
Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as “data”) we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and particularly on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”). The terms used are not gender-specific.

Last updated: May 26, 2024

Table of Contents

  • Preamble
  • Controller
  • Overview of Processing Activities
  • Relevant Legal Bases
  • Security Measures
  • International Data Transfers
  • General Information on Data Storage and Deletion
  • Rights of Data Subjects
  • Business Services
  • Payment Procedures
  • Provision of the Online Offer and Web Hosting
  • Use of Cookies
  • Contact and Inquiry Management
  • Newsletters and Electronic Notifications
  • Promotional Communication via Email, Mail, Fax, or Telephone
  • Web Analysis, Monitoring, and Optimization
  • Online Marketing
  • Presence on Social Networks (Social Media)

Controller

nosz Nina Wybranietz
Carl-Meyer-Straße 15
29481 Karwitz
Authorized Persons: Nina Wybranietz
Email Address: info@nosz.de
Imprint: https://nosz.de/impressum/

Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of Processed Data

  • Inventory data
  • Payment data
  • Contact data
  • Content data
  • Contract data
  • Usage data
  • Meta, communication, and procedural data
  • Log data

Categories of Data Subjects

  • Service recipients and clients
  • Interested parties
  • Communication partners
  • Users
  • Business and contractual partners

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations
  • Communication
  • Security measures
  • Direct marketing
  • Audience measurement
  • Tracking
  • Office and organizational procedures
  • Audience targeting
  • Organizational and administrative procedures
  • Feedback
  • Marketing
  • Profiles with user-related information
  • Provision of our online offer and user-friendliness
  • Information technology infrastructure
  • Public relations
  • Sales promotion
  • Business processes and economic procedures

Relevant Legal Bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the GDPR regulations, national data protection regulations may apply in your or our country of residence or place of business. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6(1) sentence 1 lit. a GDPR) – The data subject has given their consent to the processing of personal data concerning them for one or more specific purposes.
  • Contract performance and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6(1) sentence 1 lit. c GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National Data Protection Regulations in Germany:

In addition to the GDPR, national data protection regulations apply in Germany. This includes, in particular, the Federal Data Protection Act (BDSG). The BDSG contains specific regulations on the right to access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases, including profiling. Furthermore, the data protection laws of the individual federal states may apply.

Note on GDPR and Swiss Data Protection Act:

These data protection notices serve to provide information under both the Swiss Data Protection Act (DSG) and the GDPR. Please note, therefore, that the terms of the GDPR are used because of their broader geographical application and for ease of understanding. The legal meaning of the terms, however, remains determined according to the Swiss DSG.

Security Measures

We take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons. Measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to data, as well as access, input, transmission, ensuring availability, and separation of data. Furthermore, we have established procedures that ensure the exercise of data subjects’ rights, deletion of data, and response to data threats. Additionally, we consider the protection of personal data already in the development or selection of hardware, software, and procedures according to the principle of data protection through technology design and through data protection-friendly default settings.

Securing Online Connections with TLS/SSL Encryption Technology (HTTPS):

To protect users’ data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt information transmitted between the website or app and the user’s browser (or between two servers), protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and encrypted.

International Data Transfers

Data Processing in Third Countries:

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if processing occurs in the context of using third-party services or disclosing or transmitting data to other persons, entities, or companies, this is done only in accordance with legal requirements. If the level of data protection in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers occur only if the data protection level is otherwise ensured, particularly through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or in the case of contractual or legally required transmission (Art. 49(1) GDPR). In addition, we will inform you of the bases of the third-country transfer in the respective privacy notices of the individual providers from third countries, with adequacy decisions being given priority. Information on third-country transfers and existing adequacy decisions can be found on the EU Commission’s website: EU Commission – International dimension of data protection.

EU-US Trans-Atlantic Data Privacy Framework:

Under the “Data Privacy Framework” (DPF), the EU Commission has also recognized the data protection level for certain companies in the USA as secure within the framework of the adequacy decision of 10.07.2023. The list of certified companies and further information on the DPF can be found on the US Department of Commerce’s website: Data Privacy Framework (in English). In the respective privacy notices, we inform you which of the service providers we use are certified under the Data Privacy Framework.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal requirements as soon as the underlying consents are revoked or there are no further legal grounds for processing. This applies to cases where the original processing purpose no longer exists or the data is no longer needed. Exceptions to this rule apply if legal obligations or special interests require longer retention or archiving of the data. In particular, data that must be retained for commercial or tax reasons, or whose storage is necessary for legal prosecution or protection of the rights of other natural or legal persons, must be archived accordingly. Our data protection notices contain additional information on data retention and deletion specific to certain processing procedures. If there are multiple indications of retention periods or deletion deadlines for a piece of data, the longest period always applies. If a period does not explicitly start on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships where data is stored, the triggering event is the effective date of termination or other termination of the legal relationship. Data that is no longer needed for the originally intended purpose but is retained due to legal requirements or other reasons will be processed solely for the reasons justifying their retention.

Retention and Deletion of Data

The following general periods apply for retention and archiving under German law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the necessary working instructions and other organizational documents, booking receipts, and invoices (§ 147 Abs. 3 i. V. m. Abs. 1 Nr. 1, 4 und 4a AO, § 14b Abs. 1 UStG, § 257 Abs. 1 Nr. 1 u. 4, Abs. 4 HGB).
  • 6 years – Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents relevant for taxation, such as hourly wage slips, operating cost sheets, calculation documents, price markings, as well as payroll documents that are not already booking receipts and cash register receipts (§ 147 Abs. 3 i. V. m. Abs. 1 Nr. 2, 3, 5 AO, § 257 Abs. 1 Nr. 2 u. 3, Abs. 4 HGB).
  • 3 years – Data necessary to consider potential warranty and compensation claims or similar contractual claims and rights, and related inquiries based on previous business experiences and common industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Rights of Data Subjects

Rights of Data Subjects under the GDPR

As a data subject under the GDPR, you have various rights, particularly those arising from Articles 15 to 21 GDPR:

  • Right to Object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, including profiling to the extent it is related to such direct marketing.
  • Right to Withdraw Consent: You have the right to withdraw consent given at any time.
  • Right of Access: You have the right to request confirmation as to whether data concerning you is being processed and to access this data as well as further information and a copy of the data according to legal requirements.
  • Right to Rectification: You have the right to request the completion or correction of your data according to legal requirements.
  • Right to Erasure and Restriction of Processing: You have the right to request that data concerning you be deleted immediately or, alternatively, to request a restriction of processing according to legal requirements.
  • Right to Data Portability: You have the right to receive data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and to request its transmission to another controller.
  • Right to Complain to Supervisory Authorities: You have the right to lodge a complaint with a supervisory authority, without prejudice to any other administrative or judicial remedy, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement if you believe that the processing of personal data relating to you infringes the GDPR.

Business Services

We process data of our contractual and business partners, such as customers and interested parties (collectively referred to as “contractual partners”), within the scope of contractual and similar legal relationships as well as related measures and for communication with the contractual partners (or pre-contractually), for example, to respond to inquiries. We use this data to fulfill our contractual obligations. This includes obligations to provide the agreed services, any updating obligations, and remedying warranty and other service disruptions. Furthermore, we use the data to safeguard our rights and for the purposes of associated administrative tasks and business organization. Additionally, we process the data based on our legitimate interests in proper and economically efficient business management as well as security measures to protect our contractual partners and our business operations from misuse, danger to their data, secrets, information, and rights (e.g., through the involvement of telecommunications, transport, and other auxiliary services, as well as subcontractors, banks, tax, and legal advisors, payment service providers, or tax authorities). In accordance with applicable law, we only disclose the data of contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about further forms of processing, such as for marketing purposes, within this data protection declaration. The data required for the aforementioned purposes is communicated to the contractual partners before or during data collection, e.g., in online forms, through special markings (e.g., colors) or symbols (e.g., asterisks or similar), or personally. 
We delete the data after the expiration of legal warranty and comparable obligations, generally after four years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal archiving purposes (typically for tax purposes for ten years). Data disclosed to us within the framework of an order by the contractual partner is deleted in accordance with the specifications and generally after the end of the order.

Types of Data Processed

  • Inventory data (e.g., full name, residential address, contact information, customer number, etc.).
  • Payment data (e.g., bank account details, invoices, payment history).
  • Contact data (e.g., postal and email addresses or phone numbers).
  • Contract data (e.g., contract subject, duration, customer category).
  • Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
  • Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

Data Subjects

  • Service recipients and clients
  • Interested parties
  • Business and contractual partners

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations
  • Security measures
  • Communication
  • Office and organizational procedures
  • Organizational and administrative procedures
  • Business processes and economic procedures

Retention and Deletion

Deletion is carried out in accordance with the information provided in the section “General Information on Data Storage and Deletion”.

Legal Bases

  • Performance of contract and pre-contractual inquiries (Art. 6(1)(b) GDPR)
  • Legal obligation (Art. 6(1)(c) GDPR)
  • Legitimate interests (Art. 6(1)(f) GDPR)

Online Shop, Order Forms, E-Commerce, and Delivery

We process our customers’ data to enable them to select, purchase, or order the chosen products, goods, and related services, as well as to pay for and deliver or execute them. Where necessary for order execution, we use service providers, especially postal, freight, and shipping companies, to carry out delivery or execution to our customers. For payment processing, we use the services of banks and payment service providers. The necessary details are identified as such during the order or similar acquisition process and include the information required for delivery, provision, and billing, as well as contact information for any necessary consultations; legal bases: performance of contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Payment Procedures

In the context of contractual and other legal relationships, due to legal obligations, or based on our legitimate interests, we offer efficient and secure payment options and use other service providers besides banks and credit institutions (collectively “payment service providers”). The data processed by payment service providers includes inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as the contract, sum, and recipient-related details. The information is required to carry out the transactions. However, the entered data is only processed by the payment service providers and stored by them. That means we do not receive any account or credit card-related information, but only information about the confirmation or negative evaluation of the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit reporting agencies. This transmission aims at identity and credit checks. For this, we refer to the general terms and conditions and the data protection notices of the payment service providers. For payment transactions, the terms and conditions and the data protection notices of the respective payment service providers apply, which are available within the respective websites. We also refer to these for further information and assertion of withdrawal, information, and other data subject rights.

  • Processed data types: Master data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contract data (e.g., subject matter of the contract, duration, customer category); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals); Contact details (e.g., postal and email addresses or telephone numbers).
  • Affected persons: Service recipients and clients; Business and contractual partners; Prospective customers.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Business processes and operational procedures.
  • Retention and deletion: Deletion according to information in the section “General Information on Data Storage and Deletion.”
  • Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

  • American Express: Payment services (technical integration of online payment methods); Service provider: American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany; Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.americanexpress.com/de/; Privacy Policy: https://www.americanexpress.com/de-de/firma/legal/datenschutz-center/online-datenschutzerklarung/.
  • Apple Pay: Payment services (technical integration of online payment methods); Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.apple.com/de/apple-pay/; Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.
  • Giropay: Payment services (technical integration of online payment methods); Service provider: giropay GmbH, An der Welle 4, 60322 Frankfurt, Germany; Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.giropay.de; Privacy Policy: https://www.giropay.de/rechtliches/datenschutzerklaerung/.
  • Google Pay: Payment services (technical integration of online payment methods); Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://pay.google.com/intl/de_de/about/; Privacy Policy: https://policies.google.com/privacy.
  • Mastercard: Payment services (technical integration of online payment methods); Service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.mastercard.de/de-de.html; Privacy Policy: https://www.mastercard.de/de-de/datenschutz.html.
  • PayPal: Payment services (technical integration of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.paypal.com/de; Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
  • Stripe: Payment services (technical integration of online payment methods); Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://stripe.com; Privacy Policy: https://stripe.com/de/privacy; Basis for third country transfers: Data Privacy Framework (DPF).
  • Visa: Payment services (technical integration of online payment methods); Service provider: Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, GB; Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.visa.de; Privacy Policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html; Basis for third country transfers: Adequacy decision (GB).

Provision of the Online Offer and Web Hosting

We process user data to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.

  • Processed data types: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals); Log data (e.g., log files regarding logins or data retrieval or access times); Content data (e.g., textual or pictorial messages and posts as well as the information pertaining to them, such as authorship details or creation timestamps).
  • Affected persons: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures.
  • Retention and deletion: Deletion according to information in the section “General Information on Data Storage and Deletion.”
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

  • Provision of online offering on leased storage space: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also called “web hoster”); Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files.” Server log files may include the address and name of the accessed websites and files, date and time of access, transmitted data volumes, message about successful access, browser type and version, user’s operating system, referrer URL (previously visited page), and usually IP addresses and the requesting provider. Server log files may be used for security purposes, e.g., to prevent server overload (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure the utilization and stability of servers; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further storage is necessary for evidentiary purposes are excluded from deletion until the final clarification of the respective incident.
  • Email dispatch and hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, the addresses of recipients and senders as well as further information regarding email dispatch (e.g., the involved providers) and the contents of the respective emails are processed. The aforementioned data may also be processed for the purpose of spam detection. Please note that emails are generally not encrypted when sent over the internet. Typically, emails are encrypted in transit, but (unless a so-called end-to-end encryption method is used) not on the servers from which they are sent and received. Therefore, we cannot assume responsibility for the transmission path of emails between the sender and the recipient on our server; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Content Delivery Network: We use a Content Delivery Network (CDN). A CDN is a service that helps deliver content of an online offering, especially large media files such as graphics or program scripts, more quickly and securely using regionally distributed and internet-connected servers; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • ALL-INKL: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: ALL-INKL.COM – Neue Medien Münnich, Owner: René Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://all-inkl.com/; Privacy Policy: https://all-inkl.com/datenschutzinformationen/; Data processing agreement: Provided by the service provider.

Use of Cookies

To manage the cookies and similar technologies (tracking pixels, web beacons, etc.) and related consents, we use the Consent Tool “Real Cookie Banner.” Details about the functionality of “Real Cookie Banner” can be found at https://devowl.io/de/rcb/datenverarbeitung/. The legal basis for processing personal data in this context is Art. 6 para. 1 lit. c GDPR and Art. 6 para. 1 lit. f GDPR. Our legitimate interest is in managing the cookies and similar technologies and related consents. Providing personal data is neither contractually required nor necessary for the conclusion of a contract. You are not obliged to provide personal data. If you do not provide personal data, we cannot manage your consents.

Cookies are small text files or other storage markers that store information on devices and read it from them, for example, to store the login status in a user account, the contents of a shopping cart in an e-shop, the accessed content, or used functions of an online offering. Cookies can also be used for various purposes, such as functionality, security, and convenience of online offerings, as well as for analyzing visitor flows.

Consent information: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users unless it is not required by law. Permission is not required, in particular, if storing and retrieving information, including cookies, is absolutely necessary to provide users with a telemedia service (i.e., our online offering) expressly requested by them. The revocable consent is clearly communicated to users and includes information about the respective cookie usage.

Information about data protection legal bases: The legal basis on which we process users’ personal data using cookies depends on whether we request their consent. If users accept, the legal basis for processing their data is the declared consent. Otherwise, data processed using cookies are based on our legitimate interests (e.g., in the commercial operation of our online offering and improving its usability) or, if cookies are necessary for the performance of our contractual obligations, processing is based on fulfilling our contractual obligations. We will clarify the purposes for which cookies are used in the course of this privacy policy or as part of our consent and processing processes.

Storage duration: In terms of storage duration, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g., browser or mobile application).
  • Persistent cookies: Persistent cookies remain stored even after the device is closed. For example, login status can be stored, and preferred content can be displayed directly when the user revisits a website. User data collected using cookies may also be used for audience measurement. If we do not provide explicit information about the type and storage duration of cookies (e.g., as part of obtaining consent), users should assume that they are persistent and may be stored for up to two years.

General information about revocation and objection (opt-out): Users can revoke their consent at any time and also object to processing in accordance with legal requirements, including through their browser’s privacy settings.

  • Processed data types: Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals).
  • Affected persons: Users (e.g., website visitors, users of online services).
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing operations, procedures, and services:

Processing of cookie data based on consent: We use a consent management solution to obtain users’ consent for the use of cookies or for the procedures and providers mentioned within the consent management solution. This process is used to obtain, record, manage, and revoke consents, particularly regarding the use of cookies and similar technologies used to store, retrieve, and process information on users’ devices. Within this process, users’ consents for the use of cookies and associated information processing, including specific processing and providers mentioned in the consent management process, are obtained. Users also have the option to manage and revoke their consents. Consent declarations are stored to avoid repeated requests and to comply with legal requirements for documenting consent. Storage is done server-side and/or in a cookie (so-called opt-in cookie) or using comparable technologies to assign consent to a specific user or their device. If no specific information about consent management service providers is available, the following general notes apply: The duration of consent storage is up to two years. A pseudonymous user identifier is created, which, together with the time of consent, information about the scope of consent (e.g., relevant categories of cookies and/or service providers), and information about the browser, system, and device used, is stored; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Contact and Inquiry Management

When contacting us (e.g., by mail, contact form, email, telephone, or via social media) as well as within existing user and business relationships, the information provided by the inquiring individuals is processed to the extent necessary to respond to the contact inquiries and any requested measures.

Processed data types: Inventory data (e.g., full name, address, contact information, customer number, etc.); Contact details (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or visual messages and contributions as well as the information concerning them, such as authorship details or creation time); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals). Affected individuals: Communication partners. Purposes of processing: Communication; Organizational and administrative procedures; Feedback (e.g., collecting feedback via online form). Provision of our online offering and user-friendliness. Storage and deletion: Deletion in accordance with the information provided in the section “General information on data storage and deletion.” Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Further information on processing operations, procedures, and services:

Contact form: When contacting us via our contact form, email, or other communication channels, we process the personal data transmitted to us to respond to and process the respective inquiry. This typically includes information such as name, contact information, and any additional information provided to us that is necessary for appropriate processing. We use this data exclusively for the specified purpose of contact and communication; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Newsletter and Electronic Notifications

We only send newsletters, emails, and other electronic notifications (hereinafter “newsletter”) with the consent of the recipients or based on a legal basis. If the contents of the newsletter are specified during registration, these contents are decisive for the consent of the users. To register for our newsletter, providing your email address is usually sufficient. However, to offer you a personalized service, we may ask for your name for personal addressing in the newsletter or for further information if necessary for the purpose of the newsletter. Deletion and restriction of processing: Based on our legitimate interests, we may store unsubscribed email addresses for up to three years before deleting them, in order to be able to prove that consent was previously given. The processing of this data is limited to the purpose of potentially defending against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocking list. The logging of the registration procedure is based on our legitimate interests for the purpose of proving its proper conduct. If we commission a service provider with the dispatch of emails, this is based on our legitimate interests in an efficient and secure dispatch system. Contents: Information about us, our services, actions, and offers.

Processed data types: Inventory data (e.g., full name, address, contact information, customer number, etc.); Contact details (e.g., postal and email addresses or telephone numbers); Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals). Usage data (e.g., page views and duration, click paths, usage intensity and frequency, types of devices and operating systems, interactions with content and functions). Affected individuals: Communication partners. Purposes of processing: Direct marketing (e.g., by email or post). Storage and deletion: 3 years – Contractual claims (AT) (Data necessary to consider potential warranty and damages claims or similar contractual claims and rights and to process related inquiries, based on previous business experiences and usual industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 1478, 1480 ABGB)). 10 years – Contractual claims (CH) (Data necessary to consider potential damages claims or similar contractual claims and rights and to process related inquiries, based on previous business experiences and usual industry practices, are stored for the duration of the statutory limitation period of ten years unless a shorter period of five years applies, which is relevant in certain cases (Art. 127, 130 OR)). Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Possibility of objection (opt-out): You can cancel the receipt of our newsletter at any time, i.e., revoke your consent or object to further receipt. You can find a link to unsubscribe from the newsletter either at the end of each newsletter or you can use one of the contact options provided above, preferably by email.

Promotional Communication via Email, Mail, Fax, or Phone

We process personal data for the purpose of promotional communication, which can be carried out through various channels such as email, telephone, mail, or fax, in accordance with legal requirements. Recipients have the right to revoke given consents at any time or to object to promotional communication at any time. After revocation or objection, we store the data necessary to prove the previous authorization for contact or sending for up to three years after the end of the year of revocation or objection based on our legitimate interests. The processing of this data is limited to the purpose of potential defense against claims. Based on the legitimate interest of permanently respecting the revocation or objection of users, we also store the data necessary to avoid renewed contact (e.g., depending on the communication channel, the email address, telephone number, name).

Processed Data Types: Inventory data (e.g., full name, address, contact information, customer number, etc.); Contact details (e.g., postal and email addresses or telephone numbers). Content data (e.g., textual or pictorial messages and contributions as well as the information concerning them, such as authorship details or time of creation). Affected Individuals: Communication partners. Purposes of Processing: Direct marketing (e.g., via email or postal); Marketing. Sales promotion. Storage and Deletion: Deletion according to information in the section “General information on data storage and deletion”. Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as “reach measurement”) serves to evaluate the visitor flows of our online offering and can include behavior, interests, or demographic information about the visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognize at what time our online offering or its functions or content are most frequently used, or invite reuse. Likewise, we are able to identify areas that require optimization. In addition to web analysis, we can also use test procedures to test and optimize different versions of our online offering or its components, for example. Unless otherwise stated below, profiles, i.e., data summarized for a usage process, can be created for these purposes and information can be stored in a browser or device and then read out. The information collected includes, in particular, visited websites and elements used there, as well as technical information such as the browser used, the computer system used, and information about usage times. If users have consented to the collection of their location data to us or to the providers of the services we use, the processing of location data is also possible. In addition, the IP addresses of the users are stored. However, we use IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect the users. Generally, no clear data of users (such as email addresses or names) are stored within the scope of web analysis, A/B testing, and optimization, but pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures. Information on Legal Bases: If we ask users for their consent to the use of third-party providers, the legal basis for processing data is consent. 
Otherwise, users’ data will be processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Processed Data Types: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, types of devices and operating systems, interactions with content and functions). Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals). Affected Individuals: Users (e.g., website visitors, users of online services). Purposes of Processing: Reach measurement (e.g., access statistics, recognition of recurring visitors); Profiles with user-related information (creation of user profiles). Storage and Deletion: Deletion according to information in the section “General information on data storage and deletion”. Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods can be stored on users’ devices for a period of two years.). Security Measures: IP masking (pseudonymization of the IP address). Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Online Marketing

We process personal data for the purpose of online marketing, which includes, in particular, the promotion of advertising space or the presentation of advertising and other content (referred to collectively as “content”) based on potential user interests, as well as measuring their effectiveness. For these purposes, user profiles are created and stored in a file (the so-called “cookie”) or similar methods are used to store information relevant to the user for the display of the aforementioned content. This may include, for example, viewed content, visited websites, used online networks, as well as communication partners and technical information such as the browser used, the operating system used, as well as information about usage times and functions. If users have consented to the collection of their location data, this may also be processed. In addition, we store the IP addresses of users. However, we use available IP masking techniques (i.e., pseudonymization by shortening the IP address) for user protection. Generally, no clear data of users (such as email addresses or names) are stored within the scope of the online marketing process, but rather pseudonyms. This means that neither we nor the providers of the online marketing procedures know the actual user identity, but only the information stored in their profiles. The statements in the profiles are usually stored in cookies or similar methods. These cookies can generally also be read on other websites that use the same online marketing process, analyzed for the purpose of displaying content, supplemented with additional data, and stored on the server of the online marketing process provider. In exceptional cases, it is possible to assign clear data to the profiles, especially if the users are, for example, members of a social network whose online marketing procedures we use and the network connects the user profiles with the aforementioned information. 
We therefore ask you to note that users can make additional agreements with the providers, for example by consenting during registration. We generally only have access to summarized information about the success of our advertisements. However, we can check which of our online marketing procedures have led to a so-called conversion, e.g., to a contract conclusion with us, as part of so-called conversion measurements. The conversion measurement is used solely for the success analysis of our marketing measures. Unless otherwise stated, please assume that cookies used will be stored for a period of two years. The legal basis for data processing is either the consent of users to the use of third-party providers or our legitimate interests in efficient, economical, and user-friendly services. In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy. Instructions for revocation and objection: We refer to the data protection notices of the respective providers and the objection options (so-called “opt-out”) indicated for the providers. If no explicit opt-out option has been specified, you can, on the one hand, deactivate cookies in the settings of your browser. However, this may limit the functionality of our online offering. We therefore additionally recommend the following opt-out options, which are offered in summary for the respective areas: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-region: https://optout.aboutads.info.

Processed data types: Usage data (e.g., page views and length of stay, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta, communication and process data (e.g., IP addresses, time data, identification numbers, persons involved). Affected persons: Users (e.g., website visitors, users of online services). Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors); Tracking (e.g., interest-/behavior-based profiling, use of cookies); Audience targeting; Marketing. Profiles with user-related information (creation of user profiles). Storage and deletion: Deletion according to information in the section “General information on data storage and deletion”. Storage of cookies for up to 2 years (Unless otherwise specified, cookies and similar storage methods can be stored on users’ devices for a period of two years.). Security measures: IP masking (pseudonymization of the IP address).

Presence on Social Networks (Social Media)

We maintain online presences within social networks and process user data within this framework in order to communicate with active users there or to offer information about us. We would like to point out that user data can be processed outside the European Union in this context. This may entail risks for users, for example because it could make it more difficult to enforce user rights. Furthermore, the data of users within social networks is generally processed for market research and advertising purposes. For example, usage behavior and resulting user interests can be used to create usage profiles. The latter may in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. Therefore, cookies are usually stored on users’ computers in which user behavior and interests are stored. In addition, data can also be stored in the usage profiles regardless of the devices used by the users (especially if they are members of the respective platforms and are logged in there). For a detailed presentation of the respective processing methods and the possibilities of objection (opt-out), we refer to the data protection declarations and information provided by the operators of the respective networks. We also point out that requests for information and the assertion of data subject rights are most effectively made with the providers. Only the providers have access to the user data and can take appropriate measures and provide information directly. If you still need help, you can contact us.

Processed data types: Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., text or image messages and contributions as well as the information concerning them, such as information on authorship or time of creation). Usage data (e.g., page views and length of stay, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Affected persons: Users (e.g., website visitors, users of online services). Purposes of processing: Communication; Feedback (e.g., collecting feedback via online form). Public relations. Storage and deletion: Deletion according to information in the section “General information on data storage and deletion”. Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

Instagram: Social network, allows sharing of photos and videos, commenting and favoriting posts, messaging, subscribing to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for third-country transfers: Data Privacy Framework (DPF). 

Pinterest: Social network, allows sharing of photos, commenting, favoriting, and curating posts, messaging, subscribing to profiles; Service provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.pinterest.com. Privacy Policy: https://policy.pinterest.com/de/privacy-policy

Created with the free data protection generator from Dr. Thomas Schwenke.