Privacy Policy
Non-binding English convenience translation. Only the German-language version of this Privacy Policy is legally binding. In the event of any discrepancy or conflict between the German and English versions, the German version shall prevail.
Last updated: June 2026
1) Introduction and controller contact details
1.1 We are pleased that you are visiting our website and thank you for your interest. Below we inform you about the handling of your personal data when using this website and the associated license shop.
1.2 The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:
XenPool GmbH
Am Egernfeld 35
85748 Garching bei München
Germany
Phone: +49 89 37954350
Email: kontakt@xenpool.de
Data protection contact: Stefan van Boxmer-Fischer
1.3 The ip·Solis software itself runs exclusively on-premises at the customer's site, within the customer's own Docker infrastructure. XenPool GmbH has no access to the operational data processed by the software. This privacy policy covers only the data processed in connection with the use of the website and shop.
2) Data protection officer
XenPool GmbH currently employs fewer than 20 persons who regularly process personal data in an automated manner. The appointment of a data protection officer is therefore not mandatory under Art. 37 GDPR in conjunction with § 38 BDSG. For data protection enquiries, please contact us directly at the address given in Clause 1.2.
3) Data collection when visiting our website
3.1 When you use our website for informational purposes only, we only collect the data that your browser transmits to our server (server log files):
- Website accessed
- Date and time of access
- Amount of data sent in bytes
- Source/referrer from which you reached the page
- Browser used and browser version
- Operating system used
- IP address used (where applicable, in anonymised form)
Processing is carried out pursuant to Art. 6(1)(f) GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. No tracking or analytics services are used. Retention period: 30 days.
3.2 For security reasons, this website uses SSL or TLS encryption. You can recognise an encrypted connection by the "https://" prefix and the padlock symbol in your browser's address bar.
4) Cookies and local storage
We use only technically necessary cookies:
- Session cookie (
__shop_session): Stores the logged-in state of the shop customer account. Expires at the end of the browser session or after 30 days at the latest. - Shopping cart (
cart_[locale]): Stored in the browser'slocalStorageand contains only the selected product slugs. No personal data.
As only technically necessary cookies are used, separate consent pursuant to § 25(2) TTDSG is not required. Processing is carried out pursuant to Art. 6(1)(b) GDPR for the performance of the contract.
No tracking or marketing cookies are used.
5) Contact and demo requests
When you contact us or submit a demo request, personal data (name, business email address, message, and optionally information about your IT environment) are processed solely for the purpose of handling and responding to your enquiry. Transmission is carried out exclusively by email via the Microsoft Graph API. No permanent storage in a database takes place.
Legal basis: Art. 6(1)(f) GDPR; additionally Art. 6(1)(b) GDPR where contact is aimed at concluding a contract.
6) Data processing when opening a customer account
Pursuant to Art. 6(1)(b) GDPR, personal data are collected when you provide them when opening a customer account: full name, business email address, company name and a password (stored exclusively as a hash; plaintext is never stored).
You may request deletion of your customer account at any time by contacting the address given in Clause 1.2.
7) Orders, billing address and VAT ID
7.1 For invoicing purposes, we collect company name, postal address and, optionally, the EU VAT ID (for the reverse charge procedure). The VAT ID is automatically transmitted to the European Commission's VIES database for validation. Legal basis: Art. 6(1)(b) and (c) GDPR.
7.2 When purchasing a license, we store order details and the generated invoice as a PDF document. Legal basis: Art. 6(1)(b) and (c) GDPR. Retention period: 10 years (§§ 147(1) AO, 257(1) HGB).
8) License issuance and .lic file
After receipt of payment, a cryptographically signed license file (.lic) is generated and delivered by email. This file contains only license-specific parameters: company name, licensee email address, license edition, term and an internal license ID. No end-user data or operational data from the deployed ip·Solis instance is collected. Legal basis: Art. 6(1)(b) GDPR. Retention period: Duration of the business relationship; license issuance metadata 10 years.
9) Data processing for contract performance — payment services
For processing payments in the shop, we use the following payment service provider:
Stripe
Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
When you select a payment method and click "Pay now", your payment data are transmitted to Stripe pursuant to Art. 6(1)(b) GDPR. Card details and SEPA bank data are collected and processed exclusively by Stripe; XenPool GmbH does not receive or store any payment instrument data. We have concluded a data processing agreement with Stripe pursuant to Art. 28 GDPR.
10) Use of customer data for direct marketing
If you have provided us with your email address in connection with the purchase of a license, we reserve the right to occasionally send you information about similar products and services by email (§ 7(3) UWG). Processing is carried out pursuant to Art. 6(1)(f) GDPR.
You are entitled to object to the use of your email address for advertising purposes at any time by notifying the controller at the contact address given in Clause 1.2.
11) Tools and other service providers
11.1 Microsoft Azure (hosting and data storage)
All shop data is stored in Microsoft Azure Table Storage in a data centre within the European Union. Microsoft Ireland Operations Ltd. acts as a processor pursuant to Art. 28 GDPR. Legal basis: Art. 6(1)(b) and (f) GDPR.
11.2 Microsoft Graph (transactional emails)
We send automated emails via the Microsoft Graph API from our Microsoft 365 account. Legal basis: Art. 6(1)(b) GDPR.
11.3 DATEV (accounting)
DATEV eG, Paumgartnerstr. 6–14, 90429 Nuremberg, Germany
The provider processes our outgoing invoices. Legal basis: Art. 6(1)(c) GDPR in conjunction with § 238 HGB, and Art. 6(1)(f) GDPR. A data processing agreement with DATEV is in place.
11.4 European Commission — VIES
Where a EU VAT ID is provided, an automatic validation query is sent to the European Commission's VIES database. Legal basis: Art. 6(1)(c) GDPR.
12) Transfers to third countries
A transfer of personal data to third countries may occur in connection with Stripe payment processing, as Stripe Inc. is based in the United States. Stripe Inc. is certified under the EU–US Data Privacy Framework (Art. 45 GDPR) and has implemented EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
No further transfers of personal data to third countries take place.
13) Duration of storage of personal data
The duration of storage of personal data is determined by the applicable legal basis, the purpose of processing and any statutory retention periods.
| Data category | Retention period |
|---|---|
| Server log data | 30 days |
| Contact form messages | Until enquiry resolved |
| Account data (name, email, company) | Duration of business relationship |
| Invoice and order data | 10 years (§ 147 AO) |
| License metadata | 10 years (§ 147 AO) |
| Session cookies | End of session / max. 30 days |
14) Rights of the data subject
14.1 Applicable data protection law grants you the following data subject rights against the controller:
- Right of access pursuant to Art. 15 GDPR
- Right to rectification pursuant to Art. 16 GDPR
- Right to erasure pursuant to Art. 17 GDPR
- Right to restriction of processing pursuant to Art. 18 GDPR
- Right to notification pursuant to Art. 19 GDPR
- Right to data portability pursuant to Art. 20 GDPR
- Right to withdraw consent pursuant to Art. 7(3) GDPR
- Right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR
To exercise your rights, please contact: kontakt@xenpool.de. We endeavour to respond to requests within 30 days (Art. 12(3) GDPR).
14.2 RIGHT TO OBJECT: Where we process your personal data on the basis of a balancing of interests pursuant to our overriding legitimate interest, you have the right to object to such processing at any time with effect for the future on grounds relating to your particular situation. If you exercise your right to object, we will cease processing the data in question unless we can demonstrate compelling legitimate grounds that override your interests.
15) Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority at any time (Art. 77 GDPR).
The supervisory authority competent for XenPool GmbH (registered in Bavaria) is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
Phone: +49 981 53-0
Email: poststelle@lda.bayern.de
Website: www.lda.bayern.de
16) Currency and amendments to this privacy policy
This privacy policy is current as of June 2026. We reserve the right to update this privacy policy from time to time to ensure it continues to meet current legal requirements. The current version is always available at this URL.