Privacy policy
Preamble
With the following privacy policy, we aim to inform you about the types of your personal data (hereinafter also referred to shortly as "Data") that we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the provision of our services and especially on our websites, mobile applications, and external online presences, such as our social media profiles (hereinafter collectively referred to as the "Online Offering").
The terms used are not gender-specific.
As of: September 21, 2024
Table of Contents
- Preamble
- Controller
- Overview of Processing Activities
- Relevant Legal Bases
- Security Measures
- Transfer of Personal Data
- International Data Transfers
- Data Deletion
- Rights of Data Subjects
- Use of Cookies
- Transfer of Data to the Appropriate Approval Authority or the KBA
- Business Services
- Providers and Services Used in the Course of Business Activities
- Payment Processes
- Provision of the Online Offering and Web Hosting
- Special Notes on Applications (Apps)
- Acquisition of Applications through App Stores
- Blogs and Publication Media
- Contact and Inquiry Management
- Cloud Services
- Newsletters and Electronic Notifications
- Web Analysis, Monitoring, and Optimization
- Online Marketing
- Presence in Social Networks (Social Media)
- Plugins and Embedded Features and Content
- Management, Organization, and Tools
- Changes and Updates to the Privacy Policy
- Definition of Terms
Controller
H&B kfzPortal24 GmbH
Steinhöft 9
c/o Ruby Hans Workspaces
20459 Hamburg
Germany
Email Address: support@kfzportal24.de
Imprint: www.kfzportal24.de/impressum
Overview of Processing Activities
The following overview summarizes the types of processed data, the purposes of their processing, and refers to the affected individuals.
Types of Processed Data
- Inventory data.
- Payment data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication, and process data.
- Image and/or video recordings.
- Event data (Facebook).
Categories of Data Subjects
- Customers.
- Employees.
- Interested parties.
- Communication partners.
- Users.
- Business and contractual partners.
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations.
- Contact inquiries and communication.
- Security measures.
- Direct marketing.
- Range measurement.
- Tracking.
- Office and organizational procedures.
- Conversion measurement.
- Audience targeting.
- Administration and response to inquiries.
- Content Delivery Network (CDN).
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online offering and user-friendliness.
- Information technology infrastructure.
Relevant Legal Bases
Relevant legal bases according to the GDPR: Below is an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. If more specific legal bases are applicable in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6(1)(a) GDPR): The data subject has given consent to the processing of their personal data for a specific purpose or multiple specified purposes.
- Contractual performance and pre-contractual inquiries (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures requested by the data subject.
- Legal obligation (Art. 6(1)(c) GDPR): Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data.
National data protection regulations in Germany: In addition to the GDPR, national data protection regulations apply in Germany. This includes the Law for the Protection against Misuse of Personal Data in Data Processing (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific regulations on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission, as well as automated decision-making, including profiling. Furthermore, state data protection laws of individual federal states may apply.
Security Measures
In accordance with legal requirements and taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the different likelihoods and severity of the threat to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, availability, and separation. We have also established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data threats. Furthermore, we consider data protection already in the development or selection of hardware, software, and procedures, in accordance with the principle of data protection through technology design and by privacy-friendly default settings.
TLS/SSL Encryption (https): To protect user data transmitted via our online services, we use TLS/SSL encryption. Secure Sockets Layer (SSL) is the standard technology for securing internet connections by encrypting data transmitted between a website or app and a browser (or between two servers). Transport Layer Security (TLS) is an updated and more secure version of SSL. Hyper Text Transfer Protocol Secure (HTTPS) is displayed in the URL when a website is secured by an SSL/TLS certificate.
Transfer of Personal Data
In the course of processing personal data, it may occur that the data is transmitted to other entities, companies, legally independent organizational units, or individuals or disclosed to them. Recipients of this data may include, for example, IT service providers or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to protect your data.
International Data Transfers
Data Processing in Third Countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if the processing takes place in connection with the use of services from third parties or the disclosure or transfer of data to other individuals, entities, or companies, this only occurs in accordance with legal requirements. If the level of data protection in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this decision serves as the basis for the data transfer. Otherwise, data transfers only take place if the level of data protection is otherwise secured, especially through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or in the case of contractual or legally required transfers (Art. 49(1) GDPR). We will inform you about the basis for the third-country transfer with each provider from the third country, with adequacy decisions being the primary basis. Information on third-country transfers and existing adequacy decisions can be found on the EU Commission's information page: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=en
EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called "Data Privacy Framework" (DPF), the EU Commission has also recognized the level of data protection as safe for certain companies in the USA under the adequacy decision of July 10, 2023. The list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/. We will inform you in the context of data protection notices which service providers certified under the Data Privacy Framework we use.
Data Deletion
The data processed by us will be deleted or restricted in accordance with legal requirements as soon as the consent allowing for their processing is revoked or other permissions are no longer valid (e.g., if the purpose of processing this data has ceased to exist or they are not necessary for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise, or defense of legal claims or to protect the rights of another natural or legal person. In our privacy notices, we may provide users with further information on deletion and retention of data specific to each processing operation.
Rights of Data Subjects
Rights of data subjects under the GDPR: Data subjects have various rights under the GDPR, particularly deriving from Articles 15 to 21 GDPR:
- Right to Object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Right to Withdraw Consent: You have the right to withdraw consent given at any time.
- Right of Access: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to the personal data and additional information according to legal requirements.
- Right to Rectification: You have the right to obtain the rectification of inaccurate personal data concerning you and to have incomplete personal data completed according to legal requirements.
- Right to Erasure and Restriction of Processing: You have the right to obtain the erasure of personal data concerning you without undue delay or, alternatively, the restriction of processing according to legal requirements.
- Right to Data Portability: You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, or to have that data transmitted to another controller according to legal requirements.
- Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
Use of Cookies
Cookies are small text files or other storage markers that store information on devices and retrieve information from devices. For example, they may store login status in a user account, the contents of a shopping cart in an e-shop, viewed content, or functions used in an online offering. Cookies may also be used for various purposes, such as ensuring the functionality, security, and convenience of online offerings, as well as analyzing visitor flows.
Consent Information: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users unless it is not legally required. Consent is not necessary, in particular, when storing and retrieving information, including cookies, is essential to provide users with a telemedia service (our online offering) explicitly requested by them. Essential cookies typically include cookies with functions related to the display and functionality of the online offering, load balancing, security, storage of user preferences, and choices, or similar purposes related to providing the main and ancillary functions of the online offering requested by users. Revocable consent is clearly communicated to users and includes information about the specific use of cookies.
Data Protection Legal Bases: The legal basis for processing users' personal data through cookies depends on whether we ask users for consent. If users give consent, the legal basis for processing their data is the declared consent. Otherwise, data processed through cookies is based on our legitimate interests (e.g., in the economic operation of our online offering and improving its usability) or, if the use of cookies is necessary to fulfill our contractual obligations, the processing is based on the necessity to fulfill our contractual obligations. We clarify the purposes for which cookies are processed during this privacy policy or as part of our consent and processing processes.
Storage Duration: Regarding the storage duration, the following types of cookies are distinguished:
- Temporary Cookies (also: Session Cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g., browser or mobile application).
- Persistent Cookies: Persistent cookies remain stored even after the device is closed. For example, login status can be saved, or preferred content can be displayed directly when the user revisits a website. The data collected with the help of cookies can also be used for audience measurement. If we do not provide explicit information about the type and storage duration of cookies (e.g., as part of obtaining consent), users should assume that cookies are persistent and can be stored for up to two years.
General Notes on Revocation and Objection (Opt-Out): Users can revoke their given consents at any time and object to processing in accordance with legal requirements. For this purpose, users can restrict the use of cookies in their browser settings (which may also limit the functionality of our online offering). Objection to the use of cookies for online marketing purposes can also be made through the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
- Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).
Additional Information on Processing, Procedures, and Services:
- Processing of Cookie Data Based on Consent: We use a consent management procedure: a procedure for obtaining, logging, managing, and revoking consents, especially for the use of cookies and similar technologies for storing, retrieving, and processing information on users' devices, and their processing. In this context, consents for the use of cookies, or those mentioned in the context of the consent management procedure, are obtained, managed, and revoked by users, and the consent declaration is stored to avoid repeated queries and to be able to prove the consent in accordance with legal obligations. Storage can be done server-side and/or in a cookie (so-called opt-in cookie or using similar technologies) to be able to assign the consent to a user or their device. Subject to individual information about providers of cookie management services, the following information applies: The duration of the storage of consent can be up to two years. A pseudonymous user identifier is created, and the time of consent, information about the scope of consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and device used, are stored; Legal Bases: Consent (Art. 6(1)(a) GDPR).
- Cookiebot: Consent management procedure: a procedure for obtaining, logging, managing, and revoking consents, especially for the use of cookies and similar technologies for storing, retrieving, and processing information on users' devices, and their processing; Service Provider: Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark; Website: https://www.cookiebot.com/de; Privacy Policy: https://www.cookiebot.com/de/privacy-policy/; Data Processing Agreement: Provided by the service provider; Additional Information: Stored data (on the service provider's server): The user's IP number in anonymized form (the last three digits are set to 0), date and time of consent, browser information, the URL from which the consent was sent, an anonymous, random, and encrypted key value, the user's consent status.
Transfer of Data to the Authorized Registration Authority or the Federal Motor Transport Authority (KBA)
In the course of using our deregistration service, we are authorized to transmit the information provided by you on your behalf to the registration authorities, the Federal Motor Transport Authority (KBA), or other authorities related to vehicle deregistration. We are also authorized to store the documents, data, and information transmitted by the registration authorities, the Federal Motor Transport Authority (KBA), or other authorities related to vehicle deregistration for processing purposes for 90 days and to transmit them to you by email.
Business Services
We process data of our contract and business partners, such as customers and prospects (collectively referred to as "contractual partners"), within the framework of contractual and similar legal relationships, as well as related measures and in the context of communication with contractual partners (or pre-contractually), for example, to respond to inquiries.
We process this data to fulfill our contractual obligations. This includes, in particular, the obligation to provide the agreed-upon services, any obligations to update, and remedy defects in warranty and other performance disruptions. In addition, we process the data to safeguard our rights and for the purposes of administrative tasks associated with these obligations and the organization of the company. Furthermore, we process the data based on our legitimate interests in proper and business-like management as well as security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Within the framework of applicable law, we only disclose the data of contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about further processing, e.g., for marketing purposes, within the scope of this privacy policy.
The data necessary for the aforementioned purposes is communicated to contractual partners before or during data collection, e.g., in online forms, through special labeling (e.g., colors) or symbols (e.g., asterisks), or personally.
We delete the data after the expiration of statutory warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal reasons of archiving. The statutory retention period is ten years for tax-relevant documents as well as for commercial books, inventories, opening balances, annual financial statements, and the documents required for understanding these records, and six years for received commercial and business letters and copies of sent commercial and business letters. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance, the annual financial statement, or the management report was prepared, the commercial or business letter was received or sent, or the booking document was created, and the record was made, or the other documents were created.
To the extent that we use third-party providers or platforms to provide our services, the terms and privacy policies of the respective third-party providers or platforms apply in the relationship between users and providers.
- Processed Data Types: Master data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, phone numbers); Contract data (e.g., subject matter of the contract, term, customer category); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).
- Data Subjects: Customers; Prospects; Business and contractual partners.
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Security measures; Contact inquiries and communication; Office and organizational procedures; Management and response to inquiries.
- Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing, Procedures, and Services:
- Online Shop, Order Forms, E-Commerce, and Delivery: We process the data of our customers to enable them to select, purchase, or order the chosen products, goods, and related services, as well as their payment and delivery, or execution. If necessary for the execution of an order, we use service providers, in particular postal, freight, and shipping companies, to carry out the delivery or execution to our customers. For the processing of payment transactions, we use the services of banks and payment service providers. The required details are marked as such within the framework of the order, purchase, or similar ordering process and include the information required for delivery, provision, and billing, as well as contact information to be able to make any inquiries; Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Offer of Software and Platform Services: We process the data of our users, registered and any test users (hereinafter uniformly referred to as "users"), to be able to provide our contractual services to them and, based on legitimate interests, to ensure the security of our offering and to be able to develop it further. The required details are marked as such within the framework of the order, purchase, or similar conclusion of a contract and include the information required for the provision of services and billing, as well as contact information to be able to make any inquiries; Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Processing the de-registration requests: During the de-registration process, we transmit the data to the responsible registration authority via the interface of the Federal Motor Transport Authority (KBA). The interface and the authority process the data on our behalf. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
- Optional transmission of your data to a selected insurance company: As an optional extra, we offer information to the insurance company. We send vehicle data (license plate and chassis number), the customer email address in CC, as well as the deregistration confirmation, which may contain information such as name and address, to the insurance company selected during the deregistration process. The content of the deregistration confirmation is not known to us in advance and is subject to the registration office. Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Verification processes: As part of our registration processes, we require a digital signature from the vehicle owner. For this we use the provider yousign. All data provided is processed, stored and used by the provider as described by their privacy policy. If the verification data is stored (optional), it is subject to yousign's data storage and GDPR. Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Translated with DeepL.com (free version)
Providers and Services Used in the Course of Business Activities
In the course of our business activities, we use additional services, platforms, interfaces, or plugins from third-party providers ("Services") while complying with legal requirements. The use of these services is based on our interests in the proper, lawful, and economical management of our business operations and internal organization.
- Processed Data Types: Master data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Contract data (e.g., subject matter of the contract, term, customer category).
- Data Subjects: Customers; Prospects; Users (e.g., website visitors, users of online services); Business and contractual partners.
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Office and organizational procedures.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing, Procedures, and Services:
- sevDesk: Online software for invoicing, accounting, banking, and tax submission with document storage; Service Provider: sevDesk GmbH, Hauptstraße 115, 77652 Offenburg, Germany; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://sevdesk.de/; Privacy Policy: https://sevdesk.de/datenschutz/. Data Processing Agreement: https://sevdesk.de/datenschutz/.
Payment Methods
In the context of contractual and other legal relationships, based on legal obligations or otherwise on the basis of our legitimate interests, we offer the data subjects efficient and secure payment options and use additional service providers (collectively "payment service providers").
The data processed by the payment service providers include inventory data, such as name and address, bank data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract, sum, and recipient-related information. The information is required to process transactions. However, the entered data is only processed and stored by the payment service providers. In other words, we do not receive account or credit card-related information, but only information with confirmation or negative disclosure of the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit reporting agencies. This transmission serves the purpose of identity and creditworthiness checks. For this, we refer to the terms and privacy policies of the payment service providers.
The terms and privacy policies of the respective payment service providers, which can be accessed within the respective websites or transaction applications, apply to payment transactions. We also refer to these for further information and the assertion of revocation, information, and other data subject rights.
- Processed Data Types: Master data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contract data (e.g., subject matter of the contract, term, customer category); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).
- Data Subjects: Customers; Prospects.
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations.
- Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Additional Information on Processing, Procedures, and Services:
- Stripe: Payment services (technical integration of online payment methods); Service Provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://stripe.com; Privacy Policy: https://stripe.com/de/privacy. Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF).
Provision of Online Services and Web Hosting
We process user data to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.
- Processed Data Types: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status); Content data (e.g., entries in online forms).
- Data Subjects: Users (e.g., website visitors, users of online services); Business and contractual partners.
- Purposes of Processing: Provision of our online services and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures; Content Delivery Network (CDN).
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing, Procedures, and Services:
- Provision of Online Offer on Rented Storage Space: For providing our online offer, we use storage space, computing capacity, and software rented or otherwise obtained from a server provider (also called "web hoster"); Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Collection of Access Data and Log Files: Access to our online offer is logged in the form of so-called "server log files." Server log files may include the address and name of the accessed websites and files, date and time of access, transmitted data volumes, message about successful retrieval, browser type and version, user's operating system, referrer URL (previously visited page), and, as a rule, IP addresses and the requesting provider. Server log files may be used for security purposes, e.g., to avoid overloading servers (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure the load and stability of the servers; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR). Data Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further storage is necessary for evidentiary purposes is exempted from deletion until the final clarification of the respective incident.
- ALL-INKL: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service Provider: ALL-INKL.COM - Neue Medien Münnich, Owner: René Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://all-inkl.com/; Privacy Policy: https://all-inkl.com/datenschutzinformationen/. Data Processing Agreement: Provided by the service provider.
- Amazon Web Services (AWS): Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service Provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://aws.amazon.com/de/; Privacy Policy: https://aws.amazon.com/de/privacy/; Data Processing Agreement: https://aws.amazon.com/de/compliance/gdpr-center/. Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://aws.amazon.com/service-terms/).
- Cloudflare: Content Delivery Network (CDN) - Service that helps deliver content of an online offer, especially large media files such as graphics or program scripts, faster and more securely using regionally distributed and internet-connected servers; Service Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.cloudflare.com; Privacy Policy: https://www.cloudflare.com/privacypolicy/; Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.cloudflare.com/cloudflare-customer-scc/).
- Vercel: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacities) as well as development environment; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Standard Contractual Clauses: https://vercel.com/legal/dpa; Data Processing Agreement: https://vercel.com/legal/dpa; Service Provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA; Website: https://vercel.com. Privacy Policy: https://vercel.com/legal/privacy-policy.
Special Notes on Applications (Apps)
We process user data of our application to the extent necessary to provide users with the application and its functionalities, monitor its security, and further develop it. We may also contact users, in compliance with legal requirements, if communication is necessary for the administration or use of the application. In all other respects, we refer to the data protection information in this privacy policy.
Legal Bases: The processing of data necessary for providing the functionalities of the application serves the fulfillment of contractual obligations. This also applies if the provision of functions requires authorization from users (e.g., permissions for device functions). If the processing of data for the provision of application functionalities is not necessary but serves the security of the application or our business interests (e.g., collection of data for optimization or security purposes), it is based on our legitimate interests. If users are expressly asked for their consent to the processing of their data, the processing of the data covered by the consent is based on the consent.
- Processed Data Types: Master data (e.g., names, addresses); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status); Payment data (e.g., bank details, invoices, payment history); Contract data (e.g., subject matter of the contract, term, customer category); Image and/or video recordings (e.g., photographs or video recordings of a person).
- Data Subjects: Users (
e.g., website visitors, users of online services).
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations.
- Legal Bases: Consent (Art. 6(1)(a) GDPR); Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing, Procedures, and Services:
- Commercial Use: We process user data of our application, registered and any trial users (hereinafter uniformly referred to as "users") to provide them with our contractual services and, based on legitimate interests, to ensure the security and further development of our application. The required information is marked as such within the scope of the user, order, order, or similar contract conclusion and may include information required for performance and any invoicing, as well as contact information to be able to make inquiries; Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Storage of a Universal and Unique Identifier (UUID): For the purpose of analyzing the use and functionality of the application and storing user settings, the application stores a so-called universal and unique identifier (UUID). This identifier is generated upon installation of this application (but is not associated with the device, so no device identification in this sense), remains stored between the start of the application and its updates, and is deleted when users remove the application from their device.
- Device Permissions for Access to Functions and Data: The use of our application or its functionalities may require user permissions to access certain functions of the devices used or to access data stored on the devices or accessible through the devices. By default, these permissions must be granted by users and can be revoked at any time in the settings of the respective devices. The exact procedure for controlling app permissions may depend on the device and software used by users. If there is a need for explanation, users can contact us. We point out that the denial or revocation of the respective permissions may affect the functionality of our application.
- Access to the Camera and Stored Recordings: In the course of using our application, image and/or video recordings (including audio recordings) of users (and of others, persons captured by the recordings) are processed by accessing the camera functions or stored recordings. Access to camera functions or stored recordings requires revocable permission from users. The processing of image and/or video recordings is only for providing the respective functionality of our application, as described to users, or its typical and expected functionality.
Acquisition of Applications via App Stores
Our application is acquired through specific online platforms operated by other service providers (so-called "App Stores"). In this context, the data protection guidelines of the respective App Stores apply in addition to our data protection information. This particularly applies to the methods used for reach measurement and interest-based marketing on the platforms, as well as any associated costs.
- Processed Data Types: Master data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, phone numbers); Contract data (e.g., subject matter of the contract, term, customer category); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status); Content data (e.g., entries in online forms).
- Data Subjects: Customers; Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations. Marketing.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing, Procedures, and Services:
- Apple App Store: App and software sales platform; Service Provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.apple.com/de/app-store/. Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.
Blogs and Publication Media
We use blogs or similar means of online communication and publication (hereinafter "publication medium"). Reader data is processed for the purposes of the publication medium only to the extent necessary for its presentation and communication between authors and readers or for security reasons. Otherwise, we refer to the information on the processing of visitors to our publication medium within the scope of this data protection information.
- Processed Data Types: Master data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Feedback (e.g., collecting feedback via online form). Provision of our online offer and user-friendliness.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Contact and Inquiry Management
When contacting us (e.g., by post, contact form, email, phone, or via social media) and within existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to answer the contact inquiries and any requested measures.
- Processed Data Types: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).
- Data Subjects: Communication partners.
- Purposes of Processing: Contact inquiries and communication; Management and response to inquiries; Feedback (e.g., collecting feedback via online form). Provision of our online offer and user-friendliness.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR). Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Additional Information on Processing, Procedures, and Services:
- Contact Form: When users contact us via our contact form, email, or other communication channels, we process the data communicated to us in this context to handle the reported matter; Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).
- WhatsApp Business: When users contact us via our WhatsApp channel, the data is stored and processed by WhatsApp (Meta Inc.). You can find Meta's privacy policy here Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Telephone: If users call us by telephone, the telephone calls are managed by our provider sipgate. Telephone calls are not stored beyond the call logs. You can find the data protection conditions of sipgate GmbH here Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR), Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).
Cloud Services
We use software services accessible via the internet and executed on the servers of their providers (so-called "Cloud Services," also referred to as "Software as a Service") for the storage and management of content (e.g., document storage and management, exchange of documents, content, and information with specific recipients, or publication of content and information).
In this context, personal data may be processed and stored on the servers of the providers, to the extent that they are part of communication processes with us or are otherwise processed by us, as outlined in this privacy policy. This data may include, in particular, master data and contact data of users, data on transactions, contracts, and other processes and their contents. The providers of cloud services also process usage data and metadata, which they use for security purposes and service optimization.
If, through the use of cloud services, we provide forms or other documents and content for other users or publicly accessible websites, the providers may store cookies on users' devices for the purpose of web analysis or to remember user settings (e.g., in the case of media control).
- Processed Data Types: Master data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).
- Data Subjects: Customers; Employees (e.g., staff, applicants, former employees); Prospects; Communication partners; Users (e.g., website visitors, users of online services).
- Purposes of Processing: Office and organizational procedures. Information technology infrastructure (operation and provision of information systems and technical equipment such as computers, servers, etc.).
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing, Procedures, and Services:
- Google Workspace: Cloud-based application software (e.g., text and spreadsheet processing, calendar and contact management), cloud storage, and cloud infrastructure services; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://workspace.google.com/; Privacy Policy: https://policies.google.com/privacy; Data Processing Addendum: https://cloud.google.com/terms/data-processing-addendum; Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://cloud.google.com/terms/eu-model-contract-clause). Additional Information: https://cloud.google.com/privacy.
Newsletter and Electronic Notifications
We send newsletters, emails, and other electronic notifications (hereinafter "Newsletter") only with the consent of the recipients or legal permission. If the contents of a newsletter are specifically described within the scope of registration, they are decisive for the users' consent. In addition, our newsletters contain information about our services and us.
To subscribe to our newsletters, it is generally sufficient to provide your email address. However, we may ask you to provide a name for personal address in the newsletter, or additional information if required for the purposes of the newsletter.
Double-Opt-In Procedure: The registration for our newsletter generally takes place in a so-called double-opt-in procedure. This means that after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary so that nobody can register with someone else's email address. Newsletter registrations are logged to provide evidence of the registration process in accordance with legal requirements. This includes the storage of the registration and confirmation time, as well as the IP address. Changes to your data stored with the shipping service provider are also logged.
Deletion and Restriction of Processing: We can store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, to be able to prove a formerly given consent. The processing of this data is limited to the purpose of possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose on a blocking list (so-called "blocklist").
The logging of the registration process is carried out based on our legitimate interests for the purpose of proving its proper course. If we commission a service provider with the dispatch of emails, this is done on the basis of our legitimate interests in an efficient and secure dispatch system.
Contents:
Information about us, our services, actions, and offers.
- Processed Data Types: Master data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status); Usage data (e.g., visited websites, interest in content, access times).
- Data Subjects: Communication partners.
- Purposes of Processing: Direct marketing (e.g., by email or postal); Reach measurement (e.g., access statistics, recognition of recurring visitors).
- Legal Bases: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
- Possibility of Objection (Opt-Out): You can cancel the receipt of our newsletter at any time, i.e., revoke your consent or object to further receipt. A link to cancel the newsletter can be found either at the end of each newsletter or you can use one of the contact options provided above, preferably by email.
Additional Information on Processing, Procedures, and Services:
- Brevo: Email delivery and automation services; Service Provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.brevo.com/; Privacy Policy: https://www.brevo.com/legal/privacypolicy/. Data Processing Agreement: Provided by the service provider.
- Sendgrid: Email delivery and automation services; Service Provider: Sendgrid, 1801 California Street, Denver, USA; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://sendgrid.com/en-us/; Privacy Policy: https://www.twilio.com/en-us/legal/privacy. Data Processing Agreement: Provided by the service provider.
Web Analytics, Monitoring, and Optimization
Web analytics (also referred to as "reach measurement") is used to evaluate the visitor traffic to our online offering and can include pseudonymous values such as behavior, interests, or demographic information about visitors, such as age or gender. With the help of reach analysis, we can, for example, determine the times at which our online offering or its functions or content are most frequently used or invite reuse. Likewise, we can track which areas need optimization.
In addition to web analytics, we may also use testing procedures to test and optimize different versions of our online offering or its components.
Unless otherwise specified below, profiles, i.e., data combined for the purpose of a usage process, can be created for these purposes, and information can be stored and read from this information in a browser or on an end device. The information collected includes, in particular, visited websites and elements used there, as well as technical information such as the browser used, the computer system used, and information about usage times. If users have consented to the collection of their location data to us or to the providers of the services we use, location data may also be processed.
The IP addresses of users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, clear data of users (such as email addresses or names) is not stored during web analytics, A/B testing, and optimization; only pseudonyms are stored. This means that we and the providers of the software used do not know the actual identity of users, but only the information stored in their profiles for the purposes of the respective procedures.
- Processed Data Types: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Reach measurement (e.g., access statistics, recognition of recurring visitors); Profiles with user-related information (creation of user profiles). Provision of our online offering and user-friendliness.
- Security Measures: IP masking (pseudonymization of the IP address).
- Legal Bases: Consent (Art. 6(1)(a) GDPR).
Additional Information on Processing, Procedures, and Services:
- Google Analytics: We use Google Analytics to measure and analyze the usage of our online offering based on a pseudonymous user identification number. This identification number does not contain unique data such as names or email addresses. It is used to assign analysis information to an end device to recognize which content users have accessed within one or multiple usage processes, which search terms they have used, accessed again, or interacted with our online offering. The time of use and its duration are also stored, as well as the sources of users who refer to our online offering and technical aspects of their end devices and browsers. Pseudonymous profiles of users with information from the usage of different devices are created, with cookies possibly being used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides rough geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). In EU data traffic, IP address data is used solely for this derivation of geolocation data before being immediately deleted. They are not logged, not accessible, and not used for any other purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded for processing on Analytics servers; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Possibility of Objection (Opt-Out): Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for displaying ads: https://myadcenter.google.com/personalizationoff. Additional Information: https://business.safety.google/adsservices/ (Types of processing and data processed).
- Sentry: We use Sentry to measure and analyze the usage of our online offering based on a pseudonymous user identification number. This identification number does not contain unique data such as names or email addresses. It is used to assign analysis information to an end device to recognize which content users have accessed within one or multiple usage processes, which search terms they have used, accessed again, or interacted with our online offering. The time of use and its duration are also stored, as well as the sources of users who refer to our online offering and technical aspects of their end devices and browsers. Pseudonymous profiles of users with information from the usage of different devices are created, with cookies possibly being used. Sentry does not log or store individual IP addresses for EU users. Analytics provides rough geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). In EU data traffic, IP address data is used solely for this derivation of geolocation data before being immediately deleted. They are not logged, not accessible, and not used for any other purposes. When Sentry collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded for processing on Analytics servers; Service Provider: Sentry, Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://sentry.io/privacy/; Privacy Policy: https://sentry.io/privacy; Data Processing Agreement: https://sentry.io/legal/dpa/; Further Informationen: https://sentry.io/legal/ (Types of processing and data processed).
Online Marketing
We process personal data for the purposes of online marketing, which includes the marketing of advertising space or the display of advertising and other content (collectively referred to as "content") based on potential user interests, as well as the measurement of their effectiveness.
For these purposes, user profiles are created and stored in a file (so-called "cookie") or similar methods are used to store information relevant to the user for the display of the aforementioned content. This information may include, for example, viewed content, visited websites, used online networks, as well as communication partners and technical information such as the browser used, the computer system used, and information about usage times and functions used. If users have consented to the collection of their location data, this data may also be processed.
The IP addresses of users are also stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. In general, clear data of users (such as email addresses or names) is not stored in online marketing procedures; only pseudonyms are stored. This means that we and the providers of online marketing procedures do not know the actual identity of users, but only the information stored in their profiles for the purposes of the respective procedures.
The information in the profiles is usually stored in cookies or similar methods. These cookies can generally be read on other websites that use the same online marketing procedure, analyzed for the purpose of displaying content, supplemented with additional data, and stored on the server of the online marketing procedure provider.
Exceptionally, clear data can be assigned to the profiles. This is the case, for example, if users are members of a social network whose online marketing procedure we use, and the network connects the profiles of users with the aforementioned information. Please note that users may make additional agreements with the providers, for example, through consent during registration.
We generally only have access to aggregated information about the success of our advertisements. However, within the scope of so-called conversion measurements, we can check which of our online marketing procedures led to a so-called conversion, i.e., for example, to a conclusion of a contract with us. Conversion measurement is used solely for the analysis of the success of our marketing measures.
Unless otherwise stated, please assume that cookies used are stored for a period of two years.
- Processed Data Types: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status); Event data (Facebook) ("Event data" are data that can be transmitted to Facebook, for example, via Facebook Pixel (via apps or other means) by us and relate to individuals or their actions; Data includes, for example, information about visits to websites, interactions with content, features, app installations, product purchases, etc.; event data is processed for the purpose of creating target groups for content and advertising information (custom audiences); event data does not include the actual content (such as written comments), login information, and contact information (i.e., no names, email addresses, and phone numbers). Event data is deleted by Facebook after a maximum of two years, and target groups formed from them are deleted with the deletion of our Facebook account).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Reach measurement (e.g., access statistics, recognition of recurring visitors); Tracking (e.g., interest-/behavior-based profiling, use of cookies); Marketing; Profiles with user-related information (creation of user profiles); Conversion measurement (measurement of the effectiveness of marketing measures); Audience targeting. Provision of our online offering and user-friendliness.
- Security Measures: IP masking (pseudonymization of the IP address).
- Legal Bases: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
- Possibility of Objection (Opt-Out): We refer to the data protection notices of the respective providers and the opt-out options provided by the providers (so-called "opt-out"). If no explicit opt-out option has been specified, there is the possibility to disable cookies in the settings of your browser. However, this may restrict the functionality of our online offering. We therefore recommend the following opt-out options, which are summarized for specific areas:
a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-region: https://optout.aboutads.info.
Additional Information on Processing, Procedures, and Services:
- AdMob: Platform for displaying advertising content in mobile applications; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6(1)(a) GDPR); Website: https://admob.google.com/home/; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adscontrollerterms/). Additional Information: Processing by Google as the data controller: https://business.safety.google/adscontrollerterms/.
- Google Ads and Conversion Measurement: Online marketing procedure for placing content and ads within the service provider's advertising network (e.g., in search results, in videos, on websites, etc.) so that they are displayed to users who have a presumed interest in the ads. In addition, we measure the conversion of ads, i.e., whether users have interacted with the ads and used the advertised offers (so-called conversion). However, we only receive anonymous information and no personal information about individual users; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6(1)(a) GDPR), Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF); Additional Information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.
- Google AdSense with non-personalized ads: We use the Google AdSense service with non-personalized ads, which helps to display ads within our online offering and for which we receive compensation for their display or other use; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF); Additional Information: Types of processing and data processed: https://business.safety.google/adsservices/. Google Ads Controller-Controller Data Protection Terms and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
- Instagram Advertising: Placement of advertisements within the Instagram platform and evaluation of advertising results; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Bases: Consent (Art. 6(1)(a) GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy; Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF); Possibility of Objection (Opt-Out): We refer to the privacy and advertising settings in the user's profile on the Instagram platform, as well as within Instagram's consent process and Instagram's contact options for exercising information and other data subject rights in Instagram's privacy policy; Additional Information: Event data of users, i.e., behavioral and interest-related information, is processed for the purposes of targeted advertising and audience building based on the agreement on joint responsibility ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of data is the sole responsibility of Meta Platforms Ireland Limited, which includes the transmission of data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
Social Media Presences
We maintain online presences within social networks and process user data in this context to communicate with users active on these platforms or to provide information about us.
Please note that user data may be processed outside the European Union, which may pose risks to users as the enforcement of user rights could be more challenging.
Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and resulting interests. These user profiles can, in turn, be used to display advertisements within and outside the networks that presumably match the users' interests. For these purposes, cookies are usually stored on users' computers, in which user behavior and interests are stored. Additionally, data may be stored in user profiles independently of the devices used by users (especially if users are members of the respective platforms and are logged in).
For a detailed presentation of the respective processing methods and opt-out options, we refer to the privacy policies and information of the operators of the respective networks.
Even in the case of information requests and the assertion of data subject rights, we point out that these can be most effectively asserted with the providers. Only the providers have access to the data of users and can directly take appropriate measures and provide information. If you still need assistance, you can contact us.
- Processed Data Types: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Contact inquiries and communication; Feedback (e.g., collecting feedback via online forms); Marketing.
- Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing, Procedures, and Services:
- Instagram: Social network; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com. Privacy Policy: https://instagram.com/about/legal/privacy.
- LinkedIn: Social network; Service Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa); Opt-Out Option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out; Additional Information: We, together with LinkedIn Ireland Unlimited Company, are responsible for the collection (but not further processing) of visitor data for the purpose of creating "Page Insights" (statistics) of our LinkedIn profiles. This data includes information about the types of content users view or interact with, or the actions they take, as well as information about the devices used by users (e.g., IP addresses, operating systems, browser types, language settings, cookie data) and information from user profiles, such as job function, country, industry, hierarchy level, company size, and employment status. Privacy information on the processing of user data by LinkedIn can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy We have entered into a special agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum"), https://legal.linkedin.com/pages-joint-controller-addendum, which regulates, in particular, the security measures LinkedIn must observe and in which LinkedIn has agreed to fulfill data subject rights (i.e., users can, for example, direct requests for information or deletion directly to LinkedIn). The rights of users (especially regarding information, deletion, objection, and complaint to the competent supervisory authority) are not limited by the agreements with LinkedIn. Joint responsibility is limited to the collection of data by and the transmission to Ireland Unlimited Company, a company based in the EU. The further processing of data is the sole responsibility of Ireland Unlimited Company, which includes the transmission of data to the parent company LinkedIn Corporation in the USA.
Plugins and Embedded Functions and Content
We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These can include graphics, videos, or maps, uniformly referred to as "content."
The integration always requires that the third-party providers of this content process the IP address of users, as they could not send the content to their browsers without the IP address. The IP address is therefore necessary for the display of this content or functions. We make an effort to only use content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. "Pixel tags" can be used to evaluate information, such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on users' devices and may include technical information about the browser and operating system, referring websites, visit times, as well as other information about the use of our online offering, and may be linked with such information from other sources.
- Processed Data Types: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status); Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of our online offering and user-friendliness.
- Legal Basis: Consent (Art. 6(1)(a) GDPR).
Additional Information on Processing, Procedures, and Services:
- YouTube Videos: Video content; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF). Opt-Out Option: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying advertisements: https://myadcenter.google.com/personalizationoff.
Management, Organization, and Collaboration Tools
We use services, platforms, and software from other providers (hereinafter referred to as "third-party providers") for the purpose of organizing, managing, planning, and providing our services. In selecting third-party providers and their services, we comply with legal requirements.
Within this framework, personal data may be processed and stored on the servers of third-party providers. This may include various data that we process in accordance with this privacy policy. Such data may include, in particular, master data and contact data of users, data on transactions, contracts, other processes, and their contents.
If users are referred to the third-party providers or their software or platforms as part of communication, business, or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization, or marketing purposes. Therefore, we kindly ask you to observe the privacy notices of the respective third-party providers.
- Processed Data Types: Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).
- Data Subjects: Communication partners; Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations. Office and organizational procedures.
- Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing, Procedures, and Services:
- Jira: Web application for bug tracking, issue resolution, and operational project management; Service Provider: Atlassian Inc. (San Francisco, Harrison Street Location), 1098 Harrison Street, San Francisco, California 94103, USA; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.atlassian.com/software/jira; Privacy Policy: https://www.atlassian.com/legal/privacy-policy; Data Processing Addendum: https://www.atlassian.com/legal/data-processing-addendum; Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (Provided by the service provider). Additional Information: Data Transfer Impact Assessment: https://www.atlassian.com/legal/data-transfer-impact-assessment.
Change and Update of the Privacy Policy
We ask you to regularly inform yourself about the content of our privacy policy. We adjust the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time, and we ask you to check the information before contacting us.
Definitions
In this section, you will find an overview of the terms used in this privacy policy. Where the terms are legally defined, their legal definitions apply. The following explanations are primarily intended to aid understanding.
- Content Delivery Network (CDN): A "Content Delivery Network" (CDN) is a service that helps deliver content of an online offering, especially large media files such as graphics or program scripts, faster and more securely, using regionally distributed servers connected via the Internet.
- Conversion Measurement: Conversion measurement (also known as "visit action evaluation") is a method used to determine the effectiveness of marketing measures. Typically, a cookie is stored on users' devices within the web pages where the marketing measures take place and is then retrieved again on the target web page. For example, this allows us to track whether the ads we placed on other websites were successful.
- Personal Data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more specific characteristics expressing the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Profiles with User-Related Information: The processing of "profiles with user-related information," or simply "profiles," includes any form of automated processing of personal data that involves using this personal data to analyze, evaluate, or predict certain personal aspects related to a natural person (depending on the type of profiling, this may include different information concerning demographics, behavior, and interests, such as interaction with websites and their content, etc.). For profiling purposes, cookies and web beacons are often used.
- Reach Measurement: Reach measurement (also known as web analytics) is used to analyze the visitor flows of an online offering and can include the behavior or interests of visitors in specific information, such as content on websites. Using reach analysis, operators of online offerings can, for example, identify when users visit their websites and what content interests them. This allows them to better tailor the content of the websites to the needs of their visitors. Pseudonymous cookies and web beacons are frequently used for reach analysis to recognize returning visitors and obtain more precise analyses of the use of an online offering.
- Tracking: "Tracking" refers to the ability to trace the behavior of users across multiple online offerings. Typically, behavior and interest information concerning the used online offerings are stored in cookies or on servers of the providers of tracking technologies (so-called profiling). This information can then be used, for example, to display users advertisements that are likely to match their interests.
- Controller: The "controller" is the natural or legal person, authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data.
- Processing: "Processing" is any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and practically includes every handling of data, whether it involves collecting, evaluating, storing, transmitting, or deleting.
- Target Audience Formation: "Target audience formation" (Custom Audiences) refers to the determination of target audiences for advertising purposes, such as displaying advertisements. For example, based on a user's interest in certain products or topics on the Internet, it can be inferred that the user is interested in advertisements for similar products or the online shop where they viewed the products. "Lookalike Audiences" refer to showing the contents considered suitable to users whose profiles or interests are presumed to correspond to those of the users for whom the profiles were created. Cookies and web beacons are usually used for the purpose of creating Custom Audiences and Lookalike Audiences.