Privacy Policy of AutoDo GmbH

The protection of your personal data is of high importance to AutoDo GmbH (AutoDo). With this Privacy Policy, we inform you about how we process personal data when you visit our websites, use our software-as-a-service services, communicate with us, or otherwise engage in a business relationship with us. This includes, in particular, the processing of data in the context of registration and use of our web applications, our customer support, and – where relevant – during application procedures.

We process personal data exclusively in accordance with applicable data protection regulations, in particular the General Data Protection Regulation (GDPR). We aim to transparently explain which data we collect, for what purposes we process it, how long we store it, and what rights you have regarding your data. Furthermore, we explain the technical and organizational measures we take to adequately protect your data.

This Privacy Policy applies to autodo.de and autodo.eu, including all subdomains.

1. Data Controller

AutoDo GmbH
Otto-Hahn-Straße 3
31303 Burgdorf
Germany
Phone: +49 5136 977-0

2. Contact Details of the Data Protection Officer

scope & focus Service-Gesellschaft mbH
Leonhardtstraße 2
30175 Hannover
Germany

You can reach our external Data Protection Officer at: datenschutz@autodo.de. Any data subject may contact our Data Protection Officer directly at any time with questions or suggestions regarding data protection.

3. Purposes and Legal Bases of Data Processing

Personal data is processed only if the processing serves a specific purpose and rests on a legal basis.

The purposes and legal bases depend on the respective interaction.

3.1 Visiting the Websites & Using the Web Applications

3.1.1 Server Data / Log Files

When accessing our websites, the following data is automatically processed:

  • Browser type and version
  • Operating system
  • Date and time of access
  • IP address (anonymized)
  • URL of the visited page
  • Referrer URL
  • Device information

Purpose of processing: Operation, security, misuse detection, optimization of the websites.

Legal basis for processing: Art. 6 (1) lit. f GDPR (legitimate interest).

3.2 Cookies & Consent Management

Our websites use cookies. Cookies are small text files containing information that are stored on your device. Some cookies are technically necessary, while others are used for analyzing user behavior or for marketing purposes. You can change or withdraw your consent at any time in the cookie settings.

List of domains and the respective cookies used:

| Domain | Cookies used |
| --- | --- |
| autodo.eu | ADCMP, ADSID, OPC, MATOMO_SESSID, _pk_id, _pk_ref, _pk_cvar, _pk_ses, _pk_hsr |
| autodo.de | ADCMP, ADSID, OPC, MATOMO_SESSID, _pk_id, _pk_ref, _pk_cvar, _pk_ses, _pk_hsr |
| jobs.autodo.de | ad-cookieconsent, MATOMO_SESSID, _pk_id, _pk_ref, _pk_cvar, _pk_ses, _pk_hsr |
| jobs.autodo.eu | ad-cookieconsent, MATOMO_SESSID, _pk_id, _pk_ref, _pk_cvar, _pk_ses, _pk_hsr |
| signin.autodo.eu | authAutoDoSystem, xnctxEpLDDbDcOu1eM26, MATOMO_SESSID, _pk_id, _pk_ref, _pk_cvar, _pk_ses, _pk_hsr |
| amo.autodo.eu, admin.autodo.eu, desktop.autodo.eu, mobile.autodo.eu, service.autodo.eu | SESSYW, autodo-opc, autodo-components, autodo-adsystem-plugin-accordion, contacts-started, last-opened-process, autodo-adsystem-widget-actions-v3, autodo-adsystem-prefill-form, viewstate-navigation-aktiv, data-protection-popup, viewstate-navigation-status-XXXXX, request-ffa-intern, cmsintromessage, myWidgets, MATOMO_SESSID, _pk_id, _pk_ref, _pk_cvar, _pk_ses, _pk_hsr |
| campaign-manager.autodo.eu | o00solUSHlnRi1CnnS19, MATOMO_SESSID, _pk_id, _pk_ref, _pk_cvar, _pk_ses, _pk_hsr |

List of domains and local storage used:

| Domain | Local storage used |
| --- | --- |
| amo.autodo.eu, admin.autodo.eu, desktop.autodo.eu, mobile.autodo.eu, service.autodo.eu | DataTables_XXXXX, adnsop, adnssc |

List of domains and session storage used:

| Domain | Session storage used |
| --- | --- |
| amo.autodo.eu, admin.autodo.eu, desktop.autodo.eu, mobile.autodo.eu, service.autodo.eu | adCommonSetting |

The purposes of the cookies used by us are set out in the overview below:

| Cookie Name | Provider / Domain | Purpose | Storage Duration | Type | Legal Basis |
| --- | --- | --- | --- | --- | --- |
| ADSID, SESSYW, authAutoDoSystem | First-party domain | This cookie is a session-based storage variable that is technically required to store the user’s current decisions for the active session | Expires at the end of the session | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| ADCMP, ad-cookieconsent | First-party domain | This cookie is used to record and store the user’s consent | 365 days | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| OPC | First-party domain | This cookie stores the open or closed state of tabs or accordion elements, as well as the screen width | 7 days | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| MATOMO_SESSID | First-party domain | A nonce to help prevent CSRF security issues when using the opt-out feature | 14 days | HTTP cookie / Statistics | Consent (Article 6(1)(a) GDPR) |
| _pk_id | First-party domain | This cookie is used to store specific information about the user, including a unique visitor identifier | 13 months | HTTP cookie / Statistics | Consent (Article 6(1)(a) GDPR) |
| _pk_ref | First-party domain | This cookie is used to store attribution data, namely the referring source that initially led the user to the website | 6 months | HTTP cookie / Statistics | Consent (Article 6(1)(a) GDPR) |
| _pk_cvar, _pk_ses, _pk_hsr | First-party domain | This cookie is used to temporarily store visit-related data for the duration of the session | 30 minutes | HTTP cookie / Statistics | Consent (Article 6(1)(a) GDPR) |
| autodo-opc | First-party domain | This cookie stores the open or closed state of tabs or accordion elements, as well as the screen width | 3 months | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| autodo-components | First-party domain | This cookie stores the open or closed state of tabs or accordion components | 365 days | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| autodo-adsystem-plugin-accordion | First-party domain | This cookie stores the open or closed state of tabs or accordion components | Expires at the end of the session | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| contacts-started | First-party domain | Stores data relating to the use of the AutoDo application "lead management" | 10.8 hours | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| last-opened-process | First-party domain | Stores the most recently accessed record | 1 day | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| autodo-adsystem-widget-actions-v3 | First-party domain | Stores origin and destination data to allow users to return to the previous state | Expires at the end of the session | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| autodo-adsystem-prefill-form | First-party domain | Stores end customer information to automatically pre-populate further forms | Expires at the end of the session | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| xnctxEpLDDbDcOu1eM26 | First-party domain | Stores the encrypted authentication data of the user | 1 week | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| viewstate-navigation-aktiv | First-party domain | Stores the active state of menu navigation items | 1 day | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| data-protection-popup | First-party domain | Stores the user’s consent provided via the data protection notice window | 1 day | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| viewstate-navigation-status-XXXXX | First-party domain | Stores the current state of the corresponding navigation menu entry | 1 day | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| request-ffa-intern | First-party domain | Stores the search input entered in the vehicle management module | 1 day | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| cmsintromessage | First-party domain | Stores the display status of the CMS intro message | Expires at the end of the session | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| o00solUSHlnRi1CnnS19 | First-party domain | Stores the encrypted authentication data of the user | 1 week | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| myWidgets | First-party domain | Stores the display status of widgets (visible or hidden) | 900 days | HTTP cookie / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| DataTables_XXXXX | First-party domain | Stores the current state of the page’s data table | Persistent | Local storage / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| adnsop | First-party domain | Stores the current state of the left-hand navigation menu | Persistent | Local storage / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| adnssc | First-party domain | Stores the current state of the left-hand navigation menu | Persistent | Local storage / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |
| adCommonSetting | First-party domain | Stores the open or closed states of tabs and collapsible elements | Expires at the end of the session | Session storage / Technically necessary | Legitimate interests (Article 6(1)(f) GDPR) |

3.2.1 Technically Necessary Cookies

AutoDo Consent Management

This is a service for managing consents.

Purpose of Processing

The following list outlines the purposes of data collection and processing. Consent is valid only for the specified purposes. The collected data may not be used or stored for any purposes other than those listed below.

  • Compliance with legal obligations
  • Storage of consent

Technologies Used

The following list contains all technologies used by this service to collect data. Typical technologies include cookies and pixels placed in the browser.

  • Local storage
  • Cookies

Data Collected

The following list of analytical data does not include any personal data. Data processing is carried out exclusively on our own systems without the use of cookies or subprocessors. Third parties do not have access to this data or the associated logs. Appropriate safeguards are always ensured for the use of digital identities and login credentials.

  • Browser information
  • Opt-in and opt-out data
  • Website URL
  • Website page path
  • Geographic location (not traceable to individuals)
  • Date and time of visit
  • Device information

Legal Basis for Processing

The required legal basis for the processing of data is: Art. 6 (1) sentence 1 lit. c GDPR

Place of Processing

European Union (consent database located in Germany/Hannover).

Retention Period

The retention period is the time during which the collected data is stored for processing purposes. The data must be deleted once it is no longer required for the stated processing purposes.

  • The data will be deleted as soon as it is no longer required for the purposes of processing.

Stored Information

  • ADCMP
    This cookie is used to store the consents granted by users.
    Type: Cookie
    Duration: 365 days

  • ADSID, SESSYW
    This cookie is a session storage variable that is technically necessary to store the user’s current preferences for the active session.
    Type: Cookie
    Duration: Expires at the end of the session

  • autodo-opc
    This cookie stores information about whether tabs or accordion elements are expanded or collapsed.
    Type: Cookie
    Duration: 3 months

  • autodo-components
    This cookie stores information about whether tabs or accordion elements are expanded or collapsed.
    Type: Cookie
    Duration: 365 days

  • autodo-adsystem-plugin-accordion
    This cookie stores information about whether tabs or accordion elements are expanded or collapsed.
    Type: Cookie
    Duration: Expires at the end of the session

  • DataTables_XXXX
    This local storage entry stores information about the state of the lists (DataTables) used on the page.
    Type: Local storage
    Duration: Persistent

  • adnsop
    This local storage entry stores information about the state of the navigation menu.
    Type: Local storage
    Duration: Persistent

  • adnssc
    This local storage entry stores information about the scroll position of the navigation menu.
    Type: Local storage
    Duration: Persistent

  • adCommonSetting
    This session storage entry stores information about the states of tabs and accordion elements.
    Type: Session storage
    Duration: Expires at the end of the session

ADanalytics
ADanalytics tracks the website to ensure that it is technically accessible and usable. This concerns essential core functions such as navigation and correct display in your browser.

Purpose of Processing
The following list sets out the purposes of data collection and processing:

  • Anonymous web analytics for the improvement of our website

Technologies Used
The following list contains all technologies used by this service to collect data. Typical technologies include cookies and pixels placed in the browser.

  • Anonymous tracking

Data Collected
The following list of analytical data does not contain any personal data. Data processing is carried out exclusively on our own systems without the use of cookies or subprocessors. Third parties do not have access to this data or the associated logs. Appropriate safeguards are always ensured for the use of digital identities and login credentials.

  • Browser information
  • Website URL
  • Website page path
  • Geographic location (not traceable to individuals)
  • Date and time of visit
  • Device information
  • Anonymized IP address

Legal Basis for Processing
The required legal basis for the processing of data is: Article 6(1) sentence 1 lit. f GDPR

Place of Processing
European Union (the consent database is located in Germany/Hannover)

Retention Period
The retention period is the time during which the collected data is stored for processing purposes. The data must be deleted once it is no longer required for the stated processing purposes.

  • The data will be deleted as soon as it is no longer required for the purposes of processing.

Stored Information
No cookies are stored.

3.2.2 Analytics and Statistics Cookies

ADanalytics Tag Manager
These cookies enable anonymous evaluation of user behavior on our website in order to improve the quality of the website and its content.

Purpose of Processing
The following list sets out the purposes of data collection and processing:

  • Anonymous web analytics for the improvement of our website

Technologies Used
The following list contains all technologies used by this service to collect data. Typical technologies include cookies and pixels placed in the browser.

  • Local storage
  • Cookies

Data Collected
The following list of analytical data does not include any personal data. Data processing is carried out exclusively on our own systems without the use of cookies or subprocessors. Third parties do not have access to this data or the associated logs. Appropriate safeguards are always ensured for the use of digital identities and login credentials.

  • Browser information
  • Website URL
  • Website page path
  • Geographic location (not traceable to individuals)
  • Date and time of visit
  • Device information
  • Anonymized IP address
  • User behavior
  • Interaction data

Legal Basis
The required legal basis for the processing of data is: Article 6(1) sentence 1 lit. a GDPR

Place of Processing
European Union (the consent database is located in Germany/Hannover)

Retention Period
The retention period is the time during which the collected data is stored for processing purposes. The data must be deleted once it is no longer required for the stated processing purposes.

  • The data will be deleted as soon as it is no longer required for the purposes of processing.

Stored Information

  • _pk_id
    This cookie is used to store certain details about the user, such as the unique visitor ID.
    Type: Cookie
    Duration: 13 months

  • _pk_ref
    This cookie is used to store attribution information, i.e. the referrer that was originally used to access the website.
    Type: Cookie
    Duration: 6 months

  • _pk_cvar
    This cookie is used to temporarily store visit-related data.
    Type: Cookie
    Duration: 30 minutes

  • _pk_ses
    This cookie is used to temporarily store visit-related data.
    Type: Cookie
    Duration: 30 minutes

  • _pk_hsr
    This cookie is used to temporarily store visit-related data.
    Type: Cookie
    Duration: 30 minutes

3.3 Newsletter

We inform our business customers about news related to our SaaS offering and occasionally about special messages such as seasonal greetings. If you have a user account in the AutoDo system, you can manage your newsletter settings there directly.

For individual campaigns (e.g. Christmas greetings), we additionally use the external service Newsletter2Go, which acts as a processor pursuant to Art. 28 GDPR. We transmit only the data necessary for this purpose (email address, opt-in status). Dispatch takes place via the double opt-in procedure. We also store your IP address as well as the date and time of registration in order to document the registration process and prevent misuse.

You may withdraw your consent at any time with effect for the future via your user account or the contact methods listed in this Privacy Policy.

Legal basis: Art. 6 (1) lit. a GDPR (consent)

3.4 Contact Form

If you use our contact form or contact us by email, we process the personal data you provide (e.g. name, contact details, message content) to handle your request.

Legal basis:

  • Art. 6 (1) lit. f GDPR (communication and responding to your request)
  • Art. 6 (1) lit. b GDPR (pre-contractual measures or performance of a contract)

We use the cloud-based ticketing system YouTrack Cloud by JetBrains s.r.o. Processing is carried out exclusively on the basis of a data processing agreement pursuant to Art. 28 GDPR.

JetBrains operates the servers used for YouTrack Cloud within the European Economic Area (EEA). No transfer to third countries takes place.

Your data will be used solely for processing your request and deleted afterwards, unless statutory retention obligations apply.

3.5 Registration & Use of Our Web Applications

In the context of registration and the subsequent use of our web applications, we process the personal data required to create, provide, and operate your user account. This includes, in particular, login credentials (e.g., username and password) as well as contact and communication data. The specific data collected can be seen from the respective input forms in the registration and login areas.

We use this data to manage your user account, to provide the contractually agreed functionalities, and to communicate with you in connection with the use of our services. Such communication may include, in particular, information about functional changes, technical adjustments, or other registration- or service-related information.

Two-Factor Authentication (2FA)

To enhance the security of your user account, we require the use of two-factor authentication (2FA). As part of the 2FA process, we additionally process the data necessary to perform the second authentication factor. This may include, in particular:

  • Your email address (in the case of email-based verification)
  • Data from an authenticator service (e.g., randomly generated codes)
  • The date and time and the result of the 2FA verification

This data is processed exclusively for the purpose of carrying out and documenting the authentication process and serves to ensure the confidentiality and integrity of your account and the data within our system.

The legal basis for processing in the context of registration, account management, and two-factor authentication is Article 6(1)(b) GDPR, as the processing is necessary for the performance of pre-contractual measures and/or for the performance of the user agreement.

4. Application Procedure (Job Site / Applicant Management)

In the context of your application, we process only the personal data that you provide to us via the application form or during the application process. This includes, in particular:

  • Identity and contact data (e.g., name, email address, telephone number)
  • Information contained in your CV, in particular education and employment history as well as qualifications
  • Application documents such as cover letters, certificates, or work samples
  • Links to professional profiles on social networks (optional)
  • Technical usage data that may be collected when visiting the application website

The processing of this data is based on the following legal grounds:

  • Article 6(1)(b) GDPR in conjunction with Section 26 BDSG (German Federal Data Protection Act) for the purpose of carrying out the application procedure and deciding on the establishment of an employment relationship
  • Article 6(1)(a) GDPR where you voluntarily provide additional information or consent to specific processing activities

If, during the application process, you provide us with particularly sensitive data within the meaning of Article 9 GDPR (e.g., data concerning severe disability or health), this is done on a voluntary basis. The legal basis for processing such data is Article 9(2)(a) GDPR.

Job advertisements can be shared via various social networks. Separate buttons are provided for each network. After clicking one of these buttons, you will be redirected to the respective social network and taken to its login page. These buttons are not plug-ins and do not directly transmit personal data to the operators of the social networks.

Currently, job advertisements can be shared on the following social networks:

The legal basis for this processing is Article 6(1)(f) GDPR (legitimate interests) for the statistical analysis and measurement of the reach of job advertisements.

You can find information on how the above-mentioned social networks process your personal data by visiting the links provided. We have no influence over the processing of your personal data by these social networks.

For the administration and processing of applications, we use the applicant management system of Artrevolver GmbH (heyrecruit). Processing is carried out exclusively on our behalf and on the basis of a data processing agreement pursuant to Article 28 GDPR.

Applicant data will be deleted no later than six months after rejection. A longer retention period will only apply if you have given your explicit consent to the storage of your data in a talent pool.

5. Processing of Customer and Contract Data

In the context of the business relationship, we process in particular:

  • Customer master data
  • Contact data
  • Communication data
  • Banking and billing data
  • Vehicle data (within the scope of our services)

The processing of this data is based on the following legal grounds:

  • Performance of contractual obligations: Article 6(1)(b) GDPR
  • Legal obligations (e.g. tax laws): Article 6(1)(c) GDPR
  • Legitimate interests (e.g. IT security, fraud prevention): Article 6(1)(f) GDPR
  • Consent: Article 6(1)(a) GDPR

This data is stored for the duration of the contractual relationship and thereafter in accordance with applicable statutory retention periods.

6. Recipients of Data

We disclose personal data only to the extent necessary to fulfill contractual or legal obligations or on the basis of our legitimate interests.

In particular, this includes the following categories of recipients:

  • Support and ticketing systems
  • Domain providers
  • Data destruction and disposal service providers
  • Applicant management system providers
  • Email and communication service providers
  • Marketing service providers
  • Lawyers, tax advisors, and auditors
  • Public authorities

Where we engage service providers as processors within the meaning of Article 28 GDPR, we have concluded appropriate data processing agreements to ensure the protection of your data.

7. Transfer to Third Countries

As a rule, no transfer of data to countries outside the European Economic Area (EEA) takes place, unless expressly stated otherwise or permitted by law.

8. Rights of Data Subjects

As a data subject, you have various rights that provide you with transparency and control over your personal data. These rights include in particular:

  • Right of Access, Rectification and Erasure
    Within the scope of the applicable legal provisions, you have the right at any time to obtain information (Article 15 GDPR) about your stored personal data, its origin and recipients, and the purpose of the data processing. Where applicable, you have the right to rectification (Article 16 GDPR) of your data. You also have the right to erasure of your data, provided that the requirements of Article 17 GDPR are met and no statutory retention obligations or other legal grounds prevent deletion.

  • Right to Restriction of Processing
    If you have obtained restriction of processing of your personal data, such data – with the exception of storage – may only be processed with your consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State.

  • Right to Data Portability
    Pursuant to Article 20 GDPR, you have the right to receive the data that we process automatically on the basis of your consent or in fulfillment of a contract, in a structured, commonly used, and machine-readable format, and to have those data transmitted to yourself or to another controller. Where you request the direct transfer of the data to another controller, this will only be carried out where technically feasible.

  • Right to Object to Processing in Specific Cases and to Direct Marketing
    If data processing is based on Article 6(1)(e) or (f) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data.
    If you object, we will no longer process your personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims (objection pursuant to Article 21(1) GDPR).
    Where your personal data is processed for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes. If you object, your personal data will subsequently no longer be used for direct marketing purposes (objection pursuant to Article 21(2) GDPR).

  • Withdrawal of Consent
    You may withdraw any consent you have given at any time without formal requirements. The lawfulness of the data processing carried out prior to the withdrawal remains unaffected.

  • Right to Lodge a Complaint with a Supervisory Authority
    In the event of violations of the GDPR, you have the right pursuant to Article 77 GDPR to lodge a complaint with a competent supervisory authority. This right exists without prejudice to other administrative or judicial remedies. A list of supervisory authorities can be found at:
    https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
    You may, however, lodge your complaint with any supervisory authority, regardless of jurisdictional rules.

9. Automated Decision-Making & Profiling

No automated decision-making within the meaning of Art. 22 GDPR takes place.

10. Security of Processing

AutoDo implements appropriate technical and organizational security measures to protect personal data against loss, misuse, unauthorized access, or destruction. These measures are continuously reviewed and improved.

11. Changes to This Privacy Policy

We reserve the right to amend this Privacy Policy to reflect changes in legal or technical requirements. The latest version of this Privacy Policy shall apply.

Version 2.0 | April 2026