en | de

Privacy policy

Highest security standards

From 25 May 2018, the EU General Data Protection Regulation (GDPR) will apply. The new statutory regulation pertaining to the processing of personal data is meant to strengthen the protection of personal data. The security of your data is our top priority. Therefore, we are ensuring the proper implementation of the General Data Protection Regulation. For further questions please contact our data protection officer (see imprint for contact).


For the transmission of data from the server to the user, we use the asymmetric encryption method RSA with the key size of 2048 bit (SSL encryption). This is the security standard used by most banks today. As with online banking, you can use Onexma under maximum security conditions.

Server location only in Germany

We only use only servers hosted in Germany for the Onexma application, databases and data storage. No data or components for data transmission are stored or used outside of Germany. The only exception to this is the provision of apps for mobile phones, which are provided by the corresponding app stores and stored on foreign servers. No user or billing data will be transmitted to third parties here either.

Two-factor authentication

You can provide more protection for your Onexma account with the optional two-factor authentication. This two-step verification requires an additional PIN for authentication in addition to the user's personal password. The second factor is, for example, generated via the Google Authenticator app on one’s smartphone.

Your data is your property

Your data stored at Onexma is your property. You have the option of exporting your data yourself at any time. Of course, this also applies in the event of cancellation. Through various reports and export functions, such as the export of scanned documents, the backup and the possibility of "taking with" all the data is guaranteed. We process your data exclusively as part of software delivery. The data are not used for any other purposes and, in particular, not disclosed to third parties.

Access control through roles and authorisations

An integrated role and authorisation concept regulates in detail which employee in your company can access which data records. This ensures that only authorised users have access to specific areas. The assignment of roles and authorisations can be individually specified and implemented by the company itself.

Daily data backup

At Onexma, an internal backup as well as on a second server is done at least once a day. Thus, your data is automatically backed up by us daily.

Data protection policy

1. General
This data protection policy clarifies the nature, scope and purpose of the collection and use of personal data by the responsible provider Onexma Ltd. & Co. KG, Rudolf-Diesel-Str. 4, 63322 Roedermark, Tel. +49 69/175545990, Fax +49 69/175545999, email: Data privacy and security are of utmost importance to us. Your data is therefore kept strictly confidential. In no case will your data be evaluated or passed on to third parties. Data is only stored when using the application and when logging in (IP numbers). Registered users will NOT be evaluated by means of Google Analytics or similar analysis tools.

Contact details of the data protection officer:, PROLIANCE GmbH
Leopoldstraße 21, 80802 Munich

Companies in the tariff business receive a contract processing agreement on request. Additional costs may apply for this. The storage of the personal data of employees is not absolutely necessary for the use of Onexma travel expense reports. You can thus use many functions without specifying real names or personal email addresses. Furthermore, in the course of order processing, companies receive documentation for all users with extended authorisations.

2. Information, deletion, limitation of processing, right of withdrawal and correction
You can receive information about your personal data stored by us as well as the origin, the recipient and the purpose of data collection and data processing at any time and free of charge. In addition, you have the right to request the correction, limitation or deletion of your data. Furthermore, you have the right to revoke your consent at any time. For further information or questions on personal data, you can contact us at the address stated in the imprint at any time.

3. Data processing by visiting our website
When you visit our websites, it is a technical necessity for data to be transmitted to our web server via your internet browser. The following data is recorded during an ongoing connection for communication between your internet browser and our web server:
• Visited domain
• Date and time of the request
• Page from which the file was requested
• Access status (file transfer, file not found, etc.)
• Web browser and operating system used
• IP address of the requesting computer
• Transmitted data amount

We collect the listed data in order to ensure smooth connection of the website and to facilitate comfortable website utilisation by the users. In addition, the log file serves the purposes of evaluation of system security and stability as well as administrative purposes. The legal basis for the temporary storage of data or log files is Art. 6 para. 1 lit. f GDPR.

For technical security reasons, in particular to ward off attacks on our web server, these data may be temporarily stored by us. An inference on individual persons is not possible on the basis of these data. After seven days at the latest, the data is anonymised by shortening the IP address at the domain level, so that it is no longer possible to connect it to the individual user. There is no evaluation of these data except for statistical purposes in an anonymous manner. There is no merger of these data with data from other data sources.

To secure this site against attacks and to optimize the load times CloudFlare is used. Cloudflare is a certified participant in the EU-US Privacy Shield Framework. Cloudflare has undertaken to handle all personal data held by Member States of the European Union (EU) in accordance with the Privacy Shield Framework in accordance with its applicable principles. Cloudflare collects statistical information about your visit to this website. The access data include: name of the retrieved web page, file, date and time of retrieval, amount of data transferred, message about successful retrieval, browser type and version, user's operating system, referrer URL (previously visited page), IP address and the requesting one provider. Cloudflare uses the log data for statistical analysis for the purpose of operation, security and optimization of the offer. The collected raw data are reported there i.d.R. deleted within 4 hours, at the latest after 3 days. Here you will find [information about the data collected] there and about [security & privacy] at CloudFlare.

4. Contact form/E-mail
If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provided, will be stored in order to process the request and in the case of follow-up questions. We will not share this information without your consent.

5. Registration/E-mail
You have the possibility to register for certain services provided on our website and to create a user profile. We collect and use the following personal data in the course of the registration and setup:
• First name, surname, title
• Email address of the user
• Date and time of registration
Additionally, voluntary information can be provided (e.g. postal address, telephone number, etc.). Your user account gives you the opportunity to use other parts of our website and to log in for the offers you have purchased. Legal basis of data processing is with consent - Art. 6 par. 1 lit. a GDPR or Art. 6 para. 1 lit. b GDPR - insofar as processing is required to provide the requested services. Your data will be deleted as soon as the user account is deleted on our website and there are no statutory storage requirements. A change and/or deletion of your user account, including the data you provided, can usually be done directly in your user account after logging in, or by sending an appropriate message to our support department.

6. Cookies
We use so-called cookies to better customise our website to you needs. "Cookies" are small text files that are stored in the memory of your internet browser. The cookies on our website are used, among other things, to recognise your language, functions of your browser and your device and to thus simplify, for example, the date entry and selection lists. Most of the cookies we use are so-called session cookies, which are automatically deleted after the browser has been closed. Other cookies remain stored on your device until you delete them, or the memory expires. These cookies allow us to recognise your browser the next time you visit our website.

Cookies are partly used to simplify website processes by saving settings (for example, previously selected options). Insofar as cookies implemented by us to process personal data, the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR either for the conclusion of the contract or in accordance with Art. 6 para. 1 lit. f GDPR for safeguarding our legitimate interests in the best possible functionality of the website, as well as a customer-friendly and effective configuration of the page visit.
Please note that disabling cookies may limit the functionality of this website.

7. Integration of services and contents of third parties
It may occur that third-party content, such as videos from YouTube, maps from Google Maps, RSS feeds or graphics from other websites are integrated into this online offer. This assumes that the providers of this content (hereinafter referred to as "third-party provider") detect the IP address of the users, because without the IP address, they would not be able to send the content to the browser of each user. The IP address is therefore required for the display of this content. We make an effort to only use content whose respective providers use the IP address solely for the delivery of the content. However, we have no influence on whether the third-party provider uses the IP address, for example, for statistical purposes. If we become aware of this, we will inform users about it.

8. Data protection policy for the use of Google Analytics
As of 25/05/2018 this website does not use Google Analytics.

9. Use of our Facebook page
When you visit our websites at, a direct connection is established between your browser and the Facebook server. Facebook receives the information that you have visited our Facebook page with your IP address. If you click on the Facebook "Like-Button" while you are logged into your Facebook account, you can link the contents of our pages to your Facebook profile. As a result, Facebook can ascribe the visit to our pages to your user account. We would like to point out that we, as the provider of the pages, are not aware of the content of the data transmitted and their use by Facebook. For more information, see the Facebook privacy policy at If you do not want Facebook to link your visit to our pages with your Facebook user account, please log out of your Facebook user account.

10. Duration of storage of personal data
The duration of the storage of personal data is determined by the relevant statutory storage periods (e.g. from commercial law and tax law). After expiry of the respective period, the corresponding data are routinely deleted. Insofar as data are required for contract fulfilment of initiation or if we have a legitimate interest in the continued storage, the data will be deleted if they are no longer required for these purposes or if you utilise your right of revocation or objection.

May 2018