary of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, hereinafter referred to as "Google".

We use YouTube in connection with the Privacy Enhanced Mode function to show you videos. This is based on the provisions of Article 6 para. 1 lit. (f) GDPR. Our legitimate interest lies in improving the quality of our website. According to YouTube, the Privacy Enhanced Mode function ensures that the data described in more detail below is only transmitted to the YouTube server when you actually start a video. Without this Privacy Enhanced Mode, a connection to the YouTube server in the USA is established as soon as you call up one of our Internet pages on which a YouTube video is embedded.

This connection is necessary in order to be able to display the respective video on our website via your Internet browser. In the course of this, YouTube will at least record and process your IP address, the date and time and the website you visited. In addition, a connection is established to Google's advertising network Google Marketing Platform.

If you are logged into YouTube at the same time, YouTube will assign the connection information to your YouTube account. If you wish to prevent this, you must either log out of YouTube before visiting our website or make the appropriate settings in your YouTube user account.

For the purpose of functionality and to analyse user behaviour, YouTube permanently stores cookies on your end device via your Internet browser. If you do not agree to this processing, you have the option of preventing the storage of cookies by means of a setting in your Internet browser.

Google provides further information on the collection and use of data as well as your rights and protection options in this regard at the following URL:

3. Business customers and partners

If you or your organisation have a business relationship with us (in particular customers, prospective customers, partners, service providers and suppliers), we retain the relevant data about you. We would like to inform you about this in addition.

The respective data processed especially includes the contact data, such as your name, company, position, address, telephone number, e-mail address, as well as information about the respective business relationship, such as the contractual relationship and its processing (current and completed orders, invoices, payments).

Your data is processed for different purposes and is based on different legal grounds. Insofar as the processing of your personal data is necessary for the initiation or implementation of a contractual relationship or in the context of the implementation of pre-contractual measures, processing is lawful pursuant to Article 6 para. 1 lit. (b) GDPR. The processing includes in particular the communication for the planning, implementation, administration and billing of the contractually defined services. If necessary and required by law, we process your data beyond the actual contractual purposes for the fulfilment of legal obligations pursuant to Article 6 para. 1 lit. (c) GDPR, e.g. for the fulfilment of retention obligations pursuant to the Commercial Code and the Fiscal Code of Germany.

If you give us your express consent to process personal data for specific purposes (e.g. transfer to third parties, evaluation for marketing purposes or advertising), this processing is lawful on the basis of your consent pursuant to Article 6 para. 1 lit. (a) GDPR. Consent that was given can be revoked any time with effect for the future.

In addition, processing may be carried out to protect the legitimate interests of us or third parties in accordance with Article 6 para. 1 lit. (f) GDPR. If necessary, we will inform you separately, stating the legitimate interest, insofar as this is required by law.

Your data will only be stored in our systems for as long as this is permissible under applicable law, in particular as long as this is necessary for the performance of the contract in connection with the applicable retention obligations. Furthermore, we will delete your data if you request this or revoke your consent to processing. In these cases, we will check whether the data can be deleted or only a restriction of processing can be made due to legal requirements.

We only pass on your personal data within our company to those areas and persons who need this data to fulfil contractual and legal obligations or to implement our legitimate interest.

Paycy-one GmbH will only transfer data relating to the use of the services to third parties in accordance with the applicable statutory provisions if there is a legal obligation to do so (such as disclosures to public authorities) or if this is necessary for the enforcement of our rights (such as claims arising from a contractual relationship).

In addition, we will only disclose data to external service providers in such instances where this is necessary for the provision of products and services and a contractual agreement has been concluded. These instruction-bound service providers or processors will only use the data in terms of a contract for the purpose of performing their obligations.

Under no circumstances will the collected data be sold. Our employees are obliged to maintain and safeguard the confidentiality of the personal data provided to us.

As a matter of principle, there is no regular transfer of personal data to a third country (states outside the European Union or the European Economic Area) or an international organisation. In cases where we communicate with you via Microsoft Teams, data transfer to the USA is not excluded. In that case, the transfer is covered by the conclusion of standard data protection clauses as well as by supplementary safeguards.

Furthermore, there may be cases in which a transfer is necessary for the fulfilment of the contract or – at your request – for the implementation of pre-contractual measures, the transfer is required by law or you have given us your consent.

Status and amendment of the data protection policy

Please note that we update this data protection policy from time to time so that it always complies with the most recent legal requirements and covers all our content. The latest version applies subject to the following update notice.

Your statutory rights to information, rectification, restriction, erasure and to raise an objection shall remain unaffected by any such amendment.

Last update: 20/04/2023