Privacy policy
Responsible body
Maschinenfabrik Reinhausen GmbH
Falkensteinstraße 8
93059 Regensburg
Germany
Phone: +49 (0) 941 4090-0
E-Mail: info@reinhausen.com
Web: www.reinhausen.com
Data protection officer
Christian Volkmer (Projekt 29 GmbH & Co. KG)
Ostengasse 14, 93047 Regensburg
Germany
Phone: +49 (0)941 2986 930
E-Mail: anfragen@projekt29.de
Information Requirements
Information requirements in accordance with Art. 13 GDPR
We take data protection seriously
Protection of your personal data is very important to us. Therefore, we always handle personal information that you enter on our portal with strict confidentiality and in accordance with the data protection provisions, particularly the German General Data Protection Regulation (GDPR) and German Federal Data Protection Act (new version of FDPA).
When you visit our website, our web servers save the IP address of your Internet service provider, the website from which you visit us, the pages you visit on our site and the date and duration of the visit by default. This information is absolutely necessary for the technical transmission of websites and secure server operation. This data is not evaluated on a personalized level.
If you send us data using a contact form, this data is saved on our servers as part of our data backup. We use your data exclusively for handling your requests. Your data is handled with strict confidentiality. It is not transferred to third parties.
Personal data
Personal data is data related to you. This includes, for example, your name, mailing address and e-mail address. You do not need to disclose any personal data in order to visit our website. However, in some cases, we require your name and address as well as other information to be able to provide you with the requested service.
The same applies if we send informational materials upon your request or respond to your inquiries. In this context, only data that you have sent to us of your own accord is stored, and we will always notify you of this.
When you use one of our services, we generally collect only data that is necessary to be able to provide you with this service. Provision of any additional information to us is completely voluntary. We process personal data in order to be able to offer you our service or to pursue our commercial goals.
Automatically saved data
Server log files
The provider of the pages automatically collects and stores information in server log files that your browser transfers to us automatically. These include:
- Date and time of the request
- Name of the requested file
- Page from which the file was requested
- Access status (file transmitted, file not found, etc.)
- Web browser and operating system used
- Complete IP address of the requesting computer
- Transmitted data volume
This data is not merged with any other data sources. Processing takes place in accordance with Art. 6 Para. 1 lit. f GDPR based on our legitimate interest in improving the stability and function of our website. For reasons of technical security, particularly to prevent attempted attacks on our web server, this data is stored by us for a short time. This data cannot be traced back to individual persons. After seven days at the latest, the data is anonymized by abbreviating the IP address at the domain level so that it is no longer possible to trace it back to the individual user. The data (in anonymized form) is also used for statistical purposes. No comparison with other databases or forwarding to third parties, in whole or in part, takes place.
Cookies
When you visit our website, we may save information on your computer in the form of cookies. Cookies are small files that are transmitted from an Internet server to your browser and saved on the hard drive. We only save your Internet Protocol address in this process – no personal data. The information stored in the cookies lets the website recognize you automatically when you next visit, making the site easier for you to use. The legal basis for the use of cookies is the legitimate interest in accordance with Art. 6 Para. 1 of the GDPR.
Of course, you are also able to visit our website without accepting cookies. If you do not want your computer to be recognized upon your next visit, you can also opt out of using cookies by changing the settings in your browser to "Block cookies." The procedure for this can be found in the user guide of your personal browser. If you opt out of using cookies, however, it may lead to limitations to the use of some areas of our website.
Which cookies do we use?
We have summarized and described all cookies used on this website for you. Download a description of the cookies used on this website (PDF)
Google Tag Manager
We use Google Tag Manager on our website, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Tag Manager is a tool that allows us to manage website tags via a user interface. The Tag Manager itself does not process any personal data, in particular it does not create any user profiles, does not store any cookies and does not carry out any analyses of its own. It is only used to manage and display other tools (e.g. tracking or statistics tools). However, these tools may themselves collect data under certain circumstances - you can find information on this in the relevant sections of this privacy policy.
When using the Tag Manager, your IP address may be transmitted to servers of the parent company Google LLC in the USA. There is currently no adequacy decision by the EU Commission for the USA. Transmission therefore takes place on the basis of EU standard contractual clauses and, where required, your consent.
The Google Tag Manager is used on the basis of Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the technically error-free and efficient integration and management of third-party services on our website.
Further information: https://policies.google.com/privacy.
Google Analytics (4)
This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics enables the website operator to analyze the behavior of website visitors. In doing so, the website operator receives various usage data, such as page views, length of visit, operating systems used and origin of the user. This data is summarized in a user ID and assigned to the respective end device of the website visitor.
Google Analytics also allows us to record your mouse and scroll movements and clicks, among other things. Google Analytics also uses various modeling approaches to supplement the data records collected and uses machine learning technologies for data analysis.
Google Analytics uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is generally transmitted to a Google server in the USA and stored there. The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. Consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://privacy.google.com/businesses/controllerterms/mccs/.
Google Ads
For advertising purposes in Google search results (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (“Google”)) and on third-party websites, the so-called Google Remarketing Cookie is set when you visit our website. This cookie automatically collects and processes data (IP address, time of visit, device and browser information, as well as information about your use of our website) and uses a pseudonymous Cookie ID and the pages you have visited to enable interest-based advertising. Further data processing will only take place if you have activated the "personalized advertising" setting in your Google account. If you are logged into Google during your visit to our website in this case, Google will use your data together with Google Analytics data to create and define audience lists for cross-device remarketing. The legal basis is Art. 6 para. 1 sentence 1 lit. a) GDPR. You can revoke your consent at any time.
YouTube in enhanced privacy mode
We use the provider YouTube to embed videos. The videos are embedded in enhanced privacy mode. Like most websites, YouTube uses cookies to collect information about visitors to their website. YouTube uses these, among other things, to collect video statistics, prevent fraud, and improve user-friendliness. This also leads to a connection to the Google DoubleClick network. When you start the video, it could trigger further data processing operations. We have no influence over this. For more information about YouTube's privacy practices, please refer to their privacy policy at: http://www.youtube.com/t/privacy_at_youtube.
Honeypot Captcha
To ensure sufficient data security when submitting forms, we use the Honeypot service in certain cases. This primarily serves to distinguish whether the input is made by a natural person or abusively by automated, machine processing.
Security
We have taken technical and administrative security precautions to protect your personal data against loss, destruction, manipulation and unauthorized access. All our employees and service providers working for us are obliged to comply with the applicable data protection laws.
Whenever we collect and process personal data, it is encrypted before it is transmitted. This means that your data cannot be misused by third parties. Our security precautions are subject to a continuous improvement process and our data protection declarations are constantly being revised. Please ensure that you have the latest version.
Data subject rights
You have the right to information, correction, deletion or restriction of the processing of your stored data, a right to object to the processing as well as a right to data portability and to complain in accordance with the requirements of data protection law.
Right to information:
You can request information from us as to whether and to what extent we process your data.
Right to rectification:
If we process your data that is incomplete or incorrect, you can request that we correct or complete it at any time.
Right to erasure:
You can demand that we erase your data if we process it unlawfully or if the processing disproportionately interferes with your legitimate protection interests. Please note that there may be reasons that prevent immediate erasure, e.g. in the case of statutory retention obligations.
Irrespective of the exercise of your right to erasure, we will erase your data immediately and completely, provided that there is no legal or statutory retention obligation to the contrary.
Right to restriction of processing:
You can request that we restrict the processing of your data if
- you contest the accuracy of the data, for a period enabling us to verify the accuracy of the data
- the processing of the data is unlawful, but you oppose the erasure of the data and request the restriction of their use instead
- we no longer need the data for the intended purpose, but you still need this data to assert or defend legal claims, or
- you have objected to the processing of the data.
Right to data portability:
You may request that we provide you with the data you have provided to us in a structured, commonly used and machine-readable format and that you may transmit this data to another controller without hindrance from us, provided that
- we process this data on the basis of your revocable consent or for the performance of a contract between us, and
- this processing is carried out by automated means.
If technically feasible, you can request that we transfer your data directly to another controller.
Right of objection:
If we process your data for legitimate interests, you can object to this data processing at any time; this would also apply to profiling based on these provisions. We will then no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defense of legal claims. You can object to the processing of your data for the purpose of direct advertising at any time without giving reasons.
Right of appeal:
If you are of the opinion that we are violating German or European data protection law when processing your data, please contact us so that we can clarify any questions you may have. Of course, you also have the right to contact the supervisory authority responsible for you, the respective state office for data protection supervision.
If you wish to assert one of these rights against us, please contact our data protection officer. In case of doubt, we may request additional information to confirm your identity.
Changes to this privacy policy
We reserve the right to change our privacy policy if this should be necessary due to new technologies. Please ensure that you have the latest version. If fundamental changes are made to this privacy policy, we will announce these changes on our website.
All interested parties and visitors to our website are welcome to contact our data protection officer regarding data protection issues.
Christian Volkmer (Projekt 29 GmbH & Co. KG)
Ostengasse 14, 93047 Regensburg
Germany
Phone: +49 (0)941 2986 930
E-Mail: anfragen@projekt29.de
Privacy Notice Supplement MR
Scope
These provisions supplement the main privacy policy of Maschinenfabrik Reinhausen GmbH (see “Privacy Policy” link in the Shopware footer). They explain the processing of personal data that occurs only when a user interacts with the AI‑powered nexwise Product Wizard, a sandboxed iframe embedded in the customer’s Shopware 6 storefront. If any statement here conflicts with the main policy, this addendum prevails for Product Wizard processing.
Controller & Contact
The controller remains Maschinenfabrik Reinhausen GmbH; full postal details appear in the primary policy. All requests related to the Product Wizard should be directed to privacy@nexwise.ai (see § 9).
For the Product Wizard, nexwise.ai acts solely as our processor pursuant to Art. 28 GDPR (a data-processing agreement is in place). The mailbox privacy@nexwise.ai is operated by the processor to intake and coordinate data-subject requests strictly on the controller’s instructions. Maschinenfabrik Reinhausen GmbH remains the controller and the final addressee for all rights requests.
Processing Activity
Name: Product Wizard – AI‑assisted product consultation
Description: Interactive chat‑based guidance, quotation generation, webshop purchase-facilitation, sales contact.
Purposes & Legal Bases
Purpose | Legal basis (Art. 6 GDPR) | Comments |
---|---|---|
Provide real‑time, product‑specific answers and redirect to product pages | 6 (1)(b) | Necessary for requested service |
Email quotations on explicit request | 6 (1)(b) | User triggers email; no unsolicited marketing (§ 7 UWG soft‑opt‑in) |
Forward inquiries to technical sales | 6 (1)(b) | Manual human follow‑up |
Analyse conversation and search behaviour to improve UX | 6 (1)(f) | Legitimate interest assessment |
Review raw logs (role‑based) to enhance model quality; no LLM fine‑tuning | 6 (1)(f) | Logs held max 30 days by model provider; 14 days in LangSmith; 12 months in nexwise DB |
Ensure IT security & prevent abuse | 6 (1)(f) | Essential to comply with Art. 32 GDPR |
Categories of Data Subjects
Prospective or existing B2B customers and other professional visitors to the Shopware shop. The Wizard is not directed at minors (§ 6). Art. 8 GDPR therefore does not apply.
Categories of Personal Data
Category | Examples | Source |
---|---|---|
Chat content | All user‑entered text | Wizard chat UI |
Identification | Name, business e‑mail, phone | Contact form |
Company | Company name, VAT, addresses | Contact form |
Interaction signals | Button clicks, rating selections | Wizard UI |
Technical log data | IP address, user‑agent, referrer, HTTP headers | Edge / server logs |
User feedback | Free‑text comments, stars | Feedback widget |
IMPORTANT: Do not enter any special-category personal data (Art. 9 GDPR) in the chat or other free-text fields (e.g., health data, religious or political beliefs, trade-union membership, genetic/biometric data, or sexual orientation).
Cookies & Local Storage
Because the Wizard runs in a sandboxed iframe, it cannot read or set first‑ or third‑party cookies; any Shopware cookies remain untouched.
Storage & Deletion
Data | Retention | Deletion / Anonymisation Method |
---|---|---|
Wizard conversation logs | ≤ 12 months | Hard delete or irreversible hash within 30 days after expiry |
LLM prompts & completions (Azure OpenAI / Google GenAI) | ≤ 30 days | Automatic purge by provider |
LangSmith trace logs | ≤ 14 days | Auto‑purge EU instance |
Vercel edge / access logs | ≤ 3 days | Rolling overwrite |
MongoDB audit logs | ≤ 30 days | Ops‑level purge |
Recipients & International Transfers
Processor | Function | Region | Safeguard |
---|---|---|---|
Vercel Inc. | Front‑end hosting & edge functions | FRA1 (Frankfurt) | SCCs + encryption |
Google Cloud Ireland Ltd. | Back‑end containers & embeddings | europe‑west3 (Frankfurt) | DPA + SCCs |
Microsoft Ireland Operations Ltd. | Azure OpenAI inference | Germany West Central | DPA + SCCs |
MongoDB Atlas | Database cluster | eu-central-1 (Frankfurt) | DPA + SCCs |
LangChain Inc. | LangSmith observability | EU data residency option | Custom DPA + SCCs |
All storage locations are in the EEA. Because several suppliers are US‑headquartered, the remote‑access risk constitutes a restricted transfer under Chap. V GDPR; Standard Contractual Clauses plus encryption, access logging and EU‑only support teams are in place, consistent with EDPB Recommendations 01/2020 and the Schrems II ruling.
Data‑Subject Rights (Art. 12‑22 GDPR)
You may access, rectify, erase, restrict, port or object to the processing of your data and may withdraw consent at any time. Send requests to privacy@nexwise.ai from the mailbox you used in the Wizard. You also have the right to lodge a complaint with the Bavarian State Data Protection Authority (BayLDA).
The Product Wizard does not make decisions that produce legal or similarly significant effects about you, and it does not perform profiling within the meaning of Art. 4(4) GDPR. It generates non-binding B2B product suggestions based solely on your current chat input and the shop catalogue/price list; contract conclusion and pricing follow the standard Shopware checkout. We do not create persistent user profiles across sessions. If features falling under Art. 22 are introduced in the future, we will provide prior notice and implement appropriate safeguards (human review, the right to obtain an explanation, and the right to contest the decision).
IT Security & Data‑Protection by Design
Data are encrypted in transit (TLS 1.3) and at rest (AES‑256). Role‑based access control, audit logging, key rotation and periodic penetration tests align with Art. 32 GDPR. A Data‑Protection Impact Assessment (DPIA) concluded that residual risks are low after these measures.
Version & Change Management
Last updated: 17th September 2025. Prior versions are archived for three years.