Privacy Policy
How we handle your personal data – transparently and in line with the GDPR.
1) Introduction and contact details of the controller
1.1 We are pleased that you are visiting our website and thank you for your interest. In the following, we inform you about how we handle your personal data when you use our website. Personal data is any data by which you can be personally identified.
1.2 The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is CIRO GmbH, Maischer Str. 10, 85386 Eching, Germany, phone: 017623433294, e-mail: [email protected]. The controller responsible for the processing of personal data is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
2) Data collection when visiting our website
2.1 When you use our website for informational purposes only, i.e. if you do not register or otherwise transmit information to us, we only collect the data that your browser transmits to our server (so-called “server log files”). When you access our website, we collect the following data that is technically necessary for us to display the website to you:
- The website you visited
- Date and time of access
- Amount of data sent in bytes
- Source/reference from which you reached the page
- Browser used
- Operating system used
- IP address used (where applicable: in anonymized form)
Processing is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. The data is not passed on or used in any other way. We do, however, reserve the right to subsequently review the server log files should there be concrete indications of unlawful use.
2.2 For security reasons and to protect the transmission of personal data and other confidential content (e.g. orders or enquiries to us), this website uses SSL or TLS encryption. You can recognize an encrypted connection by the string “https://” and the lock symbol in your browser bar.
3) Hosting & content delivery network
Cloudflare
We use a content delivery network from the following provider: Cloudflare Inc., 101 Townsend St. San Francisco, CA 94107, USA.
This service enables us to deliver large media files such as graphics, page content or scripts faster via a network of regionally distributed servers. Processing is carried out to safeguard our legitimate interest in improving the stability and functionality of our website pursuant to Art. 6(1)(f) GDPR. We have concluded a data processing agreement with the provider that ensures the protection of our visitors' data and prohibits unauthorized disclosure to third parties.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
4) Cookies
In order to make visiting our website attractive and to enable the use of certain functions, we use cookies, i.e. small text files that are stored on your device. Some of these cookies are automatically deleted after you close your browser (so-called “session cookies”), while others remain on your device for longer and enable us to save page settings (so-called “persistent cookies”). In the latter case, you can find the storage period in the overview of the cookie settings of your web browser.
If individual cookies we use also process personal data, processing is carried out in accordance with Art. 6(1)(b) GDPR either to perform the contract, in accordance with Art. 6(1)(a) GDPR in the case of consent given, or in accordance with Art. 6(1)(f) GDPR to safeguard our legitimate interests in the best possible functionality of the website as well as a customer-friendly and effective design of the visit.
You can set your browser so that you are informed about the setting of cookies and can decide individually whether to accept them, or you can exclude the acceptance of cookies for certain cases or in general.
Please note that the functionality of our website may be limited if cookies are not accepted.
5) Contacting us
5.1 Google Gemini
To provide autonomous customer support, we have integrated an artificial intelligence software solution from the following provider on this website: Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
Data may also be transmitted to: Google LLC, USA.
Via an API-based integration, visitors can submit enquiries by text input regarding offers, website functionalities, placed orders and the exercise of contractual rights, which are then answered and processed by the provider's language models.
For this purpose, the provider's software may collect personal data from you in order to compare it with your order history, assign the input to a specific order, automatically check your request and then resolve it by autonomously initiating processing operations.
The collection and further processing of personal data is carried out exclusively to handle your specific request. The processing of your inputs for the purpose of training and further developing the provider's AI language models is expressly prohibited.
Data processing is carried out on the basis of our legitimate interest in the effective support of our visitors, in the optimal marketing of our offer and in the automation of customer support to relieve operations pursuant to Art. 6(1)(f) GDPR.
Personal data collected will be deleted, subject to conflicting statutory retention periods, when the provider's software determines, in accordance with automated mathematical-statistical procedures, a final clarification of the matter.
We have concluded a data processing agreement with the provider that ensures the protection of your data and prohibits unauthorized disclosure to third parties.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
You can find further legal information and Google's privacy provisions at https://support.google.com/gemini/answer/13594961?hl=en
5.2 WhatsApp Business
We offer you the option of contacting us via the messaging service WhatsApp provided by WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. For this we use the so-called “Business version” of WhatsApp.
If you contact us via WhatsApp in connection with a specific transaction (for example, a placed order), we store and use the mobile phone number you use with WhatsApp as well as – if provided – your first and last name in accordance with Art. 6(1)(b) GDPR to handle and respond to your request. On the same legal basis, we may ask you via WhatsApp to provide further data (order number, customer number, address or e-mail address) in order to assign your enquiry to a specific transaction.
If you use our WhatsApp contact for general enquiries (e.g. regarding the range of services, availability or our website), we store and use the mobile phone number you use with WhatsApp as well as – if provided – your first and last name in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in the efficient and timely provision of the requested information.
Your data is always only used to respond to your request via WhatsApp. It is not passed on to third parties.
Please note that WhatsApp Business gains access to the address book of the mobile device we use for this purpose and automatically transfers phone numbers stored in the address book to a server of its parent company Meta Platforms Inc. in the USA. To operate our WhatsApp Business account, we use a mobile device whose address book exclusively stores the WhatsApp contact details of those users who have also contacted us via WhatsApp.
This ensures that every person whose WhatsApp contact details are stored in our address book has already consented, upon first use of the app on their device by accepting the WhatsApp terms of use, to the transfer of their WhatsApp phone number from the address books of their chat contacts in accordance with Art. 6(1)(a) GDPR. A transfer of data of users who do not use WhatsApp and/or have not contacted us via WhatsApp is thus excluded.
Please refer to WhatsApp's privacy notices for the purpose and scope of data collection and the further processing and use of the data by WhatsApp, as well as your related rights and settings options for protecting your privacy: https://www.whatsapp.com/legal/?eea=1#privacy-policy
In the context of the processing operations mentioned above, data may be transferred to servers of Meta Platforms Inc. in the USA.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
5.3 When you contact us (e.g. via contact form or e-mail), personal data is processed exclusively for the purpose of handling and responding to your request and only to the extent necessary for this.
The legal basis for processing this data is our legitimate interest in responding to your request pursuant to Art. 6(1)(f) GDPR. If your contact is aimed at concluding a contract, the additional legal basis for processing is Art. 6(1)(b) GDPR. Your data will be deleted when it can be inferred from the circumstances that the matter concerned has been conclusively clarified and provided that there are no statutory retention obligations to the contrary.
5.4 Brevo
For sending transactional e-mails, i.e. event-related messages triggered by a specific user interaction (such as conclusion of a contract, registration or password reset), we use this provider: Brevo GmbH, Köpenicker Str. 126, 10179 Berlin, Germany.
On the basis of our legitimate interest in effective and user-friendly e-mail communication, we pass on the data you provide when carrying out such a user action to this provider pursuant to Art. 6(1)(f) GDPR so that it can handle the mailing on our behalf.
We have concluded a data processing agreement with the provider that protects the data of our visitors and prohibits disclosure to third parties.
5.5 seven.io
For sending transactional SMS messages, i.e. event-related short messages triggered by a specific user interaction (such as two-factor authentication, phone number verification or time-critical notifications), we use this provider: seven communications GmbH, Zirkusweg 2, 20359 Hamburg, Germany.
On the basis of our legitimate interest in effective and secure communication, we pass on the data you provide when carrying out such a user action (in particular mobile phone number and SMS content) to this provider pursuant to Art. 6(1)(f) GDPR so that it can handle the SMS dispatch on our behalf. Insofar as the SMS dispatch serves the performance of the contract (e.g. two-factor authentication), processing is carried out on the basis of Art. 6(1)(b) GDPR.
We have concluded a data processing agreement with the provider that ensures the protection of your data and prohibits unauthorized disclosure to third parties. Your data is not transferred to third countries.
6) Data processing when opening a customer account
In accordance with Art. 6(1)(b) GDPR, personal data will continue to be collected and processed to the extent necessary in each case if you provide it to us when opening a customer account. You can find out which data is required to open an account from the input mask of the relevant form on our website.
You can delete your customer account at any time by sending a message to the controller's address mentioned above. After deletion of your customer account, your data will be deleted provided that all contracts concluded through it have been fully processed, no statutory retention periods conflict, and we have no legitimate interest in continued storage.
7) Use of customer data for direct advertising
7.1 Subscription to our e-mail newsletter
If you subscribe to our e-mail newsletter, we will regularly send you information about our offers. The only mandatory information for sending the newsletter is your e-mail address. Providing further data is voluntary and is used to be able to address you personally. For sending the newsletter, we use the so-called double opt-in procedure, which ensures that you only receive newsletters once you have expressly confirmed your consent to receiving the newsletter by clicking a verification link sent to the specified e-mail address.
By activating the confirmation link, you give us your consent to use your personal data in accordance with Art. 6(1)(a) GDPR. In doing so, we store the IP address assigned by your internet service provider (ISP) as well as the date and time of registration in order to be able to trace any possible misuse of your e-mail address at a later point in time. The data collected by us when you subscribe to the newsletter is used strictly for the intended purpose.
You can unsubscribe from the newsletter at any time via the link provided for this purpose in the newsletter or by sending a corresponding message to the controller named at the outset. After unsubscribing, your e-mail address will be deleted from our newsletter distribution list without delay, unless you have expressly consented to further use of your data or we reserve the right to use the data beyond this, which is permitted by law and about which we inform you in this declaration.
7.2 Brevo
Our e-mail newsletters and other promotional e-mail communications are sent via this provider: Brevo GmbH, Köpenicker Str. 126, 10179 Berlin, Germany.
On the basis of our legitimate interest in effective and user-friendly e-mail marketing, we pass on the data you provide upon registration to this provider pursuant to Art. 6(1)(f) GDPR so that it can handle the mailing on our behalf.
We reserve the right, exclusively on the basis of your express consent pursuant to Art. 6(1)(a) GDPR, to additionally carry out a statistical performance analysis of mail campaigns using web beacons or tracking pixels in the e-mails sent, which can measure open rates and specific interactions with the newsletter content. In doing so, device information (e.g. time of access, IP address, browser type and operating system) is also collected and evaluated, but not combined with other data sets.
You can revoke your consent to mail tracking at any time with effect for the future.
We have concluded a data processing agreement with the provider that protects the data of our visitors and prohibits disclosure to third parties.
8) Data processing for contract execution
8.1 To process the contract, we work with the following service provider(s), who support us in whole or in part in carrying out concluded contracts. Certain personal data is transmitted to these service providers in accordance with the following information.
8.2 Use of payment service providers (payment services) – Stripe
One or more online payment methods from the following provider are available on this website: Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.
If you select a payment method from the provider in which you make advance payment (e.g. credit card payment), the payment data you provided during the ordering process (including name, address, bank and payment card information, currency and transaction number) as well as information about the content of your order will be passed on to the provider in accordance with Art. 6(1)(b) GDPR. In this case, your data is passed on exclusively for the purpose of payment processing with the provider and only to the extent necessary for this.
If you select a payment method in which the provider makes advance payment (e.g. purchase on account or in instalments, or direct debit), you will also be asked during the ordering process to provide certain personal data (first and last name, street, house number, postal code, city, date of birth, e-mail address, telephone number, and, where applicable, data on an alternative means of payment).
To safeguard our legitimate interest in determining the solvency of our customers, we forward this data to the provider pursuant to Art. 6(1)(f) GDPR for the purpose of a credit check. On the basis of the personal data you provide and further data (such as shopping cart, invoice amount, order history, payment experiences), the provider checks whether the payment option you have selected can be granted with regard to payment and/or default risks.
The credit report may contain probability values (so-called score values). Insofar as score values are included in the result of the credit report, they are based on a scientifically recognized mathematical-statistical procedure. The calculation of the score values includes, among other things but not exclusively, address data.
You can object to this processing of your data at any time by sending a message to us or to the provider. However, the provider may still be entitled to process your personal data insofar as this is necessary for contractual payment processing.
8.3 Account information service (open banking) – finAPI
For the automated allocation of incoming rent payments, we use the account information service of the following provider: finAPI GmbH, Adams-Lehmann-Straße 44, 80797 Munich, Germany.
finAPI is an account information service provider (AISP) licensed by BaFin pursuant to Section 1(33) ZAG and is subject to the supervision of the Federal Financial Supervisory Authority.
If you activate the automatic rent reconciliation function, a read-only connection to your bank account is established via finAPI. In doing so, only account transactions (booking date, amount, purpose of use, name of the payer) are retrieved in order to automatically allocate incoming rent payments to the respective tenants. No write access to your account takes place.
The connection to your bank account is established via the PSD2 interface provided by your bank. You must actively authorize the connection via strong customer authentication (SCA) with your bank and can revoke this authorization at any time via your online banking or via the CIRO platform.
Processing is carried out in accordance with Art. 6(1)(a) GDPR (consent through active account connection) and (b) GDPR (performance of the contract). Account transaction data is processed exclusively for the purpose of rent allocation and is not used for other purposes.
finAPI stores the retrieved account data only for the duration of the active account connection. After the connection is terminated or the SaaS contract ends, the data stored at finAPI is deleted in accordance with its retention policies. Allocation results stored at CIRO are subject to the deletion concept (duration of the SaaS contract).
We have concluded a data processing agreement with finAPI that ensures the protection of your data and prohibits unauthorized disclosure to third parties. Your data is not transferred to third countries.
8.4 Google Gemini
To provide our services, we use artificial intelligence software from the following provider: Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
Information provided by you within the framework of a contractual relationship may be fed into the provider's software in order to organize, analyze, aggregate, modify, evaluate or process it for the provision of our service.
Information may also be transmitted to: Google LLC, USA.
The collection and further processing of this information is carried out strictly for the purpose of fulfilling the contract. Processing for the purpose of training and further developing the provider's AI language models is expressly prohibited.
Insofar as personal data is also the subject of processing, this is carried out on the basis of our legitimate interest in the efficient design of our services and the optimal use of available resources and technologies pursuant to Art. 6(1)(f) GDPR. If the personal data is data of third parties whose processing you have entrusted to us, this processing on our behalf is secured by concluding a data processing agreement with us, which specifies the measures taken to protect this data as well as your control and access rights.
We, for our part, have concluded a data processing agreement with the provider that ensures the protection of personal data processed via the provider and prohibits unauthorized disclosure to third parties.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
You can find further legal information and Google's privacy provisions at https://support.google.com/gemini/answer/13594961?hl=en
8.5 Electronic cancellation option for continuing obligations with consumers
Consumers who have entered into contracts for paid continuing obligations (e.g. subscription contracts) on this website have the option of cancelling these via an electronic button in accordance with the applicable notice periods.
Pressing the button leads to a confirmation page on which the consumer can provide further details about the cancellation, identify themselves unambiguously and then declare their cancellation electronically.
The collection of personal data and its transmission to us is carried out in accordance with Art. 6(1)(b) GDPR and only to the extent that it is necessary for the proper handling of the cancellation. Also on the basis of Art. 6(1)(b) GDPR, the personal data provided is used to confirm the receipt of the cancellation declaration and the time of cancellation electronically in text form. A further legal basis for processing is Art. 6(1)(c) GDPR. We are legally obliged to provide an electronic cancellation option for consumer contracts concluded by means of electronic commerce regarding paid continuing obligations.
8.6 Electronic withdrawal function for distance contracts
Consumers who conclude contracts on this website for which a statutory right of withdrawal exists have the option of declaring the withdrawal via an electronic withdrawal function in accordance with the applicable withdrawal provisions.
When using the withdrawal function, in addition to information identifying the contract to be withdrawn, further personal information such as the consumer's first and last name and e-mail address must be provided or confirmed.
The collection of this information and its transmission to us is carried out in accordance with Art. 6(1)(b) GDPR and only to the extent that it is necessary for the proper handling of the withdrawal. Also on the basis of Art. 6(1)(b) GDPR, the personal data provided is used to confirm the receipt of the withdrawal declaration by e-mail. A further legal basis for processing is Art. 6(1)(c) GDPR. We are legally obliged to provide an electronic withdrawal function for paid consumer distance contracts.
9) Web analytics services
Amplitude
This website uses the web analytics service of the following provider: Amplitude, Inc., 201 3rd Street, Suite 200, San Francisco, CA 94103, USA.
The service enables a statistical evaluation of the use of new functions and content of the website by serving test variants to certain user groups. In this way, in the interest of improving the attractiveness of our website, it can be traced which variants are preferred by users. For this purpose, the service uses cookies, i.e. small text files that are stored on your device and enable an analysis of your use of a website. The information collected by cookies about your use of the website is generally transmitted to a server of the provider and stored and processed there.
All processing operations described above, in particular the setting of cookies for storing and reading information on the device you use to access the website, are only carried out if you have given us your express consent to do so in accordance with Art. 6(1)(a) GDPR. Without your consent, the service will not be used during your use of the website. You can revoke any consent you have given at any time with effect for the future. To exercise your revocation, please deactivate this service via the “cookie consent tool” provided on the website.
We have concluded a data processing agreement with the provider that ensures the protection of our visitors' data and prohibits unauthorized disclosure to third parties.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
10) Tools and miscellaneous
10.1 Cloudflare
For security purposes, this website uses the service of the following provider: Cloudflare, Inc., 101 Townsend St. San Francisco, CA 94107, USA.
The provider protects the website and the associated IT infrastructure from unauthorized third-party access, cyberattacks and from viruses and malware. We collect users' IP addresses as well as, where applicable, further data on your behavior on our website (in particular URLs accessed and header information) in order to detect and defend against illegitimate page access and threats. In doing so, the collected IP address is compared with a list of known attackers. If the collected IP address is identified as a security risk, the provider can automatically block it from accessing the page. The information collected in this way is transmitted to a server of the provider and stored there.
The data processing operations described are carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interests in protecting the website from harmful cyberattacks and in safeguarding structural and data integrity and security.
We have concluded a data processing agreement with the provider that ensures the protection of our visitors' data and prohibits unauthorized disclosure to third parties.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
10.2 Sentry
This website uses a service for the automatic transmission of error reports from the following provider: Functional Software Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA.
In the event of technical complications or functionality impairments in connection with the operation of the website, the service sends automatic error reports to the provider that contain information about the respective error source and its origin. Both server information and usage parameters such as the IP address, the browser used, time stamps and the URL accessed are transmitted in this process.
Depending on the origin of the error, error reports may under certain circumstances also contain further personal customer data that we have collected and stored in the course of concluding contracts (in particular first and last name, address, e-mail address). This is always conceivable when the error occurs in connection with software-based processing of customer data.
Insofar as the information transmitted in this way also includes personal data, processing is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in an efficient analysis of error causes to improve the reliability and functionality of our website.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
11) Rights of the data subject
11.1 Applicable data protection law grants you the following data subject rights (rights to information and intervention) vis-à-vis us as the controller with regard to the processing of your personal data, whereby reference is made to the legal basis cited for the respective conditions of exercise:
- Right of access pursuant to Art. 15 GDPR;
- Right to rectification pursuant to Art. 16 GDPR;
- Right to erasure pursuant to Art. 17 GDPR;
- Right to restriction of processing pursuant to Art. 18 GDPR;
- Right to notification pursuant to Art. 19 GDPR;
- Right to data portability pursuant to Art. 20 GDPR;
- Right to withdraw consent given pursuant to Art. 7(3) GDPR;
- Right to lodge a complaint pursuant to Art. 77 GDPR.
11.2 Right to object
IF WE PROCESS YOUR PERSONAL DATA WITHIN THE FRAMEWORK OF A BALANCING OF INTERESTS ON THE BASIS OF OUR OVERRIDING LEGITIMATE INTEREST, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THIS PROCESSING WITH EFFECT FOR THE FUTURE ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE THE PROCESSING OF THE DATA CONCERNED. HOWEVER, WE RESERVE THE RIGHT TO CONTINUE PROCESSING IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, FUNDAMENTAL RIGHTS AND FREEDOMS, OR IF THE PROCESSING SERVES TO ASSERT, EXERCISE OR DEFEND LEGAL CLAIMS.
IF YOUR PERSONAL DATA IS PROCESSED BY US FOR THE PURPOSE OF DIRECT ADVERTISING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH ADVERTISING. YOU CAN EXERCISE THE OBJECTION AS DESCRIBED ABOVE.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE THE PROCESSING OF THE DATA CONCERNED FOR DIRECT ADVERTISING PURPOSES.
12) Duration of storage of personal data
The duration of storage of personal data is determined by the respective legal basis, the purpose of processing and – where applicable – additionally by the respective statutory retention period (e.g. commercial and tax retention periods).
In the case of processing personal data on the basis of express consent pursuant to Art. 6(1)(a) GDPR, the data concerned is stored until you revoke your consent.
If statutory retention periods exist for data processed within the framework of legal or quasi-legal obligations on the basis of Art. 6(1)(b) GDPR, this data is routinely deleted after the retention periods have expired, provided it is no longer required for the performance or initiation of the contract and/or we have no legitimate interest in continued storage.
In the case of processing personal data on the basis of Art. 6(1)(f) GDPR, this data is stored until you exercise your right to object pursuant to Art. 21(1) GDPR, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
In the case of processing personal data for the purpose of direct advertising on the basis of Art. 6(1)(f) GDPR, this data is stored until you exercise your right to object pursuant to Art. 21(2) GDPR.
Unless otherwise stated in the other information in this declaration regarding specific processing situations, stored personal data is otherwise deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.
Last updated: 26.06.2026