Privacy policy


We appreciate your interest in Thalox AG, its products, and your visit to our website at One of our main priorities is the privacy of our customers and we want to make you feel comfortable with how we use and share your personal information. This Privacy Policy document contains the types of information that is collected and recorded at and how we use it. If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact us.

This Privacy Policy applies only to our online activities and is valid for visitors to our website with regards to the information that they shared and/or collect at

Information we collect
If you contact us directly, we may receive additional information about you such as your company name, your name, e-mail address, phone number, the contents of the message and/or attachments you may send us, and any other information you may choose to provide. This information is needed to get back to you. There is no intent to use this data provided other than to communicate with you about Thalox AG and its products and/or to improve the services we offer as stated below.

How we use your information
We use the information we collect i.e. to:

Provide, operate, and maintain our website
Improve, personalize, and expand our website
Understand and analyze how you use our website
Develop new products, services, features, and functionality
Communicate with you, either directly or through one of our partners, including for customer service, to provide you with updates and other information relating to the website, and for marketing and promotional purposes
Send you e-mails
Find and prevent fraud

Log Files follows a standard procedure of using log files. These files log visitors when they visit websites. All hosting companies do this and a part of hosting services’ analytics. The information collected by log files could include internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks. The purpose of the information is for analyzing trends, administering the site, tracking users’ movement on the website, and gathering demographic information to deliver an as relevant as possible experience to you.

Like any other website, uses ‘cookies’. These cookies are used to store information including visitors’ preferences, and the pages on the website that the visitor accessed or visited. The information is used to optimize the users’ experience by customizing our web page content based on visitors’ browser type and/or other information.

You can choose to disable cookies through your individual browser options. To know more detailed information about cookie management with specific web browsers, it can be found at the browsers’ respective websites.

In any shape or form we will not retain personal information in an identifiable format for longer than is necessary. The only exceptions to this are where:

the law requires us to hold your personal information for a longer period, or delete it sooner;
you exercise your right to have the information erased (where it applies) as stated below
and in limited cases, the law permits us to keep your personal information indefinitely provided we put certain protections in place.

GDPR Data Protection Rights
We finally would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

The right to access – you have the right to request copies of your personal data. We may charge you a small fee for this service.
The right to rectification – you have the right to request that we correct any information you believe is inaccurate. You also have the right to request that we complete the information you believe is incomplete.
The right to erasure – you have the right to request that we erase your personal data, under certain conditions.
The right to restrict processing – you have the right to request that we restrict the processing of your personal data, under certain conditions.The right to object to processing – you have the right to object to our processing of your personal data, under certain conditions.
The right to data portability – you have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us.

Children’s Information
Another part of our priority is adding protection for children while using the internet. We encourage parents and guardians to observe, participate in, and/or monitor and guide their online activity. does not knowingly collect any Personal Identifiable Information from children under the age of 13. If you think that your child provided this kind of information on our website, we strongly encourage you to contact us immediately and we will do our best efforts to promptly remove such information from our records.

Links to other websites
Our website may contain links to other websites run by other organisations which we do not control. This policy does not apply to those other websites‚ so we encourage you to read their privacy statements. We are not responsible for the privacy policies and practices of other websites – even if you access them using links that we provide. We provide links to those websites solely for your information and convenience. We specifically disclaim responsibility for their content, privacy practices and terms of use, and we make no endorsements, representations or promises about their accuracy, content or thoroughness. Your disclosure of personal information to third party websites is at your own risk.

In addition, if you linked to our website from a third party website, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party website and recommend that you check the policy of that third party website.

Third Parties and Social Plugins
Our websites may also contain third-party offers. If you click on any such offers, we will transfer the amount of data required to the appropriate provider e.g. the fact that you found the offer in question on our website and, if applicable, additional information that you have already provided for this purpose on our websites.

On our websites, whenever we use so-called “social plugins” from social networks like Facebook, Twitter and others, we incorporate them in the manner described below. When you visit our websites, social media plugins are deactivated. That means no information whatsoever is transferred to the operators of those networks. If you wish to use one of the networks, click on the appropriate plugin in order to be connected directly to that network’s server. If you have a user account with that network and are logged in at the moment you activate the plugin, the network will be able to detect your visit to our websites and assign it to your user account. If you wish to prevent that, please log off from the network before activating the social plugin. When you activate a social plugin, the network transfers the content thus made available directly to your browser, which incorporates it into our websites. In that situation, data transfers initiated and controlled by the respective social network may also take place. Your connection to a social network, the data transfers that take place between the network and your system, and your interactions on that platform are governed exclusively by the respective network’s data protection provisions. The social plugin will remain active until you deactivate it or delete your cookies. Whenever you click on the link to an offer or activate a social plugin, your personal information may be transferred to providers in countries outside the European Economic Area that, from the standpoint of the European Union (“EU”), do not guarantee an “appropriate level of protection” meeting EU standards for processing personal information. Please keep these circumstances in mind before you click on a link or activate a social plugin, thereby causing your data to be transferred.

Analysis of personal data and use of tools
We want the content of our websites to match your preferences as closely as possible, thereby improving what we offer you. To identify especially popular areas of our websites, we use the following analysis tools: Google Analytics and Adobe Analytics.

When we employ these analytics tools, information may be transferred to servers located outside the EU and processed there. Please note the following: From the standpoint of the European Union, the United States does not provide an “appropriate level of protection” meeting EU standards for the processing of personal information in general. However, an equivalent level of protection can be created for individual instances of processing by a company through certification under the EU-U.S. Privacy Shield Framework or other instruments (e.g. the EU’s so-called standard contractual clauses for the transfer of personal data).

If you do not wish us to use the abovenamed analytics tools to collect and analyze information about your visit to our websites, you may permanently object to the practice (opt out) at any time.

We will comply with your rejection by placing an opt-out cookie in your browser. This cookie will only indicate that you have opted out. Please note that, for technical reasons, an opt-out cookie affects only the browser in which it has been installed. If you delete the cookie or use a different browser or device, you will need to opt out again.

Below you will find information about the providers of the analytics tools and the respective opt-out procedures:

Google Analytics from Google Inc. (“Google”):

Google is certified under the EU-U.S. Privacy Shield Framework. You can prevent your information from being transferred as well as collected and processed by Google. Google provides information about this at the following link:

Adobe Analytics from Adobe Systems Inc. (“Adobe”)

Adobe is certified under the EU-U.S. Privacy Shield Framework.You can follow this link to opt out of analysis using Adobe Analytics:

We may use so-called targeting, retargeting and cookie-less technologies in order to tailor our online marketing (e.g. banner ads) more specifically to your needs and interest such as Adobe Target, Google Search Ad, Google Display & Video 360, Salesforce Data Management Platform and others. These are monitored and used when you visit other websites that work together with the providers of these (re-)targeting technologies, so as to inform you while meeting your interests as closely as possible.

When the above technologies are used, cookies on our websites and (in the case of retargeting) on the websites of others register your interest in our products and services. In the process, random identifiers (so-called cookie IDs) are used which are not brought into connection with your name, your address or similar information, even if this information is known to us (e.g. from an existing contractual relationship), unless you have consented to this.

You can manage and deactivate the use of cookies i.e. on the following websites for the technology providers listed there or in your browser:

Your ad choices

During the retargeting process, we may also collect information about your interest in the products and services of our retargeting partners. When these targeting and retargeting tools are used, some data may be transferred to servers located outside the EU and processed there. For legal reasons, the use of tracking and (re-) targeting technologies is sometimes only possible with your express consent – so called opt in. In other cases you can object to the use of such technologies if you wish – so called opt out.

We only use online marketing products with your express consent, which you can grant by clicking on the “Agree” button in the so-called Cookie Information Layer (“Opt-in”). We store this consent in a cookie on your device so that you are not asked for consent again each time you visit our websites, and for legal reasons, also on our servers with the IP address and a time stamp; we delete this information or restrict its processing if you withdraw your consent or 6 months at the latest after your last visit to our websites.

Should you change your mind at any time, you can withdraw your consent. To delete cookies set with your consent when visiting our websites after your consent to these online marketing products is withdrawn, please delete the cookies in your browser.

We may collect your preferences to send you Marketing information directly from us by E-Mail e.g when using our contact us form. We will only do so if you have consented to receiving such marketing information directly from us. We may contact you with targeted advertising delivered online through social media and platforms (operated by other companies) by using your personal information, or use your personal information to tailor marketing to improve its relevance to you, unless you object. We will only share your personal information with recommended third parties for them to contact you with marketing information about their products and services where you have indicated that you would like us to do so. Once shared, the relevant third party’s privacy policy will apply to their processing of your personal information, not ours. If you’d like to opt-out of receiving marketing from a third party after providing your consent, you can do so at any time by contacting the relevant third party directly.

Surely, you have the right to opt-out of our use of your personal information to provide Marketing to you in any of the ways described. Therefore from time to time, we may ask you to refresh your marketing preferences by asking you to confirm that you consent to continue receiving marketing information from us.

Changes to this Policy
We may review this policy from time to time and any changes will be notified to you by posting an updated version on our website. We recommend you regularly check for changes and review this policy when you visit our website. If you do not agree with any aspect of the updated policy, you must promptly notify us and cease using our services. This policy was last updated 20th October 2021.

By using our website, you hereby consent to our Privacy Policy and agree to its terms.

Contact Us / DSGVO Representative
If you have any questions, suggestions or complaints about the processing of your personal information or wish to contact us to amend/update your preferences with Thalox AG please contact the Data Protection coordinator. Data Protection coordinator:

Proliance GmbH
Dominik Fünkner

Leopoldstr. 21
80802 München



Other services and technologies used by this website:


  • Customer Service Agreement
    § 1 | Scope |

    (1) These General Terms and Conditions (hereinafter: “GTC”) apply to all contracts between Thalox AG, represented by the Executive Board, Erwin Marc Arnold, Schießhausstraße 155, 86633 Neuburg a.d. Donau, Germany (hereinafter: “Provider” or “Thalox”) and its customers (hereinafter: “Customer”), which have as their object the temporary provision of the software solution “thalox for  marketers” (hereinafter: “Software” or “Application”) as Software as a Service or extensions or further services thereto, even if this is not separately agreed again. Insofar as the application merely relies on services of third parties, in particular HubSpot Inc., HubSpot, Inc. 25 First Street, Cambridge, MA 02141 USA (hereinafter “HubSpot”) or is capable of cooperating with them, the services of third parties are not the subject of performance and are not covered by this agreement.

    (2) Unless expressly agreed otherwise, these GTC shall apply exclusively in the version valid at the time of conclusion of the contract.

    By accepting the offer, at the latest by registering an account on, the customer expressly agrees to these GTC and waives the assertion of his own deviating terms and conditions or terms and conditions of purchase and payment. Other terms and conditions do not apply even if Thalox does not expressly object to them in individual cases. Deviating terms and conditions of the customer shall only apply if they have been agreed separately, expressly and in writing. If the customer does not agree with this, he must immediately inform the supplier of this in writing.

    (3) Customers within the meaning of these GTC are exclusively entrepreneurs, i.e. any natural or legal person or partnership with legal capacity who, when concluding the contract, acts in the exercise of their commercial or independent professional activity. Conclusion of a contract with consumers is excluded.

    (4) Individual agreements made with the Customer in individual cases, in particular within the framework of the “Enterprise” variant (including ancillary agreements, supplements and amendments) shall in all cases take precedence over these GTC. Subject to proof to the contrary, a written contract or written confirmation by the Provider shall be authoritative for the content of such agreements.

    (5) Thalox is entitled to make changes to the service descriptions or these general terms and conditions and other conditions. Thalox will only make these changes for valid reasons, in particular due to new technical developments, changes in case law or other equivalent reasons. If the amendment significantly disturbs the contractual balance between the parties, the amendment shall not be made. Otherwise, changes require the consent of the customer

    § 2 | Subject matter of performance |

    (1) The subject matter of the contract is the provision of the application as well as the technical facilitation of the use of the application by means of browser access and the granting or procurement of rights of use to the application as well as the provision of storage space for the data generated by the customer through the use of the application and/or the data required for the use of the application (hereinafter: application data) by the provider to the customer against payment of the agreed fee.

    (2) The application establishes an interface to the third-party provider HubSpot and enables the evaluation of customer communication. This includes in particular

    • The creation of probability calculations regarding the reaction to the customer’s marketing measures (“engagement score”).
    • Evaluations of the customer segments in relation to the engagement score
    • Making proposals to increase the engagement score
    • Creation of graphical evaluations

    The object of the application is exclusively the evaluation of customer communication. The application itself does not select any marketing measures or content to be transmitted to customers. The application does not check the correctness or completeness of the content of the customer entries or any third-party data included. The calculated engagement score, reports, visualizations and other presentations are not advisory services or recommendations for action, but non-binding reports which the client can include at his own discretion as part of his planning. The remuneration listed in § 9 is paid exclusively for the technical provision or granting of rights of use to the software and does not constitute a consultancy fee.

    (3) The application is offered in four variants:

    (a) thalox for marketers Free (free of charge)

    (b) thalox for marketers StartUp (free of charge)

    (c) thalox for marketers Business

    (d) thalox for marketers Enterprise

    The content and scope of services of the respective variant as well as the permissible number of users can be found on the provider’s website at

    (4) The provision of third party services is not the subject of the service. Thalox does not assume any warranty for the functionality and maintenance of third-party services, in particular HubSpot or other platforms operated by third parties.

    (5) Insofar as the booking of the chargeable service is preceded by a free phase, the customer cannot assert any claims in this respect beyond the statutory liability claims. Multiple use of the test phase is excluded.

    § 3 | Registration and conclusion of contract |

    (1) Use of the application requires prior registration. There is no entitlement to the opening of a customer account. Only persons with unlimited legal capacity who are acting in the exercise of their commercial or independent professional activity are entitled to register. At the Provider’s request, the Customer must send the Provider proof of identity (e.g. a copy of his identity card) or state his VAT identification number and document his registration. Within the scope of registration, the Provider shall request the Customer’s data. The data required to create the user account must be provided by the customer completely and truthfully. After providing the data, the customer receives a verification code to the e-mail address provided by the customer. After confirmation of the e-mail address, registration for the application takes place by entering the deposited e-mail address and the password assigned by the customer himself. The customer is obliged to keep his password secret and not to disclose it to third parties under any circumstances.

    (2) After registration, the customer may use the software in the “Free” variant free of charge for 30 days.

    (3) Prior to the expiry of the 30-day period pursuant to para. 2, the customer shall be informed of the impending end of the free-of-charge usage period and shall be offered the option of switching to a paid variant. For this purpose, the customer will be requested to provide a billing address and a means of payment. During the ordering process, the process can be cancelled at any time by clicking on the “back” symbol (“< “). Once the information has been entered in full, the customer is shown an order overview. The contract is concluded by clicking on “Sign Up”.

    (4) Insofar as the customer’s personal or company details change, the customer himself is responsible for updating them. All changes must be communicated to the Provider via the input mask in the personal area or in text form.

    § 4 | Provision of the application |

    (1) The Provider shall keep the application in the version current at the time of conclusion of the contract available for use in accordance with the following provisions from the time of conclusion of the contract (§ 3) on one or more central data processing systems which it rents from third parties (hereinafter: server).

    (2) The Provider shall ensure that the provided application is

    • is suitable for the purposes resulting from the respective current service description,
    • is free of defects during the entire term of the contract,
    • in particular, is free of viruses and similar malware that would render the application unsuitable for use in accordance with the contract

    whereby the provider owes the care customary in the industry. In determining whether the provider is at fault, it must be taken into account that software cannot technically be created completely free of errors.

    (3) The security measures to be observed by the customer result from § 8 of these GTC.

    (4) Insofar as the Provider produces the application itself, it shall ensure that it always corresponds to the proven state of the art. If the Provider obtains parts of the application (e.g. plug-ins, etc.) from third parties, it shall keep the latest version of the respective part of the application that is generally available on the market at the time of conclusion of the contract ready for use by the Customer for no later than three months after the general market release by the manufacturer.

    Insofar as the provision of a new version or any other change results in the functionalities of the application, work processes of the Customer supported by the application and/or restrictions in the usability of previously generated data being impaired, the Provider shall notify the Customer of this in writing at least six weeks before such a change takes effect. If the Customer does not object to the change in writing within a period of two weeks from receipt of the change notification, the change shall become part of the contract. The Provider shall draw the Customer’s attention to the aforementioned deadline and the legal consequences of its expiry in the event of failure to exercise the option to object whenever changes are announced.

    (5) The Provider shall provide storage space on the server for storing the application data from the time the application is made available for operation.

    (6) The application and the application data are backed up on the server regularly, at least daily. The customer is responsible for compliance with any retention periods under commercial and tax law.

    (7) The transfer point for the application and the application data is the router exit of the data centre of the hosting provider commissioned by the Provider.

    (8) The Customer shall keep the Mozilla Firefox or Google Chrome browsers in the current version, or at least the previous version of the current version, ready for accessing the application. For changes to the Provider’s technical system, the objection solution of para. 4 subpara. 2 shall apply accordingly. The Provider shall not be responsible for the quality of the required hardware and software on the part of the Customer or for the telecommunications connection between the Customer and the Provider up to the transfer point.

    § 5 | Availability of the application |

    (1) The Provider owes the availability of the Application and the Application Data at the Delivery Point as agreed below. The contractual partners understand availability to mean the technical usability of the application and the application data at the delivery point for use by the customer.

    (2) The Provider shall make the application available to the Customer from the time of registration, but this shall exclude the agreed times of announced unavailability.

    (3) The available use shall also include the periods during

    • disruptions in or due to the condition of parts of the technical infrastructure required for the execution of the application, including third-party services, which are not to be provided by the Provider or its vicarious agents (§ 2 para. 4);
    • disruptions or other events that are not (partly) caused by the Provider or one of its vicarious agents, e.g. exceeding an agreed permitted load of the application;
    • insignificant reduction of the suitability for the contractual use;

    (4) Announced unavailability

    (a) Thalox is entitled during periods of announced unavailability to maintain, service, backup or otherwise work on the Application and/or servers. The Customer hereby agrees that there will be a scheduled unavailability every Wednesday from 8:00 p.m. to 11:00 p.m. throughout the term of the Agreement. In all other respects, announced unavailability and their expected duration shall be announced at least 7 days in advance. This period may be shortened in justified exceptional cases.

    (b) Use of the application during periods of announced unavailability

    If and to the extent that the customer can use the application during periods of announced unavailability, there shall be no legal claim to this. If the use of an application during times of announced unavailability results in a reduction or cessation of performance, the customer shall have no claim to liability for defects or damages. This shall also apply insofar as the customer uses a browser other than that specified in § 4 para. 8 or a version other than that recommended therein.

    (5) Troubleshooting

    Unless response and recovery times have been agreed separately, in the event of unplanned unavailability of the application the Provider shall ensure that the fault rectification is initiated within a reasonable time and that the Customer is informed of this. The Provider shall also ensure that the reported or noticed technical malfunction is remedied within a period of time appropriate to the extent of the malfunction.

    § 6 | Other Services of the Provider |

    (1) During the term of the contract, an electronic user manual for the application shall be available to the Customer for retrieval at If the application is updated, the user manual shall be adapted accordingly.

    (2) If the Provider provides third-party software as an application and no documentation in German/English is generally available from this third party, the Provider shall be entitled to provide only the documentation accessible to it.

    The customer shall be entitled to save, print and reproduce the documentation provided in reasonable numbers for the purposes of this contract, while maintaining existing property right notices. In all other respects, the restrictions on use of the documentation set out in §§ 7-8 of these GTC for the application shall apply mutatis mutandis.

    (3) Thalox provides customer support via a contact form. Thalox reserves the right to adjust the availability times and channels of the customer support. If the contractual partners agree on support response and recovery times in a service level agreement (SLA), this shall become part of the contract.

    (4) Further services of the Provider can be agreed at any time. In particular, support services can be agreed subsequently. Unless otherwise agreed, such further services shall be provided against reimbursement of the proven expenditure at the Provider’s general hourly rates.

    § 7 | Rights of use to and use of the application |

    (1) The customer shall receive simple (non-sublicensable and non-transferable) rights of use to the application, limited to the term of the respective contract, in accordance with the following provisions.

    (2) The customer uses the application exclusively on the server. The application shall not be physically transferred to the customer. The customer may only use the application for its own business activities by its own personnel.

    (3) The customer shall only use the application to the extent of the booked variant. The Provider reserves the right to assert claims in the event of additional use beyond the agreed use.

    (4) The customer is not entitled to make changes to the application. This does not apply to changes that are necessary for the correction of errors if the Provider is in default with the correction of the error, refuses to correct the error or is unable to correct the error due to the opening of insolvency proceedings.

    (5) If the Provider makes new versions, updates, upgrades or other new deliveries with regard to the application during the term, the above rights shall also apply to these.

    (6) The customer is not entitled to any rights not expressly granted to the customer above. In particular, the customer is not entitled to use the application beyond the agreed use or to have it used by third parties or to make the application accessible to third parties. Expecialy is not permitted to reproduce, sell or provide the application for a limited period of time, in particular not to rent or lend it.

    § 8 | Client’s obligations for safe use |

    (1) The customer shall take the necessary precautions to prevent the use of the application by unauthorized persons; in particular, the customer shall ensure that the passwords used contain at least 8 characters and are composed of upper case letters, lower case letters and numbers.

    (2) The customer is liable for ensuring that the application is not used for racist, discriminatory, pornographic purposes, purposes that endanger the protection of minors, politically extreme purposes or purposes that otherwise violate the law or official regulations or requirements, or that corresponding data, in particular application data, are created and/or stored on the server.

    (3) It is the responsibility of the customer to comply with the restrictions/obligations with regard to the rights of use pursuant to § 7, in particular he shall

    (a) not to retrieve or cause to be retrieved any information or data without authorization or to interfere or cause to be interfered with any programs operated by Thalox or to intrude or facilitate any such intrusion into Thalox’s data networks without authorization;

    (b) not misuse the exchange of electronic messages possible within the framework of the contractual relationship and/or using the application for the unsolicited sending of messages and information to third parties for advertising purposes;

    (c) indemnify Thalox against claims by third parties based on his unlawful use of the application or arising from data protection, copyright or other legal disputes caused by the customer that are connected with the use of the application;

    (d) oblige the Authorized End Users to comply in turn with the provisions of this Agreement applicable to them;

    (e) ensure that (e.g. when transmitting texts/data of third parties to the Provider’s server) he observes all rights of third parties to material used by him;

    (f) obtain the required consent of the respective data subject in accordance with Section 10 (2), insofar as he or she collects, processes or uses personal data when using the application and no statutory element of permission applies;

    (g) check data and information for viruses before sending them to Thalox and use state-of-the-art virus protection programs;

    (h) if it transmits data to generate application data using the Provider’s application, back it up regularly and in accordance with the significance of the data and make its own back-up copies to enable the reconstruction of the data and information in the event of loss;

    (i) if and insofar as the technical possibility to do so is made available to him by mutual agreement, regularly back up the application data stored on the server by download; the obligation of the Provider to back up data pursuant to Section 4 (6) remains unaffected.

    (4) Violation of the provisions under paras. 1 to 3 by the customer

    (a) If the customer violates the provisions in paragraph 1, – 3 for reasons for which he is responsible, Thalox may block the customer’s access to the application or the application data if the violation can be demonstrably remedied.

    (b) If the customer unlawfully violates paragraph 2 or 3, Thalox is entitled to delete the data or application data affected thereby. In the event of an unlawful violation by the user, the customer must immediately provide Thalox, upon request, with all information necessary to assert claims against the user, in particular the user’s name and address.

    If the customer continues to violate or repeatedly violates the provisions in paragraphs 1 to 3 despite a corresponding written warning from the provider, and if the customer is responsible for this, the provider may terminate the contract extraordinarily without observing a notice period.

    (c) In the event of breaches of duty by the Customer, Thalox may claim damages in accordance with § 12, unless the Customer is not responsible for the breach of duty

    (5) If and to the extent that a database, databases, a database work or database works are created on the Provider’s server during the term of the respective contract, in particular by compiling application data, as a result of activities of the Customer permitted under the contract, all rights thereto shall belong to the Customer. The customer shall remain the owner of the databases or database works even after the end of the contract.

    (6) The Customer is not entitled to transfer the software to third parties, in particular to sell or sublet it, without the Provider’s permission. Dependent use by the customer’s employees or other third parties subject to the customer’s right to issue instructions within the scope of the intended use and compliance with the agreed number of users is permitted.

    (7) The customer shall take suitable precautions to protect the application from unauthorised access by third parties. The contractually agreed number of users may not be exceeded. In particular, user accounts may not be used by several employees at the same time.

    § 9 | Charges |

    (1) The Provider shall charge a monthly flat fee for the services to be rendered for the granting of use with regard to the application and the provision of storage space, including data backup

    (2) Unless the Parties have reached an individual agreement on the remuneration within the framework of the “Enterprise” variant, the remuneration shall result from the overview available at

    (3) The respective lump sum shall accrue for each monthly billing period from operational provision and shall be due in advance on the first working day of the billing period. If the customer has justifiably terminated the contract extraordinarily, the flat rate shall be repaid pro rata temporis.

    (4) System changes to third party services (§ 2 para. 4) after conclusion of the contract (§ 3) shall not lead to the discontinuation of the obligation to pay remuneration.

    (5) Other services shall be provided by the Supplier on a time and material basis at the Supplier’s general list prices applicable at the time of the order.

    (6) Any separate remuneration shall be due 10 days after receipt of the invoice.

    (7) Remuneration shall be owed plus VAT at the statutory rate applicable from time to time.

    (8) The Customer agrees to the issuance of invoices in an electronic format and their electronic transmission (electronic invoices). Thalox is entitled to use payment service providers for the processing of payments and the issuing of invoices.

    § 10 | Data security, data protection |

    (1) The contracting parties shall observe the applicable data protection provisions, in particular those valid in Germany (in particular the Basic Data Protection Regulation and the Federal Data Protection Act) and shall oblige their employees deployed in connection with the contract and its performance to maintain data secrecy, insofar as they are not already generally obliged to do so.

    (2) If the customer collects, processes or uses personal data, he guarantees that he is entitled to do so in accordance with the applicable provisions, in particular those relating to data protection law, and in the event of a breach he indemnifies Thalox against claims by third parties.

    (3) The Provider shall collect and use personal data of the Customer only to the extent required for the performance of this Agreement. The customer agrees to the collection and use of such data to this extent.

    (4) The obligations under paragraphs 1 to 3 shall continue to exist as long as application data are within the sphere of influence of the Provider, even beyond the end of the contract.

    (5) Insofar as the transmitted data also contain personal data, the contracting parties shall conclude a commissioned data agreement in accordance with Art. 28 DSGVO. In the event of contradictions between these GTC and the agreement on commissioned data processing, the latter shall take precedence over the former.

    § 11 | Secrecy |

    (1) The Supplier undertakes to treat as confidential both itself and its employees and other vicarious agents with respect to all information obtained within the scope of the respective contractual relationship and designated as confidential or to be regarded as confidential under the circumstances.

    (2) The confidentiality obligation shall continue to apply after termination of the respective contract.

    (3) The duty of confidentiality shall not apply to such information which is

    • do not qualify as business secrets within the meaning of the GeschGehG
    • were demonstrably known to or made available to the provider before the customer became aware of them;
    • are demonstrably disclosed to the Provider in a lawful manner by third parties who are not subject to a duty of confidentiality after being informed by the Customer;
    • were in the public domain as a result of publications or for any other reason, or became so after they were brought to the public’s attention.

    (4) Notwithstanding the aforementioned provisions, the Provider shall be entitled to fulfil its statutory obligations to provide information also with regard to the information provided to it.

    (5) Provided that the customer gives prior consent in text form, Thalox is entitled to name the customer as a reference customer vis-à-vis third parties and to include the customer’s name and logo on its own Internet pages for the purpose of providing references. The authorisation exists beyond the termination of the contractual relationship until revoked by the customer.

    § 12 | Liability |

    (1) In the event of intent or gross negligence, the Provider shall be liable without limitation for all damage caused by it and its legal representatives or vicarious agents.

    (2) In the event of slight negligence, the Provider shall be liable without limitation in the event of injury to life, limb or health.

    (3) In all other respects, the Provider shall only be liable if it has breached a material contractual obligation. Material contractual obligations are those obligations which are of particular importance for the achievement of the purpose of the contract, as well as all those obligations which, in the event of a culpable breach, may lead to the achievement of the purpose of the contract being jeopardized. In these cases, liability is limited to compensation for the foreseeable, typically occurring damage. In this respect, it is again stated that according to § 2 para. 2 – 4 neither the provision and maintenance of third party services, nor the verification of input by the customer or other third parties are contractual obligations.  The provider’s strict liability for damages for defects existing at the time of conclusion of the contract is excluded; paras. 1 and 2 remain unaffected.

    (4) Insofar as data backup is not included in the Provider’s contractual catalogue of services, the Customer shall be responsible for regularly backing up its data. In the event of a loss of data for which the Provider is responsible, the Provider shall therefore be liable exclusively for the costs of restoring the service on the basis of and with the status of the Customer’s backup copy.

    (5) Thalox is not liable for an infringement of the rights of third parties by the customer, if and to the extent that this infringement results from a transgression of the rights of use granted under these GTC. In this case, the Customer shall indemnify Thalox upon first request against all claims of third parties.

    (6) Liability under the Product Liability Act and other mandatory statutory provisions shall remain unaffected.

    § 13 | Term, Termination |

    (1) The respective contractual relationship begins with the conclusion of the contract (§ 3). Unless otherwise agreed, paid variants of the application have a term of one month, beginning with the respective booking.

    (2) The contractual relationship shall be automatically extended by a further month unless terminated by one of the parties at the end of the respective term.

    (3) The right to terminate for good cause remains unaffected. Good cause shall be deemed to exist in particular if the respective other contracting party grossly breaches its contractual obligations in breach of contract and despite written warning and/or setting of a deadline. Good cause shall be deemed to exist in particular if the customer is in default with the payment of fees or significant parts thereof and does not pay the fees within a reasonable period of time even after a reminder or if an application for the opening of insolvency proceedings against the customer’s assets has been filed and/or such insolvency proceedings have been opened.

    (4) If the contractual relationship is terminated extraordinarily by the Provider due to a culpable breach of duty by the Customer, the Customer undertakes to compensate the Provider for the damage resulting from the extraordinary termination.

    (5) If notice of termination is not given via the button provided for this purpose in the customer profile, it must be given in text form.

    (6) After termination, access to the customer account will be blocked. Unless otherwise agreed, all customer data will be deleted one month after termination of the contract. It is the responsibility of the customer to save his customer data to his local system in a timely manner. Thalox is prepared to provide the customer with his data in electronic form within one month after termination of the contract. The expenses incurred as a result of this will be invoiced separately to the customer.

    (7) The customer is solely responsible for compliance with statutory retention obligations (e.g. due to tax regulations) with regard to his customer data.

    (8) Any use of the software after termination of the contractual relationship is not permitted.

    § 14 | Force majeure |

    Neither of the contracting parties shall be obliged to fulfil the contractual obligations in the event of and for the duration of force majeure. In particular, the following circumstances shall be considered as force majeure in this sense:

    • fire/explosion for which the contracting party is not responsible,
    • Pandemics,
    • Flooding,
    • War, mutiny, blockade, embargo,
    • industrial dispute lasting more than 6 weeks and not culpably brought about by the contractual partner,
    • technical problems of the internet that cannot be influenced by a contractual partner.

    Each contracting party shall immediately notify the other in writing of the occurrence of a case of force majeure.

    § 15 | Final Provisions |

    (1) German substantive law shall apply to all contractual relationships with Thalox to the exclusion of the UN Convention on Contracts for the International Sale of Goods.

    (2) The possible invalidity of individual provisions of these GTC shall not affect the validity of the remaining content of the contract.

    (3) If, in the practical application of the respective contract or these GTC, gaps arise which the contracting parties have not provided for, or if the ineffectiveness of a provision is established in a legally binding manner or by both contracting parties in agreement, they undertake to fill or replace this gap or ineffective provision in a factual and appropriate manner oriented to the economic purpose of the contract.

    (4) Insofar as these GTC or other contractual documents are also translated into other languages, this shall only serve as a reading aid. In the event of disputes or questions of interpretation, only the German version shall be used.

    (5) The exclusive place of jurisdiction for all contracts with Thalox is the district court responsible for 86633 Neuburg a.d. Donau, unless a norm mandatorily orders a different place of jurisdiction.

    — Status: December 2022 —

  • Data Processing
    Contract on commissioned processing







    as the responsible person (herein referred to as the “Principal“)

    and the

    Thalox AG

    represented by the Executive Board, Erwin Arnold,

    as contact person for data protection

    Schießhausstraße 155

    86633 Neuburg a.d.Donau

     (herein referred to as “Contractor“)


    The Client uses the SaaS solution “thalox for  marketers” operated by the Contractor. The Client wishes to commission the Contractor with the services specified in § 3. In the course of the performance of the contract, personal data may be processed. In particular, Art. 28 DSGVO imposes certain requirements on such commissioned processing. In order to comply with these requirements, the Parties enter into the following agreement, the performance of which shall not be remunerated separately unless this is expressly agreed.

    § 1 | Definitions |

    (1) Pursuant to Art. 4 (7) DSGVO, the controller is the body which alone or jointly with other controllers determines the purposes and means of the processing of personal data.

    (2) Pursuant to Article 4 (8) of the GDPR, a processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller.

    (3) Pursuant to Article 4(1) of the GDPR, personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    (4) Personal data requiring special protection are personal data pursuant to Art. 9 GDPR revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of data subjects, personal data pursuant to Art. 10 GDPR on criminal convictions and offences or related security measures, and genetic data pursuant to Art. 4 (13) GDPR. 10 GDPR on criminal convictions and offences or related security measures as well as genetic data pursuant to Art. 4 (13) GDPR, biometric data pursuant to Art. 4 (14) GDPR, health data pursuant to Art. 4 (15) GDPR and data on the sex life or sexual orientation of a natural person.

    (5) According to Article 4 (2) of the GDPR, processing is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    (6) Pursuant to Article 4 (21) of the GDPR, the supervisory authority shall be an independent state body established by a Member State pursuant to Article 51 of the GDPR.

    § 2 | Indication of the competent data protection supervisory authority |

    (1) The competent supervisory authority for the principal shall be determined by the principal’s registered office.

    (2) The competent supervisory authority for the Contractor is the Bavarian State Commissioner for Data Protection.

    (3) The contracting authority and the contractor and, where appropriate, their representatives shall cooperate, on request, with the supervisory authority in the performance of their duties.

    § 3 | Formation of the contract, subject matter of the contract |

    (1) This agreement shall enter into force upon confirmation by the client in electronic form. For this purpose, the client shall set a corresponding check mark in the course of setting up his user account and thereby confirm the conclusion of the contract. The contract ends with the termination of the main contractual relationship.

    (2) The Contractor shall provide services for the Client in the form of making available a software platform on server capacities rented from third parties for use via the Internet. In doing so, the contractor may obtain access to personal data and process these exclusively on behalf of and according to the instructions of the client. The scope and purpose of the data processing by the contractor are set out in the main contract (and the associated service description). The Client shall be responsible for assessing the permissibility of the data processing.

    (3) The Parties conclude the present Agreement to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this agreement shall take precedence over the provisions of the main contract.

    (4) The provisions of this contract shall apply to all activities which are connected with the main contract and in the course of which the contractor and its employees or persons commissioned by the contractor come into contact with personal data originating from the client or collected for the client.

    (5) The term of this contract shall be based on the term of the main contract, insofar as no further obligations or rights of termination arise from the following provisions.

    § 4 | Right to issue instructions I

    (1) The contractor may only collect, process or use data within the framework of the main contract and in accordance with the client’s instructions; this applies in particular with regard to the transfer of personal data to a third country or to an international organisation. If the Contractor is obliged to carry out further processing by the law of the European Union or of the Member States to which it is subject, it shall inform the Client of these legal requirements prior to the processing.

    (2) The Client’s instructions shall initially be determined by this contract and may thereafter be amended, supplemented or replaced by the Client in writing or in text form by individual instructions (individual instructions). The Client is entitled to issue corresponding instructions at any time. This includes instructions with regard to the correction, deletion and blocking of data. Unless otherwise agreed, the data protection officer of the Client shall be the person authorised to issue instructions. In the event of a change or a longer-term prevention of the appointed persons, the successor or representative shall be named to the contractual partner in text form without delay.

    (3) All instructions issued shall be documented by both the Client and the Contractor. Instructions that go beyond the performance agreed in the main contract shall be treated as a request for a change in performance.

    (4) If the Contractor is of the opinion that an instruction of the Client violates data protection provisions, it shall notify the Client thereof without delay. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client. The Contractor may refuse to carry out an instruction that is obviously unlawful.

    § 5 | Type of data processed, group of data subjects |

    (1) In the course of the performance of the main contract, the contractor may receive access to the following data, which is not mandatory but potentially personal:

    • Log files
    • Data of the client, in particular e-mail address, first and last name, company name, managing director/owner, address and telephone number
    • Data of the client’s customers, in particular first and last name, address, telephone number, e-mail address, as well as

    – contract data, if applicable

    – Communication content.

    (2) The persons concerned by the processing of personal data under this Agreement may include:

    • Users of the service, esp. employees or other vicarious agents of the Principal within the meaning of Section 26 (8) BDSG
    • Clients of the principal

    (3) In the course of the performance of the Main Contract, the Contractor may have access to special categories of personal data. These are:

    Insofar as it comes about in the above-mentioned ways, in particular insofar as it is contained in the communication content, the data may include personal data from which the racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership, health data or data relating to the sex life or sexual orientation of a natural person are present, whereby their processing by the Principal is carried out in accordance with Article 9 (3) of the GDPR. These are:

    • Information on the existence of a disability
      • Information on hearing and visual aids
      • Allergies
      • Shoe and dress size
    § 6 | Protective Measures of the Contractor |

    (1) The Contractor is obliged to observe the statutory provisions on data protection and not to disclose information obtained from the Client’s domain to third parties or expose it to their access. Documents and data shall be secured against access by unauthorised persons, taking into account the state of the art.

    (2) The Contractor shall organise the internal organisation in its area of responsibility in such a way that it meets the special requirements of data protection. It shall take all necessary technical and organisational measures for the adequate protection of the Client’s data pursuant to Art. 32 DSGVO, in particular:

    • Measures to ensure the ability to ensure the confidentiality (Art. 32(1)(b) GDPR), integrity (Art. 32(1)(b) GDPR), availability and resilience of systems and services (Art. 32(1)(b) GDPR) in relation to processing on an ongoing basis:
      • Use of encryption technologies: Data transmission via HTTPS (TLS) or FTPS/SFTP
      • Access control through the use of secure passwords
    • Measures to ensure the ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident (Art. 32(1)(c) GDPR).
      • Regular creation of backups
    • A procedure for regularly reviewing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing (Art. 32(1)(d), Art. 25(1) GDPR).
    • Standard assurance that all systems are properly operational, including resilience checks, by hosting with an ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 9001:2015 and CSA STAR CCM v3.0.1 certified host.

    The Contractor reserves the right to change the security measures taken, while ensuring that the contractually agreed level of protection is not undercut.

    (3) The Contractor has appointed as contact person for data protection: Erwin Arnold, The Contractor shall publish the contact details of the contact person for data protection on its website.

    (4) The persons employed by the Contractor for data processing are prohibited from collecting, processing or using personal data without authorisation. The Contractor shall oblige all persons entrusted by it with the processing and fulfilment of this contract (hereinafter referred to as employees) accordingly (obligation to confidentiality, Art. 28 Para. 3 lit. b DSGVO) and ensure compliance with this obligation with due care. These obligations must be formulated in such a way that they remain in force even after the termination of this contract or the employment relationship between the employee and the contractor. Evidence of the obligations shall be provided to the Client in an appropriate manner upon request.

    § 7 | Information Duties of the Contractor |

    (1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Contractor, suspected security-related incidents or other irregularities in the processing of personal data by the Contractor, by persons employed by the Contractor within the scope of the contract or by third parties, the Contractor shall inform the Client immediately in writing or text form. The same shall apply to audits of the Contractor by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:

    1. a description of the nature of the personal data breach, including, where possible, the categories and number of individuals concerned, the categories concerned and the number of personal data records concerned;
    2. a description of the measures taken or proposed by the Contractor to remedy the breach and, where applicable, measures to mitigate its possible adverse effects.

    (2) The Contractor shall immediately take the necessary measures to secure the data and to mitigate possible adverse consequences of the data subjects, inform the Client thereof and request further instructions.

    (3) The Contractor shall furthermore be obliged to provide the Client with information at any time insofar as the Client’s data is affected by a breach pursuant to paragraph 1.

    (4) Should the Client’s data at the Contractor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Client thereof without delay, unless it is prohibited from doing so by court or official order. In this context, the Contractor shall inform all competent bodies without delay that the decision-making authority over the data lies exclusively with the Client as the “responsible party” within the meaning of the GDPR.

    (5) The Contractor shall inform the Client without delay of any significant changes to the security measures pursuant to § 6 para. 2.

    (6) The Client shall be informed immediately of any change in the person of the contact person for data protection.

    (7) The Contractor and, if applicable, its representative shall keep a register of all categories of processing activities carried out on behalf of the Principal, which shall contain all information pursuant to Art. 30 (2) of the GDPR. The directory shall be made available to the Client upon request.

    (8) The contractor shall cooperate to a reasonable extent in the preparation of the procedure directory by the principal. He shall inform the principal of the respective required information in an appropriate manner.

    § 8 | Control rights of the client |

    (1) The Client shall satisfy itself of the technical and organisational measures of the Contractor prior to the commencement of data processing and regularly thereafter. For this purpose, it may, for example, obtain information from the Contractor, have existing test certificates from experts, certifications or internal audits presented to it or personally inspect the Contractor’s technical and organisational measures after timely coordination during normal business hours or have them inspected by a competent third party, provided that this third party is not in a competitive relationship with the Contractor. The Client shall only carry out inspections to the extent necessary and shall not disproportionately disrupt the Contractor’s operating processes.

    (2) The Contractor undertakes to provide the Client, upon the Client’s verbal or written request and within a reasonable period of time, with all information and evidence required to carry out a check of the Contractor’s technical and organisational measures.

    (3) The Client shall document the inspection results and inform the Contractor thereof. In the event of errors or irregularities discovered by the Client, in particular during the inspection of order results, the Client shall inform the Contractor without delay. If facts are found during the inspection, the future avoidance of which requires changes to the ordered procedure, the Client shall inform the Contractor of the necessary procedural changes without delay.

    (4) The Contractor shall provide the Client, at the Client’s request, with a comprehensive and up-to-date data protection and security concept for the commissioned processing as well as on persons authorised to access the data.

    (5) The Contractor shall provide the Client with evidence of the obligation of the employees pursuant to § 6 para. 4 upon request.

    § 9 | Use of subcontractors |

    (1) The contractually agreed services or the partial services described below shall be performed with the involvement of the subcontractors listed below:

    Name and address of the subcontractor Services provided by the subcontractor
    Amazon Web Services EMEA SARL, Branch Office Germany Marcel-Breuer-Str. 12, 80807 Munich, GermanyHosting of the contractual application
    Agileful Rheinsberger Str. 76/77, 220813 Berlin, GermanyIranian resources for software development in the field of AWS Backend and Machine Learning 

    Within the scope of its contractual obligations, the Contractor is authorised to establish further subcontracting relationships with subcontractors (“subcontractor relationship”). It shall inform the Client thereof without delay. The Contractor is obliged to carefully select subcontractors according to their suitability and reliability. When engaging subcontractors, the Contractor shall oblige them in accordance with the provisions of this Agreement and shall ensure that the Client can also exercise its rights under this Agreement (in particular its inspection and monitoring rights) directly against the subcontractors. If subcontractors in a third country are to be involved, the Contractor shall ensure that an appropriate level of data protection is guaranteed at the respective subcontractor (e.g. by concluding an agreement based on the EU standard data protection clauses). Upon request, the Contractor shall provide the Client with evidence of the conclusion of the aforementioned agreements with its subcontractors.

    (2) A subcontractor relationship within the meaning of these provisions does not exist if the contractor commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunications services without any specific reference to services provided by the Contractor for the Client and security services. Maintenance and testing services constitute subcontractor relationships subject to approval insofar as they are provided for IT systems that are also used in connection with the provision of services for the principal.

    § 10 | Requests and rights of data subjects |

    (1) The Contractor shall support the Client as far as possible with suitable technical and organisational measures in the fulfilment of the Client’s obligations pursuant to Articles 12-22 as well as 32 and 36 of the GDPR.

    (2) If a data subject asserts rights, such as the right to information, correction or deletion with regard to his/her data, directly against the Contractor, the Contractor shall not react independently, but shall immediately refer the data subject to the Client and await the Client’s instructions.

    § 11 | Liability |

    (1) In the internal relationship with the contractor, the client alone shall be responsible to the data subject for compensation for damages suffered by a data subject due to inadmissible or incorrect data processing or use within the scope of the commissioned processing in accordance with the data protection laws.

    (2) The parties shall each release themselves from liability if a party proves that it is not responsible in any respect for the circumstance by which the damage occurred to an affected person.

    § 12 | Extraordinary Right of Termination |

    The Client may terminate the main contract in whole or in part without notice if the Contractor fails to fulfil its obligations under this contract, violates provisions of the GDPR with intent or gross negligence or is unable or unwilling to carry out an instruction of the Client. In the case of simple – i.e. neither intentional nor grossly negligent – violations, the Client shall set the Contractor a reasonable deadline within which the Contractor can remedy the violation.

    § 13 | Termination of the Main Contract |

    (1) The Contractor shall return to the Client after termination of the main contract or at any time upon the Client’s request all documents, data and data carriers provided to the Contractor or – at the Client’s request, unless there is an obligation to store personal data under Union law or the law of the Federal Republic of Germany – delete them. This also applies to any data backups at the Contractor. The Contractor shall provide documented proof of the proper deletion of any data still in existence. Documents to be disposed of shall be destroyed using a document shredder in accordance with DIN 32757-1. Data carriers to be disposed of shall be destroyed in accordance with DIN 66399.

    (2) The Client shall have the right to control the complete and contractually compliant return or deletion of the data at the Contractor in an appropriate manner.

    (3) The Contractor shall be obliged to treat as confidential any data of which it becomes aware in connection with the main contract, even after the end of the main contract. The present agreement shall remain valid beyond the end of the main contract for as long as the contractor has personal data at its disposal which were forwarded to it by the client or which it has collected for the client.

    § 14 | Final Provisions |

    (1) The Parties agree that the defence of the right of retention by the Contractor within the meaning of § 273 BGB is excluded. § Section 273 of the German Civil Code (BGB) with regard to the data to be processed and the associated data carriers is excluded.

    (2) Amendments and supplements to this agreement must be made in text form. This also applies to the waiver of this formal requirement. The priority of individual contractual agreements remains unaffected.

    (3) Should individual provisions of this agreement be or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions in each case.

    (4) Insofar as these GTC or other contractual documents are also translated into other languages, this shall only serve as a reading aid. In the event of disputes or questions of interpretation, only the German version shall be used.

    (5) This agreement is subject to German law. The exclusive place of jurisdiction is Neuburg an der Donau.

    Status: December 2022

  • Accept Use Policy (AUP)

    This acceptable use policy covers the products, services, and technologies (collectively referred to as the “Products”) provided by Thalox AG under any ongoing agreement. It’s designed to protect us, our customers, and the general Internet community from unethical, irresponsible, and illegal activity.

    Thalox AG customers found engaging in activities prohibited by this acceptable use policy can be liable for service suspension and account termination. In extreme cases, we may be legally obliged to report such customers to the relevant authorities.

    This policy was last reviewed on December 2022.

    Fair use

    We provide our facilities with the assumption your use will be “business as usual”, as per our offer schedule. If your use is considered to be excessive, then additional fees may be charged, or capacity may be restricted.

    We are opposed to all forms of abuse, discrimination, rights infringement, and/or any action that harms or disadvantages any group, individual, or resource. We expect our customers and, where applicable, their users (“end-users”) to likewise engage our Products with similar intent.

    Customer accountability

    We regard our customers as being responsible for their own actions as well as for the actions of anyone using our Products with the customer’s permission. This responsibility also applies to anyone using our Products on an unauthorized basis as a result of the customer’s failure to put in place reasonable security measures.

    By accepting Products from us, our customers agree to ensure adherence to this policy on behalf of anyone using the Products as their end users. Complaints regarding the actions of customers or their end-users will be forwarded to the nominated contact for the account in question.

    If a customer — or their end-user or anyone using our Products as a result of the customer — violates our acceptable use policy, we reserve the right to terminate any Products associated with the offending account or the account itself or take any remedial or preventative action we deem appropriate, without notice. To the extent permitted by law, no credit will be available for interruptions of service resulting from any violation of our acceptable use policy.

    Prohibited activity

    Copyright infringement and access to unauthorized material

    Our Products must not be used to transmit, distribute or store any material in violation of any applicable law. This includes but isn’t limited to:

    • any material protected by copyright, trademark, trade secret, or other intellectual property right used without proper authorization, and
    • any material that is obscene, defamatory, constitutes an illegal threat or violates export control laws.

    The customer is solely responsible for all material they input, upload, disseminate, transmit, create or publish through or on our Products, and for obtaining legal permission to use any works included in such material.

    SPAM and unauthorized message activity

    Our Products must not be used for the purpose of sending unsolicited bulk or commercial messages in violation of the laws and regulations applicable to your jurisdiction (“spam”). This includes but isn’t limited to sending spam, soliciting customers from spam sent from other service providers, and collecting replies to spam sent from other service providers.

    Our Products must not be used for the purpose of running unconfirmed mailing lists or telephone number lists (“messaging lists”). This includes but isn’t limited to subscribing e-mail addresses or telephone numbers to any messaging list without the permission of the e-mail address or telephone number owner, and storing any e-mail addresses or telephone numbers subscribed in this way. All messaging lists run on or hosted by our Products must be “confirmed opt-in”. Verification of the address or telephone number owner’s express permission must be available for the lifespan of the messaging list.

    We prohibit the use of e-mail lists, telephone number lists or databases purchased from third parties intended for spam or unconfirmed messaging list purposes on our Products.

    This spam and unauthorized message activity policy applies to messages sent using our Products, or to messages sent from any network by the customer or any person on the customer’s behalf, that directly or indirectly refer the recipient to a site hosted via our Products.

    Unethical, exploitative, and malicious activity

    Our Products must not be used for the purpose of advertising, transmitting, or otherwise making available any software, program, product, or service designed to violate this acceptable use policy, or the acceptable use policy of other service providers. This includes but isn’t limited to facilitating the means to send spam and the initiation of network sniffing, pinging, packet spoofing, flooding, mail-bombing, and denial-of-service attacks.

    Our Products must not be used to access any account or electronic resource where the group or individual attempting to gain access does not own or is not authorized to access the resource (e.g. “hacking”, “cracking”, “phreaking”, etc.).

    Our Products must not be used for the purpose of intentionally or recklessly introducing viruses or malicious code into our Products and systems.

    Our Products must not be used for purposely engaging in activities designed to harass another group or individual. Our definition of harassment includes but is not limited to denial-of-service attacks, hate-speech, advocacy of racial or ethnic intolerance, and any activity intended to threaten, abuse, infringe upon the rights of, or discriminate against any group or individual.

    Other activities considered unethical, exploitative, and malicious include:

    1. Obtaining (or attempting to obtain) services from us with the intent to avoid payment;
    2. Using our facilities to obtain (or attempt to obtain) services from another provider with the intent to avoid payment;
    3. The unauthorized access, alteration, or destruction (or any attempt thereof) of any information about our customers or end-users, by any means or device; 
    4. Using our facilities to interfere with the use of our facilities and network by other customers or authorized individuals; 
    5. Publishing or transmitting any content of links that incite violence, depict a violent act, depict child pornography, or threaten anyone’s health and safety; 
    6. Any act or omission in violation of consumer protection laws and regulations; 
    7. Any violation of a person’s privacy.

    Our Products may not be used by any person or entity, which is involved with or suspected of involvement in activities or causes relating to illegal gambling; terrorism; narcotics trafficking; arms trafficking or the proliferation, development, design, manufacture, production, stockpiling, or use of nuclear, chemical or biological weapons, weapons of mass destruction, or missiles; in each case including any affiliation with others whatsoever who support the above such activities or causes.

    Unauthorized use of Thalox AG property

    We prohibit the impersonation of Thalox AG, the representation of a significant business relationship with Thalox AG, or ownership of any Thalox AG property (including our Products and brand) for the purpose of fraudulently gaining service, custom, patronage, or user trust.

    About this policy

    This policy outlines a non-exclusive list of activities and intent we deem unacceptable and incompatible with our brand.

    We reserve the right to modify this policy at any time by publishing the revised version on our website. The revised version will be effective from the earlier of:

    • the date the customer uses our Products after we publish the revised version on our website; or
    • 30 days after we publish the revised version on our website.