Name and Address of the Data Controller
The data controller under the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States, as well as other data‑protection provisions, is:
Railware, Andrea Hinz
Außener Straße 56
66701 Beckingen
Germany
E‑mail: [email protected]
Website: railware.de, railservizz.de, kontrollraum.io, kontrollraum.dev, kontroll.zone
Railware is a sole proprietorship and has no employees. Therefore a data protection officer is not required.
Our Short Summary for You
We do not send you newsletters by email or post. If you receive any, they are not from us! Exceptions are order and shipping confirmations from the shop, change notifications from our RailServizz, and invoices to our subscribers.
We do not share personal data with third parties, unless it is strictly necessary to fulfil the offered functions.
We do not use cookies for analytics. Hence no info banner is required. We use cookies only during your stay in the webshop. Your browser gives you full control over cookies.
We store your address for processing in our webshop. Upon request it will be deleted. As a payment service we use PayPal. We have an agreement in place. During the payment process we forward you to PayPal and transmit the data necessary for fulfilment. This process is outside our control. Please also see the PayPal privacy policy.
When you log in to protected areas of our server, contact details and password are suggested – this is a function of your browser. This behaviour can be changed in its settings.
There is a ten‑year retention obligation for tax authorities. Therefore we are obliged to keep delivery notes, invoices, credit notes and correspondence. Your data is also retained if, e.g., required as evidence by other authorities.
When you purchase software, we protect your user licence and our legitimate interests with a hardware dongle. It contains, in strongly encrypted form, your name – visible only to the licensed programme – and the connection between you and the software, as well as a strongly encrypted licence code, the licensed product ID and the software version. These are stored in encrypted form for updates and upgrades. You also gain access to our protected Wiki system.
The ticket system is used for communication with you. It stores personal data, which is deleted after 30 days once you or we have closed the ticket.
We gladly fulfil our informational obligations. Please submit your request in writing. Telephone or email enquiries cannot be answered for privacy reasons.
Your personal data is deleted when you request it. This is done after a check by an automated process. Note that we can no longer provide you with updates or upgrades, as no link between you and a user licence can be established.
A good information page for customers is Deine‑Daten‑Deine‑Rechte.
The Part Required by the Data Protection Regulation
Scope of Processing Personal Data
We process personal data of our users only insofar as it is necessary to provide the website and its content and services. Processing is usually done only with the user’s consent. An exception applies where prior consent cannot be obtained for legitimate reasons and processing is required or permitted by statutory provisions.
Legal Basis for Processing Personal Data
Where we obtain the data subject’s consent for a processing operation, Article 6 (1) (a) of the GDPR is the legal basis.
Where processing of personal data is necessary to fulfil a contract to which the data subject is a party, Article 6 (1) (b) is the legal basis. This also applies to pre‑contractual measures.
Where processing is required by a legal obligation to which our company is subject, Article 6 (1) (c) is the legal basis.
Where vital interests of the data subject or another natural person require processing, Article 6 (1) (d) is the legal basis.
Where processing serves a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not override that interest, Article 6 (1) (f) is the legal basis.
Deletion and Retention
Personal data of the data subject is deleted or blocked when the purpose of storage ceases. Storage may continue if mandated by EU or national law. Deletion also occurs when a statutory retention period expires, unless further storage is necessary for contract fulfilment.
Provision of the Website and Server Logfiles
Each visit to our website automatically captures data and information from the user’s computer.
Data collected:
- Browser type and version
- Operating system
- Internet service provider
- IP address
- Date and time of access
- Websites from which the user’s system reached our site
- Websites accessed via our site
These are stored in our server logfiles only. They are not combined with other personal data.
The legal basis for temporary storage of logfiles is Article 6 (1) (f).
Temporary storage of the IP address is necessary to deliver the website. It must be kept for the session.
Logfiles are stored to ensure website functionality, optimisation, and security of our IT systems. No marketing analysis is performed.
Our legitimate interest under Article 6 (1) (f) applies.
Data is deleted when it is no longer needed. For data collected to provide the website, this is when the session ends. Logfile data is deleted after 30 days via an automated process.
This is essential for operation, so the user cannot object.
Use of Cookies
Our website uses cookies. Cookies are small text files stored by the browser. A cookie contains a string that uniquely identifies the browser upon return.
We use cookies so that the shop can assign items to a user during an order.
Stored cookie data:
- Shopping cart
- Temporary random ID
- Remembered search terms
No link to the user is possible. They are not stored with other personal data.
Data collected via necessary cookies is not used for profiling.
Our legitimate interest under Article 6 (1) (f) applies.
Cookies are stored locally on your computer and sent from there to us, so you have full control over them. You can disable or limit cookies via your browser settings. Cookies can be deleted automatically or manually. If cookies are disabled, some website functions may be unavailable.
License Registration
On our site we offer users the possibility to register by providing personal data. The data is entered into a form, sent to us and stored. It is not shared with third parties. Data collected:
- First and last name
- Street and house number
- ZIP and city
- Country
- E‑mail address
At registration time we also store:
- IP address
- Date and time of registration
Consent for processing is obtained.
Legal basis with consent: Article 6 (1) (a).
If registration is required to fulfil a contract or pre‑contractual measures, the legal basis is Article 6 (1) (b).
Registration is necessary for certain content and services on the site:
- Access to technical descriptions for licensed customers
- Shop login to place orders, view previous orders or change address
- Registration is required for contract fulfilment or pre‑contractual measures
Other data processed during submission serves to prevent abuse and ensure security.
Data is deleted when it is no longer needed.
You may cancel registration at any time and change stored data.
RailServizz Ticket System
Our site contains a contact form for electronic contact. Data entered is sent to us and stored.
Data collected:
- First and last name
- Software used and version
- Technology used
- OS
- Question or issue description
- E‑mail address
At message send time we also store:
- IP address
- Date and time of registration
Consent is obtained and referenced in this privacy statement.
No data is forwarded to third parties. It is used only for conversation.
Legal basis with consent: Article 6 (1) (a).
The data from the form is used solely for answering your questions. The required e‑mail is used only for processing.
Other data processed during sending serves to prevent abuse and secure our IT systems.
Data is deleted when it is no longer needed. For form data and e‑mail data, this is when the conversation ends. The conversation ends when the ticket is closed by us or by the user.
You may revoke consent at any time. An objection can be raised in writing. In that case the conversation cannot continue.
Explicit consent to storage is required; otherwise the process stops. Revocation can be submitted in writing. Revocation by phone or e‑mail is not possible for privacy reasons.
All data stored during contact is deleted in this case.
Rights of the Data Subject
Right of Access
You may request confirmation whether personal data relating to you is processed by us. If so, you can ask for:
- The purposes for which data is processed
- Categories of personal data processed
- Recipients or categories of recipients to whom data has been or will be disclosed
- Intended retention period or criteria for determining it
- Whether you have a right to rectification, deletion, restriction, or objection
- Whether you have a complaint right with a supervisory authority
You also have the right to be informed if data is transferred to a third country or international organisation, and to receive information about adequate safeguards under Article 46.
Right to Rectification
You have the right to rectify or complete data that is incorrect or incomplete. The controller must rectify immediately.
Right to Restriction
You may restrict processing if:
- You dispute accuracy for a period allowing verification
- Processing is unlawful and you refuse deletion but want restriction
- The controller no longer needs data for processing purposes but you need it for legal claims
- You object under Article 21 (1) and it is not clear whose legitimate interests prevail
Restricted data may only be processed with your consent or for legal claims or to protect rights, etc.
You will be notified before restriction ends.
Right to Erasure
You may request erasure. The controller must erase if:
- Data is no longer necessary
- You revoke consent and no other legal basis exists
- You object under Article 21 (1) and no overriding legitimate interest exists
- Data was unlawfully processed
- Erasure is required by law
- Data was collected under Article 8 (1)
The right to erasure does not apply if processing is necessary for:
- Freedom of expression
- Legal obligations under EU or national law
- Public interest tasks
- Public health
- Archival, scientific or statistical purposes
- Legal claims
Right to Notification
If you request rectification, deletion or restriction, the controller must notify all recipients who have received your data unless impossible or disproportionate.
You have the right to be informed about recipients.
Right to Data Portability
You may obtain your data in a structured, common, machine‑readable format, and transmit it to another controller, provided:
- Processing is based on consent or contract
- Processing uses automated means
You also may request direct transfer between controllers if technically possible.
This right does not apply to tasks carried out in the public interest or in the exercise of public authority.
Right of Objection
You may object at any time to processing of your data based on Article 6 (1) (e) or (f), including profiling.
The controller stops processing unless it can prove compelling legitimate interests or legal claims.
If data is used for direct marketing, you may object at any time. This also applies to profiling linked to marketing.
If you object, data is no longer processed for that purpose. You may exercise the right via automated means when using information society services, independent of Directive 2002/58/EC.
Right to Withdraw Consent
You may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
Automated Decision‑Making with Profiling
You have the right not to be subject to a decision based solely on automated processing that has legal effect unless:
- Necessary for contract conclusion or fulfilment
- Permitted by EU or national law and includes adequate safeguards
- With explicit consent
Decisions cannot rely on special categories under Article 9 (1) unless certain conditions apply.
Controllers must take measures to safeguard rights, e.g., right to intervene, express view, challenge.
Right to File a Complaint
You may file a complaint with a supervisory authority, especially in your country of residence, workplace or where alleged violation occurred, if you believe processing violates the GDPR.
The authority will inform you of the status and outcome, including a right to judicial remedy under Article 78.

