Data Protection Policy

Updated March 14, 2022

Thank you for visiting our website. The protection and confidentiality of your personal data are of particular importance to StepStone.

In this document we inform you about the processing of personal data in connection with the services we offer at (referred to as “Platform”) or services that incorporate this Data Protection Policy. Personal data comprises all information that relates to an identified or identifiable natural person (Article 4 (1) GDPR). This includes information such as your name, e-mail address, postal address, or telephone number. Information that is not directly associated with your identity, e.g. the number of users of an Internet site, does not fall within this scope.

1. Who is responsible for the processing of your personal data?

The data controller (hereinafter referred to as “StepStone” or “we”) in the sense of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

StepStone GmbH

Völklinger Straße 1

40219 Düsseldorf

T +49 211 93693-0

F +49 211 93493-5900



You can contact our data protection as follows:

StepStone GmbH

Völklinger Straße 1

40219 Düsseldorf

T: +49 (0) 211 93493-0


3. Purposes and legal basis of the data processing and period for which data will be stored in the context of a general use of our Platform and services

In the following we inform you about the different purposes for which we process personal data, on which legal basis such processing takes place, and for how long we store the data.

Insofar as we obtain the consent of the data subject for processing personal data, Art. 6 (1) (a) EU General Data Protection Regulation (GDPR) is the legal basis for the processing of personal data. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, such as the use of this Platform or the services offered therein, Art. 6 (1) (b) GDPR is the legal basis. This also applies to processing operations required to carry out pre-contractual actions. If processing of personal data is required to fulfil a legal obligation that our company is subject to, Art. 6 (1) (c) GDPR is the legal basis. If processing is necessary to safeguard the legitimate interests of our company or a third party, and if the interests, fundamental rights, and freedoms of the data subject do not override those interests, Art. 6 (1) (f) GDPR is the legal basis for processing.

The personal data of the data subject will be stored for as long as the purpose for which the personal data has been collected continues.

3.1 General access to our Platforms

With each access to our Platform, we collect data and information from the accessing device and store this data and information in the log files of the server. We may collect (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (known as referrers), (4) the sub-pages that are accessed on our website, (5) the date and time of access to the website, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information used to defend against attacks on our IT systems. For security purposes, i.e. to be able to reconstruct a possible attack against our Platform, we store such data including the IP address for 14 days and then anonymize or delete such data. The IP address is required during the connection to transfer the contents of our Platform to your device. The legal basis for the processing and storage of the IP address is a legitimate interest as per Article 6 (1) (f) GDPR. The legitimate interest for the transmission of the IP address is that it is required to display the contents of the Platform; without transmission of the IP address, it is not possible to display the content of the Platform. The legitimate interest for the temporary storage is our security interest.

3.2 Optimization of search and recommendation functions

We may also store information about your usage patterns on our Platform in order to create statistical models to make our Platform more user-friendly. In this context we also save your IP address in a pseudonymized form (that means that a natural person can no longer be identified based purely on the information in the statistical model) to exclude automated accesses (bots) to our Platform when creating the statistical models. The legal basis for this purpose is Art. 6 (1) (f) GDPR. Our legitimate interest is to ensure the functionality of the statistical model to improve our services. The pseudonymized IP address is deleted after one year.

3.3 Contact form and e-mail contact

Our Platform provides contact forms that can be used to contact us electronically. The contact forms will ask you to provide personal information, such as your name and contact details. In some cases, and in addition to your contact information, you may enter your enquiry directly into a free form field.

By clicking the “Send” button, you consent to the transmission to us of the data entered in the input form. In some cases, you may receive an email confirming the receipt of your enquiry. Depending on your enquiry, your request will be forwarded within the StepStone organisation to find the correct contact partner for your request.

We save the date and time of your contact. Alternatively, contact via the e-mail address provided is possible. In this case, the user’s personal data transmitted along with the e-mail and our response will be stored. The personal data voluntarily transmitted to us in this context is used to process your inquiry and to contact you as needed. The legal basis for the transmission of the data is Art. 6 (1) (a) GDPR. The data will be used for this purpose until the specific conversation with you has ended. The conversation will be deemed ended when it can be inferred from the circumstances that the relevant facts have been conclusively clarified.

3.4 Use of data processors for hosting and securing our Platform, administrative, troubleshooting, and support services

We use data processors, which we list below, to provide our services. The legal basis for using these data processors is legitimate interest under Art. 6 (1) (f) GDPR. The legitimate interest lies in the execution of our business activities, particularly to provide the services described in this Data Protection Policy or in the Terms and Conditions. No conflicting interest is apparent because we have entered into a data processing agreement with the respective processors under Art. 28 GDPR.

3.4.1 Hosting

We use data processors to host our Platform and for back-up services, meaning that personal data that is stored on our Platform is transferred to these data processors. These data processors are Amazon Webservices, Inc., 410 Terry Drive Ave North, WA 98109-5210 Seattle, USA (who processes data solely in the EU), StepStone Continental Europe GmbH, Völklinger Straße 1, 40219 Düsseldorf, Germany and StepStone N.V., Koningsstraat 47 Rue Royale, 1000 Brussels Belgium. These data processors will store the data for the same duration as it is stored on our Platform for the various purposes defined in this Data Protection Policy.

3.4.2 Administrative, troubleshooting, and support services

We use StepStone Services sp. z o.o., ul. Domaniewska 50, 02-672 Warsaw, Poland, for administrative, troubleshooting, and support services. StepStone Services sp. z o.o. will only process your personal data in exceptional cases, e.g. if needed to rectify technical issues. In such cases personal data will only be stored to the extent and for the duration that is necessary.

3.4.3 Web application firewall

We use Akamai Technologies GmbH, Parkring 20-22, 85748 Garching, Germany, as a web application firewall as part of our technical and organizational protection measures. To protect our systems, content is therefore delivered to website visitors via Akamai.

4. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you are entitled to the rights pursuant to Article 12 et seq. GDPR against the data controller. These rights include, among others, the right of access, the right to rectification, the right to restriction of processing, the right to erasure, the right to data portability, the right to object, the right to revoke the declaration of consent under data protection law, the right to non-automated decision-making in individual cases, including profiling, and the right to lodge a complaint with a supervisory authority. Further information can be found in the GDPR, available at

5. Amendment of the data protection policy; amendment of purpose

We reserve the right to amend this Data Protection Policy in consideration of stipulations under data-protection law. You will always be able to locate the current version here or at another corresponding, easily locatable place on our website or in our app. If we intend to process your data for purposes other than those for which it was collected, we will notify you about this in advance in compliance with the statutory provisions.