Skip navigation links


Open-Xchange Privacy Policy for the Website

(Last updated: December 2019)

We are pleased that you have chosen to visit this website and are interested in our product. The protection of your personal information during your visit to our website is important to us. We undertake to protect your privacy and to treat your data confidentially and in accordance with applicable law, particularly the General Data Protection Regulation (GDPR). With this Privacy Policy, we would like to inform you which categories of your personal data will be collected and processed by Open-Xchange during your visit. We also would like to share the purposes these data will be used for. Changes of legal circumstances or internal corporate processes can make it necessary to adjust this privacy policy (rights are accordingly reserved) from time to time. If possible please re-read this Privacy Policy each time you visit our website.

1. Personal Data

‘Personal data’ means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Although you can basically use this website without disclosing your identity to us, during your visit to this website some personal data will be collected in order to provide you with certain features and functionalities of the website. The collected data is described in detail in the respective sections below.

The following processing activities can be found on our website:

1.1 Logfiles

On the occasion of your visit and use of this website and every time you request a file, our web server saves data about these accesses in a report file. The set of data contains the following information:

  1. domain name or IP-address of the remote host,
  2. result of the access (file transferred; file not found etc.)
  3. date and time of the access
  4. amount of transferred data
  5. browser type and version
  6. operating system
  7. used language and name of the internet service provider
  8. website from which the file was accessed
  9. saved cookies for the accessed domain
  10. device identifier
  11. IP address

We collect these logfiles solely to provide the service (website functionalities; e.g. retention of your session) and due to legitimate interests, such as system security, troubleshooting and to optimize our web presence (e.g. improvement of the user friendliness of our website). The legal basis this processing activity can be seen in Art. 6 par. 1 lit. f GDPR. Furthermore, we generally do not transfer any of the information mentioned above to third parties, unless we are required to do so by applicable law or have a valid legal basis for such transfer, such as your consent.

However, in certain cases we have to comply with inquiries made by third parties and transfer your information to them, e.g. transfer to the law enforcement authorities if a crime is suspected. For this purpose, Art. 6 par. 1 lit. c-e GDPR is the general legal basis since processing the data is either a legal obligation, mandatory to protect your vital interests (e.g. prevent data abuse) or the processing is carried out in the public interest or in the exercise of the public duties of an official authority.

1.2 Cookies

Our website uses technically required cookies in order to make visiting our website attractive for you and to enable the use of certain functions. Cookies are small text files that are stored on your computer or device. Most of the cookies used by us will be deleted from your hard disk after the end of the browser session (so-called session cookies). When you first enter our website, you will see a pop-up cookies permission banner seeking your consent to use of non-technically required cookies as required by law (please see more details below No.1.3).

From this banner, you will also be able to access our cookies management tool where you can change your cookie settings for our website.

Following applicable law all data is saved exclusively in a pseudonymized form (at most) without any direct personal reference. This enables us to update our website to address your individual preferences.

You can also prevent the storage of cookies on your computer or device by making the appropriate changes to your browser settings so that cookies are not accepted or so that you are notified before accepting cookies. However, this can limit functionality of our website and our services.

There is always a link present with which you can object to cookies from other providers or third parties. If you declare your objection, the providers set an opt-out cookie that prevents any further data being recorded on your computer or device. If you would like to retain your right to objection, you should not delete the opt-out cookie. You will have to complete the opt-out process again if this cookie is deleted later, e.g. by deleting or clearing your browser settings. Furthermore, you can manage data collection and storage by many other services. More details are cited here: or


Our website uses the web analytics tool ‘Piwik Pro’. Piwik Pro uses cookies which are placed on the hard drive of your device. These enable us to analyze the visitor’s usage of our website. For this purpose, the generated information in the cookie (including the abbreviated anonymized IP-address) is transmitted to our server and stored to enable us to optimize the usage of our website. In this process, your IP-address is being anonymized immediately, so that you remain fully anonymous to us. The information generated by the cookie about your use of this website will not be disclosed to third parties.

You may preclude the usage of cookies by selecting the appropriate settings in your browser, in this case it may occur, however, that you may not be able to use all functions of this website.

If you have given your consent first but later wish to opt out for the future, you may do so by clicking on the link below at any time. In this case a so called opt-out-cookie will be placed within your browser so that Piwik Pro will not collect any session data.

Opt-out from PIWIK PRO analytics Please keep in mind that in the event that you delete your cookies, this opt-out-cookie will also be deleted, and you may have to reactivate it.

2. Rights to information, rectification, erasure and restriction of processing

Upon request, we will confirm what kind of personal data of yours, if any, is currently stored on our servers, the purpose of storing as well as the envisaged period for which the personal data will be stored and, if any, the recipients to whom the personal data have been or will be disclosed. You will find our contact details below.

If your personal data we have stored on our servers is out-of-date or inaccurate, we will correct it promptly upon your request. Additionally, you have the right to have incomplete data completed.

If requested, we will promptly erase your personal data, unless prohibited by law, and then we will restrict the respective data. Besides we will delete your personal data if it is no longer necessary in relation to the purposes for which they were collected and stored, if you withdraw consent on which the processing is based or if the personal data have to be deleted for compliance with a legal obligation in Union or Member State law to which we are subject to.

Furthermore, you have the right to request restriction of processing if the accuracy of personal data is contested for a period enabling us to verify the accuracy of the personal data, if the processing is unlawful, if we do not need the personal data anymore for the purposes of the processing but they are required by you for the establishment, exercise or defense of legal claims or if you objected the processing as long as the verification if legitimate grounds of us override yours is pending.

3. Right to lodge a complaint with a supervisory authority

Furthermore, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement.

4. Right to object

You have the right to object at any time to processing of personal data on grounds relating to your particular situation which is based on point (e) or (f) of Article 6(1) (task carried out in public interest or processing in purpose of legitimate public interest) or if the personal data is processed for direct marketing purposes. If you have objected we will no longer process the personal data unless on our side legitimate interest for the processing prevail your interests or for the purpose of establishment, exercise or defense of legal claims. If you have objected to the processing of personal data due to direct marketing purposes we will no longer process this personal data for those purposes. To declare your objection, you may submit a message to the addresses stated below under No.8.

5. Right to data portability

Upon request, we will provide you with the personal data you have provided to us in a structured commonly used and machine-readable format and ensure you will be able to transmit those data to another controller.

6. Links to other websites

Our website contains hyperlinks to websites of other parties. These websites may possibly use cookies or collect personal data. As we have no influence on whether these parties adhere to our privacy policy or not we cannot point out the relevant aspects. This privacy policy is only valid for our website. Links to other websites from this site are not included.

7. Data security

We are always seeking to process your personal data by taking all technical and organisational possibilities in a way so that it is not accessible to third parties. If you contact us e.g. via e-mail, full data security cannot be guaranteed. We recommend sending confidential information by letter post only.

8. Contact

Please feel free to address data protection related questions or suggestions at any time. Please contact the address below via written letter. There you can confirm, which of your personal data is stored on our servers, receive further information and exercise your rights to revocation, deletion or rectification.

You may contact the data protection department under:

Open-Xchange AG
Hohenzollernring 72
50672 Cologne
E-Mail: datenschutz(at)

You can also contact our Data Protection Officer:

Mrs. Dr. Jana Jentzsch
Jentzsch-IT Rechtsanwaltsgesellschaft mbH
Alsterarkaden 13
20354 Hamburg 
Email: info(at)



Open-Xchange Privacy Policy for the OX COI Messenger

We are pleased that you have chosen to download and install our OX COI Messenger (hereinafter referred to as “App”). The protection of your personal data is an important topic for us and we will protect your privacy and treat your data confidentially and in accordance with the General Data Protection Regulation (GDPR) and other applicable law.

With this Privacy Policy, we inform you about the types of your personal data we collect and the purposes it will be used for. Since changes of the laws, jurisdiction or our corporate procedures may require an adjustment of this Privacy Policy, we reserve the right to change it without further notice. This makes it necessary to regularly re-read this document to keep track of the changes. Possible changes will not affect the legal basis of any data processing and collection. In case the legal basis changes, we will inform you proactively in the respective situation while using the App, asking for your consent.

Scope of the data collection and processing

As a rule, personal data is only processed for the purpose of providing the service of the App. This refers to data that is technically necessary for the operation of the service (e.g. user name or e-mail address).

In addition, your data will only be processed and used for other purposes if there is a legal legitimation or if you have consented to its use. Your data will not be processed if these conditions are not met.

Please note that the App is designed to access a third-party e-mail service that has set up a user account with an individual e-mail mailbox on its server for you (hereinafter “Service Provider”). Please check with your service provider about how they handle your data. This privacy policy only describes the processes in the App itself.

Personal data

Personal data are any information about personal or factual circumstances of an identified or identifiable natural person. Anonymized or statistical data which could not be related to you or could only be related to you with disproportionate effort are not personal data.

Collection and processing operations

In the following sections we will guide you through the individual processing procedures, explain the respective purpose and the corresponding legal basis.

Log-In data

To establish a connection, the App first asks for your Email address and your password.

The App will then attempt to connect to the specified server of your Service Provider. Please note that the connection is usually logged on the contacted server. Please contact the service provider to determine the scope of the personal data and their handling of the logged data.

If the connection is successful, the App takes over the previously collected e-mail address and asks for the corresponding password in order to transmit both information to the Service Provider and initiate a so-called session. This session serves to grant you access to your e-mail inbox. The service provider then sends an identifier to your device to identify several related requests on your part and associate them with your session. The transmission of the data is necessary for the provision of the core function of the App and is based on Art. 6 Para. 1 lit. b) GDPR.

After successful log-in, the App stores the specified log-in data together with the server information in an access-protected area of the device. This data storage is based on your consent, which you give by pressing the log-in button (6 para. 1 lit. a) GDPR). For information on how to handle the data in the access-protected area of your device, please check the operating instructions and privacy policy of the device manufacturer and the provider of the installed operating system. There you will also find information on how long the data will be stored. Usually, you can also delete the data manually in the device settings. Otherwise, the data will be deleted if you uninstall the App, if your service provider rejects the initial log-in, or if you log-out of the App manually.

Contact data from the address book

The App provides you with an option to import your contacts. For this the App requests access to the data that you have stored in your address book on the device. This enables you to use the e-mail addresses stored there within the App. You can either grant or deny access in a query of the operating system of your device. The access is not necessary for the App to work - you can also deactivate the access later in the settings of your operating system. If you grant access by making the appropriate selection in the query, you give us your consent to data processing within the meaning of Art. 6 Para. 1 lit. a) GDPR.

User generated data

The main feature of the App is the ability to access a compatible e-mail-box from your service provider and to chat in real-time. The e-mails and messages stored there typically contain personal data such as names, e-mail addresses, and sensitive, sometimes highly personal data about you or others. E-mail or message attachments, such as photos, videos, audio files and documents, can also contain sensitive and highly personal data. Please always keep in mind that you are solely responsible for which e-mails or messages you send and which e-mails or messages sent and received you permanently store in your e-mailbox at your Service Provider or in the inbox of the App.

This processing procedure serves to guarantee the functionality of the App in accordance with its intended use and is based on Art. 6 para. 1 lit. b) GDPR. The data will be deleted on your device if you uninstall the App. Usually you can also delete the data in the settings of the device. If required contact your Service Provider to find out how to delete mail data at your Service Provider.

Cookies and tracking

The App does not use any tracking mechanisms that record your user behavior and does not leave any cookies on your device.


You can enable push notifications to get notified about new features. When your Service Provider provides a COI compliant email service, such notifications are transmitted in an encrypted way from your Service Provider to the App. Communication data such as the sender, subject or text of a message is encrypted at your Service Provider, then transmitted in an encrypted form to the service operated by Open-Xchange and hosted on German servers (hereinafter “Push Service”). The Push Service forwards the encrypted data to Google Firebase Cloud Messaging Service and/or Apple Push Notification Service which in turn forward the data to the App. At the App the communication is decrypted and shown to you on your device screen without the need to open the App.

By activating the push functionality, you consent to your Service Provider transmitting this data to the service (Art. 6 para. 1 lit. a) GDPR). Please read the privacy statements of Google, Inc., Apple, Inc. and your Service Provider for more information.

When the push functionality is activated, a unique key is generated to uniquely identify your mobile device, which is then transferred to your Service Provider. This is the only way your Service Provider and the Firebase Cloud Messaging or Apple Push Notification Service can identify your device and deliver push notifications.

This processing operation is necessary to make the push function available and finds its legal basis in Art. 6 para. 1 lit. b) GDPR.

When your Service Provider does not provide a COI-compatible e-mail-service, then the app can only query data in regular intervals. If you enable this feature, you can still get informed about new incoming messages, but such notifications will not be shown as quickly.

You can disable notifications at any time in the App’s settings.

External Hyperlinks

The App itself or the e-mails may contain links to external websites that use cookies and/or tracking mechanisms. We have no control over this. We therefore cannot inform about this. Please refer to the privacy policy of the respective operator of the external website. This privacy statement only describes the data processing operations within the App.

Rights of data subjects

Please note in the following that the data displayed in the App is not stored on our servers, but on the servers of your Service Provider. The data stored in the App or on your device is also outside our control. If you would like to assert your rights from the General Data Protection Regulation in connection with the use of the App, we will still be happy to support you. In the first step, we will check your request to see whether we are the responsible party for your request or whether you would have to address your request to your service provider. In the following we will inform you about your rights, which you can exercise by sending a message to the address given below at section 6.

Right of access by the data subject

Upon request, we will confirm whether we process data about you and, if necessary, provide information on which categories of data are processed for which purpose, how long storage is intended and to which recipients the data is or was transferred to for which purpose (Art. 15 GDPR).

Right to rectification

If, while using the app, you discover that your personal data is outdated or otherwise incorrect, please contact us. If we are responsible, we will correct the data immediately upon your request. We also complete incomplete data if this is necessary and reasonable taking into account the purposes of the data processing (Art. 16 GDPR).

Right to erasure („Right to be forgotten“)

Upon request, we will delete your data immediately within the scope of our responsibility, if we are not prevented from doing so by legal storage periods. In this case, we will restrict access to the data accordingly. We will also delete your data, if available, if the purpose of the processing no longer applies or you withdraw your consent on which the processing is based on. Please note that it is easier for you to delete the data within the App yourself by selecting the functions described above on your device.

Right to restriction of processing

If your data is incorrect or is being processed unlawfully, you also have the right to obtain the restriction of processing these data for a period enabling us or the responsible party to verify the accuracy of the data or lawfulness of the processing. (Art. 18 GDPR). We will then, within the scope of our responsibility, ensure that the data is blocked accordingly.

Right to lodge a complaint

Furthermore, without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of presumed infringement, if you consider that the processing of your personal data is contrary to the General Data Protection Regulation.

Right to data portability

You also have the right to obtain your personal data in a structured, common and machine-readable format in order to transfer them to another controller (Art. 20 GDPR).


Please feel free to address data protection related questions or suggestions at any time. Please find our contact details below. There you can confirm, which of your personal data is stored on our servers, receive further information and exercise your rights to access, rectification, erasure, restriction or data portability.

You may contact the data protection department under:

Open-Xchange AG
Data Protection
Hohenzollernring 72
50672 Köln
E-Mail: privacy(at)

You can also contact our Data Protection Officer:

JENTZSCH IT Rechtsanwaltsgesellschaft mbH
Dr. Jana Jentzsch
Alsterarkaden 13
20354 Hamburg