Privacy policy

Information requirements according to Art. 13 GDPR

The protection of your personal data is of particular concern to us. We therefore want to inform you comprehensively, in the sense of Art. 13 of the European Data Protection Regulation (EU GDPR), about the processing of your data in our company and about the data protection claims and rights to which you are entitled.

1. Data controller

Bürklin GmbH & Co. KG
Grünwalder Weg 30
D-82041 Oberhaching
Phone: +49 89 55875-0
Email: [email protected]

2. Data Protection Officer

You can contact our external data protection officer at:

Projekt 29 GmbH & Co. KG
Ostengasse 14
D-93047 Regensburg
Phone: +49 941 298693-0
Email: [email protected]
Website: www.projekt29.de

3. What personal data do we process?

We process data that we have received in the context of contract initiation, contract fulfilment, on the basis of consent, or within the framework of your business relationship with us. When you use one of our services, we generally only collect the data necessary to provide the respective service.

3.1 Categories of personal data

Data subjects and the data processed:

  • Customers: First name and surname, address, email address, telephone number, bank details, order history, IP address
  • Job applicants: First name and surname, address, email address, telephone number, date of birth, data from CVs and references, photographs (see also the separate privacy policy for applicants at Personio)
  • Business partners: Company name, company registration number, VAT number, address, contact details of contact person, bank details
  • Trade fair visitors: First name and surname, address, email address, telephone number, image data (photos)
  • Visitors (companies): Name and signature, video recordings (CCTV)
  • Journalists: First name and surname, email address
  • Competition entrants: First name and surname, address, email address
  • Website visitors: IP address, browser type, operating system, time of access, referrer URL, pages visited

3.2 Other data processed

  • Contract data, order data, sales and document data, customer and supplier history
  • Advertising and sales data
  • Electronic communication data (e.g. IP address, login details)
  • Data from customer conversations and business relationships
  • Analytical data from customer needs and customer potential analyses
  • Documentation of declarations of consent (e.g. newsletter consent)
  • Photographs taken at events

5. Recipients of your data

Where we engage service providers in the context of data processing on our behalf, we remain responsible for the protection of your data. All data processors are contractually obliged to treat your data confidentially and to process it exclusively for the purpose of providing the service.

Recipients of your data may include, in particular:

  • IT service providers (hosting, maintenance, security)
  • Email and marketing service providers (Brevo, Inxmail, HubSpot, Qualtrics)
  • Payment service providers (Payone, Concardis)
  • Delivery service providers (UPS, Dachser)
  • Analytics and tracking services (Google, PiwikPro, Jentis, Microsoft)
  • EDI service providers (e.g. MyOpenFactory)
  • Credit reference agencies (Creditreform)
  • Public authorities and courts (where required by law)
  • Banks, insurance companies and external auditors

6. Retention period

We generally store your data until the business relationship ends or until the applicable statutory retention periods expire (e.g. under the German Commercial Code or the German Fiscal Code: usually 6 or 10 years). In addition, we store data until the conclusion of any legal disputes in which the data is required as evidence.

7. Data transfer to third countries

Some of the services we use are based outside the European Union (in particular the USA). Data is only transferred on the basis of an adequacy decision by the European Commission, EU standard contractual clauses, appropriate safeguards or your express consent. Where relevant, we will indicate this separately for each service.

8. Online shop and e-commerce

8.1 Intershop e-commerce platform

Our online shop is based on the Intershop e-commerce solution. As part of the enquiry or ordering process, your order and customer data (name, address, email, payment details) are processed on the Intershop platform. Credit card details are tokenised and stored anonymously. Processing is carried out for the purpose of contract performance in accordance with Article 6(1)(b) of the GDPR.

We have entered into a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the above-mentioned provider.

8.2 Registration on the website

You can register on our online shop to create a customer account. The following data is collected in the process: name, address, telephone number, email address, date of birth and, where applicable, bank details. In addition, your IP address and the date and time of registration are stored to prevent misuse. The legal basis is Article 6(1)(b) GDPR (pre-contractual measures) and Article 6(1)(f) GDPR (prevention of misuse).

8.3 Processing of orders via collection boxes

For the contactless collection of orders, we use a system provided by Pitney Bowes Deutschland GmbH, Heussstraße 25, 63263 Neu-Isenburg. In this process, your name and email address are transmitted to Pitney Bowes so that you are automatically informed when your order is ready for collection. Processing is carried out in accordance with Article 6(1)(b) of the GDPR. A data processing agreement has been concluded with Pitney Bowes in accordance with Article 28 of the GDPR. Data processing takes place on servers in Ireland (EU).

The provider’s privacy policy: pitneybowes.com/en/privacy/

9. Payment service providers

9.1 Payone

We use the payment service provider Payone GmbH, Lyoner Straße 9, 60528 Frankfurt am Main, to process credit card payments and PayPal transactions. As part of the payment process, the data required for this (name, email address, payment details, order information) is transmitted to Payone. Processing takes place for the purpose of contract fulfilment in accordance with Article 6(1)(b) of the GDPR.

The provider’s privacy policy: payone.com/datenschutz

9.2 PayPal

For payments via PayPal, you will be redirected to the website of PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. PayPal payments are processed via our payment service provider Payone. The data required for payment processing (name, email address, payment details) is transmitted to PayPal. Processing is carried out for the purpose of fulfilling the contract in accordance with Article 6(1)(b) of the GDPR.

The provider’s privacy policy: paypal.com/de/webapps/mpp/ua/privacy-full

9.3 Concardis (Nets/Nexi Group)

Until the full transition to Payone is complete, we will continue to use the payment service provider Concardis GmbH (now Nets/Nexi Group) for certain payment methods. As part of the transition, refunds and complaints can still be processed via Concardis/Nexi until June 2026. Processing is also carried out for the purpose of fulfilling the contract in accordance with Article 6(1)(b) of the GDPR.

We have entered into a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the aforementioned provider.

10. Credit checks

In cases where we provide payment in advance (e.g. purchase on account), we may, to safeguard our legitimate interests, obtain a credit report from Creditreform München Ganzmüller, Groher & Kollegen KG, Machtlfinger Straße 13, D-81379 Munich.

The report may contain probability values (score values) based on mathematical and statistical methods. The legal basis is Article 6(1)(f) of the GDPR.

11. Delivery service providers

We work with various shipping service providers to dispatch orders, in particular UPS and Dachser. We provide them with the data required for delivery (name, delivery address, email address for tracking notifications where applicable, telephone number for arranging delivery dates). Processing is carried out for the purpose of fulfilling the contract in accordance with Article 6(1)(b) of the GDPR.

12. CRM, marketing and communication

12.1 HubSpot CRM

We use HubSpot CRM from HubSpot, Inc., 25 First Street, Cambridge, MA 02141, USA, to manage customer relationships, email communication and sales processes. In doing so, contact details (name, email, company, telephone number) and interaction data are stored. Processing is carried out on the basis of our legitimate interest in efficient customer service in accordance with Article 6(1)(f) of the GDPR.

We have entered into a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the aforementioned provider.

Data transfers to the USA are based, among other things, on the EU Commission’s Standard Contractual Clauses. Furthermore, HubSpot, Inc. is certified under the Data Privacy Framework Programme and thus meets the guarantees for secure data exchange.

The provider’s privacy policy: hubspot.com/data‑privacy

12.2 Brevo (formerly Sendinblue)

We use Brevo (Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin) to send newsletters and marketing emails. During the registration process, your email address, name and IP address are stored. The service also enables us to carry out analyses (e.g. open rates, click behaviour) to optimise our newsletter. Processing is based on your consent in accordance with Article 6(1)(a) of the GDPR. The data is processed on servers in Germany. You can withdraw your consent at any time by clicking on the unsubscribe link in the newsletter.

We have entered into a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the aforementioned provider.

The provider’s privacy policy: brevo.com/de/legal/privacypolicy

12.3 Qualtrics

We use Qualtrics (Qualtrics LLC, 333 W. River Park Drive, Provo, UT 84604, USA) for surveys and market analysis. Surveys are sent out and evaluated directly via Qualtrics. In doing so, the data you provide in the survey and your email address are processed. Processing is carried out on the basis of your consent (Article 6(1)(a) GDPR) or our legitimate interest in market research (Article 6(1)(f) GDPR).

We have entered into a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the aforementioned provider.

The transfer of data to the USA is based, among other things, on the EU Commission’s Standard Contractual Clauses. Furthermore, Qualtrics LLC is certified under the Data Privacy Framework Programme and thus meets the guarantees for secure data exchange.

The provider’s privacy policy: qualtrics.com/privacy‑statement

12.4 Advertising by email (direct marketing)

We are entitled, subject to the legal requirements of Section 7(3) of the Unfair Competition Act (UWG), to use the email address you provided when concluding the contract for direct marketing of our own similar goods or services. You may object to this use at any time without incurring any costs other than the transmission costs in accordance with standard rates. Each email contains an unsubscribe link.

14. Web analytics and tracking

14.1 Jentis Server‑Side Tracking

We use Jentis (Jentis GmbH, Vienna, Austria) for server-side tracking. With server-side tracking, data is not sent directly from the user’s browser to third-party providers, but is first processed via our server (first-party context). This allows for better control over the data that is passed on. Jentis also operates its own tag manager, through which the analytics tools described below are integrated. In Essential Mode, tracking data is processed anonymously, so that no conclusions can be drawn about individual persons.

We have concluded a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the aforementioned provider.

14.2 PiwikPro

We use PiwikPro as our web analytics tool. Processing takes place either with or without cookies, integrated via Jentis server-side tracking or the Jentis Tag Manager. The legal basis is your consent (Art. 6(1)(a) GDPR). Without consent, data is collected exclusively in anonymised form in Essential Mode.

Data collected includes: web pages visited, referrer URL, duration of visit, frequency of visits and subpages. We do not sell or market this data to third parties under any circumstances.

We have entered into a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the aforementioned provider.

14.3 Google Analytics (GA4)

We use Google Analytics 4 (GA4) provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. GA4 analyses usage behaviour on our website (page views, duration of visit, origin, devices). The data is aggregated under a user ID and may be transferred to servers operated by Google LLC in the USA. The IP address is truncated prior to storage (IP anonymisation). The legal basis is your consent in accordance with Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG.

We have concluded a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the aforementioned provider. Data transfers to the USA are based, among other things, on the EU Commission’s Standard Contractual Clauses. Furthermore, Google is certified under the Data Privacy Framework Programme and thus fulfils the guarantees for secure data exchange.

Browser plugin: You can prevent data collection by Google Analytics: tools.google.com/dlpage/gaoptout

The provider’s privacy policy: policies.google.com/privacy

14.4 Google Tag Manager

We use Google Tag Manager to manage tracking and analytics tags on our website. Google Tag Manager itself does not collect any personal data, and does not set any cookies. It merely enables the triggering of other tags, which may in turn collect data.

14.5 Google Signals & E-commerce Measurement

We use Google Signals as part of Google Analytics. If you have enabled personalised advertising in your Google account, demographic data and location information will be collected and used for cross-device analysis and personalised advertising.

We also use Google Analytics e-commerce measurement to analyse purchasing behaviour (orders, order values, conversions) and to optimise our marketing campaigns.

14.6 Microsoft Clarity

We use Microsoft Clarity (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA) for user analysis. Clarity collects pseudonymised usage data such as mouse movements, scrolling behaviour and clicks using a pseudonymous user ID. The IP address is masked. Processing is carried out on the basis of your consent (Art. 6(1)(a) GDPR).

We have concluded a data processing agreement (DPA) in accordance with Art. 28 GDPR with the aforementioned provider.

Data transfers to the USA are based, among other things, on the EU Commission’s Standard Contractual Clauses. Furthermore, Microsoft Corporation is certified under the Data Privacy Framework programme and thus meets the guarantees for secure data exchange.

The provider’s privacy policy: privacy.microsoft.com

Opt‑Out: choice.microsoft.com

14.7 PowerBI

We use Microsoft PowerBI for internal business analyses. This typically involves the processing of aggregated company data such as company names, turnover and orders. Processing is carried out on the basis of our legitimate interest in business management (Article 6(1)(f) GDPR).

15. Online advertising and remarketing

15.1 Google Ads & Remarketing

We use Google Ads for advertising purposes in Google search results and on third-party websites. When you visit our website, a remarketing cookie is set, which generates a pseudonymous cookie ID and enables interest-based advertising based on the pages you have visited. The legal basis is your consent in accordance with Article 6(1)(a) of the GDPR.

We have entered into a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the aforementioned provider.

Data transfers to the USA are based, among other things, on the EU Commission’s Standard Contractual Clauses. Furthermore, Google LLC is certified under the Data Privacy Framework Programme and thus meets the guarantees for secure data exchange.

15.2 Google Enhanced Conversions

We use the ‘Enhanced Conversions’ feature of Google Ads. In this process, hashed customer data (e.g. email address) is transmitted to Google to improve conversion measurement and target advertisements more precisely. The data is irreversibly encrypted (SHA-256 hashing) prior to transmission. The legal basis is your consent in accordance with Article 6(1)(a) of the GDPR.

15.3 Customer Match lists

We use Customer Match lists as part of our Google Ads advertising activities, including for Similar Audiences and remarketing. To do this, lists containing encrypted account data (e.g. email addresses) are uploaded to Google Ads. Google checks which data is already known and assigns these users to a target audience list. Once the Customer Match lists have been created, the encrypted account data is automatically deleted – Google therefore does not receive any new address data. The legal basis is your consent in accordance with Article 6(1)(a) of the GDPR.

The provider’s privacy policy: business.safety.google/privacy

15.4 Microsoft Bing Universal Event Tracking (UET)

We use Bing UET (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA). When you access our website via Bing Ads, a cookie is set and a UET tag records pseudonymised data on your usage behaviour (duration of visit, pages visited, referral source). Microsoft can analyse your behaviour across devices through cross-device tracking. The legal basis is your consent (Art. 6(1)(a) GDPR). The data is stored for a maximum of 180 days.

We have concluded a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the aforementioned provider.

Data transfers to the USA are based, among other things, on the EU Commission’s Standard Contractual Clauses. Furthermore, Microsoft Corporation is certified under the Data Privacy Framework programme and thus meets the guarantees for secure data exchange.

The provider’s privacy policy: privacy.microsoft.com

Opt‑Out: account.microsoft.com

16. Technical Services and Security

16.1 Cloudflare

Our website uses services provided by Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA, as a Content Delivery Network (CDN) and for protection against attacks. In doing so, access data (in particular IP addresses) is routed via Cloudflare servers. The legal basis is our legitimate interest in the security and availability of our website (Art. 6(1)(f) GDPR).

We have entered into a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the aforementioned provider.

Data transfers to the USA are based, among other things, on the EU Commission’s Standard Contractual Clauses. Furthermore, Cloudflare, Inc. is certified under the Data Privacy Framework programme and thus meets the guarantees for secure data exchange.

The provider’s privacy policy: cloudflare.com/privacypolicy

16.2 Microsoft Azure (Hosting)

Our website and systems are hosted on the Microsoft Azure cloud platform (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA). All data generated in connection with the use of the website is processed on Azure servers. The legal basis is Article 6(1)(f) of the GDPR.

We have entered into a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the aforementioned provider.

Data transfers to the USA are based, among other things, on the EU Commission’s Standard Contractual Clauses. Furthermore, Microsoft Corporation is certified under the Data Privacy Framework Programme and thus meets the guarantees for secure data exchange.

16.3 New Relic (Monitoring)

We use New Relic, Inc., 188 Spear Street, Suite 1200, San Francisco, CA 94105, USA, for performance monitoring of our Intershop platform. This involves the processing of technical data (e.g. loading times, error logs, IP addresses). The legal basis is our legitimate interest in system stability (Art. 6(1)(f) GDPR).

We have concluded a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the aforementioned provider.

Data transfers to the USA are based, among other things, on the EU Commission’s Standard Contractual Clauses. Furthermore, New Relic, Inc. is certified under the Data Privacy Framework Programme and thus meets the guarantees for secure data exchange.

16.4 Google reCAPTCHA

To protect against automated abuse (bots, crawlers), we use Google reCAPTCHA (Google Ireland Ltd. / Google LLC, USA). In doing so, IP addresses, mouse movements and other technical data may be transmitted to Google. The legal basis is our legitimate interest in the security of our website (Article 6(1)(f) GDPR).

We have concluded a data processing agreement (DPA) in accordance with Art. 28 GDPR with the aforementioned provider.

Data transfers to the USA are based, among other things, on the EU Commission’s Standard Contractual Clauses. Furthermore, Google LLC is certified under the Data Privacy Framework programme and thus meets the guarantees for secure data exchange.

The provider’s privacy policy: policies.google.com/privacy

16.5 SSL/TLS encryption

For security reasons, our website uses SSL or TLS encryption. You can recognise an encrypted connection by ‘https://’ in the address bar and the padlock symbol in your browser. When encryption is enabled, the data you transmit to us cannot be read by third parties.

16.6 Collection of access data and log files

Every time our website is accessed, our system automatically collects data and information from the accessing computer (server log files): name of the webpage accessed, date and time, amount of data transferred, browser type and version, operating system, IP address, requesting provider and referrer URL. The IP address is stored for the duration of the session to enable the website to be delivered. The legal basis is Article 6(1)(f) of the GDPR.

17. External services and integrations

17.1 YouTube

We use YouTube in enhanced privacy mode to embed videos. YouTube may set cookies and collect data for the purpose of compiling video statistics. When a video is played, further data processing operations may be triggered over which we have no control.

The provider’s privacy policy: youtube.com/privacy

17.2 Google Maps

When using Google Maps, you will be redirected to Google’s website and will leave our online shop. Data (IP address, location data) may be transmitted to Google.

Terms of use: google.com/help/terms_maps

17.3 Yumpu (PDF page-turning software)

We use Yumpu (i-magazine AG, Gewerbestrasse 3, 9444 Diepoldsau, Switzerland) to present our Bürklin Quarterly as a digital flipbook. When viewing the flipbook, your browser establishes a connection to Yumpu servers, whereby standard server data (IP address, browser type, time) is transmitted. Yumpu may set additional cookies. The legal basis is our legitimate interest in an appealing presentation (Art. 6(1)(f) GDPR).

The provider’s privacy policy: yumpu.com/de/info/privacy_policy

17.4 Pressebox

Our website contains links to our profile on Pressebox, an external press portal. By clicking on the link, you will leave our website; Pressebox’s privacy policy applies.

17.5 WordPress magazine

Our online magazine is provided via a WordPress installation that is integrated into our website through a reverse proxy. Tracking in the magazine section is carried out using the analytics tools described above.

18. Electronic Data Interchange (EDI)

For the electronic transmission of business documents (orders, invoices, delivery notes), we use various EDI service providers, e.g. MyOpenFactory. In doing so, order-related data, including names, addresses and prices, is transmitted. Processing takes place for the purpose of contract performance in accordance with Article 6(1)(b) of the GDPR.

We have entered into a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the aforementioned providers.

19. Automation software

19.1 Retool

We use Retool (Retool, Inc., San Francisco, USA) for internal automation processes. In certain scenarios, personal data may be processed:

  • Trade fair voucher requests: Customer data is transferred from Brevo to Retool, enriched there and sent back to Brevo. In this case, customer data is stored in a Retool database.
  • Mass email campaigns: Excel files containing contact details are temporarily uploaded to Retool and are not stored permanently after processing.

The legal basis is the performance of a contract (Art. 6(1)(b) GDPR) or our legitimate interest (Art. 6(1)(f) GDPR).

We have entered into a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the aforementioned provider.

Data transfers to the USA are based, among other things, on the EU Commission’s Standard Contractual Clauses. Furthermore, Retool, Inc. is certified under the Data Privacy Framework programme and thus meets the guarantees for secure data exchange.

The provider’s privacy policy: retool.com/privacy

19.2 Make.com

We also use Make.com (Celonis SE) as an automation platform. Make.com allows different systems to be connected and workflows to be automated, during which personal data may be processed. The legal basis is our legitimate interest in efficient business processes (Article 6(1)(f) GDPR).

We have concluded a data processing agreement (DPA) in accordance with Art. 28 GDPR with the aforementioned provider.

The provider’s privacy policy: make.com/en/privacy‑notice

20. Job applications and human resources management

20.1 Personio

We use Personio (Personio SE & Co. KG, Munich) to manage applications. Your application data (CV, cover letter, references, contact details) is processed there. Processing is carried out in accordance with Article 6(1)(b) of the GDPR (pre-contractual measures) and Section 26 of the BDSG (Employment Data Protection Act).

We have entered into a data processing agreement (DPA) in accordance with Article 28 of the GDPR with the aforementioned provider.

A separate privacy policy also applies to applications, which can be viewed directly on the Personio website: buerklin‑gmbh‑co‑kg.jobs.personio.com/privacy‑policy

21. Contact

When you contact us (via the contact form, email, telephone or social media), your details will be processed to handle your enquiry and in the event of follow-up questions.

  • Data processed: Master data (name, address), contact details (email, telephone), content data
  • Legal basis: Art. 6(1)(b) GDPR (contractual/pre-contractual enquiries) and Art. 6(1)(f) GDPR (legitimate interest)

22. Your rights as a data subject

Under the GDPR, you have the following rights:

  • Right of access (Art. 15): You may request information as to whether and to what extent we process your data.
  • Rectification (Art. 16): You may request the rectification of inaccurate data or the completion of incomplete data.
  • Erasure (Art. 17): You may request the erasure of your data, provided that there are no legal obligations to retain it.
  • Restriction (Art. 18): You may request the restriction of processing, e.g. if you dispute the accuracy of the data.
  • Data portability (Art. 20): You may request that we provide you with your data in a structured, machine-readable format.
  • Objection (Art. 21): You may object to the processing of your data on grounds of legitimate interest at any time. In the case of direct marketing, you may object without giving reasons.
  • Withdrawal (Art. 7(3)): You may withdraw any consent you have given at any time with effect for the future.
  • Complaint (Art. 77): You have the right to lodge a complaint with your local data protection supervisory authority.

To exercise your rights, please contact our Data Protection Officer (see Section 2). In case of doubt, we may request additional information to verify your identity.

23. Data security

We have implemented comprehensive technical and organisational measures to protect your personal data against loss, destruction, manipulation and unauthorised access. All employees and service providers working on our behalf are bound by the applicable data protection laws. Personal data is encrypted during transmission. Our security measures are continuously reviewed and adapted to the state of the art.

24. Changes to this Privacy Policy

We reserve the right to amend this privacy policy to ensure it remains in line with current legal requirements and technical developments. Please ensure that you have the latest version available at . We will announce any fundamental changes on our website.

Last updated: May 2026