General Terms and Conditions

Preamble

Introfy GmbH ("Introfy") specializes in the placement of potential employees ("candidates") with companies ("employers") through the Introfy platform ("platform"). These General Terms and Conditions ("GTC") govern the contractual basis for the use of the platform by both candidates and employers ("users").

1. Use of the Platform

1. The use of the platform as a candidate can be done via web application or mobile application, while the use as an employer is exclusively via a web application.
2. The use of the platform requires a user's registration ("Registration"). By registering, the contract is concluded with Introfy. Registration as a candidate is done by entering a mobile phone number, setting a password, and then confirming by entering a verification code sent to the mobile phone number. Registration as an employer is done by providing an email address and subsequently filling out a registration form, which is made available via a link in an email sent to the specified address. Incorrect entries can be identified if the user does not receive corresponding feedback from Introfy (via verification SMS or email).
3. Only natural persons who are personally seeking an employer are eligible to register as a candidate. Registration and use on behalf of a third party or a fictitious person is prohibited. Providing false information during registration and/or within the candidate account is also prohibited.
4. To Register as an Employer, Companies Are Authorized That Are Seeking Additional Employees; Only an Authorized Representative of the Company Is Entitled to Register a Company. Use for a Third Party or a Fictitious Person Is Prohibited. Also Prohibited Is the Provision of False Information During Registration and/or in the Employer Account.
5. Introfy may refuse registration on the platform without providing reasons. Introfy reserves the right to verify the authenticity of registration requests and to condition the completion of the registration on this verification. This does not affect Introfy's right to randomly check the authenticity of existing accounts at any time and to delete them if there is a violation of the previous provisions.
6. Users are required to keep their access data secure and, in particular, not to provide it to third parties.
7. Although user content is stored and made available on the platform, the scope of services from Introfy does not include cloud storage, so Introfy is not obligated to keep the user content permanently available.
8. Use of the platform by minors is prohibited.
9. The contract language is German. The contract text will not be stored by Introfy after the conclusion of the contract with the respective user, but it is accessible to the user on the website.

2. Contact Between Candidates and Employers

1. An employer can create a job description for an open position, in which the requirements for the position are defined by the employer ("Job Description").
2. For the respective job description, the employer can search for candidates on the platform and send a contact request ("request") to interesting candidates. Candidates are only shown to employers if the candidates have set their account to "active."
3. The employers commit to not contacting candidates they learn about through the platform via any other means than a request. Any violation of this will result in a contractual penalty amounting to three times the placement fee (see price list). This does not affect the assertion of further claims for damages, nor Introfy's right to the placement fee (see clause 4.4.), in case of a successful placement circumventing the request, as well as any potential contractual penalty according to clause 3.4. for failing to report the successful placement. Additionally, Introfy reserves the right in this case to immediately terminate the contractual relationship with the employer and delete the employer account.
4. Candidates can accept requests from employers ("Acceptance"). In this case, the employer receives access to the candidate's contact details, allowing the employer to contact the candidate at their own responsibility. Subsequent negotiation talks take place outside the platform directly between the respective candidate and the respective employer ("Negotiation Talks").

3. Successful Mediation

1. If a contractual relationship between candidates and employers (e.g., permanent employment, freelance) is established through the services of Introfy, it constitutes a "Successful Placement."
2. A successful placement is considered when a contractual relationship between the candidate and the employer is established within 24 months after acceptance of the candidate, provided that the employer cannot prove that the contractual relationship occurred independently of Introfy's services.
3. The employer is obligated to report a successful placement to Introfy without delay - but no later than within 2 weeks - via the web portal.
4. If the employer fails to notify the successful placement in a timely manner, a contractual penalty amounting to three times the placement fee (see price list) is payable to Introfy. This does not affect any additional compensation claims, nor the actual claim for the placement fee (see section 4.4.).

4. Fees

1. The use of the services is free for candidates.
2. Employers pay a fee for each request according to the price list ("Request Fee").
3. In the event of a successful placement, the employer is obliged to pay an additional fee according to the price list ("placement commission").

5. Privacy

1. Introfy processes users' personal data in accordance with data protection regulations.
2. As a data protection officer, Introfy processes personal data only to the extent necessary for the contractual obligation towards the respective user.
3. The upload of user content is carried out at the user's own responsibility. In this regard, Introfy acts as the user's data processor. In this respect, the data processing agreement attached here as Appendix 1 (DPA) serves as the basis for data processing by Introfy, insofar as the user is obliged to conclude a data processing agreement.

6. Contract Duration and Termination

1. The Usage Agreement between Introfy and the User is for an indefinite period of time.
2. The parties may terminate the usage agreement at any time with a notice period of 1 month without stating reasons.
3. The termination has no impact on fees incurred subsequently due to a successful mediation, nor the obligation to report a successful mediation, nor the imposed contractual penalty in the event of failing to report the successful mediation.
4. This does not affect the statutory right to extraordinary termination.

7. Liability

1. Introfy is liable according to the statutory provisions for damages to life, body, and health resulting from a culpable breach of duty. Furthermore, Introfy is liable according to the statutory provisions for other damages resulting from intentional or grossly negligent breaches of contract. To the extent that the scope of the Product Liability Act is applicable, Introfy is fully liable in accordance with its provisions.
2. If damage is based on the slightly negligent violation of a significant contractual obligation, that is, an obligation whose fulfillment makes the proper execution of the contract possible in the first place, whose violation endangers the achievement of the contract's purpose, and which users can regularly trust to be observed, then Introfy's liability is limited to the foreseeable and contract-typical damage.
3. Further liability claims against Introfy do not exist.

8. Miscellaneous

1. Should individual provisions of these terms and conditions be invalid or incomplete, the validity of the remaining conditions remains unaffected.
2. German substantive law applies, excluding German conflict of laws and the UN Convention on Contracts for the International Sale of Goods. To the extent that an agreement on the place of jurisdiction is permissible, the place of jurisdiction is Hamburg.
3. We do not participate in dispute resolution proceedings before a consumer arbitration board and we are not obliged to do so. Pursuant to Article 14, paragraph 1 of Regulation (EU) 524/2013 on online dispute resolution for consumer disputes (ODR Regulation), we are legally required to inform you about the European Online Dispute Resolution platform (ODR platform) of the European Commission. You can access it at https://ec.europa.eu/odr.

Appendix 1: AVV

Preamble

The Contractor (Introfy) processes personal data on behalf of the Principal (User) within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679 – General Data Protection Regulation ("GDPR"). This Data Processing Agreement ("Agreement") specifies the data protection obligations of the contracting parties that arise from the order data processing described in the main contract. This Agreement applies to all activities related to the main contract in which employees of the Contractor or third parties commissioned by the Contractor may come into contact with personal data provided by the Principal.

1. Definitions

1. Personal data are all the information provided by the client that relate to an identified or identifiable natural person ("data subject"); a natural person is considered identifiable if they can be identified directly or indirectly, in particular by associating it with an identifier such as a name, an identification number, location data, an online identifier, or one or more specific characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (Art. 4 No. 1 GDPR).
2. Processing refers to any operation or set of operations performed on personal data, with or without the aid of automated processes, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction (Art. 4 No. 2 GDPR).
3. Instructions are all directions given by the client to the contractor, which prompt the contractor to process personal data. The instructions are initially defined by the main contract and may subsequently be amended, supplemented, or replaced by the client through individual instructions ("Individual Instructions").

2. Subject of the Contract, Responsibility

The contractor processes the personal data on behalf of the client. The client is solely responsible for compliance with the legal provisions of data protection laws, in particular for the legality of sharing personal data with the contractor and the legality of processing, as the "Controller" according to Art. 4 No. 7 GDPR.

3. Duration

The duration of this contract corresponds to the term of the main contract. The right to extraordinary termination remains unaffected.

4. Scope, Nature, and Purpose of the Intended Processing of Personal Data

The scope, nature, and purpose of the processing of personal data by the contractor on behalf of the client are specifically described in the main contract.

5. Type of Data

The subject of the processing of personal data includes the following types/categories of data (list/description of the data categories):

• Personal data that the user provides themselves, particularly including work-related personal data in various formats (text, image, video).

6. Circle of Those Affected

The circle of affected individuals whose personal data is processed includes:

• User and User-Designated Third Parties.

7. Correction, Deletion, Blocking, and Release of Data

1. The client may request the correction, deletion, blocking, and release of personal data at any time during and after the termination of this contract or the main contract within the framework of a lawful individual instruction.
2. The client determines the measures for the return of the provided data carriers and/or the deletion of stored personal data after the termination of the contract either contractually or through individual instructions.

8. Technical and Organizational Measures

1. The Contractor will take technical and organizational measures to adequately safeguard personal data against misuse and loss, in accordance with the requirements of Articles 24 and 32 of the GDPR. This includes, in particular, where appropriate,

   • Prevent unauthorized access to data processing systems where personal data is processed and used (access control).

   • to prevent data processing systems from being used by unauthorized persons (access control),

   • ensuring that individuals authorized to use a data processing system can only access data subject to their access authorization and that personal data cannot be read, copied, altered, or removed without authorization during and after processing (access control),

   • To ensure that personal data cannot be read, copied, modified, or removed without authorization during electronic transmission or during their transport or storage on data carriers, and that it can be verified and established to which entities a transmission of personal data is intended through data transmission facilities (forwarding control),

   • to ensure that it can be subsequently checked and determined whether and by whom personal data has been entered, altered, or removed in data processing systems (input control),

   • Ensure that personal data can only be processed according to the instructions of the client (contract control),

   • To ensure that personal data is protected against accidental destruction or loss (availability control),

   • Ensure that data collected for different purposes can be processed separately (separation control).

   • The Pseudonymization and Encryption of Personal Data,

   • The ability to ensure the confidentiality, integrity, availability, and resilience of systems and services related to processing on an ongoing basis.

   • The ability to quickly restore the availability of personal data and access to them in the event of a physical or technical incident,

   • A procedure for the regular review, assessment, and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing.

2. The technical and organizational measures are subject to technological advancements and development. In this respect, the contractor is allowed to implement alternative adequate measures. The security level of the defined measures must not be compromised. Significant changes that may affect the integrity, confidentiality, or availability of personal data must be documented.

9. Directives

1. The client has the right to issue individual instructions regarding the nature, scope, and procedure of processing personal data to the contractor at any time. Individual instructions must be given in writing.
2. The contractor may process personal data only within the framework of the main contract, this contract, and individual instructions, unless the contractor is obligated to process the personal data under Union law or the law of the member states.
3. Regulations regarding any compensation for additional expenses arising from individual instructions given by the client to the contractor remain unaffected.
4. The contractor must inform the client of any exceptions to the duty to follow instructions due to applicable law for the contractor, unless this law specifically prohibits such notification due to an important public interest.

10. Other Rights and Obligations of the Contractor

1. The contractor appoints a data protection officer, if legally required, who can perform his duties in accordance with Articles 37, 38, 39 of the GDPR. The contact details of the data protection officer will be provided to the client upon request for the purpose of direct communication.
2. The contractor ensures that employees involved in the processing of personal data are bound to data confidentiality (Art. 29 GDPR) and have been instructed in the data protection provisions of the GDPR. The obligation of data confidentiality continues even after termination of the activity.
3. The contractor informs the client in the event of serious disruptions to operations, suspected data protection violations, or other irregularities in the processing of personal data. This also applies to any inspection actions and measures taken by the supervisory authority pursuant to Articles 51-59 GDPR or investigations pursuant to Articles 83, 84 GDPR.

4. It is known that under Art. 33 of the GDPR, the contractor may have information obligations in the event of unlawful transmission or acquisition of certain personal data. Therefore, such incidents must be reported to the principal immediately, regardless of the cause. The contractor's report to the principal must include the following information in particular:

   • A Description of the Nature of the Personal Data Breach, Where Possible Including the Categories and Approximate Number of Individuals Affected, the Affected Categories, and the Approximate Number of Affected Personal Data Records;

   • A description of the measures taken or proposed by the contractor to remedy the personal data protection breach and, if applicable, measures to mitigate its possible adverse effects.

   The Contractor Shall Take Appropriate Measures to Secure the Data and Mitigate Possible Adverse Consequences for Affected Parties.

5. The contractor is obligated to provide information to the client at any time, to the extent that their data and documents are affected by a breach of personal data protection. The contractor shall carry out the data protection-compliant destruction of material based on an individual assignment by the client at the client's expense. In special cases, to be determined in writing by the client, storage or handover will take place.
6. The processing of data in private homes (telecommuting or home office work by the contractor's employees) is permitted by the client. As far as data is processed in a private home, the contractor ensures that the measures in accordance with Art. 32 of the GDPR are also secured for telecommuting and home office work.
7. Insofar as the contractor provides services under this contract that are not compensated by the main contract, the contractor may demand reasonable compensation.

11. Rights and Obligations of the Client

1. The client is solely responsible for assessing the permissibility of processing personal data and for safeguarding the rights of the data subjects.
2. The client must inform the contractor immediately and comprehensively in writing if, during the review of the contract results, they find errors or irregularities regarding data protection regulations.
3. The client is subject to the information obligations resulting from Art. 33 GDPR.

12. Requests of Data Subjects

1. If the client is obliged under applicable data protection laws to provide information to an individual regarding the processing of their personal data, the contractor will assist the client, as necessary, in providing this information, provided the client has requested the contractor to do so in writing.
2. The Contractor will inform the Client if Data Subjects exercise their data subject rights against the Contractor.

13. Cooperation with the Supervisory Authority

The client and the contractor, and, where applicable, their representatives, shall cooperate with the supervisory authority upon request in the performance of their duties.

14. Duties of Control of the Principal

The client verifies the technical and organizational measures of the contractor before beginning data processing and regularly thereafter, and documents the results. For this purpose, the client may obtain self-assessments from the contractor or conduct an audit at their own expense. In the case of an audit, the client also bears the costs of the contractor's employees who must participate in the audit.

15. Subcontractor

1. The Engagement of Subcontractors is possible within the scope of this contract and the activities specified in Sections 3, 4, 5, 6, provided that the contractor ensures that the subcontractor assumes the obligations of this contract towards the contractor. In particular, the confidentiality, data protection, and data security requirements outlined in this contract apply.
2. The client shall be granted control and inspection rights in accordance with Section 14. Upon written request, the client is entitled to obtain information from the contractor about the essential content of the contract and the implementation of the subcontractor's data protection obligations, if necessary also by reviewing the relevant contract documents.
3. The contractor is entitled to engage subcontractors, provided they meet the requirements as per Sections 15.1 and 15.2, and the contractor informs the client of this and the client does not object in writing within seven days.

16. Confidentiality Agreement

The Contractor is obligated to maintain confidentiality when processing personal data. The Contractor agrees to adhere to the same confidentiality rules as are incumbent on the Client. The Client is obligated to inform the Contractor in writing of any special confidentiality rules.

17. General Provisions, Information Obligations, Written Form Clause, Choice of Law

1. If personal data held by the contractor is at risk due to seizure or confiscation, insolvency or settlement proceedings, or other events or actions by third parties, the contractor must inform the client immediately. The contractor will promptly inform all parties responsible in this context that the sovereignty and ownership of the personal data belongs solely to the client as the "controller" within the meaning of the GDPR.
2. The processing of personal data takes place exclusively within the territory of the Federal Republic of Germany, in a member state of the European Union, or in another contracting state of the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the client and may only be carried out if the specific conditions of Art. 44, 45, 46 GDPR are met. Insofar as the processing is carried out by a subcontractor, the client hereby gives their consent.
3. Amendments and additions to this contract and all its components – including any representations by the contractor – require a written agreement and explicit indication that they are an amendment or addition to this contract. This also applies to the waiver of this formal requirement.
4. German law applies, with the exception of conflict of laws.
5. The place of jurisdiction is the one resulting from the main contract.