Privacy Notice

Version effective 19 June 2026

1. General Information

We take the confidentiality and protection of your personal data very seriously. We process your personal data only insofar as permitted under the statutory dataprotection provisions, in particular the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).

This Privacy Notice provides information about how we, Aginom Partnerschaft mbB (“aginom”), process your personal data, in particular when

• you visit our website (see section 3.1),

• you contact or correspond with us or we communicate with you based on your personal data received from third parties (see section 3.2),

• you use our services (see section 3.3),

• you communicate with us by video/audio conference or online chats (see section 3.4), or

• we use artificial intelligence tools (see section 3.5).

This Privacy Notice contains the general information on our processing of personal data. Please also take note of any specific notices that we may provide for individual collection or processing operations carried out using specific technologies or in connection with particular processes.

Unless already stated specifically for the respective processing operation in section 3, you will find below (in sections 4–6) information that applies to all operations regarding the duration of storage, cooperation with processors, disclosure to third parties and to third countries, as well as your rights.

We may update this Privacy Notice at any time. The version published on this website is the current version.

Should you have any questions about this Privacy Notice or how we handle your personal data, please email us (info@aginom.com).

2. Controller

The controller responsible for the processing is:

Aginom Partnerschaft mbB Unter den Nussbäumen 16 65779 Kelkheim (Taunus) Germany Phone: +49 6195 806 9000 Email: info@aginom.com

3. Data Collection and Processing

3.1 Website Visit

3.1.1 Description and scope of data processing

When you access our website www.aginom.com, the following technical information is automatically collected and anonymized immediately upon collection:

• Referrer (previously visited website)

• Requested webpage or file

• Browser type and version

• Operating system used

• Device type used

• Date and time of access

• IP address in anonymized form (used only to determine the location of access)

The above data is stored in log files. This information does not allow us to draw any conclusions about your person, nor will we attempt to identify you by combining it with any other information. The visitor’s IP address is transmitted when a page is requested, then anonymized immediately after transmission and processed without personal reference.

In addition, the above data is processed by a website analytics tool (SiteAnalytics) in the form of tracking and logging: The data is determined either by a pixel or by a log file. To protect personal data, SiteAnalytics does not use cookies. SiteAnalytics stores no personal data of website visitors, so that no conclusions can be drawn about individual visitors.

The website is provided with TLS (Transport Layer Security) encryption via an SSL (Secure Socket Layer) certificate. You can recognize whether an individual page of our website is transmitted in encrypted form by the closed depiction of the key or lock symbol in the lower status bar of your browser or by the secure protocol reference at the beginning of the URL displayed (“https://[…]” instead of “http://[…]”).

Our website includes links to external services (e.g., LinkedIn). When you follow such a link, you leave our pages; the respective provider is solely responsible for any data processing on their site.

The content and data associated with our website resides in data centers located in Germany and is hosted by a service provider that has its seat and its headquarters in Germany. We have concluded a dataprocessing agreement with this provider in accordance with Art. 28 GDPR.

Where Google Fonts are used on the website, they are stored locally on the web server hosted for us, i.e. without data transfers to Google.

3.1.2 Purpose of data processing

The data collected is used to enable smooth connection establishment, to ensure the security and stability of our offering and to provide website visitors with the highest possible level of quality.

In SiteAnalytics the data is also used for statistical analysis and technical optimization of the web offering.

3.1.3 Legal basis of data processing

The legal basis for data processing are our legitimate interests pursuant to Art. 6 (1) (f) GDPR, which are (i) ensuring the technical functionality, integrity, availability, quality and IT security of our website (including protection against attacks, abuse and unauthorized access); (ii) enabling a reliable connection between the website and your device; and (iii) the statistical analysis and technical optimization of our web offering.

3.1.4 Special information regarding cookies

Our website uses only cookies that are necessary to provide basic functions. These cookies are not used for advertising or tracking. Specifically, we set a session cookie to link your visit technically (this is deleted when you close your browser) and a languageselection cookie (wp-wpml_current_language) that stores your chosen language throughout the session (and that expires at the end of the session). These cookies are indispensable for operating the website and are exempt from consent under Section 25 (2) no. 2 of the German Telecommunications Digital Services Data Protection Act (Telekommunikations-Digitale-Dienste-Datenschutz-Gesetz – TDDDG). The data is processed on the basis of our legitimate interest (Art. 6 (1) (f) GDPR) in providing the website in a technically stable, secure and languageappropriate manner. You can, of course, delete or block cookies at any time via your browser settings. Please note, however, that the website will not function fully without these necessary cookies.

For more in-depth information about cookies and how they work and store data, you may refer to Wikipedia’s entry for “HTTP Cookie”.

3.2 Contact and communication

3.2.1 Description and scope of data processing

Our website lists an email address that you can use for initial contact, and it may also refer to e-mail addresses of individuals working at aginom. You may also correspond with us in general by email. If you send us an email, the personal data transmitted with the email is stored and processed according to the purpose of your communication. (An engagement for legal advice or representation or any other contractual relationship is created only by express acceptance of an engagement by the firm aginom. In that case the provisions set out in section 3.3 apply to the further processing of your personal data.)

From time to time, we may receive your personal data not from you directly but from a (prospective) client or others — for example where you are introduced to us as an additional contact for a matter or from publicly accessible sources, opposing parties, courts, or public authorities. In these cases, the data we process are typically your name, professional function, and business contact details, together with any information arising from the matter itself. Where we use your data to communicate with you, we make this privacy notice available to you at the latest when we first contact you.

Please note: Communication by unencrypted email entails security risks. This also applies to invoices we send to you by e-mail. Unauthorized third parties could, among other things, gain knowledge of the transmitted content or modify the message or its attachments. We therefore recommend the use of secure communication channels for transmitting confidential information—please feel free to contact us about this. Otherwise, we assume that you agree to mutual email communication with aginom without special electronic signature or encryption procedures.

3.2.2 Purpose of data processing

We process your personal data to handle the enquiry or matter in accordance with the respective purpose of that communication or matter, respectively.

3.2.3 Legal basis of data processing

The legal basis for processing the data transmitted by email is Art. 6 (1) (f) GDPR. Our legitimate interests are: (i) receiving, reviewing and responding to enquiries directed at the firm; (ii) collaborating with employees, officers and other representatives of clients for the purposes of an engagement or matter, (iii) documenting the correspondence to demonstrate compliance with our professional duties and for evidentiary purposes; and (iv) operating and maintaining the firm’s general contact channels in an organized and reliable manner. To the extent the communication aims at concluding a contract or relates to an existing contractual relationship with you, Art. 6 (1) (b) GDPR (precontractual measures or performance of contract) serves as the legal basis.

3.3 Provision of Our Services

3.3.1 Description and scope of data processing

Once a contract for the provision of services by aginom is concluded—or in the course of initiating such a contract—we collect additional personal data. We employ appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorized access by third parties, taking into account the state of the art, implementation costs, and the nature, scope, context and purpose of the processing, as well as the existing risks of a data breach (including its likelihood and impact) for the data subjects. Our security measures are continuously improved in line with technological developments.

We are happy to provide you with further details upon request.

3.3.2 Purpose of data processing

We collect this data in order to

• identify you as our (potential) client and contractual partner or as an employee, officer or other representative of a (potential) client and contractual partner,

• check whether any conflict of interest exists that would prevent us from accepting an engagement,

• advise or represent you or the company you represent appropriately, and generally to fulfil our contractual obligations to you or the company you represent,

• correspond with you,

• issue invoices,

• handle any potential liability claims and assert any claims against you or the company you represent,

• comply with legal obligations, and

• carry out general administrative activities such as accounting, knowledge management and electronic file keeping.

3.3.3 Legal basis of data processing

Where our client is a company or other organization and you are its employee, officer, or other representative or contact person, the contract for legal services is concluded with that organization and not with you personally. We process your personal data on the basis of our legitimate interests pursuant to Art. 6 (1) (f) GDPR — namely, our interest and that of our client in performing the engagement, in identifying and communicating with the persons acting for our client, and in conducting the conflict-of-interest check — and the corresponding interests of our client. We assume you would reasonably expect this processing in your professional capacity.

Where you are our client and contractual partner as a natural person, we process your personal data on the basis of Art. 6 (1) (b) GDPR, because the processing is necessary to take steps at your request prior to entering into the engagement (including the conflict-of-interest check) and to perform the resulting contract for legal services. Providing the data needed to identify you and to carry out the engagement is, in this case, a precondition for concluding and performing the contract; without it we cannot accept or carry out the mandate.

We are also partially obliged by law to process data (Art. 6 (1) (c) GDPR). For certain types of engagement (in particular real-estate transactions, the formation or administration of companies, and the handling of client funds), anti-money-laundering law requires us to identify our clients and the persons acting on their behalf and to retain the corresponding records. These duties currently arise under the German Money Laundering Act (Geldwäschegesetz – GwG) and, from 10 July 2027, primarily under the directly applicable EU Anti-Money Laundering Regulation (Regulation (EU) 2024/1624). Moreover, under Section 50 of the German Federal Code for Lawyers (Bundesrechtsanwaltsordnung – BRAO) we are professionally obliged to maintain legal files and may use electronic data processing for this purpose.

Otherwise, the processing of your personal data for administrative purposes is based on Art. 6 (1) (f) GDPR, as it serves our legitimate interest in operating our law firm, in particular

• maintaining orderly internal accounting, billing and electronic file-keeping;

• running internal knowledge management (including matter precedents and know-how systems) for the quality and consistency of our advice;

• running firm-wide conflict-of interest screening across all current and historic client matters and maintaining the associated conflicts database, insofar as this goes beyond the matter-specific conflict check carried out under Art. 6 (1) (b) GDPR in relation to the individual engagement; and running onboarding procedures;

• the assertion of, and defense against, actual or threatened legal and professional-liability claims;

• IT security and the protection of confidential information entrusted to us; and

• complying with certain professional-conduct standards under the BRAO and the BORA) that, while binding on us as a matter of professional ethics, may not in every case constitute a “legal obligation” within the meaning of Art. 6 (1) (c) GDPR – in particular, obligations relating to professional training and continuing education (s. Section 43a (6) BRAO), professional indemnity record-keeping (s. Section 51 BRAO), and the maintenance of trust-account records beyond the statutory retention period (s. Section 4 BORA).

3.3.4 Disclosure of data to third parties

We do not transmit your personal data to third parties for purposes other than those listed below.

Where necessary pursuant to Art. 6 (1) (b) GDPR for handling engagements for legal services and other contractual relationships with you, your personal data is disclosed to third parties. This includes, in particular, disclosure to opposing parties and their representatives (especially their lawyers) as well as courts and other public authorities for the purpose of correspondence and to assert and defend your rights and, where applicable, to arrange cost coverage with your legal expenses insurer. The recipients may use the disclosed data solely for the purposes stated. Attorneyclient confidentiality remains unaffected.

We process engagementrelated data and files electronically using cloud storage services. Such services act as processors on our behalf and are contractually obliged pursuant to Art. 28 GDPR to process your data solely according to our instructions and to implement appropriate security measures. Our primary service provider for the storage of engagement-related data is a German entity that has its seat and headquarters in Germany. The server location is in Germany, and the provider is certified to ISO 27001.

We may also use artificial-intelligence-based tools to support the provision of our services (for example for research, drafting and document analysis). Such use may involve the processing of personal data relating to you. For details on such processing, the safeguards we apply and your options to object, please see section 3.5 below.

3.4 Video and Audio Conferences / Online Chats

3.4.1 Description and scope of data processing

To conduct video or audio conferences and/or online chats, in each case as agreed with you, we use suitable communication software and services provided by external vendors. This generally requires processing the following personal data:

• Name,

• Email address,

• if applicable, telephone number,

• meeting ID or other sessionspecific identifier,

• if used by you, the video and/or audio data stream relating to your communication and that of other participants in the conference,

• if used by you, text communication (chat) data, any files you upload and data displayed on your screen if you actively use the “share screen” function.

3.4.2 Purpose of data processing

We collect and process these data solely to communicate about the subject (as stated in the meeting invitation or otherwise agreed).

3.4.3 Legal basis of data processing

Data processing is carried out in the context of contract initiation or performance pursuant to Art. 6 (1) (b) GDPR where the client is a natural person, otherwise pursuant to Art. 6 (1) (f) GDPR (legitimate interest). Where Art. 6 (1) (f) GDPR is the applicable legal basis, our specific legitimate interest is to enable efficient and reliable audio and/or video communication with representatives of (prospective) clients, business contacts, opposing parties, courts and authorities, and to do so by means of established, widely-spread and secure communication services.

3.4.4 Recordings and further processing

We do not record, transcribe, automatically summarize or otherwise further process the above data without your prior consent (and that of all other participants). Each service uses different methods to indicate the activation and deactivation options for the respective functionality. Please pay attention to the relevant notices.

Otherwise, your data is stored only to the extent technically necessary for the respective session.

3.4.5 Notes on individual providers

In particular, we use the following services for communication and provide the following additional information. Please note that we have no control over any data collection by the respective provider itself (e.g., your login or account information for the relevant service).

Microsoft Teams: This service is provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Details on data processing can be found in Microsoft’s privacy statement: https://privacy.microsoft.com/en-us/privacystatement.

Zoom: This service is provided by Zoom Communications Inc., 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA. Details on data processing can be found in Zoom’s privacy policy: https://explore.zoom.us/en/privacy/.

The use of both Microsoft Teams and Zoom may involve data transfers outside the EU or EEA, including transfers to the USA. Both companies are certified under the EUUS Data Privacy Framework (DPF). The DPF is an arrangement between the European Union and the USA that is intended to ensure compliance with European dataprotection standards for data processing in the USA. Each company certified under the DPF undertakes to comply with these standards. Further information is available from the provider: https://www.dataprivacyframework.gov/.

Data transfers to the USA are additionally based on the EU Commission’s standard contractual clauses, to which both companies refer in their respective privacy notices.

There is a data processing agreement between aginom and Zoom, as well as between aginom and Microsoft, according to Article 28 GDPR.

We use Microsoft Teams and Zoom primarily, because this corresponds to the preference of most of our clients. We are open to using an alternative provider or communication channel of your preference, particularly if you require or wish to further reduce any residual risk of access by authorities outside the EU. Please contact us at any time so that we can meet your requirements, especially with regard to the provider’s registered office and server location.

3.5 Use of Artificial Intelligence (AI) Tools

3.5.1 Description and scope of data processing

In the course of providing our services and operating our firm, we use artificial-intelligence-based tools (such as large language model (LLM)-based generative-AI chatbots, assistants, agents and AI-supported search tools, collectively “AI Tools”).

We use AI Tools, in particular, for the following processing operations:

• legal research and the review of statutes, case-law and publicly available materials;

• the drafting, summarization, translation and editing of documents, memoranda and correspondence;

• the analysis of factual material in connection with a client engagement (which may include personal data of the client, of opposing parties and of other natural persons);

• knowledge-management and the production of internal precedents and templates; and

• the technical and administrative support of our firm’s operations.

Depending on the specific tool and use case, the processing may include any of the personal data described in sections 3.1 to 3.4 above, including name, contact details, content of correspondence and—where you have entrusted us with a matter—matter-related personal data.

In many cases, we can avoid the processing of personal data entirely when using AI Tools. Where this is not the case, by default with respect to AI Tools that are not hosted in infrastructure controlled by us (or on our behalf in the European Union with appropriate safeguards including a data processing agreement under Art. 28 GDPR), we pseudonymize personal data (either manually or in an automated form) before it is submitted to any such AI Tool, by replacing direct identifiers (such as names, contact details and other directly identifying information) with internal reference codes. The key that re-associates these references with the underlying individuals is solely held by us and is not disclosed to the provider of such AI Tool.

Our usage of AI Tools may involve the use of services of third party providers that may be established in third countries (in particular the United States) and associated third country transfers. See Section 6 below for further information on data privacy aspects of such transfers.

(For the avoidance of doubt, our legal obligation as attorneys to ensure professional secrecy (including in relation to the identity of client that is a company) remains unaffected and may require additional measures.)

3.5.2 Purpose of data processing

We use AI Tools to provide our services efficiently, to manage our firm’s operations effectively and, where relevant to a particular engagement, to perform our contractual obligations to you.

3.5.3 Legal basis of data processing

Where AI Tools are used in the context of an engagement with a natural person and the usage of AI Tools is necessary for performing or initiating the engagement purpose (e. g. where the use of artificial intelligence is expressly requested by the client), the legal basis is Art. 6 (1) (b) GDPR (performance of contract / pre-contractual measures).

Otherwise (in particular for general administrative or research use, or where it is required for an engagement with a client that is not a natural person, or where the usage of such tool is useful but not strictly necessary for performing a specific engagement), the legal basis is Art. 6 (1) (f) GDPR. Our specific legitimate interests are: (i) operating our firm efficiently and competitively; (ii) improving the quality, consistency and turn-around-time of our advice; and (iii) keeping our internal knowledge-management and document-generation processes up to date with the state of the art.

We have assessed these interests against your interests, fundamental rights and freedoms and have concluded that our legitimate interests are not overridden by your interests or rights. In reaching this conclusion, we have taken into account, in particular, that we minimize the processing of personal data through AI Tools, that we pseudonymize personal data before it is submitted to certain AI Tools that pose heightened risks to the confidentiality of the personal data (as described in Section 3.5.1 above), that we limit our use of AI Tools to providers offering appropriate contractual and technical safeguards and that we practice human oversight as part of our processes.

Where the use of an AI Tool on a specific engagement would, in our professional judgement, no longer meet this standard (for instance, because it would involve highly sensitive client data on infrastructure for which our standard safeguards are not sufficient), or where prohibited by applicable law, we will not use the AI Tool, or we will seek your prior informed consent.

3.5.4 No model training

We will not use, and will not permit any AI Tool provider to use, your personal data for training or fine-tuning AI models, unless you have separately consented to this.

3.6 No automated decision-making and profiling

• We do not use any personal data collected from you in a procedure for automated decisionmaking (including profiling).

4. Duration of storage and deletion of data

Your personal data are deleted or blocked as soon as they are no longer required to achieve the purpose for which they were collected and unless statutory regulations (especially retention obligations) require longer storage.

Visitor data collected when the website is accessed are stored for eight weeks and then deleted.

If aginom is engaged to provide services, the personal data we collect are stored until the statutory retention period expires (for lawyers six years after the end of the calendar year in which the engagement was terminated) and then deleted, unless we are obliged to store them for a longer period pursuant to Art. 6 (1) (c) GDPR due to tax and commercial retention and documentation obligations (under the German Commercial Code, Criminal Code or Fiscal Code), the storage is necessary for the assertion of claims or the defense against (threatened) claims (Art. 6 (1) (f) GDPR), or you have given your consent to store your data beyond this pursuant to Art. 6 (1) (a) GDPR.

5. Cooperation with processors

We employ other service providers in the areas of IT, logistics, telecommunications and payment services to conduct our business in addition to those expressly mentioned in this Privacy Notice. They act solely on our instructions and have been contractually obliged pursuant to Art. 28 GDPR to comply with dataprotection regulations.

6. Transfer of personal data to third countries

In the course of our business relationship, your personal data may be disclosed or made available to thirdparty companies, which may also be located outside the European Economic Area (EEA), i.e., in third countries. Such processing occurs exclusively to fulfil contractual and business obligations and to maintain your business relationship with us (legal basis Art. 6 (1) (b) or (f) in conjunction with Art. 44 et seq. GDPR). We will inform you of the details of any disclosure at the relevant points.

The European Commission has recognized some third countries as having a level of data protection comparable to the EEA standard through so-called adequacy decisions (a list of these countries and copies of the decisions can be obtained here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). This includes also the so-called DPF with the United States of America (as described in Section 3.4.5 above). https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

In some third countries to which personal data may be transferred, there may be no consistently high level of data protection due to missing legislation. Where this is the case, we ensure that data protection is adequately covered, for example through binding corporate rules, the European Commission’s standard contractual clauses for the protection of personal data pursuant to Art. 46 (1), (2)(c) GDPR (the 2021 standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915), certificates or recognized codes of conduct. Where required, we have conducted a Transfer Impact Assessment and have implemented supplementary technical/organizational/contractual measures, (including, as available: pseudonymization of personal data before transfer, contractual prohibition of AI model training on our inputs, zero-data-retention configurations, using deployment options that keep processing within the EU/EEA, for example by routing through EU-region endpoints or using EU-based intermediaries).

Please contact us if you require further information on this subject, or if you require data processing options avoiding any third country transfers.

7. Your rights

With regard to all scenarios covered by this Privacy Notice, you have the right to:

• request information pursuant to 15 GDPR about the personal data we process concerning you;

• request without undue delay the rectification of inaccurate or completion of your personal data stored by us pursuant to 16 GDPR;

• request the erasure of your personal data stored by us pursuant to 17 GDPR;

• request the restriction of processing of your personal data pursuant to 18 GDPR;

• receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or request their transmission to another controller pursuant to 20 GDPR;

object to the processing pursuant to 21 GDPR if the processing is based on Art. 6 (1) (f) GDPR. When exercising such an objection, please explain the reasons why we should not process your data as we have done. If your objection is justified, we will examine the circumstances and either stop or adjust the data processing or demonstrate our compelling legitimate grounds for continuing the processing. If you object to the storage of your data in the context of an email correspondence, the conversation cannot be continued and the provision of any services by us may thus become impossible;

• withdraw your consent at any time pursuant to 7 Abs. 3 GDPR, with the result that we may no longer continue any data processing that was based on this consent in the future;

• lodge a complaint with a supervisory authority pursuant to 77 GDPR. You can normally contact the supervisory authority at your usual place of residence, place of work or our registered office. The competent supervisory authority for the state of Hessen, which is also responsible for our registered office, is:

Hessian Commissioner for Data Protection and Freedom of Information P.O. Box 3163 65021 Wiesbaden Phone: +49 611 14080 Fax: +49 611 1408900 Email: Poststelle@datenschutz.hessen.de

Date of last update: 19 June 2026