Privacy Policy
Preamble
With the following privacy policy, we aim to inform you about the types of your personal data (hereinafter also referred to shortly as "data") that we process, the purposes for which we process them, and the extent of such processing. This privacy policy applies to all processing of personal data carried out by us, both in the provision of our services and particularly on our websites, within mobile applications, and in external online presences, such as our social media profiles (hereinafter collectively referred to as the "online offering").
The terms used are not gender-specific.
Effective Date: August 15, 2023
Table of Contents
- Preamble
- Data Controller
- Overview of Processing Activities
- Relevant Legal Bases
- Security Measures
- Transfer of Personal Data
- International Data Transfers
- Rights of Data Subjects
- Use of Cookies
- Business Services
- Use of Online Platforms for Marketing and Sales Purposes
- Providers and Services Used in the Course of Business Activities
- Payment Processing
- Provision of the Online Offering and Web Hosting
- Special Notes on Applications (Apps)
- Registration, Sign-In, and User Accounts
- Blogs and Publishing Media
- Contact and Inquiry Management
- Communication via Messenger
- Chatbots and Chat Functions
- Push Notifications
- Video Conferences, Online Meetings, Webinars, and Screen Sharing
- Cloud Services
- Newsletters and Electronic Notifications
- Promotional Communication via Email, Mail, Fax, or Telephone
- Contests and Competitions
- Surveys and Polls
- Web Analysis, Monitoring, and Optimization
- Online Marketing
- Offering an Affiliate Program
- Customer Reviews and Rating Processes
- Social Media Presences (Social Media)
- Plugins and Embedded Features and Content
- Change and Update of the Privacy Policy
- Definitions
Data Controller
Hakan Cirag / LaClass
Ida-Dehmel-Ring 8
68309 Mannheim
Email Address:
hakan.cirag@laclass.de
Impressum (Legal Notice):
https://laclass.de/en/pages/legal-notice
Relevant Legal Bases
Relevant legal bases according to the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Moreover, if more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Contractual Performance and Pre-Contractual Inquiries (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal Obligation (Art. 6(1)(c) GDPR) - Processing is necessary for compliance with a legal obligation to which the data controller is subject.
- Legitimate Interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National Data Protection Regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains special regulations, in particular regarding the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases, including profiling. In addition, data protection laws of the individual federal states (Landesdatenschutzgesetze) may apply.
Note on the Applicability of GDPR and Swiss Data Protection Act: These data protection notices serve both to provide information under the Swiss Federal Data Protection Act (Schweizer DSG) as well as the General Data Protection Regulation (GDPR). For this reason, please note that due to the broader geographical application and comprehensibility, the terms of the GDPR are used. Specifically, the terms "processing" of "personal data," "legitimate interest," and "special categories of data" used in the GDPR are used instead of the terms "treatment" of "personal data," "overriding interest," and "particularly worthy of protection personal data" used in the Swiss DSG. However, the legal meaning of the terms will continue to be determined by the Swiss DSG within the scope of the applicability of the Swiss DSG.
Overview of Processing Activities
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects affected.
Types of Processed Data
- Master Data.
- Payment Data.
- Location Data.
- Contact Data.
- Content Data.
- Contract Data.
- Usage Data.
- Meta, Communication, and Process Data.
- Event Data (Facebook).
Categories of Affected Persons
- Customers.
- Employees.
- Prospects.
- Communication Partners.
- Users.
- Contest and Competition Participants.
- Business and Contractual Partners.
- Participants.
- Depicted Persons.
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations.
- Contact inquiries and communication.
- Security measures.
- Direct marketing.
- Reach measurement.
- Tracking.
- Office and organizational procedures.
- Conversion measurement.
- Audience targeting.
- Affiliate tracking.
- Management and response to inquiries.
- Conducting contests and competitions.
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online offering and user-friendliness.
- Information technology infrastructure.
Security Measures
We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihoods and severity of threats to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, availability, and separation of the data concerned. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, the deletion of data, and responses to data breaches. We also consider the protection of personal data in the development or selection of hardware, software, and procedures, in accordance with the principle of data protection through technology design and privacy-friendly default settings.
TLS encryption (https): To protect the data transmitted via our online offering, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
Transmission of Personal Data
In the course of our processing of personal data, it may happen that the data is transferred to other entities, companies, legally independent organizational units, or individuals or disclosed to them. Recipients of this data may include service providers or providers of services and content who are entrusted with IT tasks or integrated into a website. In such cases, we comply with legal requirements and conclude appropriate contracts or agreements with the recipients of your data to protect your data.
International Data Transfers
Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if processing takes place in the context of using third-party services or disclosing/transferring data to other individuals, entities, or companies, this only occurs in compliance with legal requirements.
Subject to explicit consent or contractually or legally required transfers (see Art. 49 GDPR), we process or have data processed in third countries only with an acknowledged level of data protection (Art. 45 GDPR), compliance with contractual obligations using the European Commission's standard contractual clauses (Art. 46 GDPR), or in the presence of certifications or binding internal data protection regulations (see Art. 44 to 49 GDPR, Information page of the European Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).
EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called "Data Privacy Framework" (DPF), the European Commission has also recognized the level of data protection as safe for certain companies in the USA, based on the adequacy decision of July 10, 2023. The list of certified companies and further information about the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/. We inform you in the context of the privacy policy which of our service providers are certified under the Data Privacy Framework.
Disclosure of personal data abroad: According to Swiss data protection law (DSG), we only disclose personal data abroad if adequate protection of the data subjects is guaranteed (Art. 16 Swiss DSG). If the Federal Council does not establish adequate protection, we take alternative security measures. These may include international agreements, specific guarantees, data protection clauses in contracts, standard data protection clauses approved by the Federal Data Protection and Information Commissioner (FDPIC), or internal data protection regulations recognized in advance by the FDPIC or a competent data protection authority of another country.
According to Art. 16 of the Swiss DSG, exceptions for the disclosure of data abroad can be granted if certain conditions are met, including the consent of the data subject, contract fulfillment, public interest, protection of life or physical integrity, publicly available data, or data from a legally required register. These disclosures always comply with legal requirements.
Rights of Data Subjects
Rights of data subjects under the GDPR: Data subjects have various rights under the GDPR, particularly as outlined in Articles 15 to 21 of the GDPR:
- Right to object: Data subjects have the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. If personal data is processed for direct marketing purposes, data subjects have the right to object to the processing of their personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Right to withdraw consent: Data subjects have the right to withdraw consent they have given at any time.
- Right to information: Data subjects have the right to obtain confirmation as to whether personal data concerning them is being processed, and, where that is the case, access to the personal data and information regarding its processing, according to the legal requirements.
- Right to rectification: Data subjects have the right to obtain the rectification of inaccurate personal data concerning them.
- Right to erasure and restriction of processing: Data subjects have the right, subject to legal requirements, to obtain the erasure of personal data concerning them without undue delay, or alternatively, to obtain the restriction of processing.
- Right to data portability: Data subjects have the right to receive the personal data concerning them, which they have provided, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller.
- Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes the GDPR.
Rights of data subjects under the Swiss DSG: Data subjects have the following rights in accordance with the provisions of the Swiss DSG:
- Right to information: Data subjects have the right to obtain confirmation as to whether personal data concerning them is being processed and to receive the information necessary for exercising their rights under this law and ensuring transparent data processing.
- Right to disclosure or transmission of data: Data subjects have the right to request the disclosure of their personal data that they have provided to us in a common electronic format.
- Right to rectification: Data subjects have the right to request the rectification of incorrect personal data concerning them.
- Right to object, erasure, and destruction: Data subjects have the right to object to the processing of their data and to request the erasure or destruction of their personal data, in accordance with the provisions of the Swiss DSG.
Use of Cookies
Cookies are small text files or other storage markers that store information on end devices and retrieve information from end devices. For example, they store login status in a user account, shopping cart contents in an online shop, accessed content, or used functions of an online offer. Cookies can also be used for various purposes, such as functionality, security, and convenience of online offers, as well as for analyzing visitor flows.
Consent Notes: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users unless it is not required by law. Consent is not necessary, in particular, if storing and retrieving information, including cookies, is absolutely necessary to provide users with a telemedia service (our online offer) explicitly requested by them. Essential cookies usually include cookies with functions related to displaying and operating the online offer, load balancing, security, storing user preferences and choices, or similar purposes related to providing the main and secondary functions of the requested online offer. Revocable consent is clearly communicated to users and contains information about the respective cookie usage.
Notes on Data Protection Legal Bases: The legal basis for processing users' personal data through cookies depends on whether we ask users for consent. If users give their consent, the legal basis for processing their data is the declared consent. Otherwise, data processed through cookies is based on our legitimate interests (e.g., in the operational management of our online offer and improving its usability) or, if necessary to fulfill our contractual obligations, the use of cookies to fulfill our contractual obligations. We clarify the purposes for which we process cookies in this privacy policy or as part of our consent and processing procedures.
Storage Duration: Regarding storage duration, the following types of cookies are distinguished:
- Temporary Cookies (also known as Session Cookies): Temporary cookies are deleted at the latest after a user leaves an online offer and closes their end device (e.g., browser or mobile application).
- Persistent Cookies: Persistent cookies remain stored even after the end device is closed. For example, the login status can be stored, or preferred content can be displayed directly when the user revisits a website. Similarly, data collected from users through cookies can be used for measuring reach. If we do not provide explicit information about the type and storage duration of cookies (e.g., when obtaining consent), users should assume that cookies are permanent and can have a storage duration of up to two years.
General Notes on Revocation and Objection (so-called "Opt-Out"): Users can revoke their given consents at any time and object to processing in accordance with legal requirements. For this purpose, users can restrict the use of cookies in their browser settings (which may also restrict the functionality of our online offer). Objection to the use of cookies for online marketing purposes can also be made through the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
Processed Data Types: Usage data (e.g., visited web pages, interest in content, access times).
Affected Individuals: Users (e.g., website visitors, users of online services).
Purposes of Processing: Provision of our online offer and user-friendliness.
Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).
Further Notes on Processing Procedures, Methods, and Services:
- Processing of Cookie Data Based on Consent: We use a procedure for cookie consent management in which users' consents for the use of cookies, or the processing and providers mentioned in the context of the cookie consent management procedure, are obtained, managed, and revoked by users. The consent declaration is stored to avoid the need to repeat the request and to be able to prove the consent in accordance with legal obligations. Storage can be done server-side and/or in a cookie (so-called Opt-In Cookie or similar technologies) to assign the consent to a user or their device. Subject to individual information provided by cookie management service providers, the following notes apply: The storage duration of the consent can be up to two years. A pseudonymous user identifier is created in this process and stored together with the time of consent, information about the scope of consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and used end device; Legal Basis: Consent (Art. 6(1)(a) GDPR).
- Cookie Opt-Out: In the footer of our website, you will find a link through which you can change your cookie settings and revoke corresponding consents; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Google Analytics in Consent Mode: In consent mode, Google processes users' personal data for measurement and advertising purposes based on user consent. Consent is obtained from users within the scope of our online services. If user consent is entirely missing, data is processed only on an aggregated (i.e., not individually assigned and summarized) level. If consent only covers statistical measurement, no personal data of users is processed for displaying ads or measuring ad success (so-called "conversion"); Legal Basis: Consent (Art. 6(1)(a) GDPR). Website: https://support.google.com/analytics/answer/9976101?hl=en.
Business Services
We process data of our contractual and business partners, such as customers and prospects (collectively referred to as "contractual partners"), as part of contractual and similar legal relationships, as well as related measures and in the context of communication with contractual partners (or pre-contractually), for example, to respond to inquiries.
We process this data to fulfill our contractual obligations. This includes, in particular, the obligations to provide the agreed-upon services, any updating obligations, and remedies for warranty and other performance disruptions. Furthermore, we process the data to protect our rights and for the purposes of administrative tasks associated with these obligations and organizational matters. Additionally, we process the data based on our legitimate interests in proper and business-like management as well as in security measures to protect our contractual partners and business operations from misuse and from the compromise of their data, secrets, information, and rights (e.g., involving telecommunications, transportation, and other support services, as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Under applicable law, we only disclose contractual partner data to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Further processing, such as for marketing purposes, will be communicated to contractual partners within the scope of this privacy policy.
We inform contractual partners which data is necessary for the aforementioned purposes before or during the data collection process, for example, in online forms, through special markings (e.g., colors) or symbols (e.g., asterisks), or in person.
We delete the data after the expiration of statutory warranty and comparable obligations, generally after 4 years, unless the data is stored in a customer account, for example, as long as it needs to be retained for legal archiving reasons. The statutory retention period for tax-relevant documents, as well as for commercial books, inventories, opening balance sheets, annual financial statements, the required operating instructions for understanding these documents, and other organizational documents and booking records, is ten years. In the case of received business and commercial letters and copies of sent business and commercial letters, the retention period is six years. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual financial statement, or the management report was prepared, the business or commercial letter was received or sent, or the booking record was created, or the record was made, or the other documents were created.
Where we use third-party providers or platforms to provide our services, the terms and privacy notices of the respective third-party providers or platforms apply to the relationship between users and providers.
- Processed Data Types: Master data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, telephone numbers); Contract data (e.g., subject matter of the contract, term, customer category); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, timing of events, identification numbers, consent status).
- Data Subjects: Customers; Prospects; Business and contractual partners.
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Security measures; Contact inquiries and communication; Office and organizational procedures; Managing and responding to inquiries; Conversion measurement (measuring the effectiveness of marketing measures); Profiling with user-related information (creating user profiles).
- Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further Notes on Processing Procedures, Methods, and Services:
- Customer Account: Customers can create an account within our online offer (e.g., customer or user account, abbreviated as "customer account"). If the registration of a customer account is required, customers will be notified accordingly, as well as about the required information for registration. Customer accounts are not public and cannot be indexed by search engines. In the context of registration and subsequent logins and uses of the customer account, we store the IP addresses of customers along with the access times to be able to prove registration and prevent potential misuse of the customer account. If the customer account is terminated, the data of the customer account will be deleted after the termination date, unless they need to be retained for other purposes or due to legal requirements (e.g., internal storage of customer data, order processes, or invoices). It is the responsibility of customers to secure their data upon termination of the customer account; Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Customer Loyalty Program / Customer Card: We process customer data within the scope of our customer loyalty program in order to fulfill the services provided to participating customers within the framework of the customer loyalty program. For this purpose, the information collected from customers, if necessary and marked as such, is stored in a profile of the customers. The profile also contains information about the use of the customer loyalty program as well as the utilization of the associated services and benefits, and only if necessary for the aforementioned purposes, it may be disclosed to third parties (e.g., service providers). Customer profiles are deleted after participation is terminated and only archived to the extent required by legal storage purposes or for the fulfillment of legal (up to 11 years for tax-related records from the end of the year of their creation) or contractual claims (up to three years from the end of the year of termination); Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Economic Analysis and Market Research: For operational reasons and to recognize market trends, wishes of contractual partners and users, we analyze the data available to us about business transactions, contracts, inquiries, etc., where contractual partners, prospects, customers, visitors, and users of our online offer may be part of the affected group. The analyses are carried out for the purpose of business evaluations, marketing, and market research (e.g., to determine customer groups with different characteristics). If available, we may also consider the profiles of registered users and their information, e.g., on services used. The analyses are for our use only and are not disclosed externally, unless they are anonymous analyses with summarized, i.e., anonymized values. Furthermore, we respect the privacy of users and process the data for analysis purposes as pseudonymously as possible and, if feasible, anonymously (e.g., as summarized data); Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Shop and E-Commerce: We process the data of our customers to enable them to select, purchase, or order the chosen products, goods, and associated services, as well as to facilitate payment and delivery, or execution. If necessary for the execution of an order, we use service providers, especially postal, shipping, and transport companies, to carry out delivery or execution to our customers. For payment processing, we use the services of banks and payment service providers. The necessary details are marked as such during the order or comparable purchasing process and include the information required for delivery, provision, and billing, as well as contact information to be able to make any inquiries; Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Use of Online Platforms for Marketing and Distribution Purposes
We offer our services on platforms operated by other service providers. In this context, in addition to our privacy policy, the privacy policies of the respective platforms apply. This particularly applies to payment processing and the use of methods for measuring reach and interest-based marketing on the platforms.
- Processed Data Types: Master Data (e.g., names, addresses); Payment Data (e.g., bank account details, invoices, payment history); Contact Data (e.g., email, telephone numbers); Contract Data (e.g., contract subject, duration, customer category); Usage Data (e.g., visited websites, interest in content, access times); Meta, Communication, and Process Data (e.g., IP addresses, time indications, identification numbers, consent status).
- Affected Individuals: Customers.
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations. Marketing.
- Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, methods, and services:
- Amazon: Online marketplace for e-commerce; Service Provider: Amazon EU S.à r.l. (Société à responsabilité limitée), 38 avenue John F. Kennedy, L-1855 Luxembourg; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.amazon.de/; Privacy Policy: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010. Basis for third-country transfer: EU-US Data Privacy Framework (DPF).
- eBay: Online marketplace for e-commerce; Service Provider: eBay Marketplaces GmbH, Helvetiastrasse 15/17, 3005 Bern, Switzerland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.ebay.de/. Privacy Policy: https://www.ebay.de/help/policies/member-behavior-policies/datenschutzerklrung?id=4260.
- Shopify: Platform for offering and conducting e-commerce services. Services and processes conducted in connection with them include online shops, websites, their offers and content, community elements, purchase and payment processes, customer communication, as well as analysis and marketing; Service Provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.shopify.de. Privacy Policy: https://www.shopify.de/legal/datenschutz.
Providers and Services Used in the Course of Business Activities
In the course of our business operations, we use additional services, platforms, interfaces, or plugins from third-party providers ("Services") while adhering to legal requirements. The use of these services is based on our interests in the proper, lawful, and economical management of our business operations and internal organization.
- Processed Data Types: Master Data (e.g., names, addresses); Payment Data (e.g., bank account details, invoices, payment history); Contact Data (e.g., email, telephone numbers); Content Data (e.g., entries in online forms); Contract Data (e.g., contract subject, duration, customer category).
- Affected Individuals: Customers; Interested parties; Users (e.g., website visitors, users of online services); Business and contractual partners.
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations. Office and organizational procedures.
- Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, methods, and services:
- Billbee: Order processing, payment reconciliation, inventory management, and customer data management; Service Provider: Billbee GmbH, Arolser Straße 10, 34477 Twistetal, Germany; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.billbee.io/. Privacy Policy: https://www.billbee.io/datenschutz/.
- Lexoffice: Online software for invoicing, accounting, banking, and tax filing with document storage; Service Provider: Haufe Service Center GmbH, Munzinger Straße 9, 79111 Freiburg, Germany; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.lexoffice.de; Privacy Policy: https://www.lexoffice.de/datenschutz/. Data Processing Agreement: https://www.lexoffice.de/auftragsverarbeitung/.
Payment Methods
In the context of contractual and other legal relationships, legal obligations, or based on our legitimate interests, we offer efficient and secure payment options to individuals. We utilize various service providers, collectively referred to as "payment service providers." These providers process data including customer information such as names, addresses, bank details, credit card numbers, passwords, transaction-specific details, and more. This data is necessary to complete transactions, and it is processed and stored solely by the payment service providers. Consequently, we do not receive account or credit card-related information; we only receive confirmation or negative confirmation of payment. In certain cases, payment service providers may transmit data to credit reporting agencies for identity and credit checks. We refer you to the terms and privacy policies of the payment service providers for more information.
- Processed Data Types: Master Data (e.g., names, addresses); Payment Data (e.g., bank account details, invoices, payment history); Contract Data (e.g., contract subject, duration, customer category); Usage Data (e.g., visited websites, interest in content, access times); Meta, Communication, and Process Data (e.g., IP addresses, time indications, identification numbers, consent status); Contact Data (e.g., email, phone numbers).
- Affected Individuals: Customers. Interested parties.
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations.
- Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Further information on processing procedures, methods, and services:
- Amazon Payments: Payment services (technical integration of online payment methods); Service Provider: Amazon Payments Europe S.C.A. 38 avenue J.F. Kennedy, L-1855 Luxembourg; Legal Basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://pay.amazon.de/. Privacy Policy: https://pay.amazon.de/help/201212490.
- American Express: Payment services (technical integration of online payment methods); Service Provider: American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany; Legal Basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.americanexpress.com/de. Privacy Policy: https://www.americanexpress.com/de/legal/online-datenschutzerklarung.html.
- Apple Pay: Payment services (technical integration of online payment methods); Service Provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal Basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.apple.com/de/apple-pay/. Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.
- Giropay: Payment services (technical integration of online payment methods); Service Provider: giropay GmbH, An der Welle 4, 60322 Frankfurt, Germany; Legal Basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.giropay.de. Privacy Policy: https://www.giropay.de/rechtliches/datenschutzerklaerung/.
- Google Pay: Payment services (technical integration of online payment methods); Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://pay.google.com/intl/de_de/about/. Privacy Policy: https://policies.google.com/privacy.
- Klarna: Payment services (technical integration of online payment methods); Service Provider: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden; Legal Basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.klarna.com/de. Privacy Policy: https://www.klarna.com/de/datenschutz.
- Mastercard: Payment services (technical integration of online payment methods); Service Provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; Legal Basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.mastercard.de/de-de.html. Privacy Policy: https://www.mastercard.de/de-de/datenschutz.html.
- Shop Pay (Shopify): Payment services (technical integration of online payment methods); Service Provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal Basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.shopify.de. Privacy Policy: https://www.shopify.de/legal/datenschutz.
- Visa: Payment services (technical integration of online payment methods); Service Provider: Visa Europe Services Inc., Branch London, 1 Sheldon Square, London W2 6TT, GB; Legal Basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.visa.de. Privacy Policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html.
Provision of Online Offerings and Web Hosting
We process user data to provide our online services. For this purpose, we process the user's IP address, which is necessary to transmit content and features to the user's browser or device.
- Processed Data Types: Usage Data (e.g., visited websites, interest in content, access times); Meta, Communication, and Process Data (e.g., IP addresses, time indications, identification numbers, consent status); Content Data (e.g., entries in online forms); Master Data (e.g., names, addresses); Payment Data (e.g., bank account details, invoices, payment history); Contact Data (e.g., email, phone numbers); Contract Data (e.g., contract subject, duration, customer category).
- Affected Individuals: Users (e.g., website visitors, users of online services); Customers.
- Purposes of Processing: Provision of our online offerings and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices such as computers, servers, etc.); Security measures; Provision of contractual services and fulfillment of contractual obligations.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, methods, and services:
- Provision of Online Offerings on Rented Storage Space: We use storage space, computing capacity, and software obtained from a corresponding server provider (also referred to as "web host") to provide our online offerings; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Collection of Access Data and Log Files: Access to our online offerings is logged through "server log files." Server log files may include the address and name of accessed web pages and files, date and time of access, transferred data volumes, messages about successful access, browser type and version, user's operating system, referrer URL (previously visited page), and typically IP addresses and the requesting provider. Server log files can be used for security purposes, such as preventing server overload (particularly in the case of abusive attacks, e.g., DDoS attacks), and to ensure server load and stability; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR). Data Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data necessary for evidentiary purposes is exempt from deletion until the respective incident is conclusively resolved.
- Email Sending and Hosting: The web hosting services we use also encompass email sending, reception, and storage. For these purposes, recipient and sender addresses, along with further information regarding email dispatch (e.g., involved providers), as well as the content of respective emails, are processed. The aforementioned data can also be processed for the purpose of detecting spam. Please note that emails sent over the internet are generally not encrypted. While emails are often encrypted during transport, they are not encrypted on servers from which they are sent and received (unless an end-to-end encryption method is used). Therefore, we cannot assume responsibility for the transmission path of emails between the sender and our server; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Shopify: Platform offering and performing e-commerce services. This includes online shops, websites, their offerings and content, community elements, purchase and payment processes, customer communication, analysis, and marketing; Service Provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.shopify.de. Privacy Policy: https://www.shopify.de/legal/datenschutz.
- Microsoft Cloud Services: Cloud storage, cloud infrastructure services, and cloud-based application software; Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Parent Company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://microsoft.com/de-de; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security Information: https://www.microsoft.com/de-de/trustcenter; Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for Transfers to Third Countries: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).
Special Notes on Applications (Apps)
We process user data for our application as necessary to provide users with the application and its functionalities, monitor its security, and further develop it. Additionally, we may contact users in accordance with legal requirements if communication is necessary for administrative or application usage purposes. For further details on processing user data, please refer to the data protection information in this privacy policy.
Legal Bases: Processing data necessary for providing the functionalities of the application serves the fulfillment of contractual obligations. This applies even if providing functions requires user authorization (e.g., device function permissions). If data processing for providing the functionalities of the application is not necessary but serves the application's security or our business interests (e.g., data collection for optimizing the application or security purposes), it is based on our legitimate interests. If users explicitly consent to the processing of their data, processing of data covered by the consent is based on that consent.
- Processed Data Types: Master Data (e.g., names, addresses); Meta, Communication, and Process Data (e.g., IP addresses, time indications, identification numbers, consent status); Payment Data (e.g., bank account details, invoices, payment history); Contract Data (e.g., contract subject, duration, customer category).
- Affected Individuals: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations.
- Legal Bases: Consent (Art. 6(1)(a) GDPR); Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Additional information on processing procedures, methods, and services:
- Commercial Use: We process user data for our application, including registered and potential test users (hereinafter collectively referred to as "users"), in order to provide them with our contractual services and, based on legitimate interests, ensure the security and further development of our application. The necessary information is indicated as such within the framework of usage, order, purchase, or comparable contract conclusion and may include the information required for service provision and potential invoicing, as well as contact information for conducting any necessary communications. Legal Basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Registration, Login, and User Accounts:
Users have the option to create a user account. During registration, users are informed of the required mandatory information, which is processed for the purpose of establishing the user account in accordance with contractual obligations. The processed data includes essential login information (username, password, and email address).
As part of using our registration, login features, and user accounts, we record the IP address and timestamp of each user action. This storage is based on our legitimate interests and the users' interests in safeguarding against misuse and unauthorized use. Generally, this data is not shared with third parties, except when necessary for pursuing our claims or as required by law.
Users can receive email notifications regarding activities relevant to their user accounts, such as technical changes.
Processed Data Types: Basic data (e.g., names, addresses); contact data (e.g., email, phone numbers); content data (e.g., inputs in online forms); metadata, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
Data Subjects: Users (e.g., website visitors, users of online services).
Processing Purposes: Provision of contractual services and fulfillment of contractual obligations; security measures; management and response to inquiries; provision of our online offerings and user convenience.
Legal Basis: Contractual performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing Procedures, Methods, and Services:
- Registration with Real Names: Due to the nature of our community, users are required to use their real names when utilizing our service. The use of pseudonyms is not permitted.
- Non-Public User Profiles: User profiles are not publicly visible or accessible.
- No Obligation to Retain Data: Users are responsible for securing their data before the contract's termination. We have the authority to permanently delete all user data stored during the contract period.
Blogs and Publishing Media:
We employ blogs or equivalent means of online communication and publication (referred to as "publication medium"). Reader data is processed for the sole purpose of presenting the publication medium, enabling communication between authors and readers, and ensuring security. Refer to the information on processing visitor data within the context of this privacy policy for further details.
Processed Data Types: Basic data (e.g., names, addresses); contact data (e.g., email, phone numbers); content data (e.g., inputs in online forms); usage data (e.g., visited websites, interest in content, access times); metadata, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
Data Subjects: Users (e.g., website visitors, users of online services).
Processing Purposes: Provision of contractual services and fulfillment of contractual obligations; feedback collection (e.g., via online forms); provision of our online offerings and user convenience; security measures; management and response to inquiries.
Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Comments and Contributions: When users leave comments or other contributions, their IP addresses can be stored based on our legitimate interests. This is done for our protection in case someone leaves unlawful content in comments or contributions (insults, prohibited political propaganda, etc.). In such cases, we could be held responsible for the comment or contribution and thus have an interest in identifying the author. Furthermore, we reserve the right, based on legitimate interests, to process users' data to detect spam. Similarly, we may store users' IP addresses and use cookies for the duration of surveys to prevent multiple votes. Information provided in comments and contributions, including contact and website information, as well as content-related details, will be stored by us permanently until users object. Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
Contact and Inquiry Management:
When contacting us (e.g., via post, contact form, email, phone, or social media) or within existing user and business relationships, the information provided by the inquiring individuals is processed to the extent necessary for responding to contact inquiries and any requested actions.
- Processed Data Types: Contact details (e.g., email, phone numbers); Content data (e.g., inputs in online forms); Usage data (e.g., visited websites, interest in content, access times). Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status).
- Concerned Individuals: Communication partners.
- Processing Purposes: Contact inquiries and communication; Management and response to inquiries; Feedback (e.g., collecting feedback via online forms). Providing our online services and user-friendliness.
- Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR). Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Further Notes on Processing Processes, Procedures, and Services:
- Contact Form: When users contact us via our contact form, email, or other communication channels, we process the data provided in this context to handle the submitted request; Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate Interests (Art. 6(1)(f) GDPR).
Communication via Messengers:
We use messengers for communication purposes and therefore request that you pay attention to the following information about the functionality of messengers, encryption, the use of communication metadata, and your options for objection.
You can also contact us through alternative means, such as phone or email. Please use the contact information provided to you or the contact information provided within our online offerings.
Where end-to-end encryption of content is used, we would like to point out that the communication contents (i.e., the content of the message and attachments such as attached images) are encrypted end-to-end. This means that the content of the messages is not viewable, not even by the messenger providers themselves. You should always use an up-to-date version of the messenger with encryption enabled to ensure the encryption of message contents.
However, we would also like to inform our communication partners that although the messenger providers cannot view the content, they can determine when communication partners are communicating with us and can process technical information about the communication partner's device, as well as location information (known as metadata), depending on the settings of their device.
Notes on Legal Bases:
- If we ask communication partners for permission before communicating with them via messengers, the legal basis for processing their data is their consent. Otherwise, if we do not ask for consent and they contact us, for example, we use messengers in relation to our contractual partners and during the initiation of contracts as a contractual measure, and in relation to other interested parties and communication partners on the basis of our legitimate interests in rapid and efficient communication and in meeting the needs of our communication partners regarding communication via messengers. Furthermore, we would like to inform you that we will not transmit the contact details provided to us to the messengers for the first time without your consent.
Revocation, Objection, and Deletion:
- You can revoke your consent at any time and object to communication with us via messengers at any time. In the case of communication via messengers, we delete the messages in accordance with our general deletion policies (i.e., after the end of contractual relationships, in the context of archiving requirements, etc.), and otherwise as soon as we can assume that any inquiries from communication partners have been answered, if no reference back to a previous conversation is to be expected and deletion does not conflict with legal retention obligations.
Reserving the Right to Refer to Other Communication Channels:
- Finally, we would like to point out that for reasons of security, we reserve the right not to answer inquiries via messengers. This is the case, for example, if contract-related details require special confidentiality or if a response via messenger does not meet formal requirements. In such cases, we will refer you to more appropriate communication channels.
- Processed Data Types: Contact details (e.g., email, phone numbers); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status); Content data (e.g., inputs in online forms).
- Concerned Individuals: Communication partners.
- Processing Purposes: Contact inquiries and communication. Direct marketing (e.g., via email or postal mail).
- Legal Bases: Consent (Art. 6(1)(a) GDPR). Legitimate Interests (Art. 6(1)(f) GDPR).
Further Notes on Processing Processes, Procedures, and Services:
- Instagram: Message sending via the social network Instagram; Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com. Privacy Policy: https://instagram.com/about/legal/privacy.
- Facebook Messenger: Facebook Messenger with end-to-end encryption (end-to-end encryption of Facebook Messenger requires activation unless it is already enabled by default); Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Data Processing Addendum: https://www.facebook.com/legal/terms/dataprocessing. Basis for Transfer to Third Countries: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
- Microsoft Teams: Microsoft Teams - Messenger; Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, Parent Company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-365; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security Information: https://www.microsoft.com/de-de/trustcenter. Basis for Transfer to Third Countries: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).
- WhatsApp: WhatsApp Messenger with end-to-end encryption; Service Provider: WhatsApp Ireland Limited, 4 Grand Canal Quay, Dublin 2, D02 KH28, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.whatsapp.com/; Privacy Policy: https://www.whatsapp.com/legal. Basis for Transfer to Third Countries: EU-US Data Privacy Framework (DPF).
Chatbots and Chat Functions:
We offer online chat and chatbot functionalities as communication options ("Chat Services"). A chat is a real-time online conversation, and a chatbot is software that answers users' questions or provides them with information through messages. When you use our chat functions, we may process your personal data.
If you use our Chat Services within an online platform, your identification number within the respective platform will also be stored. Additionally, we may collect information about which users interact with our Chat Services and when. Furthermore, we store the content of your conversations via Chat Services and log registration and consent processes to comply with legal requirements.
We inform users that the respective platform provider may learn when users communicate with our Chat Services and may collect technical information about the users' devices and, depending on their device settings, location information (known as metadata) for the purposes of optimizing the respective services and ensuring security. Metadata of communication via Chat Services (e.g., information about who communicated with whom) could also be used by the respective platform providers, according to their provisions (referenced for further information), for marketing purposes or displaying tailored advertisements to users.
If users agree to receive regular messages with information from a chatbot, they have the option to unsubscribe from the messages for the future. The chatbot will instruct users on how to unsubscribe using specific terms. Upon unsubscribing from chatbot messages, user data will be deleted from the list of message recipients.
The above information is used to operate our Chat Services, such as addressing users personally, responding to their inquiries, delivering requested content, and improving our Chat Services (e.g., teaching chatbots responses to frequently asked questions or identifying unanswered inquiries).
Notes on Legal Bases:
- We use Chat Services based on user consent if we have obtained users' permission to process their data within the scope of our Chat Services (this applies to cases where users are asked for consent, e.g., for a chatbot to send them regular messages). If we use Chat Services to respond to users' inquiries about our services or company, this is done for contractual and pre-contractual communication. In other cases, we use Chat Services based on our legitimate interests in optimizing Chat Services, their business efficiency, and enhancing users' positive experience.
Revocation, Objection, and Deletion:
- Users can revoke their consent at any time or object to the processing of their data within the scope of our Chat Services.
- Processed Data Types: Contact details (e.g., email, phone numbers); Content data (e.g., inputs in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status); Master data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contract data (e.g., contract subject, duration, customer category).
- Concerned Individuals: Communication partners. Customers.
- Processing Purposes: Contact inquiries and communication; Direct marketing (e.g., via email or postal mail). Provision of contractual services and fulfillment of contractual obligations.
- Legal Bases: Consent (Art. 6(1)(a) GDPR); Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR). Legitimate Interests (Art. 6(1)(f) GDPR).
Further Notes on Processing Processes, Procedures, and Services:
- Shopify: Platform through which e-commerce services are offered and conducted. The services and processes performed in connection with them include online shops, websites, their offers and content, community elements, purchase and payment processes, customer communication, as well as analysis and marketing; Service Provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.shopify.de. Privacy Policy: https://www.shopify.de/legal/datenschutz.
Push Notifications:
With user consent, we can send users so-called "push notifications." These are messages displayed on users' screens, devices, or browsers, even when our online service is not actively being used.
To sign up for push notifications, users must confirm the browser's or device's request to receive push notifications. This consent process is documented and stored. Storage is necessary to determine whether users have consented to receiving push notifications and to provide evidence of such consent. For these purposes, a pseudonymous identifier of the browser (known as a "push token") or the device ID of an end device is stored.
Push notifications may be necessary for fulfilling contractual obligations (e.g., relevant technical and organizational information for using our online service) and otherwise, unless specifically mentioned below, are sent based on user consent. Users can change their receipt of push notifications at any time using the notification settings of their respective browsers or devices.
Processed Data Types: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status).
Concerned Individuals: Communication partners.
Processing Purposes: Provision of our online services and user-friendliness; Reach measurement (e.g., access statistics, recognition of recurring visitors); Direct marketing (e.g., via email or postal mail).
Legal Bases: Consent (Art. 6(1)(a) GDPR); Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Further Notes on Processing Processes, Procedures, and Services:
- Push Notifications with Promotional Content: The push notifications we send may include promotional information. Promotional push notifications are processed based on user consent. If the contents of the promotional push notifications are specifically described as part of the consent to receive them, these descriptions are binding for user consent. Our newsletters also contain information about our services and us; Legal Basis: Consent (Art. 6(1)(a) GDPR).
- Analysis and Success Measurement: We statistically analyze push notifications to determine whether and when they were displayed and clicked. This information is used for the technical improvement of our push notifications based on technical data, target groups, their retrieval behavior, or retrieval times. This analysis also includes determining whether push notifications are opened, when they are opened, and whether users interact with their content or buttons. Although this information can be assigned to individual recipients of push notifications for technical reasons, it is neither our intention nor, if applicable, that of the push notification service provider, to monitor individual users. Instead, the analyses help us recognize user usage patterns and adjust our push notifications to them or send different push notifications according to users' interests. The analysis of push notifications and success measurement is based on the explicit consent of users, which is given when agreeing to receive push notifications. Users can object to the analysis and success measurement by unsubscribing from push notifications. Unfortunately, a separate revocation of analysis and success measurement is not possible; Legal Basis: Consent (Art. 6(1)(a) GDPR).
Video Conferences, Online Meetings, Webinars, and Screen Sharing:
We use platforms and applications from other providers ("Conference Platforms") for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings ("Conferences"). When selecting Conference Platforms and their services, we adhere to legal requirements.
Data Processed by Conference Platforms:
During participation in a Conference, Conference Platforms process the following personal data of participants. The extent of processing depends on the data required for a specific Conference (e.g., access data or clear names) and optional information provided by participants. In addition to processing for the purpose of conducting the Conference, participant data may also be processed by Conference Platforms for security purposes or service optimization. Processed data includes personal information (first name, last name), contact information (email address, phone number), access data (access codes or passwords), profile pictures, information about professional position/function, the IP address of the internet connection, information about participants' devices, their operating system, browser, technical and language settings, information about content communication processes (e.g., chat inputs), audio and video data, and the use of other available functions (e.g., surveys). Communication contents are encrypted to the extent technically provided by the Conference providers. If participants are registered as users with the Conference Platforms, additional data may be processed in accordance with the agreement with the respective Conference provider.
Logging and Recordings:
If text inputs, participation results (e.g., from surveys), as well as video or audio recordings are logged, participants are transparently informed in advance and, where necessary, asked for consent.
Participant Privacy Measures:
Please refer to the privacy notices of the Conference Platforms for details on the processing of your data by them. Choose optimal security and privacy settings within the Conference Platforms' settings. Also, ensure data and personal privacy during a video conference (e.g., by informing roommates, locking doors, and using background blur where technically possible). Links to conference rooms and access data must not be shared with unauthorized third parties.
Legal Bases:
- If we process user data in addition to the Conference Platforms and ask users for their consent to the use of Conference Platforms or specific functions (e.g., consent to recording conferences), the legal basis for processing is this consent. Our processing may also be necessary for fulfilling our contractual obligations (e.g., in participant lists, when working with conversation results, etc.). Furthermore, user data is processed based on our legitimate interests in efficient and secure communication with our communication partners.
Processed Data Types: Master data (e.g., names, addresses); Contact details (e.g., email, phone numbers); Content data (e.g., inputs in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status).
Concerned Individuals: Communication partners; Users (e.g., website visitors, users of online services); Depicted individuals.
Processing Purposes: Provision of contractual services and fulfillment of contractual obligations; Contact inquiries and communication; Office and organizational procedures.
Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR).
Further Notes on Processing Processes, Procedures, and Services:
- Microsoft Teams: Conference and communication software; Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland; Parent Company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-365; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security Information: https://www.microsoft.com/de-de/trustcenter. Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).
Cloud Services:
We use software services accessible over the internet and executed on the servers of their providers (so-called "cloud services," also referred to as "Software as a Service") for the storage and management of content (e.g., document storage and management, document exchange, sharing content and information with specific recipients, or publishing content and information).
Processed Data Types: Master data (e.g., names, addresses); Contact details (e.g., email, phone numbers); Content data (e.g., inputs in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status).
Concerned Individuals: Customers; Employees (e.g., staff, applicants, former employees); Prospects; Communication partners.
Processing Purposes: Office and organizational procedures; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR).
Further Notes on Processing Processes, Procedures, and Services:
- Microsoft Cloud Services: Cloud storage, cloud infrastructure services, and cloud-based application software; Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland; Parent Company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://microsoft.com/de-de; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security Information: https://www.microsoft.com/de-de/trustcenter; Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).
Newsletter and Electronic Notifications:
We only send newsletters, emails, and other electronic notifications ("Newsletters") with the consent of recipients or a legal permission. If the contents of a newsletter are described specifically during the subscription process, these contents are decisive for obtaining user consent. Our newsletters generally contain information about our services and us.
Subscription Process and Double-Opt-In:
To subscribe to our newsletters, providing your email address is generally sufficient. However, we may request additional information such as a name for personal addressing in the newsletter, if necessary for the purposes of the newsletter. Subscription to our newsletter typically follows a double-opt-in procedure. This means that after signing up, you will receive an email requesting confirmation of your subscription. This confirmation is necessary to prevent someone from subscribing with unauthorized email addresses. Newsletter subscriptions are logged to comply with legal requirements. This includes storing the time of subscription, the confirmation time, and the IP address. Changes to data stored by the mailing service provider are also logged.
Deletion and Restriction of Processing:
We can store unsubscribed email addresses for up to three years based on our legitimate interests, in order to prove a previously given consent. Processing of this data is limited to the purpose of potential defense against claims. Individual requests for deletion are possible at any time, provided the prior existence of consent is confirmed. In case of obligations to permanently consider objections, we reserve the right to store the email address solely for this purpose in a blocklist.
Content and Legal Bases:
Newsletters contain information about us, our services, promotions, and offers.
- Processed Data Types: Master data (e.g., names, addresses); Contact details (e.g., email, phone numbers); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status); Usage data (e.g., visited websites, interest in content, access times).
- Concerned Individuals: Communication partners.
- Processing Purposes: Direct marketing (e.g., via email or postal mail).
- Legal Bases: Consent (Art. 6(1)(a) GDPR).
- Opt-Out Option: You can unsubscribe from our newsletter at any time, either by revoking your consent or by objecting to further receipt. You will find an unsubscribe link at the end of each newsletter or can use one of the contact methods provided above, preferably email.
Further Notes on Processing Processes, Procedures, and Services:
- Measurement of Open and Click Rates: Newsletters contain a "web beacon," a pixel-sized file that is retrieved from our server or, if we use a mailing service provider, from their server when the newsletter is opened. In this process, technical information such as browser and system information, IP address, and time of retrieval are collected. This information is used for the technical improvement of our newsletter based on technical data or user behavior in terms of locations (determined using IP addresses) or access times. This analysis includes determining whether newsletters are opened, when they are opened, and which links are clicked. This information is assigned to individual newsletter recipients and stored in their profiles until deletion. These evaluations help us understand user reading habits and adapt our content to them or send different content according to user interests. The measurement of open and click rates and the storage of measurement results in user profiles, as well as their further processing, are based on user consent. Unfortunately, a separate withdrawal of this measurement is not possible; in this case, the entire newsletter subscription must be canceled, or further receipt must be objected to. In this case, the stored profile information will be deleted. Legal Basis: Consent (Art. 6(1)(a) GDPR).
- Reminder Emails for Order Processes: If users do not complete an order process, we can send them reminder emails to continue the process and provide them with a link for continuation. This function can be useful, for example, if the purchase process couldn't be completed due to a browser crash, mistake, or forgetfulness. Sending these emails is based on consent, which users can revoke at any time. Legal Basis: Consent (Art. 6(1)(a) GDPR).
Advertising Communication via Email, Post, Fax, or Phone:
We process personal data for the purpose of advertising communication that can take place via various channels such as email, telephone, postal mail, or fax, in accordance with legal requirements. Recipients have the right to revoke granted consents or object to advertising communication at any time. After revocation or objection, we store the data necessary to demonstrate prior authorization for contact or sending for up to three years after the end of the year of revocation or objection, based on our legitimate interests. Processing of this data is limited to the purpose of potential defense against claims. Based on the legitimate interest of permanently considering user revocations or objections, we also store data necessary to prevent further contact (e.g., email address, phone number, name, depending on the communication channel).
Processed Data Types: Master data (e.g., names, addresses); Contact details (e.g., email, phone numbers).
Concerned Individuals: Communication partners.
Processing Purposes: Direct marketing (e.g., via email or postal mail).
Legal Bases: Consent (Art. 6(1)(a) GDPR); Legitimate Interests (Art. 6(1)(f) GDPR).
Contests and Competitions:
We process personal data of participants in contests and competitions in compliance with relevant data protection regulations. Processing is carried out if it's contractually necessary for providing, conducting, and handling the contest, if participants have consented to the processing, or if processing serves our legitimate interests (e.g., security of the contest or protection against misuse through potential IP address capture when submitting contest entries). If participant contributions are published as part of contests (e.g., in voting or presentation of entries/winners), participant names may also be published in this context. Participants can object to this at any time. If the contest takes place within an online platform or social network (e.g., Facebook or Instagram), the terms of use and privacy policies of the respective platforms also apply. In such cases, we are responsible for the information provided by participants in the context of the contest, and inquiries regarding the contest should be directed to us. Participant data is deleted once the contest or competition is concluded and the data is no longer required to inform winners or address contest-related inquiries. Generally, participant data is deleted no later than 6 months after the contest ends. Winner data may be retained longer to address queries about prizes or fulfill prize obligations (e.g., up to three years for items or services to handle warranty cases). Additionally, participant data may be retained longer, for example, for reporting on the contest in online and offline media. If data collected during the contest is also used for other purposes, processing and retention periods will follow the privacy information for that use (e.g., if signing up for a newsletter as part of the contest).
Processed Data Types: Master data (e.g., names, addresses); Content data (e.g., entries in online forms); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status).
Concerned Individuals: Contest and competition participants.
Processing Purpose: Conducting contests and competitions.
Legal Basis: Fulfillment of contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Surveys:
We conduct surveys to collect information for the communicated survey purpose. The surveys are evaluated anonymously. Processing of personal data only occurs to the extent necessary for providing and technically conducting the surveys (e.g., processing IP addresses to display the survey in users' browsers or using cookies to allow resuming the survey).
Processed Data Types: Contact details (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status).
Concerned Individuals: Communication partners; Participants.
Processing Purpose: Feedback (e.g., collecting feedback via online form).
Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
Web Analysis, Monitoring, and Optimization:
Web analysis, also referred to as "reach measurement," involves evaluating visitor traffic to our online offering. It can include behavioral, interest, or demographic information about visitors, such as age or gender, in pseudonymous form. Web analysis helps us understand the most frequently used times for our online offering or its features and content, as well as areas in need of optimization. Additionally, we may use test procedures to test and optimize different versions of our online offering or its components.
Profiles may be created for these purposes, i.e., data combined for a usage process, and information stored and read from a browser or end device. The collected information includes, among others, visited websites and elements used there, as well as technical information such as the browser used, the computer system used, and information on usage times. If users have consented to the collection of their location data to us or the providers of the services we use, location data may also be processed. IP addresses of users are also stored. However, we use IP masking (pseudonymization of the IP address) to protect users. Generally, web analysis, A/B testing, and optimization do not store clear user data (such as email addresses or names) but pseudonyms. This means neither we nor the providers of the used software know the actual identity of users, only the information stored in their profiles for the respective processes.
Processed Data Types: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status); Master data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact details (e.g., email, phone numbers); Contract data (e.g., contract subject, duration, customer category).
Concerned Individuals: Users (e.g., website visitors, online service users); Customers.
Processing Purposes: Reach measurement (e.g., access statistics, recognition of recurring visitors); Profiling with user-related information (creating user profiles); Tracking (e.g., interest/behavior-based profiling, use of cookies); Conversion measurement (measuring the effectiveness of marketing measures); Audience targeting; Marketing; Provision of our online offering and user-friendliness; Provision of contractual services and fulfillment of contractual obligations.
Security Measures: IP masking (pseudonymization of the IP address).
Legal Bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further Notes on Processing Processes, Procedures, and Services:
1&1 IONOS WebAnalytics:
Reach measurement and web analysis; Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.ionos.de; Privacy Policy: https://www.ionos.de/terms-gtc/terms-privacy; Data Processing Agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/; Additional Information: Data is collected either via a pixel or log file without using cookies. Visitor IP addresses are transmitted during page views, then anonymized and further processed without personal reference. Data processing is based on a data processing agreement.
Shopify:
Shopify is a platform through which e-commerce services are offered and conducted. These services include online shops, websites, their offerings and content, community elements, purchase and payment processes, customer communication, analysis, and marketing. Service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.shopify.de. Privacy Policy: https://www.shopify.de/legal/datenschutz.
Online Marketing:
We process personal data for the purpose of online marketing, which includes the marketing of advertising space or the presentation of advertising and other content (referred to collectively as "content") based on potential user interests, as well as measuring their effectiveness.
For these purposes, user profiles are created and stored in a file (referred to as a "cookie") or similar methods are used, through which relevant information about the user for displaying the aforementioned content is stored. This information may include viewed content, visited websites, used online networks, as well as communication partners and technical details such as the browser used, the computer system used, and information about usage times and functions used. If users have consented to the collection of their location data, this information can also be processed.
IP addresses of users are also stored. However, we use the available IP masking methods (i.e., pseudonymization through IP address truncation) to protect users. Generally, no clear user data (such as email addresses or names) are stored within the online marketing process, but rather pseudonyms. This means that neither we nor the providers of online marketing processes know the actual identity of the users, only the information stored in their profiles.
The information in the profiles is typically stored in cookies or similar methods. These cookies can later be read on other websites that also use the same online marketing process, analyzed for the purpose of displaying content, supplemented with additional data, and stored on the server of the online marketing process provider.
In exceptional cases, clear user data can be assigned to the profiles. This is the case, for example, when users are members of a social network for which we use an online marketing process, and the network links the users' profiles with the aforementioned information. Please note that users can make additional agreements with the providers, for example, through consent during registration.
In general, we only have access to summarized information about the success of our advertisements. However, we can check, through conversion measurements, which of our online marketing processes have led to a so-called conversion, such as a contract conclusion with us. The conversion measurement is used solely for the analysis of the success of our marketing measures.
Unless otherwise stated, please assume that cookies used will be stored for a period of two years.
Processed Data Types:
- Content data (e.g., entries in online forms)
- Usage data (e.g., visited websites, interest in content, access times)
- Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status)
- Event data (Facebook) ("Event data" refers to data that can be transmitted to Facebook, for example, via the Facebook pixel (via apps or other means), relating to individuals or their actions; Data includes information about website visits, interactions with content, features, app installations, product purchases, etc.; Event data is processed for the purpose of creating target groups for content and advertising information (Custom Audiences). Event data does not include the actual content (e.g., written comments), login information, or contact information (i.e., no names, email addresses, and phone numbers). Event data is deleted by Facebook after a maximum of two years, and target groups formed from them are deleted with the deletion of our Facebook account).
Affected Individuals:
Users (e.g., website visitors, users of online services).
Purposes of Processing:
- Reach measurement (e.g., access statistics, identification of recurring visitors)
- Tracking (e.g., interest/behavior-based profiling, use of cookies)
- Conversion measurement (measurement of the effectiveness of marketing measures)
- Target group formation
- Marketing
- Profiles with user-related information (creation of user profiles)
- Provision of our online offering and user-friendliness.
Security Measures:
IP masking (pseudonymization of the IP address).
Legal Bases:
Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Objection Option (Opt-Out):
We refer to the data protection information of the respective providers and the objection options (so-called "opt-out") provided for the providers. If no explicit opt-out option has been specified, you can generally deactivate cookies in your browser settings. However, this may limit the functionality of our online offering. Therefore, we recommend using the following opt-out options, which are offered in a summarized form for the respective areas:
- Europe: https://www.youronlinechoices.eu
- Canada: https://www.youradchoices.ca/choices
- USA: https://www.aboutads.info/choices
- Cross-regional: https://optout.aboutads.info.
Additional Information on Processing Processes, Procedures, and Services:
Amazon: Marketing of advertising materials and advertising space; Service provider: Amazon EU S.à r.l. (Société à responsabilité limitée), 38 avenue John F. Kennedy, L-1855 Luxembourg; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.amazon.de; Privacy policy: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010. Basis for data transfer to third countries: EU-US Data Privacy Framework (DPF).
Meta Pixel and Target Group Formation (Custom Audiences): With the help of the Meta Pixel (or comparable functions for transmitting event data or contact information through interfaces in apps), the company Meta is able to determine visitors to our online offering as a target audience for the display of ads (so-called "Meta Ads"). Accordingly, we use the Meta Pixel to display the Meta Ads we have placed only to users on Meta platforms and within the services of cooperating partners of Meta (so-called "Audience Network" https://www.facebook.com/audiencenetwork/) who have shown an interest in our online offering or who exhibit certain characteristics (e.g., interest in specific topics or products, evident from visited websites) that we transmit to Meta (so-called "Custom Audiences"). With the Meta Pixel, we also aim to ensure that our Meta Ads correspond to users' potential interests and do not appear intrusive. With the Meta Pixel, we can also track the effectiveness of Meta Ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Meta Ad (so-called "conversion measurement"); Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for data transfer to third countries: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Additional information: Event data of users, i.e., behavioral and interest-related information, are processed for the purposes of targeted advertising and target group formation based on the agreement on joint responsibility ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). 
Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is solely the responsibility of Meta Platforms Ireland Limited, particularly concerning the transfer of data to the parent company, Meta Platforms, Inc., in the USA (based on the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
Facebook Advertisements: Placement of advertisements within the Facebook platform and evaluation of advertisement results; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Basis for data transfer to third countries: EU-US Data Privacy Framework (DPF); Objection possibility (opt-out): We refer to the privacy and advertising settings in the users' profiles on the Facebook platform, as well as within Facebook's consent process and Facebook's contact options for exercising information and other data subject rights in Facebook's privacy policy. Additional information: Event data of users, i.e., behavioral and interest-related information, are processed for the purposes of targeted advertising and target group formation based on the agreement on joint responsibility ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is solely the responsibility of Meta Platforms Ireland Limited, particularly concerning the transfer of data to the parent company, Meta Platforms, Inc., in the USA (based on the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
Google Ads and Conversion Measurement: Online marketing procedures for the purpose of placing content and advertisements within the service provider's advertising network (e.g., in search results, in videos, on websites, etc.) so that they are displayed to users who presumably have an interest in the ads. Furthermore, we measure the conversion of the ads, i.e., whether users have interacted with the ads and used the advertised offers as a result (so-called "conversion"). However, we only receive anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Basis for data transfer to third countries: EU-US Data Privacy Framework (DPF); Additional information: Types of processing and processed data: https://privacy.google.com/businesses/adsservices. Data processing terms between data controllers and Standard Contractual Clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.