Privacy Policy

Status: April 2025

Rombey Capital GmbH (hereinafter “we” or “us”) takes the protection of your personal data very seriously. We process your data in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) as well as current case law. Below, we provide you with clear and transparent information about the type, scope and purpose of data processing and your rights as a data subject.

1. Controller and contact

The controller within the meaning of the GDPR is Rombey Capital GmbH, Doverhahn 81, 41836 Hückelhoven. You can contact us for all data protection concerns as follows:

Postal address: Rombey Capital GmbH, Doverhahn 81, 41836 Hückelhoven, Germany
E-mail: [email protected]
Phone: 02433 9391844
Fax: 02433 3049986

2. Categories of personal data and data sources

We process personal data that we receive from you as part of our business relationship or that you provide to us, e.g. via our website or other communication channels. Depending on the type of relationship (e.g. prospective customer, customer as policyholder or borrower), this may include the following data in particular:

  • Master data: e.g. title, surname, first name, date/place of birth, marital status, address, contact details (telephone number, email address)

  • Identification data: e.g. ID data (ID card or passport number), tax identification number, other information required for identification purposes.

  • Contract and application data: Information that you provide to us in connection with the initiation or execution of contracts. This includes information on desired insurance or financial products, insurance or loan applications, insured risks, property or real estate data (for real estate loans), income and financial circumstances (for loans), existing contracts, claims notifications, bank details and payment data, tax and billing data, etc.

  • Special categories of data: If necessary for certain insurance policies, special categories of personal data may also be processed in accordance with Art. 9 para. 1 GDPR – in particular health data (e.g. information on pre-existing conditions for life or health insurance policies) or, if applicable, information on trade union/religious affiliation (e.g. for special tariffs). We only collect such data if it is necessary for the brokerage or management of corresponding contracts and either a legal permission exists or you have given us your express consent (Art. 9 para. 2 lit. a GDPR).

  • Communication data: Content of inquiries, conversations or correspondence (e.g. by email, contact form, post or telephone) as well as records of consultations or brokerage documentation (protocols) that we create on the basis of legal requirements (e.g. consultation protocol in accordance with Section 62 VVG for insurance policies).

  • Technical data when visiting the website: When you visit our website, data is automatically collected for technical reasons (server log files). This includes, for example, the IP address of the requesting device, date and time of access, pages/files accessed, browser type and version, operating system, referrer URL. As a rule, this technical access data does not allow your person to be identified directly and is evaluated exclusively to ensure trouble-free operation of the website and for IT security purposes.

As a rule, we collect the data directly from you. In some cases, however, we also obtain data from other sources if this is permitted. This may be the case, for example, if we obtain credit information from a credit agency (e.g. SCHUFA) in the course of arranging loans or if we use external comparison and quotation platforms to submit applications to insurers. We may also use information from publicly accessible sources (e.g. commercial register, land register, Internet) to the extent permitted, insofar as this is relevant to our services.

3. Purposes and legal bases of data processing

We process your personal data for specific purposes and on the basis of the relevant legal bases of the GDPR:

a) For the initiation and performance of contracts (Art. 6 para. 1 lit. b GDPR):
The data processing is carried out in order to provide you with our services as an insurance broker and as a real estate loan or loan broker. This includes in particular:

  • Advice and brokerage of insurance contracts: We process your data in order to process your request, assess risks, determine suitable insurance solutions and obtain offers from insurance companies. If a contract is concluded, we process your data for contract management, support and, in the event of a claim, to assist with claims settlement.

  • Procurement of real estate loans and credit: Your data (e.g. financial situation, financing requirements, property and creditworthiness data) are processed in order to obtain suitable loan offers from banks or financing institutions, to submit loan applications and to support the conclusion and subsequent execution of the contract. We may also use partner platforms or software (e.g. financing portals) to compare several offers. It may be necessary to carry out a credit check – see also point d) below.

  • Correspondence and customer service: We use your contact details to communicate with you in the context of contract initiation or execution, e.g. to answer inquiries, arrange appointments, send documents and information, queries about applications or claims, etc.

The processing of this data is necessary for the fulfillment of our contract with you or for the implementation of pre-contractual measures; without this data, we cannot prepare or execute the desired brokerage contract or conclusion of an insurance/loan agreement.

b) To fulfill legal obligations (Art. 6 para. 1 lit. c GDPR):
We are subject to various legal obligations that require the processing of your data. These include in particular:

  • Commercial and tax law obligations: Legal retention periods and documentation obligations require the storage of certain data for a longer period of time (see section 8 Storage period below). For example, we must retain business records and tax-relevant documents in accordance with the German Commercial Code (HGB) and the German Fiscal Code (AO) for 6 to 10 years.

  • Insurance and trade law requirements: As an insurance broker and financial services provider, we are bound by the provisions of the Insurance Contract Act (VVG), the Trade Regulation Act (in particular Sections 34d, 34c, 34i GewO) and the supervision of the Chamber of Industry and Commerce (IHK). For example, we have to prepare advisory documentation and retain certain information.

  • Money laundering and sanctions check: In some cases, we must establish your identity (KYC check) in accordance with the German Money Laundering Act (GwG) and check whether money laundering or sanctions lists are relevant for higher amounts of money or certain transactions. A terrorism/sanctions list check may also be required before a contract is concluded.

  • Supervisory requirements: We may have to report data to supervisory authorities (e.g. BaFin or the competent supervisory authority for data protection) or enable audits. Insurers or banks are also subject to regulatory requirements, which we comply with in the brokerage process (e.g. creditworthiness check by the bank in accordance with Section 18a KWG).

In all these cases, we only process the data that is necessary to fulfill the respective legal obligation and rely on Art. 6 para. 1 lit. c GDPR as the legal basis.

c) On the basis of legitimate interests (Art. 6 para. 1 lit. f GDPR):
If necessary, we process your data beyond the actual contractual purposes to protect our legitimate interests or those of third parties. This only takes place if your legitimate interests are not overridden. Examples of such legitimate interests are:

  • Direct customer support and information: If you are already our customer, we may use your contact details to inform you about similar products and services (e.g. follow-up products, follow-up financing or insurance updates) as part of the existing business relationship, provided you have not objected to this. (However, we only send promotional emails if the legal requirements of Section 7 UWG are met or you have given your consent.)

  • Assertion and defense of legal claims: In the event of a dispute, we may use relevant data to preserve evidence and for legal defense (e.g. documentation of consultations, contractual documents, correspondence). This may also justify longer-term storage beyond the term of the contract in order to defend ourselves against any claims.

  • Guaranteeing IT security and operation: We process technical data to protect our systems and prevent misuse (e.g. detection of cyber attacks, logging of accesses). We also use organizational measures to prevent unauthorized persons from accessing data (see also section 7 Data security).

  • Business management and internal administration: For example, data may be used in a permissible manner to create anonymized evaluations, to further develop our consulting services, to train employees or as part of internal audits and compliance checks. We take care to use pseudonymized or aggregated data wherever possible.

  • Prevention and investigation of criminal offenses: Measures to prevent fraud, investigate cases of abuse or prevent criminal offenses (e.g. insurance fraud, financing fraud) may constitute a legitimate interest. This may also include comparisons with publicly available information if there is a specific reason to do so.

d) Based on your consent (Art. 6 para. 1 lit. a GDPR):
If you give us your consent, we will process your personal data for the purposes specified therein. This applies, for example:

  • Disclosure to third parties outside of contract processing: We ask for your permission if we wish to disclose your data to third parties in cases that are not covered by contract processing or legal obligations. For example, you could consent to us forwarding your contact details to a cooperation partner who offers a complementary product.

  • Commercial communication: Unless you are already a customer or certain forms of advertising are not permitted by law, we will obtain your express consent to send you newsletters or offers by email, telephone or messenger. You can of course revoke such consent at any time.

  • Processing of special data (health data): The processing of health data is required for certain insurance policies (e.g. life, health or disability insurance). We only process this sensitive data with your express consent in accordance with Art. 9 para. 2 lit. a GDPR – e.g. by signing a release from confidentiality and consent under data protection law. In such consent, we will inform you separately about the scope of data processing. Any disclosure of health data to insurers, doctors or experts will also only take place on the basis of your consent and any additional releases from confidentiality.

  • Credit information for loans: Before we arrange a loan agreement, we may obtain credit information (e.g. SCHUFA score) with your consent if this is useful for assessing your creditworthiness. In many cases, potential lenders obtain this information themselves; however, if we make a direct request, this will only be done with your prior consent or on the basis of legal permission.

A consent given is always voluntary and can be revoked by you at any time with effect for the future.

Withdrawal does not affect the lawfulness of the processing carried out up to that point.

4. Forwarding of data and recipients

Your personal data will always be treated confidentially by us. We only pass it on to third parties if and insofar as this is necessary to fulfill the stated purposes or you have consented or a legal basis permits or provides for this. Recipients of your data may include in particular:

  • Insurance companies and their partners: If you conclude an insurance contract through us or report a claim, we will transmit your data required for this purpose to the respective insurance company (or its branch or general agency). Depending on the line of business, it may also be necessary to provide data to reinsurers or service providers associated with the insurer (e.g. medical service providers for life insurance, claims adjusters, appraisers). The insurers then use the data under their own responsibility for risk assessment, contract fulfillment and claims processing. We ensure that only the necessary information is passed on.

  • Banks, building societies and financing institutions: As part of the loan brokerage process, we forward your financing request and the associated details to the lenders in question (e.g. banks, building societies or special financing partners). These recipients check the granting of the loan on the basis of the data received and usually carry out credit checks independently. We may use platforms or technical service providers that act as intermediaries between us and the credit institution (e.g. a financing portal) to submit your request; in this case too, your data will only be passed on for a specific purpose.

  • Credit reference agencies (credit bureaus): Data is only transferred to credit reference agencies such as SCHUFA Holding AG, CRIF Bürgel, Creditreform Boniversum or similar if this is necessary to check your creditworthiness before concluding a loan agreement and there is a corresponding legal basis. As a rule, the financial institution obtains the information. If, in exceptional cases, we obtain credit information ourselves (see section 3 d) above), we will inform you in advance and – if necessary – obtain your consent. Please note that the credit agencies themselves are responsible for the data processing they carry out; we will provide you with their data protection information separately in such a case (see e.g. SCHUFA information sheet in accordance with Art. 14 GDPR).

  • Data forwarding to partner company (Ellen Culpeck Insurance Broker GmbH): We work together with our cooperation partner Ellen Culpeck Insurance Broker GmbH, Lilienthalallee 100, 52511 Geilenkirchen, in the context of preparing offers for insurance policies. If your inquiry or your insurance needs can be better served by our partner, we will forward your personal data (e.g. name, contact details, details of desired insurance policies) to Ellen Culpeck Insurance Broker GmbH. The data will be passed on solely for the purpose of preparing and sending you a suitable insurance offer. Ellen Culpeck Insurance Broker GmbH processes the data received on its own behalf or on our behalf as part of order processing, but always only for the stated purpose and in accordance with the applicable data protection regulations. We have ensured through contractual agreements that your data protection is also safeguarded by our partner. The data transfer takes place for the implementation of pre-contractual measures at your request (Art. 6 para. 1 lit. b GDPR) in order to be able to submit a suitable offer to you in cooperation with our partner. If necessary, we also base the transmission on our legitimate interests (Art. 6 para. 1 lit. f GDPR), namely to provide you with the best possible insurance cover, also with the help of specialized partner companies. If required by law or requested by you, we will also obtain your express consent (Art. 6 para. 1 lit. a GDPR) before transferring your data. Of course, you can object to your data being passed on to our partner at any time with effect for the future.

  • Product providers and cooperation partners: We sometimes work with other partners to offer you a comprehensive range of financial and insurance products. For example, we may forward your request to a specialist broker or wholesaler if we are unable to offer a particular product directly. These partners process your data on our behalf or in joint responsibility for the preparation of offers. We ensure that all partners are contractually bound to data protection.

  • Broker pools and service providers for contract processing: In order to fulfill our contractual obligations as an insurance broker, we sometimes involve external partners. These are broker pools, broker associations or specialized service providers who support us in brokering and processing contracts. These include, for example, DEMV Deutscher Maklerverbund GmbH, Procheck 24 GmbH, Fonds Forum Handels- und Servicegesellschaft für Kapitalanlagen mbH, Qualitypool GmbH, eFonds24 GmbH, Jung, DMS & Cie. Pool GmbH, Fonds Finanz Maklerservice GmbH and SACHPOOL GmbH. Your data will only be passed on to these bodies if this is necessary for the execution of the brokerage contract. All of these service providers are contractually bound to confidentiality and compliance with data protection regulations.

  • Producer of broker software: We use professional software solutions for our activities (e.g. broker management programs, comparison calculators, rate information and analysis tools). This software is developed and provided by specialized companies. Examples include DEMV Systems GmbH, Smart InsurTech AG, Innosystems GmbH, MORGEN & MORGEN GmbH, Franke und Bornberg GmbH, Thinksurance GmbH, SOFTFAIR GmbH and Mr-Money Software GmbH. Insofar as the software providers potentially gain access to personal data in the context of support, hosting or maintenance, this is done exclusively for the fulfillment of the contract and on the basis of corresponding order processing contracts in accordance with Art. 28 GDPR.

  • External service providers (processors): We use carefully selected external service providers who provide services on our behalf and may have access to personal data. Examples include IT service providers (maintenance of hardware and software, hosting providers), cloud and data center providers, service providers for archiving/file storage, providers of customer management software (broker management program), newsletter mailing service providers, etc. We conclude order processing contracts with these processors in accordance with Art. 28 GDPR to ensure that your data is processed there just as securely and for the intended purpose.

  • Cloudflare: We use the Content Delivery Network (CDN) of Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich, Germany (Cloudflare) to increase the security and delivery speed of our website. This corresponds to our legitimate interest (Art. 6 para. 1 lit. f GDPR). A CDN is a network of globally distributed servers that is able to deliver optimized content to the website user. For this purpose, personal data may be processed in Cloudflare’s server log files. Cloudflare is the recipient of your personal data and acts as a processor for us. This corresponds to our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR not to operate a content delivery network ourselves. You have the right to object to the processing. Whether the objection is successful must be determined as part of a balancing of interests. The functionality of the website is not guaranteed without the processing. Your personal data will be stored by Cloudflare for as long as is necessary for the purposes described. Further information on objection and removal options vis-à-vis Cloudflare can be found at https://www.cloudflare.com/cloudflare_customer_SCCs-German.pdf. Cloudflare has implemented compliance measures for international data transfers. These apply to all global activities where Cloudflare processes personal data of natural persons in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs).

  • Typeform: We use the Typeform service from TYPEFORM S.L., Carrer Bac de Roda, 163 (Local), 08018 Barcelona, Spain (Typeform) for our contact forms. This enables us to provide you with an easy way to contact us. Mandatory fields are marked with an *. Typeform is the recipient of your personal data and acts as a processor for us. The processing of the data provided via the form is not required by law or contract. We cannot provide you with a contact form without your consent and the transmission of your personal data. However, you have the option of contacting us at the following email address: [email protected]. The data is stored exclusively for the purpose of sending inquiries and responding to them. The mandatory information is used to assign and respond to your request. In addition, Typeform collects the following personal data with the help of cookies: Information about your end device (IP address, device information, operating system, browser settings). Furthermore, usage data is collected, such as the date and time when you used the contact form. Typeform requires this data to ensure that the contact form is displayed and functions properly. This corresponds to the legitimate interest of Typeform (pursuant to Art. 6 para. 1 lit. f GDPR) and at the same time serves the execution of the contract (pursuant to Art. 6 para. 1 lit. b GDPR). Further information can be found at: https://help.typeform.com/hc/en-us/articles/360029581691-What-happens-to-my-data and at: https://admin.typeform.com/to/dwk6gt. The legal basis for this processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can withdraw your consent to the processing of your personal data at any time. The revocation can be made via the contact options provided. Your data will be processed for as long as the corresponding consent is available. The declaration of revocation does not affect the legality of the processing carried out up to that point. 
Your data will be deleted after processing has been completed, unless further storage is required by law.

  • Google Fonts (local hosting): This site uses so-called Google Fonts, which are provided by Google, for the uniform display of fonts. Google Fonts are installed locally. There is no connection to Google servers. You can find more information about Google Fonts at https://developers.google.com/fonts/faq and in Google’s privacy policy: https://policies.google.com/privacy?hl=de.

  • Advisors and bodies within our corporate organization: This may include, for example, our tax advisor or auditor (access to invoice data as part of their auditing and consulting activities), lawyers (in the event of a dispute), insurers as part of our own business insurance policies (e.g. disclosure of a claim involving your data) or debt collection service providers in the event of outstanding claims. Such recipients are also legally or contractually bound to confidentiality and data protection.

  • Authorities and public bodies: In the event of statutory duties to provide information, personal data may be passed on to authorized authorities, e.g. to tax authorities (for tax-relevant transactions), law enforcement authorities (upon request as part of an investigation), supervisory authorities (such as the responsible state data protection officer or the Chamber of Industry and Commerce, insofar as they have audit rights) or courts (as evidence in legal disputes). In such cases, the data will only be passed on in accordance with the legal requirements.

Your data will not be transferred to unauthorized third parties or for purposes other than those specified. In particular, we do not sell or disclose any data unless you have expressly consented to this.

5. Use of WhatsApp Business

We also offer you the option of contacting us via the WhatsApp Business messenger service. We use the service directly (without intermediary third-party providers). WhatsApp is used exclusively for general communication with you – for example, to clarify questions, answer inquiries or exchange documents.

When you communicate with us via WhatsApp, we receive in particular your cell phone number and the content you send us (e.g. text messages, images or documents). We process this data in order to process and respond to your request. Depending on the context of the conversation, we base the processing on Art. 6 para. 1 lit. b GDPR (contract initiation or fulfillment, if your request relates to a contract) or on Art. 6 para. 1 lit. f GDPR (our legitimate interest in efficient communication for general inquiries). Your data will only be used by us for the purpose for which you contact us via WhatsApp.

Please note that WhatsApp itself processes personal data when you use the service. The provider of the service is WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. WhatsApp receives, for example, your telephone number and the content of the communication and processes this data under its own responsibility in accordance with its own terms of use and data protection guidelines. In particular, it is possible that data may be transferred to servers outside the EU (especially in the USA) and stored there. WhatsApp states that it uses suitable guarantees (such as EU standard contractual clauses) for international data transfers to ensure an adequate level of data protection. For further details, please refer to WhatsApp’s terms of use and privacy policy (available on the WhatsApp website).

We use WhatsApp Business on a dedicated business account and ensure that only contacts who have contacted us via WhatsApp are stored on the mobile device used. This prevents WhatsApp from gaining access to the contact details of people who do not use the service.

The use of WhatsApp is of course voluntary. If you do not wish to communicate via WhatsApp, you can always use alternative communication channels, in particular email or telephone. You will not suffer any disadvantages as a result of not using WhatsApp.

6. Data processing when using our social media sites

We maintain publicly accessible profiles on social networks and platforms in order to communicate with customers and interested parties and to provide information about our company. Specifically, we currently use the following social media channels:

  • Instagram: Operated by Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. (Instagram privacy policy: see help.instagram.com)

  • X (formerly Twitter): Operated by X Corp. (USA) or in the EU by Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland. (Privacy policy of X/Twitter: see x.com)

  • YouTube: Operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. (YouTube/Google privacy policy: see policies.google.com)

Please note that we may be jointly responsible with the respective platform operator on these platforms in terms of data protection, insofar as we influence the data processing (joint controllership in accordance with Art. 26 GDPR, e.g. for statistical evaluations of usage data on our profiles).

However, the primary data processing when visiting the social media pages is carried out by the operators of the social networks. They collect and use your personal data (e.g. through cookies or similar technologies) for their own purposes, in particular to analyze your usage behavior for advertising and market research. We only have limited influence on this data processing.

Data processing by the platform operators: When you visit our profiles, the aforementioned companies may collect your IP address, device-specific information and your usage behavior on the platform, among other things. If you are logged into your respective account at the same time, the platform provider can assign the visit to your user account. Even if you do not have your own account or are not logged in, data may be collected, e.g. via cookies on your device. The platform operators may create user profiles from your usage behavior and use these for personalized advertising and market research, which may also be displayed outside the platform. For details, please refer to the privacy policies of the respective services (see links above). There you can also find out on what legal basis the providers process the data and how you can change existing advertising/privacy settings, for example.

Data processing by us on social media: If you contact us via social media (e.g. by writing us a message, responding to one of our posts or leaving a comment), we process the personal data collected in order to process your request. This includes your profile name, any other information you have made visible from your profile and, of course, the content of your message/comment. We use this data, for example, to respond to your request or to react to feedback. Depending on the context, the legal basis for this is Art. 6 para. 1 lit. b GDPR (if you make a request in relation to a contract or our services) or Art. 6 para. 1 lit. f GDPR (our legitimate interest in communicating with the public and raising our profile). We may also use publicly visible contributions from you on our pages (e.g. comments) within the scope of our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR, for example to respond to them or to quote them within the platform if necessary.

We also receive anonymized statistics from the platform operators about the use of our social media pages (so-called “insights”). These contain, for example, demographic information about visitors to our site (grouped by age or gender), reach and interaction figures, etc., but no direct personal references. This aggregated data helps us to understand which content is well received and how we can optimize our offering. We only have limited influence on the creation and processing of this insights data by the platform; it is largely carried out by the provider according to its rules.

Notes on risks and responsibility: We would like to point out that you use the aforementioned social media platforms and their functions at your own responsibility. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating). If you do not want the operators to associate your usage behavior with your profile, you should log out of your account and delete any cookies before visiting our site. You can assert your rights to information, correction, deletion, restriction, etc. both against us and against the respective platform operator. Please note, however, that we do not have full access to the data stored by the platforms. The platform operator is usually in a better position to provide information or enforce your rights. However, we are happy to support you to the best of our ability.

Data transfer to third countries by social media: Some of the social media providers mentioned have their headquarters in the USA. It is therefore possible that personal data may be transferred to the United States or other third countries when using our social media presences. For the USA, there is currently an adequacy decision by the EU Commission under the new “EU-U.S. Data Privacy Framework” for certified companies; if a provider is not certified, we base the transfer on the standard contractual clauses of the EU Commission or your express consent. Nevertheless, we would like to point out that a lower level of data protection may prevail in third countries and that US authorities, for example, could access data without you as an EU citizen being entitled to the same legal remedies against this.

Storage period on social media: We delete or anonymize the communication data that we have received directly via social media as soon as the purpose has been fulfilled and there are no legal obligations to retain it. For example, an inquiry is deleted after it has been conclusively answered and no further storage is required. Publicly posted content generally remains on the platform until you delete it yourself or we remove it, if permitted. We have no influence on the storage period of the data collected by the social media providers. This depends on the terms of use of the respective service. Please contact Instagram, X or YouTube directly to find out how long your data is stored there and how you can arrange for it to be deleted.

7. Data security

We take appropriate technical and organizational security measures (TOMs) to protect your personal data from unauthorized access, loss, alteration or disclosure. These include, for example:

  • Secured server systems: Your data is stored on secure, protected server systems; we may use encrypted databases.

  • Access restrictions according to the need-to-know principle: Only authorized employees who need to know the data for the stated purposes are granted access to it. Our employees are also committed to confidentiality and data protection.

  • Encryption: Our website uses TLS encryption (recognizable by “https://” in the URL) to protect the transmission of confidential content (e.g. in the contact form). We also use common encryption methods for emails, provided your email provider supports this. Please note, however, that unencrypted e-mails on the Internet do not guarantee complete confidentiality – so please do not send us particularly sensitive information by unencrypted e-mail if possible.

  • Data backup and redundancy: We create regular backups in order to be able to reconstruct the data in the event of technical problems or data loss. This backup data is also stored securely.

  • Up-to-dateness and control: We always keep our security measures up to date with the latest technology and adapt them as soon as new risks are identified. Our systems are protected against attacks by firewalls, virus protection and monitoring.

Please note that 100% security can never be guaranteed for data transmissions on the internet. However, we secure our systems and processes to the best of our ability in accordance with legal requirements and the state of the art.

8. Storage duration and deletion

We do not store your personal data for longer than necessary. In principle, we process and store personal data for as long as is necessary for the respective purposes (fulfillment of contractual obligations or purposes for which you have given your consent). If the processing purpose no longer applies, we delete or anonymize your data as part of the regular deletion routines. However, we observe the following deadlines and retention obligations in particular:

  • Contractual and consultation documents: We retain data from our business relationship (contractual documents, applications, correspondence, consultation records, etc.) for the duration of the contract and beyond. After the end of the contract, the data is initially retained to the extent necessary in order to consider any warranty or liability claims. We retain relevant documents until the expiry of the regular limitation period for civil law claims according to §§ 195 ff. BGB (beginning at the end of the year in which the claim arose). In individual cases, however, limitation periods can also be up to 30 years (absolute maximum period).

  • Retention under commercial and tax law: Irrespective of any statute of limitations, we are obliged to retain certain data for statutory periods. For example, contract documents, accounting records, invoices, proof of payment, business letters or e-mails must be archived for 6 or 10 years in accordance with the provisions of the German Commercial Code (HGB), the German Tax Code (AO) or the German Insurance Tax Act (Versicherungssteuergesetz). These periods begin at the end of the calendar year in which the document was created. During this time, the data is blocked (i.e. no longer actively used), but retained for auditing purposes and verification obligations. After the deadlines have expired, the data concerned is routinely deleted.

  • Credit and brokerage inquiries (without conclusion of a contract): If you have made use of our offers without concluding a contract with an insurer or lender (e.g. pure offer preparation, advice without conclusion), we only store the collected data for as long as this is necessary for further support or a possible subsequent conclusion of a contract. If it is clear that no contract will be concluded and there is no further interest on your part, we will delete your data after 12 months at the latest (in the case of requests for quotations) or after completion of our consultation, provided that no other retention obligations apply.

  • Application documents: If you apply to us and are not hired, we will generally delete your application data no later than 6 months after completion of the application process. Data will only be stored for longer with your consent (inclusion in an applicant pool) or if we have to assume on the basis of concrete evidence that we need the data to defend against legal claims (then at the longest until the claim has been clarified).

  • Social media communication: As explained in section 6, we delete direct inquiries or messages on social media channels as soon as the conversation has ended and no further storage is required for reasons of proof. Public posts remain on the platform until you delete them or we remove them in accordance with our moderation rules.

In exceptional cases, further storage may be necessary, for example if required by law or official orders, in the event of ongoing legal disputes or if you have consented to longer storage.

9. Your rights as a data subject

As a data subject affected by data processing, you have a number of rights under the GDPR that you can assert against us:

  • Right to information (Art. 15 GDPR): You can request information about what personal data we have stored about you and how we process it.

  • Right to rectification (Art. 16 GDPR): You have the right to request the rectification of inaccurate data or the completion of incomplete data.

  • Right to erasure (Art. 17 GDPR): Under the conditions of Art. 17 GDPR, you can request the erasure of your personal data. This is the case, for example, if the data is no longer necessary for the purposes for which it was collected or if you withdraw your consent and there is no other legal basis. Please note that the right to erasure is subject to restrictions – for example, if we are legally obliged to retain the data or we need the data to assert legal claims. The restrictions pursuant to Sections 34 and 35 BDSG apply.

  • Right to restriction of processing (Art. 18 GDPR): Under certain conditions, you can request that we only process your data to a limited extent (e.g. if you dispute the accuracy of the data, for the duration of the obligation to verify).

  • Right to data portability (Art. 20 GDPR): You have the right to receive the data that you have provided to us in a commonly used, machine-readable format or – where technically feasible – to request that it be transmitted to a third party.

  • Right to object (Art. 21 GDPR): You can object to the processing of your personal data, which we carry out on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR), at any time for reasons arising from your particular situation. If you object, we will no longer process the data concerned for these purposes unless we can demonstrate compelling legitimate grounds that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. In particular, you can object to direct marketing at any time without giving reasons – in which case we will no longer use your data for advertising purposes. (For details on the right to object, see also section 10 below.)

  • Right to withdraw consent (Art. 7 (3) GDPR): If you have given us your consent, you can withdraw it at any time with effect for the future (see section 3 d above). An informal notification to us by email is sufficient. Withdrawal will not result in any disadvantages for you, except that we may no longer be able to provide certain services.

  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): If you believe that the processing of your personal data violates data protection law, you can lodge a complaint with a data protection supervisory authority. You can do this with the authority responsible for us (State Commissioner for Data Protection and Freedom of Information NRW in North Rhine-Westphalia) or any other data protection authority. The right to lodge a complaint is without prejudice to any other administrative or judicial remedies.

To assert your rights, you can contact us informally at any time (e.g. by email to our above address). Please specify which right you are requesting under the GDPR and provide as much detail as possible so that we can process your request efficiently. We will examine your request immediately and implement it in accordance with the legal requirements.

10. Right to object pursuant to Art. 21 GDPR

Individual right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR (data processing in the public interest or on the basis of legitimate interests). This also applies to profiling based on this. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds that outweigh your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

Objection to processing of data for direct marketing: In cases where we process your personal data for the purpose of direct marketing (e.g. sending promotional emails to existing customers), you have the right to object at any time to the processing of your data for the purpose of such marketing. If you object to processing for direct marketing purposes, we will no longer use your personal data for these purposes.

The objection can be made informally and should preferably be addressed to: Rombey Capital GmbH, Doverhahn 81, 41836 Hückelhoven, e-mail: [email protected].

11. Up-to-dateness of and changes to this privacy policy

This privacy policy was last updated in April 2025. We regularly review it to ensure that it is up to date and complies with the applicable legal situation and current official requirements and court rulings. If necessary (e.g. in the event of legal changes to the GDPR/BDSG or if our range of services is expanded to include new data processing), we will amend this privacy policy accordingly.

The current version of the privacy policy is available on our website at rombey.capital/en/privacy-policy. We retain older versions for verification purposes.

Note: This privacy policy provides comprehensive information in accordance with Art. 13, 14 GDPR. If you have any questions or uncertainties regarding individual points, please do not hesitate to contact us. We will be happy to explain how we implement data protection in our company.