Privacy Policy
Introduction
With the following privacy policy, we aim to inform you about the types of your personal data (hereinafter also referred to as “data”) we process, for what purposes, and to what extent. This privacy policy applies to all data processing activities conducted by us, both in the course of providing our services and, in particular, on our websites, mobile applications, and external online presences such as our social media profiles (hereinafter collectively referred to as the “online offering”).
The terms used are not gender-specific.
Date: September 27, 2022
Table of Contents
- Introduction
- Person in charge
- Contact Data Protection Officer
- Processing Overview
- Relevant Legal Bases
- Security Measures
- Transfer of Personal Data
- Data Processing in Third Countries
- Data Deletion
- Use of Cookies
- Business Services
- Providers and Services used in Business Operations
- Payment Methods
- Provision of Online Offering and Web Hosting
- Registration, Login, and User Account
- Blogs and Publishing Media
- Contact and Inquiry Management
- Chatbots and Chat Functions
- Video Conferences, Online Meetings, Webinars, and Screen Sharing
- Audio Content
- Application Processes
- Cloud Services
- Newsletters and Electronic Notifications
- Promotional Communication via Email, Mail, Fax, or Telephone
- Contests and Competitions
- Surveys and Questionnaires
- Web Analysis, Monitoring, and Optimization
- Online Marketing
- Social Media Presences (Social Media)
- Plugins and Embedded Functions and Content
- Change and Update of the Privacy Policy
- Rights of Data Subjects
- Definition of Terms
Person in charge
BARC GmbH
Berliner Platz 7
97080 Würzburg
Authorized Representatives:
Carsten Bange
Email Address:
[email protected]
Imprint:
https://barc.com/en/imprint/
Contact Data Protection Officer
Alexander Seeliger
[email protected]
Processing Overview
The following overview summarizes the types of data processed, the purposes of their processing, and refers to the data subjects involved.
Types of Processed Data
- Master Data.
- Payment Data.
- Location Data.
- Contact Details.
- Content Data.
- Contract Data.
- Usage Data.
- Meta/Communication Data.
- Applicant Data.
- Image and/or Video Recordings.
Special Categories of Data
- Health Data.
- Religious or Philosophical Beliefs.
Categories of Data Subjects
- Customers.
- Employees.
- Prospective Customers.
- Communication Partners.
- Users.
- Applicants.
- Contest and Competition Participants.
- Business and Contract Partners.
- Students & Participants.
Purposes of Processing
- Provision of contractual services and customer support.
- Contact inquiries and communication.
- Security measures.
- Direct marketing.
- Range measurement.
- Tracking.
- Office and organization procedures.
- Remarketing.
- Conversion measurement.
- Click tracking.
- Management and response to inquiries.
- Application processes.
- Conducting contests and competitions.
- Firewall.
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online offering and user-friendliness.
- Information technology infrastructure.
Relevant Legal Bases
Below, you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our place of residence or business. Should more specific legal bases be applicable in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for a specific purpose or purposes.
- Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary to comply with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
- Application procedures as a pre-contractual or contractual relationship (Art. 6(1)(b) GDPR) – Where special categories of personal data in the sense of Art. 9(1) GDPR (e.g., health data, such as disability status) are requested from applicants as part of the application process, their processing is carried out in accordance with Art. 9(2) lit. b GDPR so that the data subject may exercise their rights and fulfill their obligations under labor law, social security and social protection law, provided that it is in the interests of the data subject to provide such data. In the case of special categories of data on a voluntary basis, the processing is carried out in accordance with Art. 9(2) lit. a GDPR.
In addition to the data protection regulations of the General Data Protection Regulation (GDPR), there are national data protection regulations in Germany. This notably includes the Act for the Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains specific provisions concerning the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, transmission, and automated decision-making on an individual basis, including profiling. Furthermore, it regulates data processing for employment-related purposes (§ 26 BDSG), especially with regard to the initiation, execution, or termination of employment relationships and employee consent. Moreover, regional data protection laws of individual federal states may also be applicable.
Security Measures
In accordance with the legal requirements and taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to data as well as the access, input, disclosure, availability, and separation of data. We have also established procedures to ensure the exercise of data subject rights, data deletion, and the response to data threats. Furthermore, we take the protection of personal data into account during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection through technology design and data protection-friendly default settings.
TLS Encryption (https): To protect the security of your data during transmission, we use state-of-the-art encryption methods (e.g., SSL) via HTTPS.
Transfer of Personal Data
In the course of our data processing, we may transfer or disclose data to other entities, companies, legally independent organizational units, or individuals. These recipients may include, for example, providers of IT services responsible for specific tasks or providers of services and content integrated into a website. In such cases, we ensure that the transfer or disclosure complies with the legal requirements and is supported by contractual agreements designed to protect your data.
Data Transfer Within the Organization: We may transfer personal data to other units within our organization or grant them access to this data. When such transfer is for administrative purposes, it is based on our legitimate business and organizational interests or is carried out where necessary to fulfill our contractual obligations or when we have obtained your consent.
Data Processing in Third Countries
In the event that we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if processing occurs within the use of third-party services or the disclosure or transfer of data to other individuals, entities, or companies, such processing will only take place in compliance with legal requirements.
Subject to explicit consent or a contractually or legally required transfer, we will only process or have the data processed in third countries with an acknowledged level of data protection, contractual commitments via the so-called standard data protection clauses of the EU Commission, in the presence of certifications, or binding corporate rules (Articles 44 to 49 of the GDPR, information provided by the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de.
Data Deletion
The data processed by us will be deleted in accordance with legal requirements as soon as the consents permitting their processing are revoked or other permissions expire (e.g., when the purpose of processing this data is no longer applicable or they are not necessary for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons or whose storage is necessary to assert, exercise, or defend legal claims or to protect the rights of another natural or legal person.
In our privacy policy, we can provide users with further information regarding the deletion and storage of data specifically relevant to the respective processing processes.
Use of Cookies
Cookies are small text files or other storage markers that store information on devices and read information from devices. For example, they may save login status in a user account, the content of a shopping cart in an e-shop, the accessed content, or the functions used in an online offering. Cookies can also be used for various purposes, such as ensuring the functionality, security, and convenience of online offerings and for creating visitor flow analyses.
Consent Information: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, unless it is not legally required. Consent is not required, in particular, if storing and reading information, including cookies, is essential to provide users with a telemedia service that they expressly requested (i.e., our online offering). Revocable consent is clearly communicated to users and includes information about the respective cookie usage.
Data Protection Legal Basis Information: The legal basis on which we process users’ personal data using cookies depends on whether we request user consent. If users consent, the legal basis for processing their data is the declared consent. Otherwise, the data processed using cookies is based on our legitimate interests (e.g., in the operation of our online offering in terms of business management and improving its usability) or, if the use of cookies is necessary in fulfilling our contractual obligations, when cookies are necessary to fulfill our contractual obligations. We provide information about the purposes for which we process cookies in this privacy policy and as part of our consent and processing procedures.
Storage Duration: With regard to the storage duration, the following types of cookies are distinguished:
- Temporary Cookies (also: Session or Session Cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g., browser or mobile application).
- Permanent Cookies: Permanent cookies remain stored even after closing the device. For example, they can save login status or display preferred content directly when a user revisits a website. Data collected from users via cookies can also be used for measuring reach. If we do not provide explicit information about the type and storage duration of cookies (e.g., as part of obtaining consent), users should assume that cookies are permanent and can be stored for up to two years.
General Information on Revocation and Objection (Opt-Out): Users can revoke their consents at any time and also object to processing in accordance with legal requirements under Article 21 of the GDPR. Users can also declare their objection by configuring their browser settings, e.g., by deactivating the use of cookies (which may also limit the functionality of our online services). Objection to the use of cookies for online marketing purposes can also be declared on the websites https://optout.aboutads.info and https://www.youronlinechoices.com.
Cookie Settings / Objection Option:
You can adjust your settings here: https://barc.com/de/#consent-change
- Processed Data Types: Meta/Communication Data (e.g., device information, IP addresses).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of our online offering and user-friendliness.
- Legal Bases: Legitimate Interests (Article 6(1)(f) GDPR).
Additional Information on Processing Procedures, Procedures, and Services:
- Processing of Cookie Data Based on Consent: We use a cookie consent management process in which users’ consent to the use of cookies, as well as the processing and providers mentioned within the framework of the cookie consent management process, can be obtained from users and managed and revoked by them. The consent statement is stored so that it does not have to be repeated, and consent can be proven in accordance with legal obligations. Storage can be done on the server side and/or in a cookie (so-called opt-in cookie or using comparable technologies) to be able to assign the consent to a user or their device. Subject to individual information about cookie management service providers, the following information applies: The duration of the consent storage can be up to two years. In this case, a pseudonymous user identifier is created and stored with the time of consent, information on the scope of consent (e.g., which categories of cookies and/or service providers) as well as the browser, system, and device used.
- Real Cookie Banner: Cookie Consent Management; Service Provider: devowl.io GmbH, Tannet 12, 94539 Grafling, Germany; Legal Bases: Legitimate Interests (Article 6(1)(f) GDPR); Website: https://devowl.io/de/wordpress-real-cookie-banner/; Privacy Policy: https://devowl.io/de/datenschutzerklaerung/.
Business Services
We process data of our contractual and business partners, such as customers and prospects (collectively referred to as “contractual partners”), in the context of contractual and similar legal relationships, as well as related measures and in the context of communication with contractual partners (or pre-contractual), for example, to respond to inquiries.
We process this data to fulfill our contractual obligations. This includes, in particular, obligations to provide the agreed services, any updating obligations, and rectification of warranty and other performance disruptions. Furthermore, we process the data to safeguard our rights and for the purpose of administrative tasks associated with these obligations, as well as business organization. Additionally, we process the data based on our legitimate interests in proper and efficient business management and security measures to protect our contractual partners and our business operations from misuse, safeguarding their data, secrets, information, and rights (e.g., involving telecommunications, transportation, and other auxiliary services, subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Within the scope of applicable law, we only disclose data of contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about further forms of processing, such as for marketing purposes, in this privacy policy.
We will inform the contractual partners, whether they are obligated to provide the requested data before or within the scope of data collection, e.g., in online forms, using special labels (e.g., colors) or symbols (e.g., asterisks), or personally.
We delete the data after the expiration of statutory warranty and comparable obligations, i.e., fundamentally after 4 years, unless the data is stored in a customer account, e.g., as long as they must be archived for legal reasons. The legal retention period for relevant tax documents, as well as commercial books, inventories, opening balances, annual financial statements, the necessary instructions for understanding these documents, and organizational documents, is ten years. The retention period for incoming commercial and business letters and copies of outgoing commercial and business letters is six years. The retention period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance, the annual financial statement, or the management report was prepared, the commercial or business letter was received or sent, or the booking voucher was created, and the record was made or the other documents were created.
To the extent that we use third-party providers or platforms to provide our services, the terms and privacy policies of the respective third-party providers or platforms apply to the relationship between users and the providers.
- Processed data types: Inventory data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, phone numbers); Contract data (e.g., subject matter of the contract, term, customer category); Usage data (e.g., websites visited, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Special categories of personal data: Health data (Art. 9 Para. 1 GDPR); Religious or philosophical beliefs (Art. 9 Para. 1 GDPR); Data revealing racial and ethnic origin (Art. 9 Para. 1 GDPR).
- Data subjects: Customers; Prospects; Business and contractual partners; Students/Participants.
- Purposes of processing: Provision of contractual services and customer service; Security measures; Contact inquiries and communication; Office and organizational procedures; Management and response to inquiries; Conversion measurement (measuring the effectiveness of marketing campaigns); Profiles with user-related information (creating user profiles).
- Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR); Legal obligation (Art. 6 Para. 1 S. 1 lit. c) GDPR); Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).
Further information on processing processes, procedures, and services:
- Customer Account: Contractual partners can create an account within our online offering (e.g., customer or user account, hereinafter “customer account”). If the registration of a customer account is necessary, contractual partners will also be notified of this, as well as the required details for registration. Customer accounts are not public and cannot be indexed by search engines. As part of registration, as well as subsequent logins and usage of the customer account, we store the IP addresses of the customers along with the access times to prove the registration and prevent potential misuse of the customer account. When customers have terminated their customer account, the data related to the customer account will be deleted unless it must be retained for legal reasons. It is the responsibility of the customers to secure their data upon termination of the customer account; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR).
- Economic Analysis and Market Research: For business reasons and to be able to recognize market trends, customer and user wishes, we analyze the data we have about business transactions, contracts, inquiries, etc. Among the group of affected persons can be contractual partners, interested parties, customers, visitors, and users of our online offering. The analyses serve the purpose of business evaluations, marketing, and market research (e.g., to determine customer groups with different characteristics). If available, we can also consider the profiles of registered users along with their details, e.g., regarding the services they have used. The analyses are for our use only and are not disclosed externally unless it involves anonymous analyses with summarized, anonymized values. Furthermore, we respect the privacy of users and process the data for analysis purposes as pseudonymously as possible and, if feasible, anonymously (e.g., as summarized data); Legal bases: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).
- Shop and E-Commerce: We process customer data to enable them to select, purchase, or order the chosen products, goods, and related services, as well as payment and delivery, or execution. If necessary for the execution of an order, we use service providers, in particular postal, freight, and shipping companies to carry out delivery, or execution to our customers. For the processing of payment transactions, we use the services of banks and payment service providers. The required details are marked as such within the scope of the order or comparable acquisition process and include the information required for delivery, provision, and billing, as well as contact information to be able to inquire with customers if necessary; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR).
- WooCommerce: WordPress plugin with functionalities for operating online shops; Service provider: Automattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR); Website: https://automattic.com; Privacy Policy: https://automattic.com/privacy.
- Educational and Training Services: We process the data of the participants in our educational and training programs (uniformly referred to as “trainees”) to be able to provide our training services to them. The data processed in this context, the type, scope, purpose, and necessity of their processing is determined by the underlying contractual and training relationship. The processing methods also include performance assessment and the evaluation of our services as well as those of the instructors. In the course of our activities, we may also process special categories of data, including information about the trainees’ health and data indicating their ethnic origin, political opinions, religious or philosophical beliefs. For this, we obtain explicit consent from the trainees where necessary and process special categories of data only if it is necessary for providing training services, for health care purposes, social protection, or protection of the vital interests of the trainees; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR).
- Coaching: We process the data of our clients as well as interested parties and other principals or contractual partners (uniformly referred to as “clients”) to provide our services to them. The data processed, the type, scope, purpose, and necessity of their processing are determined by the underlying contract and client relationship. Within the scope of our activities, we may also process special categories of data, including information about the clients’ health, possibly related to their sexual life or sexual orientation, as well as data revealing their racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership. For this, we obtain explicit consent from the clients where necessary, and process special categories of data only if it serves the clients’ health, the data is publicly available, or other legal permissions exist. To fulfill our contractual obligations, protect vital interests, or if required by law, or if we have the client’s consent, we disclose or transfer the clients’ data to third parties or agents, such as authorities, billing companies, as well as in the field of IT, office or similar services; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR).
- Consulting: We process the data of our clients, as well as interested parties and other principals or contractual partners (uniformly referred to as “clients”) to provide our contractual or pre-contractual services, especially consulting services. The data processed, the type, scope, purpose, and necessity of their processing are determined by the underlying contract and business relationship. If necessary for our contract fulfillment, for the protection of vital interests, or as required by law, or if we have the client’s consent, we disclose or transfer the client’s data to third parties or agents, such as authorities, subcontractors, or service providers in the field of IT, office or similar services; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR).
- Online Courses and Online Training: We process the data of the participants in our online courses and online training programs (uniformly referred to as “participants”) to be able to provide our course and training services to them. The data processed in this context, the type, scope, purpose, and necessity of their processing is determined by the underlying contractual relationship. The data includes, in principle, information about the courses and services used, and, as part of our service offering, the personal specifications and results of the participants. The processing methods also include performance evaluation and the evaluation of our services, as well as those of the course and training instructors; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR).
- Business Consulting: We process the data of our customers, clients, as well as interested parties and other principals or contractual partners (uniformly referred to as “customers”) to be able to provide our contractual or pre-contractual services, especially consulting services. The data processed, the type, scope, purpose, and necessity of their processing are determined by the underlying contract and business relationship. If necessary for our contract fulfillment, the protection of vital interests, or as required by law, or if we have the customer’s consent, we disclose or transfer the customer’s data to third parties or agents, such as authorities, courts, or service providers in the field of IT, office, or similar services; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR).
- Events and Activities: We process the data of the participants in the events, activities, and similar activities we offer or host (hereinafter uniformly referred to as “participants” and “events”) to enable them to participate in the events and take advantage of the services or actions associated with participation. If we process health-related data, religious, political, or other special categories of data in this context, it is done in an obvious manner (e.g., for thematically oriented events or serves the purpose of healthcare, safety, or is done with the participants’ consent). The information required for the performance and billing of the services is marked as such in the context of the order or similar conclusion of the contract and includes the information required for the provision and billing of services, as well as contact information to be able to make inquiries. To the extent that we have access to information from end customers, employees, or other individuals, we process this information in accordance with legal and contractual requirements; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR).
- Brokerage Services: We process the information provided by interested parties in the context of a brokerage request for the purpose of establishing, implementing, and possibly terminating a contract for the mediation of offers from providers of the products or services requested by the interested party. We use the contact information of interested parties to specify their request via the agreed or otherwise permissible communication channel (e.g., telephone or email) and to suggest suitable providers or offers based on the specified request. We may also inquire about the success of our brokerage service at a later date in accordance with legal requirements. We record the entries in the online form sent by interested parties to prove the existence of the contractual relationship and the consent of the interested parties in accordance with legal accountability obligations (Art. 5 Para. 2 GDPR). This information is stored for a period of three to four years if we need to prove the original request (e.g., to demonstrate the legitimacy of contacting interested parties); Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR).
Providers and Services used in Business Operations
In the context of our business activities, we use additional services, platforms, interfaces, or plugins from third-party providers (hereinafter referred to as “services”), in compliance with legal requirements. Their use is based on our interests in the proper, lawful, and economical management of our business operations and internal organization.
- Processed data types: Master data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, telephone numbers); Content data (e.g., entries in online forms); Contract data (e.g., subject of the contract, duration, customer category).
- Affected individuals: Customers; Prospects; Users (e.g., website visitors, users of online services); Business and contract partners; Employees (e.g., employees, applicants, former employees).
- Purposes of processing: Provision of contractual services and customer service; Office and organizational procedures.
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Additional information on processing procedures, methods, and services:
- DATEV: Software for accounting, communication with tax consultants and authorities, and document storage; Service provider: DATEV eG, Paumgartnerstr. 6 – 14, 90429 Nuremberg, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: DATEV; Privacy policy: DATEV Data Protection; Data processing agreement: Provided by the service provider.
Payment Methods
In the context of contracts and other legal relationships, in accordance with legal obligations or based on our legitimate interests, we offer efficient and secure payment options to the data subjects. To this end, we use additional service providers alongside banks and credit institutions (collectively referred to as “payment service providers”).
The data processed by the payment service providers may include master data, such as names and addresses, bank data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract, amount, and recipient-related information. This information is necessary to carry out the transactions. However, the data provided is processed and stored only by the payment service providers. Therefore, we do not receive any account or credit card-related information, but only information confirming or negating the payment. Data may be transmitted to credit agencies by the payment service providers for identity and credit checks. We refer to the terms and privacy policies of the payment service providers for further information.
The general terms and conditions and privacy policies of the respective payment service providers apply to payment transactions, which can be accessed within the respective websites or transaction applications. We also refer to these terms and policies for additional information and the exercise of withdrawal, information, and other data subject rights.
- Processed data types: Master data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contract data (e.g., subject of the contract, duration, customer category); Usage data (e.g., visited websites, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Affected individuals: Customers; Prospects.
- Purposes of processing: Provision of contractual services and customer service.
- Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Additional information on processing procedures, methods, and services:
- PayPal: Payment services (technical integration of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: PayPal; Privacy policy: PayPal Privacy.
- Stripe: Payment services (technical integration of online payment methods); Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: Stripe; Privacy policy: Stripe Data Privacy.
Provision of Online Offering and Web Hosting
We process user data to provide our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and features of our online services to the user’s browser or device.
- Processed data types: Usage data (e.g., visited websites, interest in content, access times); Meta/communication data (e.g., device information, IP addresses); Content data (e.g., entries in online forms).
- Affected individuals: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical equipment, such as computers, servers, etc.); Security measures; Firewall.
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Additional information on processing procedures, methods, and services
- Provision of Online Offering on Rented Storage Space: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from an appropriate server provider (also called “web hoster”); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Collection of Access Data and Log Files: Access to our online offering is logged in the form of so-called “server log files.” Server log files may include the address and name of the accessed web pages and files, date and time of access, transmitted data volumes, message about successful access, browser type and version, user’s operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. Server log files can be used for security purposes, e.g., to avoid overloading servers (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure the utilization and stability of servers. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained for evidentiary purposes is excluded from deletion until the respective incident is finally clarified.
- Email Delivery and Hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, the addresses of the recipients and senders as well as other information related to email delivery (e.g., the involved providers) and the content of the respective emails are processed. The aforementioned data may also be processed for the purpose of detecting spam. Please note that emails on the Internet are generally not sent in encrypted form. Emails are usually encrypted during transmission but not on the servers from which they are sent and received. Therefore, we cannot assume responsibility for the transmission path of emails between the sender and the recipient on our server. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Wordfence: Firewall and security as well as error detection functions; Service provider: Defiant, Inc., 800 5th Ave Ste 4100, Seattle, WA 98104, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: Wordfence; Privacy policy: Wordfence Privacy Policy; Standard contractual clauses (ensuring the level of data protection when processing data in third countries): Wordfence Standard Contractual Clauses.
Registration, Login, and User Account
Users can create a user account. During the registration process, users are provided with the necessary mandatory information, which is processed for the purpose of providing the user account based on the fulfillment of a contract. The processed data includes, in particular, login information (username, password, and an email address).
In the course of using our registration and login functions, as well as the user account, we store the IP address and the timestamp of the respective user’s actions. This storage is based on our legitimate interests as well as the interests of users in protection against misuse and unauthorized use. In general, this data is not disclosed to third parties, except when it is necessary to enforce our claims or when there is a legal obligation to do so.
Users can be informed via email about operations relevant to their user account, such as technical changes.
- Processed Data Types: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Meta/communication data (e.g., device information, IP addresses).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of contractual services and customer service; Security measures; Management and response to inquiries; Provision of our online offering and user-friendliness.
- Legal Bases: Fulfillment of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Additional Notes on Processing Procedures, Procedures, and Services:
- Registration with Real Names: Due to the nature of our community, we request users to use our services only with their real names. The use of pseudonyms is not permitted; Legal Basis: Fulfillment of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- KNACK: Online database software for the creation of portals and applications; Service Provider: EVENLY ODD, INC., 759 WOODCREST AVE., LITITZ, PA, 17543, USA; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.knack.com/; Privacy Policy: https://www.knack.com/privacy-shield; Standard Contractual Clauses (Ensuring the level of data protection when processing in third countries): https://www.knack.com/gdpr.
Blogs and Publishing Media
We use blogs or similar means of online communication and publication (hereinafter referred to as “publishing media”). Reader data is processed for the purposes of the publishing medium only to the extent necessary for its display and communication between authors and readers or for security reasons. For further information on the processing of visitors to our publishing medium, please refer to our privacy policy.
- Processed Data Types: Master data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited web pages, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of contractual services and customer service; Feedback (e.g., collecting feedback via online forms); Provision of our online offering and user-friendliness; Security measures; Management and response to inquiries.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Additional Notes on Processing Procedures, Procedures, and Services
- Comments and Contributions: When users leave comments or other contributions, their IP addresses may be stored based on our legitimate interests. This is done for our security in case someone leaves illegal content in comments and contributions (e.g., insults, prohibited political propaganda). In this case, we may be held responsible for the comment or contribution and are therefore interested in the identity of the author. Furthermore, based on our legitimate interests, we reserve the right to process user information for spam detection. On the same legal basis, we reserve the right to store users’ IP addresses during polls and use cookies to prevent multiple voting. The information provided by users in comments and contributions, such as personal information, contact information, and content details, is permanently stored by us until users object; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Profile Pictures from Gravatar: Profile pictures – Within our online offering and especially in the blog, we use the Gravatar service. Gravatar is a service where users can register and upload profile pictures and their email addresses. When users leave posts or comments with the respective email address on other online presences (especially in blogs), their profile pictures may be displayed alongside the posts or comments. For this purpose, the email address provided by users is encrypted and sent to Gravatar for the sole purpose of checking whether a profile is stored for it. This is the only purpose of transmitting the email address. It is not used for other purposes but is deleted afterward. The use of Gravatar is based on our legitimate interests, as it allows authors of posts and comments to personalize their contributions with a profile picture. By displaying the images, Gravatar obtains users’ IP addresses, as this is necessary for communication between a browser and an online service. If users do not want a user image associated with their email address to appear in the comments, they should use an email address that is not registered with Gravatar when commenting. We also note that it is possible to use an anonymous or no email address if users do not wish to transmit their own email address to Gravatar. Users can completely prevent the transmission of data by not using our comment system.
Contact and Inquiry Management
When contacting us (e.g., via contact form, email, phone, or through social media) and within the context of existing user and business relationships, the information provided by inquiring individuals is processed as far as necessary to respond to inquiries and take any requested actions.
- Processed Data Types: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited web pages, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Data Subjects: Communication partners.
- Purposes of Processing: Contact inquiries and communication; Managing and responding to inquiries; Feedback (e.g., collecting feedback via online forms); Providing our online offering and user-friendliness.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Further Information on Processing Procedures, Procedures, and Services:
- Contact Form: When users contact us through our contact form, email, or other communication channels, we process the data provided to us for the purpose of addressing the specific request; Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).
- HubSpot: Customer management and process and sales support with personalized customer care through multi-channel communication, i.e., managing customer inquiries from various channels and offering analysis and feedback functions; Service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.hubspot.de; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa; Standard Contractual Clauses (ensuring the level of data protection when processing in third countries): https://legal.hubspot.com/dpa.
Chatbots and Chat Functions
We offer online chat and chatbot functions as a means of communication (collectively referred to as “chat services”). A chat is a real-time online conversation. A chatbot is software that answers users’ questions or informs them through messages. When you use our chat functions, we may process your personal data.
If you use our chat services within an online platform, your identification number within the respective platform is additionally stored. We can also collect information about which users interact with our chat services and when. Furthermore, we store the content of your conversations through the chat services and log registration and consent processes to meet legal requirements.
Users are informed that the respective platform provider may learn whether and when users communicate with our chat services, as well as technical information about the users’ devices and, depending on their device settings, location information (so-called metadata) for the purposes of optimizing the services and ensuring security. Moreover, the communication metadata via chat services (e.g., information about who communicated with whom) may be used by the respective platform providers in accordance with their terms for marketing or displaying personalized advertising.
If users agree to receive regular messages from a chatbot, they have the option to unsubscribe from messages at any time. The chatbot informs users how they can unsubscribe from messages and the associated data will be deleted from the directory of message recipients.
We use the information mentioned above to operate our chat services, such as personalizing user interactions, answering their inquiries, providing requested content, and improving our chat services (e.g., training chatbots to respond to frequently asked questions or identifying unanswered queries).
Legal Basis Notes: We use chat services based on user consent when we have obtained prior consent for processing their data within the scope of our chat services (applicable when users are asked for consent, e.g., for a chatbot to send them regular messages). When we use chat services to respond to user inquiries about our services or company, this is done as part of contractual and pre-contractual communication. Otherwise, we use chat services based on our legitimate interests in optimizing chat services, their cost-effectiveness, and enhancing the user experience.
Revocation, Objection, and Deletion: You can withdraw your consent at any time or object to the processing of your data within our chat services.
- Processed Data Types: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited web pages, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Data Subjects: Communication partners.
- Purposes of Processing: Contact inquiries and communication; Direct marketing (e.g., via email or postal mail).
- Legal Bases: Consent (Art. 6(1)(a) GDPR); Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further Information on Processing Procedures, Procedures, and Services:
- HubSpot: Chatbot and assistance software as well as related services; Service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.hubspot.de; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa; Standard Contractual Clauses (ensuring the level of data protection when processing in third countries): https://legal.hubspot.com/dpa.
Video Conferences, Online Meetings, Webinars, and Screen Sharing
We use platforms and applications of other providers (hereinafter referred to as “conference platforms”) for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings (hereinafter collectively referred to as “conference”). When selecting conference platforms and their services, we adhere to legal requirements.
Data Processed by Conference Platforms: During participation in a conference, conference platforms process the following personal data of participants. The extent of processing depends on the data requested in the context of a specific conference (e.g., provision of access data or real names) and optional information provided by participants. In addition to processing for the purpose of conducting the conference, the data of participants may also be processed by the conference platforms for security purposes or service optimization. Processed data includes personal data (first name, last name), contact information (email address, phone number), access data (access codes or passwords), profile pictures, information about professional position/function, IP address of internet access, information about participants’ devices, their operating system, browser, and its technical and language settings, information about content-related communication processes (e.g., chat entries), as well as audio and video data, along with the use of other available functions (e.g., polls). Communication content is encrypted to the extent provided technically by the conference providers. If participants are registered as users with the conference platforms, additional data may be processed in accordance with the agreement with the respective conference provider.
Logging and Recordings: If text inputs, participation results (e.g., from polls), as well as video or audio recordings are logged, participants are transparently informed in advance, and, if necessary, their consent is obtained.
Data Protection Measures by Participants: Please refer to the privacy policies of the conference platforms for details on the processing of your data by these platforms. Also, within the settings of the conference platforms, ensure optimal security and data protection settings for your specific needs. During a video conference, please also ensure data and personal privacy in the background of your recording (e.g., through communication with roommates, locking doors, and using background blurring functions, if technically available). Links to conference rooms and access data should not be shared with unauthorized third parties.
Legal Basis Notes: If, in addition to the conference platforms, we also process user data and request user consent for the use of conference platforms or specific functions (e.g., consent for recording conferences), the legal basis for processing is this consent. Our processing may also be necessary for the fulfillment of our contractual obligations (e.g., participant lists, processing conversation results, etc.). Otherwise, user data is processed based on our legitimate interests in efficient and secure communication with our communication partners.
- Processed Data Types: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited web pages, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Data Subjects: Communication partners; Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of contractual services and customer support; Contact inquiries and communication; Office and organizational procedures.
- Legal Bases: Consent (Art. 6(1)(a) GDPR); Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further Information on Processing Procedures, Procedures, and Services:
- Hubilo: Software for online conferences; Service provider: Hubilo Technologies Inc., 505 Montgomery Street, 10th floor, San Francisco, CA 94111, USA; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.hubilo.com/; Privacy Policy: https://www.hubilo.com/privacy-policy; Standard Contractual Clauses (ensuring the level of data protection when processing in third countries): https://www.hubilo.com/gdpr.
- Zoom: Software für Webinare; Dienstanbieter: Zoom Video Communications, Inc., 55 Almaden Blvd, Suite 600
San Jose, CA 95113, USA; Rechtsgrundlagen: Berechtigte Interessen (Art. 6 Abs. 1 S. 1 lit. f) DSGVO); Website: https://explore.zoom.us/de; Datenschutzerklärung: https://explore.zoom.us/de/privacy/; - Cvent: Software for event registration; Service provider: c/o TMF Deutschland AG, Thurn-und-Taxis-Platz 6, 60313 Frankfurt am Main, Germany; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.cvent.com/; Privacy Policy: https://www.cvent.com/en/privacy-policy; Standard Contractual Clauses (ensuring the level of data protection when processing in third countries): https://www.cvent.com/de/gdpr-de.
Audio Content
We use hosting and analysis services provided by service providers to offer our audio content for listening or download and to obtain statistical information about the retrieval of audio content.
- Processed Data Types: Usage data (e.g., visited web pages, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Reach measurement (e.g., access statistics, detection of returning visitors); Conversion measurement (measurement of the effectiveness of marketing measures); Profiles with user-related information (creation of user profiles); Provision of our online offering and user-friendliness.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further Information on Processing Procedures, Procedures, and Services:
- Spotify: Spotify – music hosting and widget; Service provider: Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm, Sweden; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.spotify.com/de; Privacy Policy: https://www.spotify.com/de/legal/privacy-policy.
Application Processes
The application process requires applicants to provide us with the data necessary for their evaluation and selection. The required information is determined by the job description or, in the case of online forms, by the information provided there.
Generally, the required information includes personal information, such as name, address, contact details, and evidence of the qualifications required for a position. Upon request, we are happy to provide additional information about the data needed.
If provided, applicants can submit their applications to us through an online form. Data is transmitted to us encrypted according to the state of the art. Applicants can also submit their applications via email. However, please note that emails sent over the internet are generally not encrypted. While emails are typically encrypted in transit, they are not encrypted on the servers where they are sent and received. Therefore, we cannot assume responsibility for the transmission path of the application between the sender and our server.
For the purpose of applicant search, submission of applications, and selection of applicants, we may, in compliance with legal requirements, use applicant management or recruitment software and services provided by third-party vendors.
Applicants are welcome to contact us regarding the submission of their applications or send their applications by mail.
Processing of Special Categories of Data: If special categories of personal data within the meaning of Art. 9(1) GDPR (e.g., health data, such as disability status or ethnic origin) are requested from applicants in the context of the application process to allow the data controller or the data subject to exercise their rights arising from employment law and social security and social protection law, their processing will be carried out according to Art. 9(2)(b) GDPR. In the case of protecting the vital interests of applicants or other persons, or for purposes of occupational medicine, the assessment of employee capability, medical diagnosis, care, or treatment in the health or social sector, the processing will be based on Art. 9(2)(c) GDPR. If the special categories of data are disclosed voluntarily as part of an application, their processing is based on the consent of the data subject according to Art. 9(2)(a) GDPR.
Data Deletion: Data provided by applicants can be further processed for the purposes of the employment relationship if the application is successful. Otherwise, if the application for a job offer is not successful, the data of the applicants will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are free to do at any time. Deletion will occur, subject to legitimate revocation by applicants, no later than six months after the application is received to allow us to answer any follow-up questions regarding the application and to meet our obligations to provide evidence under the regulations on equal treatment of applicants. Invoices for reimbursement of travel expenses are archived in accordance with tax regulations.
Inclusion in an Applicant Pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the ongoing application process, and can be revoked at any time for the future.
Duration of Data Retention in the Applicant Pool in Months: 6
- Processed Data Types: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Applicant data (e.g., personal information, postal and contact addresses, documents and information included in applications, such as cover letters, CVs, certificates, and other information about the applicant relevant to specific positions or provided voluntarily by applicants).
- Data Subjects: Applicants.
- Purposes of Processing: Application process (initiation and, if applicable, subsequent implementation and possible subsequent termination of the employment relationship).
- Legal Bases: Application process as a pre-contractual or contractual relationship (Art. 6(1)(b) GDPR).
Cloud Services
We use software services accessible over the internet and executed on the servers of their providers (referred to as “cloud services” or “Software as a Service”) for the following purposes: document storage and management, calendar management, email delivery, spreadsheets and presentations, document, content, and information sharing with specific recipients or publishing web pages, forms, or other content and information, as well as chats and participation in audio and video conferences.
Within this framework, personal data may be processed and stored on the servers of the providers to the extent that they are part of communication processes with us or are otherwise processed by us, as explained in this privacy policy. This data may include, in particular, user master data and contact information, data related to processes, contracts, and other content. Cloud service providers also process usage data and metadata for security purposes and service optimization.
If we use cloud services to provide forms, documents, and content to other users or publicly accessible websites, providers may store cookies on users’ devices for web analysis purposes or to remember user settings (e.g., media control).
- Processed Data Types: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited web pages, interest in content, access times); Meta/communication data (e.g., device information, IP addresses); Image and/or video recordings (e.g., photographs or video recordings of a person).
- Data Subjects: Customers; Employees (e.g., employees, applicants, former employees); Prospective customers; Communication partners; Users (e.g., website visitors, users of online services); Business and contractual partners.
- Purposes of Processing: Office and organizational procedures; Information technology infrastructure (operation and provision of information systems and technical equipment, such as computers, servers, etc.); Provision of contractual services and customer support.
- Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing Procedures, Procedures, and Services:
- Adobe Creative Cloud: Applications and cloud storage for photo editing, video editing, graphic design, and web development; Service provider: Adobe Systems Software Ireland Companies, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.adobe.com/de/creativecloud.html; Privacy Policy: https://www.adobe.com/de/privacy.html; Data Processing Agreement: Provided by the service provider; Standard Contractual Clauses (ensuring the level of data protection when processing in third countries): Included in the data processing agreement.
- Microsoft Cloud Services: Cloud storage, cloud infrastructure services, and cloud-based application software; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, Parent Company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://microsoft.com/de-de; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement; Security Information: https://www.microsoft.com/de-de/trustcenter; Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA; Standard Contractual Clauses (ensuring the level of data protection when processing in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
- ownCloud (Self-hosted): Cloud storage service with data processing and storage taking place on a server managed by us; Service provider: ownCloud GmbH, Rathsbergstr. 17, 90411 Nuremberg, Germany; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://owncloud.com/de/; Privacy Policy: https://owncloud.com/privacy-statement/.
- Amazon Web Services (AWS): Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://aws.amazon.com/de/; Privacy Policy: https://aws.amazon.com/de/privacy/; Data Processing Agreement: https://aws.amazon.com/de/compliance/gdpr-center/; Standard Contractual Clauses (ensuring the level of data protection when processing in third countries): Included in the data processing agreement.
Newsletters and Electronic Notifications
We send newsletters, emails, and other electronic notifications (hereinafter “newsletters”) only with the consent of the recipients or a legal permission. If, within the scope of signing up for the newsletter, its contents are specifically described, they are decisive for the consent of the users. In addition, our newsletters contain information about our services and us.
For registration for one of our newsletters, it is generally required to provide your email address as well as further information, such as name and gender for personal address, areas of interest for specifying relevant topics. Double opt-in procedure: Registration for our newsletter is generally performed in a double opt-in procedure. This means that after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary so that nobody can register with someone else’s email address. Newsletter registrations are logged to prove the registration process according to legal requirements. This includes storing the time of registration and confirmation, as well as the IP address. Changes to your data stored with the shipping service provider are also logged.
Deletion and Restriction of Processing: We can store the email addresses that have been unsubscribed for up to three years based on our legitimate interests before deleting them to prove that consent was given in the past. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we keep the email address solely for this purpose in a blocklist (so-called “blocklist”).
The logging of the registration procedure is carried out based on our legitimate interests for the purpose of proving its proper course. If we engage a service provider to send emails, this is done based on our legitimate interests in an efficient and secure mailing system.
Contents:
Information about us, our services, promotions, and offers.
- Processed Data Types: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Meta/communication data (e.g., device information, IP addresses); Usage data (e.g., visited web pages, interest in content, access times).
- Data Subjects: Communication partners; Users (e.g., website visitors, users of online services).
- Purposes of Processing: Direct marketing (e.g., by email or postal); Provision of contractual services and customer support.
- Legal Bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
- Opt-out Option: You can cancel the receipt of our newsletter at any time, i.e., revoke your consent, or object to further receipt. You can find a link to unsubscribe from the newsletter at the end of each newsletter or use one of the contact options provided above, preferably email, for this purpose.
Additional Information on Processing Procedures, Procedures, and Services:
- Measurement of Open and Click Rates: The newsletters contain a so-called “web beacon,” i.e., a pixel-sized file that is retrieved from our server, or if we use a mail service provider, from their server when the newsletter is opened. As part of this retrieval, technical information such as information about the browser and your system is collected, as well as your IP address and the time of the retrieval. This information is used for the technical improvement of our newsletter based on technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or the access times. This analysis also includes determining whether the newsletters are opened, when they are opened, and which links are clicked. This information is assigned to the individual newsletter recipients and stored in their profiles until deleted. The evaluations help us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The measurement of open rates and click rates and the storage of the measurement results in user profiles and their further processing are based on the consent of the users. Separate revocation of the measurement of success is unfortunately not possible; in this case, the entire newsletter subscription must be canceled, or objections must be raised. In this case, the stored profile information will be deleted; Legal Bases: Consent (Art. 6(1)(a) GDPR).
- Condition for the Use of Free Services: The consent to the sending of mailings may be made a condition for the use of free services (e.g., access to certain content or participation in certain promotions). If users wish to use the free service without registering for the newsletter, we ask them to contact us.
- HubSpot: Email marketing platform; Service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.hubspot.de; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa; Standard Contractual Clauses (ensuring the level of data protection when processing in third countries): https://legal.hubspot.com/dpa.
- Zapier: Import of email addresses to the used shipping service providers from other platforms or other sources; Service provider: Zapier, Inc., 548 Market St #62411, San Francisco, California 94104, USA; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://zapier.com; Privacy Policy: https://zapier.com/privacy; Standard Contractual Clauses (ensuring the level of data protection when processing in third countries): https://zapier.com/tos (part of the terms and conditions).
Promotional Communication via Email, Mail, Fax, or Telephone
We process personal data for the purpose of promotional communication, which can be conducted through various channels, such as email, telephone, mail, or fax, in accordance with legal requirements.
Recipients have the right to revoke granted consents at any time or to object to promotional communication at any time.
After revocation or objection, we store the data necessary to demonstrate the previous authorization for contact or delivery for up to three years after the end of the year in which the revocation or objection was made based on our legitimate interests. The processing of this data is limited to the purpose of potential defense against claims. Based on the legitimate interest of permanently considering the revocation or objection of users, we also store the data necessary to prevent further contact (e.g., depending on the communication channel, the email address, telephone number, name).
- Processed Data Types: Inventory data (e.g., names, addresses); Contact data (e.g., email, telephone numbers).
- Data Subjects: Communication partners.
- Purposes of Processing: Direct marketing (e.g., via email or postal).
- Legal Bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Contests and Competitions
We process personal data of participants in contests and competitions only in compliance with relevant data protection regulations, to the extent that processing is contractually necessary for the provision, execution, and handling of the contest, participants have consented to the processing, or processing serves our legitimate interests (e.g., the security of the contest or the protection of our interests against abuse, such as the capture of IP addresses when submitting contest entries).
If, as part of the contests, participants’ contributions are published (e.g., in the context of a vote or presentation of contest entries or winners, or in contest-related reports), we would like to point out that participants’ names may also be published in this context. Participants can object to this at any time.
If the contest takes place within an online platform or a social network (e.g., Facebook or Instagram, hereinafter referred to as the “online platform”), the terms of use and data protection regulations of the respective platforms also apply. In these cases, we would like to inform you that, with regard to the information provided by participants as part of the contest, we are responsible, and inquiries regarding the contest should be directed to us.
The data of the participants will be deleted as soon as the contest or competition is completed and the data is no longer required to inform the winners or to address follow-up questions related to the contest. In general, the data of participants will be deleted at the latest six months after the end of the contest. Data of winners may be retained for a longer period to answer inquiries about prizes or to fulfill prize services. In this case, the retention period depends on the nature of the prize and may be up to three years, for example, to handle warranty claims. Furthermore, participants’ data may be retained for a longer period, for instance, in the form of contest reports in online and offline media.
If data was collected for other purposes as part of the contest, their processing and retention period are determined by the data protection information related to that use (e.g., in the case of newsletter subscriptions as part of a contest).
- Processed Data Types: Inventory data (e.g., names, addresses); Content data (e.g., entries in online forms); Meta/communication data (e.g., device information, IP addresses).
- Data Subjects: Contest and competition participants.
- Purposes of Processing: Execution of contests and competitions.
- Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Surveys and Questionnaires
We conduct surveys and questionnaires to gather information for the specific survey or questionnaire purpose communicated at the time. The surveys and questionnaires we conduct (hereinafter referred to as “surveys”) are evaluated anonymously. Personal data is only processed to the extent necessary for the provision and technical execution of the surveys (e.g., processing of the IP address to display the survey in the user’s browser or using cookies to allow the user to resume the survey).
- Processed Data Types: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited web pages, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Data Subjects: Communication partners; Participants.
- Purposes of Processing: Feedback (e.g., collecting feedback via online forms).
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing Procedures, Processes, and Services:
- Tivian: Conducting online surveys; Service Provider: Tivian XI GmbH, Christophstr. 15-17, 50670 Cologne, Germany; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: Tivian; Privacy Policy: Tivian Privacy Policy.
- KNACK: Conducting online surveys and collecting self-disclosures; Service Provider: EVENLY ODD, INC., 759 WOODCREST AVE., LITITZ, PA, 17543, USA; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: KNACK; Privacy Policy: KNACK Privacy Shield; Standard Contractual Clauses (ensuring an adequate level of data protection when processing data in third countries): KNACK GDPR.
Web Analysis, Monitoring, and Optimization
Web analysis (also referred to as “reach measurement”) is used to evaluate visitor traffic to our online services. It can encompass behavioral, interest, or demographic information about visitors, such as age or gender, as pseudonymous values. Through reach analysis, we can, for example, determine the times when our online services or their functions or content are most frequently used or invite reuse. We can also identify areas that require optimization.
In addition to web analysis, we may use testing procedures to test and optimize different versions of our online services or their components.
Unless otherwise specified below, profiles, which means data combined for a usage process, may be created for these purposes, and information may be stored in and read from a browser or a device. The collected data may include visited web pages and the elements used on those pages, as well as technical information such as the web browser used, the computer system used, and information about usage times. If users have consented to the collection of their location data, we may also process location data.
The IP addresses of users are also stored. However, we use an IP masking procedure (i.e., pseudonymization through IP address truncation) to protect users. Generally, no clear user data (such as email addresses or names) is stored in the context of web analysis, A/B testing, and optimization. Instead, pseudonyms are used, so neither we nor the providers of the software we use know the actual identity of users, only the information stored in their profiles for the purposes of the respective processes.
- Processed Data Types: Usage data (e.g., visited web pages, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Remarketing; reach measurement (e.g., access statistics, recognition of returning visitors); profiles with user-related information (creating user profiles); tracking (e.g., interest/behavior-based profiling, use of cookies); providing our online services and user-friendliness. Security Measures: IP masking (pseudonymization of IP address).
- Legal Bases: Consent (Art. 6(1)(a) GDPR).
Additional Information on Processing Procedures, Processes, and Services:
- Google Analytics: Web analysis, reach measurement, and user flow measurement; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6(1)(a) GDPR); Website: Google Analytics; Privacy Policy: Google Analytics Privacy Policy; Data Processing Agreement: Google Ads Data Processing Terms; Standard Contractual Clauses (ensuring an adequate level of data protection when processing data in third countries): Google Ads Data Processing Terms; Opt-Out Option: Opt-Out Plugin, Ad Display Settings; Further Information: Google Ads Services (Types of processing and processed data).
- Google Universal Analytics: Reach measurement and web analysis – We use Universal Analytics, a version of Google Analytics, to perform user analysis based on a pseudonymous user identification number. This identification number does not contain clear data, such as names or email addresses. It is used to associate analysis information with a user, for example, to recognize which content users accessed during a session or whether they returned to our online service. Pseudonymous user profiles are created from different device usage data, and cookies may be used. Analytics provides high-level location data by capturing the following metadata through IP geolocation: “City” (and the derived latitude and longitude of the city), “Continent,” “Country,” “Region,” “Subcontinent” (and the ID-based equivalents). To ensure the protection of user data in the EU, Google receives and processes all user data through domains and servers within the EU. Users’ IP addresses are not logged and are truncated by the last two digits by default. The IP address truncation takes place on EU servers for EU users. Additionally, all sensitive data collected from EU users is deleted before being captured through EU domains and servers; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6(1)(a) GDPR); Website: Google Marketing Platform; Terms and Conditions: Google Ads Data Processing Terms; Privacy Policy:
Google Privacy Policy; Opt-Out Option: Opt-Out Plugin, Ad Display Settings; Further Information: Google Ads Services (Types of processing and processed data). - Google Analytics 4: We use Google Analytics to perform user analysis based on a pseudonymous user identification number. This identification number does not contain clear data, such as names or email addresses. It is used to associate analysis information with a device to recognize which content users accessed within one or multiple usage processes, which search terms they used, whether they accessed them again, or interacted with our online service. Usage time and duration, sources of users referring to our online service, and technical aspects of their devices and browsers are also stored. Pseudonymous user profiles are created from different device usage data, and cookies may be used. Analytics provides high-level location data by capturing the following metadata through IP geolocation: “City” (and the derived latitude and longitude of the city), “Continent,” “Country,” “Region,” “Subcontinent” (and the ID-based equivalents). To ensure the protection of user data in the EU, Google receives and processes all user data through domains and servers within the EU. Users’ IP addresses are not logged and are truncated by the last two digits by default. The IP address truncation takes place on EU servers for EU users. Additionally, all sensitive data collected from EU users is deleted before being captured through EU domains and servers; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6(1)(a) GDPR); Website: Google Marketing Platform; Privacy Policy: Google Privacy Policy; Data Processing Agreement: Google Ads Data Processing Terms; Standard Contractual Clauses (ensuring an adequate level of data protection when processing data in third countries): Google Ads Data Processing Terms; Opt-Out Option: Opt-Out Plugin, Ad Display Settings; Further Information: Google Ads Services (Types of processing and processed data).
- Google Tag Manager: Google Tag Manager is a solution that allows us to manage website tags via an interface and to integrate other services into our online service (please refer to the further information in this privacy policy). The Tag Manager itself (which implements the tags) does not create user profiles or store cookies, for example. Google only receives the user’s IP address, which is necessary to run Google Tag Manager; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6(1)(a) GDPR); Website: Google Marketing Platform; Privacy Policy: Google Privacy Policy; Data Processing Agreement: Google Ads Data Processing Terms; Standard Contractual Clauses (ensuring an adequate level of data protection when processing data in third countries): Google Ads Data Processing Terms; Further Information: Google Ads Services (Types of processing and processed data).
- Hotjar: We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf. For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.
Online Marketing
We process personal data for the purposes of online marketing, which includes the promotion of advertising space or the display of advertising and other content (collectively referred to as “content”) based on potential user interests, as well as the measurement of its effectiveness.
For these purposes, user profiles are created and stored in a file (referred to as a “cookie”) or similar methods are used to store information relevant to the user for displaying the aforementioned content. This information may include viewed content, visited web pages, online networks used, as well as communication partners and technical details such as the user’s browser, computer system, usage times, and functions used. If users have consented to the collection of their location data, this data may also be processed.
IP addresses of users are also stored. However, we use available IP masking techniques (i.e., pseudonymization through IP address truncation) to protect users. In general, no clear user data (such as email addresses or names) is stored within online marketing processes; instead, pseudonyms are used. This means that neither we nor the providers of online marketing processes know the actual identity of users, only the information stored in their profiles.
The information in the profiles is typically stored in cookies or similar methods. These cookies can generally be read on other websites that use the same online marketing process and can be analyzed for content display purposes, complemented with additional data, and stored on the server of the online marketing process provider.
In exceptional cases, clear data can be associated with the profiles. This happens, for example, if users are members of a social network that uses our online marketing process, and the network connects user profiles with the information mentioned above. Please note that users can make additional agreements with the providers, e.g., through consent during registration.
We generally only have access to aggregated information regarding the success of our advertisements. However, through conversion tracking, we can determine which of our online marketing processes have led to a so-called conversion, for example, a contract with us. Conversion tracking is used solely for analyzing the success of our marketing measures.
Unless stated otherwise, please assume that cookies used are stored for a period of two years.
- Processed Data Types: Usage data (e.g., visited web pages, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Reach measurement (e.g., access statistics, recognition of returning visitors); Tracking (e.g., interest/behavior-based profiling, use of cookies); Marketing; Profiles with user-related information (creating user profiles); Conversion tracking (measuring the effectiveness of marketing measures); Click tracking.
- Security Measures: IP masking (pseudonymization of IP address).
- Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR).
- Opt-out Options: Please refer to the data protection notices of the respective providers and the opt-out options provided for each provider (so-called “opt-out”). If no explicit opt-out option is specified, there is the option to disable cookies in your browser settings. However, this may limit the functionality of our online offering. We recommend the following opt-out options, which are offered for specific regions: a) Europe: Your Online Choices. b) Canada: Your Ad Choices. c) USA: About Ads Choices. d) Cross-region: Opt Out About Ads.
Additional Information on Processing Procedures, Processes, and Services:
- UTM Parameters: Analysis of sources and user actions based on an extension of referring web addresses with an additional parameter, the “UTM” parameter. For example, a UTM parameter “utm_source=platformX &utm_medium=video” can tell us that a person clicked the link on platform X within a video. UTM parameters provide information about the source of the link, the medium used (e.g., social media, website, newsletter), the type of campaign or content of the campaign (e.g., post, link, image, and video). With this information, we can evaluate our visibility on the internet or the effectiveness of our campaigns; Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR).
Social Media Presences (Social Media)
We maintain online presences within social networks and process user data for the purpose of communicating with active users and providing information about us.
We would like to inform you that, as a result, user data may be processed outside the European Union. This may pose risks to users, as it could, for example, make it more difficult to enforce user rights.
Furthermore, user data is typically processed within social networks for market research and advertising purposes. For example, user profiles can be created based on user behavior and resulting interests. These user profiles can, in turn, be used to display advertisements within and outside of the networks that are likely to correspond to users’ interests. For these purposes, cookies are usually stored on users’ computers in which user behavior and interests are stored. In addition, data can be stored in user profiles independently of the devices used by users (especially if users are members of the respective platforms and are logged into them).
For a detailed description of the respective processing methods and opt-out options, we refer you to the privacy policies and information provided by the operators of the respective networks.
In the case of information requests and the exercise of data subject rights, we would like to point out that these can be most effectively asserted with the providers. Only the providers have access to user data and can take appropriate measures and provide information directly. If you still need assistance, you can contact us.
- Processed Data Types: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Contact inquiries and communication; Feedback (e.g., collecting feedback via online forms); Marketing.
- Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR).
Additional Information on Processing Procedures, Processes, and Services:
- Instagram: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: Instagram; Privacy Policy: Instagram Privacy Policy.
- Facebook Pages: Profiles within the social network Facebook – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data from visitors to our Facebook page (so-called “Fanpage”). This data includes information about the types of content users view or interact with, or actions taken by them (see “Things you and others do and provide” in Facebook’s data policy: Facebook Data Policy), as well as information about the devices used by users (e.g., IP addresses, operating systems, browser type, language settings, cookie data; see “Device Information” in Facebook’s data policy: Facebook Data Policy). As explained in Facebook’s data policy under “How do we use this information?” Facebook also collects and uses information to provide analysis services, so-called “Page Insights,” to page operators so that they can gain insights into how people interact with their pages and the associated content. We have entered into a special agreement with Facebook (“Information about Page Insights,” Facebook Page Insights), which regulates, among other things, the security measures Facebook must comply with, and in which Facebook has agreed to fulfill the data subjects’ rights (i.e., users can address requests for information or deletion directly to Facebook). The rights of users (especially the right to information, deletion, objection, and complaint to the relevant supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the “Information about Page Insights” (Facebook Page Insights); Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: Facebook; Privacy Policy: Facebook Privacy Policy; Standard Contractual Clauses (ensuring data protection level when processing data in third countries): EU Data Transfer Addendum; Further Information: Agreement on Joint Responsibility: Joint Responsibility Agreement. The joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of data is the sole responsibility of Meta Platforms Ireland Limited, especially regarding the transfer of data to the parent company, Meta Platforms, Inc., in the USA (based on standard contractual clauses between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- LinkedIn: Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: LinkedIn; Privacy Policy: LinkedIn Privacy Policy; Data Processing Agreement: LinkedIn Data Processing Agreement; Standard Contractual Clauses (ensuring data protection level when processing data in third countries): LinkedIn Data Processing Agreement; Opt-Out Option: LinkedIn Opt-Out.
- Twitter: Social network; Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland, Parent Company: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Privacy Policy: Twitter Privacy Policy, (Settings: Twitter Personalization Settings).
- YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Privacy Policy: Google Privacy Policy; Opt-Out Option: Google Ads Settings.
- Xing: Social network; Service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: Xing; Privacy Policy: Xing Privacy Policy.
Plugins and Embedded Functions and Content
We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). This may include graphics, videos, or maps, collectively referred to as “content.”
The integration always requires that the third-party providers of this content process the IP address of the users since they could not send the content to their browsers without the IP address. The IP address is thus necessary for the display of this content or functions. We strive to use only content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic to the pages of this website. Pseudonymous information may also be stored in cookies on the users’ devices, containing technical information about the browser and operating system, referring websites, visit times, and other information about the use of our online offering, as well as combined with such information from other sources.
- Processed Data Types: Usage data (e.g., visited websites, interest in content, access times); Meta/communication data (e.g., device information, IP addresses); Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Location data (information about the geographic location of a device or person).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of our online offering and user-friendliness; Provision of contractual services and customer service; Profiles with user-related information (creation of user profiles).
- Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR).
Additional Information on Processing Procedures, Processes, and Services:
- Integration of Third-Party Software, Scripts, or Frameworks (e.g., jQuery): We integrate software into our online offering that we retrieve from servers of other providers (e.g., functional libraries that we use for the presentation or user-friendliness of our online offering). In this process, the respective providers collect the IP address of users and can process it for the purpose of transmitting the software to users’ browsers, as well as for security, evaluation, and optimization of their offering. – We integrate software into our online offering that we retrieve from servers of other providers (e.g., functional libraries that we use for the presentation or user-friendliness of our online offering). In this process, the respective providers collect the IP address of users and can process it for the purpose of transmitting the software to users’ browsers, as well as for security, evaluation, and optimization of their offering; Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR).
- Google Fonts (Provided on Our Server): Fonts (“Google Fonts”) for a user-friendly presentation of our online offering; Service Provider: Google Fonts are hosted on our server, and no data is transmitted to Google; Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR).
- Google Maps: We integrate maps from the “Google Maps” service provided by Google. Processed data may include, in particular, users’ IP addresses and location data; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR); Website: Google Maps Platform; Privacy Policy: Google Privacy Policy.
- Google Maps APIs and SDKs: Interfaces to Google’s maps and location services that allow, for example, the addition of address inputs, location determination, distance calculations, or the provision of additional information on locations and other places; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR); Website: Google Maps Platform; Privacy Policy: Google Privacy Policy.
- reCAPTCHA: We integrate the “reCAPTCHA” function to determine whether inputs (e.g., in online forms) are made by humans and not automatically acting machines (so-called “bots”). Processed data may include IP addresses, information about operating systems, devices, or browsers used, language settings, location, mouse movements, keystrokes, dwell time on web pages, previously visited websites, interactions with reCaptcha on other websites, as well as cookies and results of manual detection processes (e.g., answering questions or selecting objects in images). Data processing is based on our legitimate interest in protecting our online offering against abusive automated crawling and spam; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR); Website: Google reCAPTCHA; Privacy Policy: Google Privacy Policy; Opt-Out Option: Opt-Out Plugin: Google Opt-Out Plugin, Settings for Displaying Advertisements: Google Ads Settings.
- YouTube Videos: Video content; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR); Website: YouTube; Privacy Policy: Google Privacy Policy; Opt-Out Option: Opt-Out Plugin: Google Opt-Out Plugin, Settings for Displaying Advertisements: Google Ads Settings.
- Vimeo: Video content; Service Provider: Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA; Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR); Website: Vimeo; Privacy Policy: Vimeo Privacy Policy; Opt-Out Option: Please note that Vimeo may use Google Analytics, and we refer to the privacy policy (Google Privacy Policy) and opt-out options for Google Analytics (Google Opt-Out Plugin) or Google’s settings for data use for marketing purposes (Google Ads Settings.
Change and Update of the Privacy Policy
We kindly ask you to regularly check the content of our privacy policy. We adapt the privacy policy whenever changes to the data processing we perform make it necessary. We will inform you as soon as changes require your cooperation (e.g., consent) or any other individual notification.
If in this privacy policy, we provide addresses and contact information of companies and organizations, please note that addresses may change over time, and we recommend verifying the details before contacting them.
Rights of Data Subjects
According to the GDPR, you, as a data subject, have various rights, particularly arising from Articles 15 to 21 of the GDPR:
- Right to Object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data concerning you, which is carried out based on Article 6(1)(e) or (f) GDPR, including profiling based on these provisions. If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Right to Withdraw Consent: You have the right to withdraw your consent at any time.
- Right to Information: You have the right to obtain confirmation as to whether personal data concerning you are being processed, and, where that is the case, access to the personal data and further information and a copy of the data in line with legal requirements.
- Right to Rectification: You have the right to obtain the rectification of inaccurate personal data concerning you in line with legal requirements.
- Right to Erasure and Restriction of Processing: You have the right to obtain the erasure of personal data concerning you without undue delay or alternatively, in line with legal requirements, to obtain the restriction of processing.
- Right to Data Portability: You have the right to receive the personal data concerning you that you provided to us, in line with legal requirements, and to request their transmission to another controller.
- Complaint to a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
Definition of Terms
In this section, you will find an overview of the terms used in this privacy policy. Many of the terms are taken from the law and are primarily defined in Article 4 of the GDPR. The legal definitions are binding. The following explanations are intended to aid understanding. The terms are sorted alphabetically.
- Firewall: A firewall is a security system that protects a computer network or an individual computer from unwanted network access.
- Click Tracking: Click tracking allows tracking user movements within an entire online offering. Since the results of these tests are more accurate when user interactions can be tracked over a certain period (e.g., to determine if a user returns), cookies are usually stored on users’ computers for these testing purposes.
- Conversion Measurement: Conversion measurement (also referred to as “visit action evaluation”) is a method for determining the effectiveness of marketing measures. Typically, a cookie is stored on users’ devices within the websites where marketing activities are performed and is then retrieved on the target website. For example, this allows us to track whether the ads we have placed on other websites have been successful.
- Personal Data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Profiles with User-Related Information: The processing of “profiles with user-related information,” or simply “profiles,” includes any form of automated processing of personal data that uses these personal data to analyze, evaluate, or predict certain personal aspects related to a natural person (depending on the type of profiling, this may include different information about demographics, behavior, and interests, such as interaction with websites and their content, etc.).
- Reach Measurement: Reach measurement (also known as web analytics) is used to evaluate visitor flows of an online offering and may involve the behavior or interests of visitors in specific information, such as website content. With the help of reach analysis, website owners can, for example, determine when visitors visit their website and what content interests them. As a result, they can better tailor the content of the website to the needs of their visitors. Pseudonymous cookies and web beacons are often used for reach analysis to recognize repeat visitors and to obtain more accurate analyses of the use of an online offering.
- Remarketing: “Remarketing” or “retargeting” occurs when it is noted, for advertising purposes, which products a user was interested in on a website in order to remind the user of these products on other websites, e.g., in advertisements.
- Location Data: Location data is generated when a mobile device (or another device with the technical prerequisites for location determination) connects to a cell, a WLAN, or similar technical means and functions for determining location. Location data is used, for example, to display map functions or other location-dependent information.
- Tracking: “Tracking” is used to describe the monitoring of user behavior across multiple online offerings. Typically, behavioral and interest information regarding the online offerings used is stored in cookies or on the servers of providers of tracking technologies (so-called profiling). This information can then be used, for example, to display advertisements to users that are likely to correspond to their interests.
- Controller: A “controller” is a natural or legal person, authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data.
- Processing: “Processing” is any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, or combination, restriction, erasure, or destruction of personal data.
Date | Version | Consents |
---|