Privacy Policy
Preamble
With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter referred to as "Data") that we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and especially on our websites, mobile applications, and external online presences, such as our social media profiles (hereinafter collectively referred to as "Online Offer").
The terms used are not gender-specific.
Date: April 27, 2023
Table of Contents
- Preamble
- Controller
- Overview of Processing Activities
- Applicable Legal Bases
- Security Measures
- Transfer of Personal Data
- International Data Transfers
- Data Deletion
- Rights of Data Subjects
- Use of Cookies
- Business Services
- Use of Online Platforms for Offering and Sales Purposes
- Providers and Services Used in the Course of Business Activities
- Provision of the Online Offer and Web Hosting
- Special Notes on Applications (Apps)
- Registration, Log-in, and User Account
- Community Features
- Blogs and Publishing Media
- Contact and Inquiry Management
- Communication via Messenger
- Chatbots and Chat Functions
- Push Notifications
- Video Conferences, Online Meetings, Webinars, and Screen Sharing
- Application Procedures
- Cloud Services
- Newsletters and Electronic Notifications
- Promotional Communication via Email, Mail, Fax, or Telephone
- Web Analysis, Monitoring, and Optimization
- Online Marketing
- Customer Reviews and Rating Processes
- Presences on Social Networks (Social Media)
- Plugins and Embedded Functions, as well as Content
- Amendment and Updating of the Privacy Policy
- Definitions
Controller
Crafthunt GmbH
Leopoldstraße 18
80803 Munich
Email Address:
Applicable Legal Bases
Applicable legal bases under the GDPR: Below, you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your country of residence or domicile or our place of residence or domicile. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Contractual Performance and Pre-contractual Inquiries (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject's request.
- Legal Obligation (Art. 6(1)(c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate Interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
- Application Procedure as Pre-contractual or Contractual Relationship (Art. 6(1)(b) GDPR) - Insofar as special categories of personal data within the meaning of Art. 9(1) GDPR (e.g., health data, such as severely disabled status or ethnic origin) are requested from applicants as part of the application process, so that the controller or the data subject can exercise their rights arising from labor law and social security and social protection law and fulfill their obligations in this regard, the processing of such data is carried out in accordance with Art. 9(2)(b) GDPR, in the case of protecting the vital interests of the applicants or other individuals pursuant to Art. 9(2)(c) GDPR or for purposes of preventive medicine, for the assessment of the employee's ability to work, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems and services pursuant to Art. 9(2)(h) GDPR. In the case of a voluntary declaration of consent, the processing of special categories of data is based on Art. 9(2)(a) GDPR.
National Data Protection Regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG). The BDSG contains special provisions, in particular on the right to access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated individual decision-making including profiling. Furthermore, state data protection laws of the individual federal states may apply.
Reference to Applicability of the GDPR and Swiss Data Protection Act: These data protection notices serve both to provide information under the Swiss Federal Data Protection Act (Swiss DPA) and under the General Data Protection Regulation (GDPR). For this reason, please note that, due to the broader spatial application and comprehensibility, the terms used in the GDPR have been replaced by Swiss terms. In particular, instead of the terms "processing" of "personal data" (or briefly "data") and "legitimate interest" used in the GDPR, the terms "processing" of "personal data" and "predominant interest" used in the Swiss DPA are used. However, the legal meaning of the terms is still determined in accordance with the Swiss DPA within the scope of its applicability.
Overview of Processing Activities
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the individuals affected.
Types of Processed Data
- Inventory data.
- Payment data.
- Location data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication, and procedural data.
- Applicant data.
- Image and/or video recordings.
- Audio recordings.
- Location history and movement profiles.
- Contact information (Facebook).
- Event data (Facebook).
Categories of Individuals Affected
- Customers.
- Employees.
- Prospective customers.
- Communication partners.
- Users.
- Applicants.
- Business and contractual partners.
- Students/participants.
- Persons depicted.
Purposes of Processing
- Provision of contractual services and customer support.
- Contact inquiries and communication.
- Security measures.
- Direct marketing.
- Reach measurement.
- Tracking.
- Office and organizational procedures.
- Remarketing.
- Conversion measurement.
- Click tracking.
- Audience targeting.
- A/B testing.
- Management and response to inquiries.
- Application procedures.
- Content Delivery Network (CDN).
- Feedback.
- Marketing.
- Profiling with user-related information.
- Registration procedures.
- Provision of our online offerings and user-friendliness.
- Information technology infrastructure.
Security Measures
In accordance with legal requirements and taking into account the state of the art, the implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, availability, and separation thereof. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, the erasure of data, and the response to data breaches. Moreover, we consider the protection of personal data already during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.
TLS encryption (https): To protect your data transmitted via our online services, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
Transmission of Personal Data
In the course of our processing of personal data, it may happen that the data is transmitted to other entities, companies, legally independent organizational units, or individuals or disclosed to them. Recipients of this data may include, for example, IT service providers or providers of services and content that are integrated into a website and perform IT tasks. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.
International Data Transfers
Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if the processing takes place in the context of using third-party services or disclosing/transferring data to other persons, entities, or companies, this will only occur in compliance with the legal requirements.
Subject to explicit consent or contractual or legal requirements for transmission, we process or have the data processed in third countries with a recognized level of data protection, contractual obligations through so-called standard data protection clauses issued by the European Commission, certifications, or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the European Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).
Data Deletion
The data processed by us will be deleted or their processing will be restricted in accordance with legal requirements as soon as the consents allowing the processing are revoked or other permissions cease to apply (e.g., if the purpose of processing this data no longer exists or it is not necessary for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing will be limited to those purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.
As part of our privacy policy, we can provide users with further information on deletion and the retention of data that specifically applies to the respective processing processes.
Rights of Data Subjects
Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, particularly arising from Articles 15 to 21 of the GDPR:
- Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, including profiling related to such direct marketing.
- Right to Withdraw Consent: You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right of Access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, if so, to access such data and receive additional information and a copy of the data according to legal requirements.
- Right to Rectification: You have the right to obtain the rectification of inaccurate personal data concerning you and to have incomplete personal data completed, in accordance with legal requirements.
- Right to Erasure and Restriction of Processing: You have the right, subject to legal requirements, to obtain the erasure of personal data concerning you without undue delay or to obtain the restriction of processing of your data.
- Right to Data Portability: You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, or to transmit that data to another controller, in accordance with legal requirements.
- Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
Use of Cookies
Cookies are small text files or other storage technologies that store information on end devices and retrieve information from them. For example, cookies may store the login status in a user account, the contents of a shopping cart in an e-shop, the accessed content, or the functions used in an online offering. Cookies can also be used for various purposes, such as ensuring the functionality, security, and convenience of online offerings, as well as for analyzing visitor traffic.
Notes on Consent: We use cookies in compliance with legal regulations. Therefore, we obtain prior consent from users, unless such consent is not required by law. Consent is not required, in particular, if the storage and retrieval of information, including cookies, are absolutely necessary to provide users with an expressly requested telemedia service (i.e., our online offering). Cookies that are absolutely necessary usually include cookies with functions related to the display and operability of the online offering, load balancing, security, storing user preferences and choices, or similar purposes related to the provision of the main and ancillary functions of the online offering requested by users. The revocable consent is communicated clearly to users and contains information about the respective cookie usage.
Notes on Data Protection Legal Bases: The legal basis for processing users' personal data using cookies depends on whether we ask users for consent. If users give their consent, the legal basis for processing their data is the declared consent. Otherwise, data processed using cookies is based on our legitimate interests (e.g., operating our online offering in a commercially viable manner and improving its usability) or, if it is necessary for the performance of our contractual obligations, on the necessity of using cookies to fulfill our contractual obligations. We provide information about the purposes for which we process cookies to users during the course of this privacy policy or as part of our consent and processing procedures.
Storage Period: With regard to the storage period, the following types of cookies are distinguished:
- Temporary Cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g., browser or mobile application).
- Permanent Cookies: Permanent cookies remain stored even after closing the device. For example, the login status can be saved or preferred content can be displayed directly when the user revisits a website. The data collected from users using cookies can also be used for measuring reach. If we do not provide explicit information about the type and storage period of cookies (e.g., as part of obtaining consent), users should assume that cookies are permanent and can have a storage period of up to two years.
General Information on Revocation and Objection (Opt-Out): Users can revoke their given consent at any time and object to processing in accordance with legal requirements. To do so, users can restrict the use of cookies in their browser settings (which may also limit the functionality of our online offering). An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
Legal Bases
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Consent (Art. 6(1)(a) GDPR).
Further Information on Processing Processes, Procedures, and Services:
- Processing of Cookie Data based on Consent: We use a cookie consent management procedure through which users can provide, manage, and revoke their consent to the use of cookies or the processing and providers mentioned in the context of the cookie consent management procedure. The consent declaration is stored to avoid the need for repeated consent requests and to be able to provide evidence of consent in accordance with legal obligations. The storage can be done server-side and/or in a cookie (known as an opt-in cookie or similar technologies) to associate the consent with a user or their device. Unless otherwise specified regarding the providers of cookie management services, the following information applies: The storage period of the consent can be up to two years. A pseudonymous user identifier is created and stored along with the time of consent, details about the scope of consent (e.g., categories of cookies and/or service providers), as well as the browser, system, and device used. Legal basis: Consent (Art. 6(1)(a) GDPR).
Business Services
We process data of our contractual and business partners, such as customers and prospects (collectively referred to as "contractual partners"), within the scope of contractual and similar legal relationships, as well as related measures and in the context of communication with contractual partners (or pre-contractually), e.g., to respond to inquiries.
We process this data to fulfill our contractual obligations, including the obligations to provide the agreed-upon services, perform any necessary updates, and remedy warranty and other performance issues. Furthermore, we process the data to protect our rights and for the purpose of administrative tasks associated with these obligations and organizational management. Additionally, we process the data based on our legitimate interests in proper and efficient business management, as well as security measures to protect our contractual partners and our business operations from misuse, safeguard their data, secrets, information, and rights (e.g., involving telecommunications, transportation, and other auxiliary services, as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). In accordance with applicable law, we only disclose data of contractual partners to third parties to the extent required for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about other forms of processing, such as for marketing purposes, as part of this privacy policy.
We disclose which data is required for the aforementioned purposes to contractual partners before or during data collection, e.g., in online forms, through specific labeling (e.g., colors) or symbols (e.g., asterisks), or personally.
We delete the data after the expiration of statutory warranty and similar obligations, generally after 4 years, unless the data is stored in a customer account, for example, as long as it is legally required for archiving purposes. The legal retention period is ten years for documents relevant to taxation and commercial law, such as commercial books, inventories, opening balance sheets, annual financial statements, and the relevant work instructions and organizational documents, as well as six years for received commercial and business letters and copies of sent commercial and business letters. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual financial statement, or the management report was prepared, the commercial or business letter was received or sent, or the booking voucher was created, and the recording was made or the other documents were created.
If we use third-party providers or platforms to provide our services, the terms and privacy policies of the respective third-party providers or platforms apply to the relationship between users and providers.
- Processed Data Types: Master data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, telephone numbers); Contract data (e.g., contract subject matter, duration, customer category); Usage data (e.g., visited web pages, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status); Applicant data (e.g., personal information, postal and contact addresses, application documents, and the information contained therein, such as cover letter, CV, certificates, as well as further information provided voluntarily by applicants regarding their person or qualifications).
- Data Subjects: Customers; Prospects; Business and contractual partners; Students; Applicants.
- Purposes of Processing: Provision of contractual services and customer support; Security measures; Contact inquiries and communication; Office and organizational procedures; Administration and response to inquiries; Conversion measurement (measuring the effectiveness of marketing measures); Profiles with user-related information (creating user profiles).
- Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, methods, and services:
- Customer account: Customers can create an account within our online offer (e.g., customer or user account, "customer account" for short). If the registration of a customer account is required, customers will be informed about this as well as the necessary information for registration. The customer accounts are not public and cannot be indexed by search engines. In the context of registration, subsequent logins, and use of the customer account, we store the customers' IP addresses along with the access times to be able to provide evidence of registration and prevent any misuse of the customer account. If the customer account is terminated, the data of the customer account will be deleted after the termination date, unless they need to be retained for purposes other than providing the customer account or for legal reasons (e.g., internal storage of customer data, order processes, or invoices). It is the responsibility of the customers to secure their data upon termination of the customer account; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Watchlist/Wishlist: Customers can create a product/wishlist. In this case, the products will be stored until the account is deleted as part of fulfilling our contractual obligations, unless the customer removes the product list entries or we explicitly inform the customer of different retention periods; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Business analysis and market research: For business reasons and to identify market trends, the desires of contractual partners and users, we analyze the data we have on business transactions, contracts, inquiries, etc., whereby the group of affected persons can include contractual partners, interested parties, customers, visitors, and users of our online offer. The analyses are carried out for the purpose of business evaluations, marketing, and market research (e.g., determining customer groups with different characteristics). In doing so, we can take into account the profiles of registered users, including their information on services used. The analyses serve solely for our purposes and are not disclosed externally unless they involve anonymous analyses with aggregated, i.e., anonymized, values. Furthermore, we respect the privacy of users and process the data for analytical purposes in a pseudonymous manner and, if possible, anonymously (e.g., as aggregated data); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Agency services: We process the data of our customers as part of our contractual services, which may include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes, handling, server administration, data analysis/consulting services, and training services; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Educational and training services: We process the data of participants in our educational and training programs (collectively referred to as "trainees") to provide them with our training services. The processed data, the type, scope, purpose, and necessity of their processing are determined by the underlying contractual and training relationship. The processing also includes performance evaluation and evaluation of our services as well as those of the instructors. As part of our activities, we may also process special categories of data, particularly information regarding the health of the trainees and data revealing ethnic origin, political opinions, religious or philosophical beliefs. For this purpose, we obtain explicit consent from the trainees if necessary and otherwise only process the special categories of data when necessary for the provision of training services, health care purposes, social protection, or protection of the vital interests of the trainees; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Online courses and online training: We process the data of participants in our online courses and online training programs (collectively referred to as "participants") to provide them with our course and training services. The processed data, the type, scope, purpose, and necessity of their processing are determined by the underlying contractual relationship. The data generally includes information about the courses and services used and, to the extent part of our service offering, personal specifications and results of the participants. The processing also includes performance evaluation and evaluation of our services as well as those of the course and training instructors; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Recruiting services: Within the scope of our services, which include the search for potential job candidates, contacting them, and placing them, we process the data of job candidates and the personal data of potential employers or their employees. We process the information and contact details provided by the job candidates for the purpose of establishing, performing, and, if applicable, terminating a contract for job placement. Additionally, in accordance with legal requirements, we may later inquire about the success of our placement services. We process the data of job candidates and employers to fulfill our contractual obligations and to process the job placement requests to the satisfaction of the parties involved. We may keep records of the placement processes to provide evidence of the existence of the contractual relationship and the consent of the interested parties, in accordance with legal accountability requirements (Art. 5(2) GDPR). This information is stored for a period of three to four years if we need to provide evidence of the original request (e.g., to demonstrate the authorization to contact the job candidates); Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Offer of software and platform services: We process the data of our users, registered users, and potential test users (hereinafter collectively referred to as "users") to provide them with our contractual services and, based on legitimate interests, to ensure the security of our offering and further develop it. The required information is indicated as such within the framework of the order, purchase, or similar contractual process and includes the information necessary for the provision and billing of services as well as contact information for any follow-up communication; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Business consulting: We process the data of our customers, clients, interested parties, and other contracting parties or contractual partners (hereinafter collectively referred to as "customers") to provide them with our contractual or pre-contractual services, especially consulting services. The processed data, the type, scope, purpose, and necessity of their processing are determined by the underlying contractual and business relationship. If necessary for contract performance or legally required, or if the customers have given their consent, we disclose or transmit customer data to third parties or agents, such as authorities, courts, or in the field of IT, office, or comparable services, in compliance with professional regulations; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Events and conferences: We process the data of participants in the events, conferences, and similar activities offered or organized by us (hereinafter collectively referred to as "participants" and "events") to enable their participation in the events and the use of associated services or actions. If we process health-related data, religious, political, or other special categories of data in this context, it is based on obviousness (e.g., in thematically oriented events) or serves health care, safety, or is carried out with the consent of the data subjects. The required information is indicated as such within the framework of the order, purchase, or similar contractual process and includes the information necessary for the provision and billing of services as well as contact information for any follow-up communication. To the extent that we have access to information about end customers, employees, or other individuals, we process it in accordance with legal and contractual requirements; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Brokerage services: We process the information provided by the interested parties in the context of brokerage inquiries for the purpose of establishing, performing, and, if applicable, terminating a contract for the brokerage of offers from providers of products or services requested by the interested parties. We use the contact details of the interested parties to specify their inquiry using the agreed or otherwise permitted communication channel (e.g., telephone or email) and to suggest suitable providers or offers based on the specified inquiry. Additionally, in accordance with legal requirements, we may later inquire about the success of our brokerage services. We process the data of the interested parties as well as the providers to fulfill our contractual obligations and to link the requests submitted by the interested parties with the suitable offers from the providers and forward them to the respective providers or make suggestions. We may log the entries made by the interested parties in the online form sent by them to provide evidence of the existence of the contractual relationship and the consent of the interested parties, in accordance with legal accountability requirements (Art. 5(2) GDPR). This information is stored for a period of three to four years if we need to provide evidence of the original request (e.g., to demonstrate the authorization to contact the interested parties); Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Use of Online Platforms for Offer and Sales Purposes
We offer our services on online platforms operated by other service providers. In this context, in addition to our privacy policy, the privacy policies of the respective platforms apply. This applies in particular to the execution of the payment process and the methods used on the platforms for reach measurement and interest-based marketing.
- Types of data processed: Inventory data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, phone numbers); Contract data (e.g., subject matter of the contract, duration, customer category); Usage data (e.g., visited web pages, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status).
- Data subjects: Customers.
- Purposes of processing: Provision of contractual services and customer service; Marketing.
- Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Providers and Services Used in the Course of Business Activities
In the course of our business activities, we use additional services, platforms, interfaces, or plugins from third-party providers (referred to as "services"), while complying with legal requirements. The use of these services is based on our interests in proper, lawful, and efficient management of our business operations and internal organization.
- Types of data processed: Inventory data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Contract data (e.g., subject matter of the contract, duration, customer category).
- Data subjects: Customers; Prospective customers; Users (e.g., website visitors, users of online services); Business and contractual partners; Employees (e.g., employees, applicants, former employees).
- Purposes of processing: Provision of contractual services and customer service; Office and organizational procedures.
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Additional information on processing operations, procedures, and services:
- DATEV: Software for accounting, communication with tax advisors and authorities, and document storage; Service provider: DATEV eG, Paumgartnerstr. 6-14, 90429 Nuremberg, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.datev.de/web/de/mydatev/online-anwendungen/; Privacy policy: https://www.datev.de/web/de/m/ueber-datev/datenschutz/; Data processing agreement: Provided by the service provider.
Provision of the Online Offer and Web Hosting
We process user data to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.
- Types of data processed: Usage data (e.g., visited web pages, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status); Content data (e.g., entries in online forms).
- Data subjects: Users (e.g., website visitors, users of online services); Business and contractual partners; Customers.
- Purposes of processing: Provision of our online offer and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices, such as computers, servers, etc.); Security measures; Content Delivery Network (CDN); Provision of contractual services and customer service.
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Additional information on processing operations, procedures, and services:
- Providing Online Offer on Rented Storage Space: For the provision of our online offer, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also called "web hoster"); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Collection of Access Data and Log Files: Access to our online offer is logged in the form of so-called "server log files." Server log files may include the address and name of the accessed web pages and files, date and time of access, data volumes transferred, message about successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. Server log files can be used for security purposes, such as avoiding server overload (especially in the case of abusive attacks, known as DDoS attacks), and ensuring the server's load and stability; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidentiary purposes is excluded from deletion until the respective incident is finally clarified.
- Content Delivery Network (CDN): We use a content delivery network (CDN). A CDN is a service that enables the delivery of content, particularly large media files such as graphics or program scripts, more quickly and securely through regionally distributed servers connected via the Internet; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Amazon Web Services (AWS): Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacity); Service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://aws.amazon.com; Privacy policy: https://aws.amazon.com/privacy; Data processing agreement: https://aws.amazon.com/compliance/gdpr-center; Standard Contractual Clauses (ensuring an adequate level of data protection for processing in third countries): Included in the data processing agreement.
- Cloudflare: Content delivery network (CDN) service that enables the delivery of content, particularly large media files such as graphics or program scripts, more quickly and securely through regionally distributed servers connected via the Internet; Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.cloudflare.com; Privacy policy: https://www.cloudflare.com/privacypolicy; Data processing agreement: https://www.cloudflare.com/cloudflare-customer-dpa; Standard Contractual Clauses (ensuring an adequate level of data protection for processing in third countries): https://www.cloudflare.com/cloudflare-customer-scc.
- Sentry: Monitoring system stability and identification of code errors - Device information or error time is collected pseudonymously and subsequently deleted; Service provider: Functional Software Inc., Sentry, 132 Hawthorne Street, San Francisco, California 94107, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://sentry.io; Privacy policy: https://sentry.io/privacy; Standard Contractual Clauses (ensuring an adequate level of data protection for processing in third countries): https://sentry.io/legal/dpa.
Special Notes on Applications (Apps)
We process the data of users of our application to the extent necessary to provide users with the application and its functionalities, monitor their security, and further develop them. We may also contact users in accordance with legal requirements if communication is necessary for the administration or use of the application. For the processing of user data, please refer to the data protection information in this privacy policy.
Legal bases: The processing of data necessary for the provision of the functionalities of the application serves the fulfillment of contractual obligations. This also applies if the provision of the functions requires authorization from users (e.g., device function permissions). If the processing of data for the provision of the functionalities of the application is not necessary but serves the security of the application or our business interests (e.g., collection of data for the purpose of optimizing the application or security purposes), it is based on our legitimate interests. If users are explicitly asked for their consent to the processing of their data, the processing of the data covered by the consent is based on consent.
- Processed data types: Inventory data (e.g., names, addresses); meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status); payment data (e.g., bank details, invoices, payment history); contract data (e.g., subject matter of the contract, duration, customer category); image and/or video recordings (e.g., photographs or video recordings of a person); audio recordings; location data (information about the geographic position of a device or person); location history and movement profiles (collection of location data and changes in position over a certain period).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of contractual services and customer service.
- Legal bases: Consent (Art. 6(1)(a) GDPR); Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures, and services:
- Commercial Use: We process the data of users of our application, registered and potential test users (hereinafter collectively referred to as "users"), in order to provide them with our contractual services and, based on legitimate interests, ensure the security and further development of our application. The necessary information is identified as such within the framework of the user, order, purchase, or similar contract conclusion and may include the information required for service provision and possible billing, as well as contact information for communication purposes; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Storage of a Universal and Unique Identifier (UUID): For the purpose of analyzing the usage and functionality of the application, as well as storing user preferences, the application stores a so-called Universal Unique Identifier (UUID). This identifier is generated upon installation of the application (but is not associated with the device, so it is not a device identifier in this sense), remains stored between application launches and updates, and is deleted when users remove the application from their device.
- Storage of a Pseudonymous Identifier: In order to provide the application and ensure its functionality, we use a pseudonymous identifier. The identifier is a mathematical value (i.e., it does not contain clear data such as names) that is associated with a device and/or the installation of the application on that device. This identifier is generated upon installation of the application, remains stored between application launches and updates, and is deleted when users remove the application from the device.
- Device Permissions for Access to Features and Data: The use of our application or its functionalities may require users' permissions to access certain functions of the devices used or the data stored on or accessible through the devices. By default, these permissions must be granted by users and can be revoked at any time in the settings of the respective devices. The exact procedure for controlling app permissions may depend on the users' device and software. If clarification is needed, users can contact us. Please note that the denial or revocation of specific permissions may affect the functionality of our application.
- Access to Camera and Stored Recordings: In the context of using our application, image and/or video recordings (including audio recordings) of users (and other individuals captured in the recordings) are processed through access to the camera functions or stored recordings. Access to camera functions or stored recordings requires users' revocable permission. The processing of image and/or video recordings is solely for providing the respective functionality of our application, as described to users, or its typical and expected functionality.
- Use of Microphone Functions: In the context of using our application, microphone functions and audio recordings captured through it are processed. The use of microphone functions requires users' permission, which can be revoked at any time. The use of microphone functions and audio data is solely for providing the respective functionality of our application, as described to users, or its typical and expected functionality.
- Processing of Stored Contacts: In the context of using our application, contact information stored in the device's contact directory, such as names, email addresses, and phone numbers, is processed. The use of contact information requires users' permission, which can be revoked at any time. The use of contact information is solely for providing the respective functionality of our application, as described to users, or its typical and expected functionality. Users are informed that processing contact information must be permitted and, in particular, requires the consent of natural persons or a legal basis.
- Use of Contact Data for Contact Matching: Data of contacts stored in the device's contact directory can be used to check if these contacts also use our application. For this purpose, the contact data of the respective contacts (including phone numbers, email addresses, and names) are uploaded to our server and used only for the purpose of matching.
- Processing of Location Data: In the context of using our application, location data collected from the device used or entered by users is processed. The use of location data requires users' permission, which can be revoked at any time. The use of location data is solely for providing the respective functionality of our application, as described to users, or its typical and expected functionality.
- Location History and Movement Profiles: Based on the location data collected during the use of our application, a location history is created, showing the geographic movements of the devices used over a certain period of time (which may allow inferences about the movement profiles of users). The location history is solely for providing the respective functionality of our application, as described to users, or its typical and expected functionality.
- Posthog: Software improvement; Service Provider: Posthog Inc., San Francisco, USA; Website: https://posthog.com/docs/privacy/gdpr-compliance; Privacy Policy: https://posthog.com/docs/privacy/gdpr-compliance.
Registration, Login, and User Account
Users can create a user account. As part of the registration process, users will be provided with the necessary mandatory information and their data will be processed for the purpose of providing the user account based on contractual fulfillment. The processed data includes, in particular, login information (username, password, and email address).
In the context of using our registration and login functions, as well as the user account, we store the IP address and the timestamp of each user action. The storage is based on our legitimate interests as well as the users' interests in protection against misuse and unauthorized use. In general, these data are not disclosed to third parties unless it is necessary for the enforcement of our claims or there is a legal obligation to do so.
Users can be informed by email about activities relevant to their user account, such as technical changes.
- Processed data types: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of contractual services and customer support; Security measures; Administration and response to inquiries; Provision of our online offer and user-friendliness.
- Legal basis: Fulfillment of the contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Additional information on processing operations, procedures, and services:
- Registration with pseudonyms: Users are allowed to use pseudonyms as usernames instead of their real names; Legal basis: Fulfillment of the contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- User profiles are public: User profiles are publicly visible and accessible.
- Setting the visibility of profiles: Users can determine, through settings, the extent to which their profiles are visible or accessible to the public or only to certain groups of people; Legal basis: Fulfillment of the contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Data deletion after termination: If users have terminated their user account, their data related to the user account will be deleted, subject to legal permission, obligation, or user consent; Legal basis: Fulfillment of the contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- No obligation to retain data: It is the users' responsibility to secure their data before the end of the contract in case of termination. We are entitled to irrevocably delete all data stored during the contract period; Legal basis: Fulfillment of the contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Blogs and Publishing Media
We use blogs or similar means of online communication and publication (hereinafter referred to as "publication medium"). The data of readers is only processed for the purposes of the publication medium to the extent necessary for its display and communication between authors and readers or for security reasons. For further information on the processing of visitors to our publication medium, please refer to the information provided in this privacy policy.
- Processed data types: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of contractual services and customer support; Feedback (e.g., collecting feedback via online form); Provision of our online offer and user-friendliness; Security measures; Management and response to inquiries.
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Additional information on processing operations, procedures, and services:
- Comments and Posts: If users leave comments or other posts, their IP addresses may be stored on the basis of our legitimate interests. This is done for our own protection in case someone leaves unlawful content in comments and posts (insults, prohibited political propaganda, etc.). In such cases, we can be held liable for the comment or post and are therefore interested in the identity of the author. Furthermore, we reserve the right to process user information for spam detection on the basis of our legitimate interests. On the same legal basis, we reserve the right to store the IP addresses of users for the duration of surveys and to use cookies to prevent multiple voting. The personal information, contact information, website information, and content information provided within comments and posts will be stored permanently by us until the user objects; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Contact and Inquiry Management
When contacting us (e.g., by mail, contact form, email, telephone, or via social media) and within the scope of existing user and business relationships, the information provided by the inquiring individuals will be processed to the extent necessary to respond to the contact inquiries and any requested measures.
- Processed data types: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Data subjects: Communication partners.
- Purposes of processing: Contact inquiries and communication; Management and response to inquiries; Feedback (e.g., collecting feedback via online form); Provision of our online offer and user-friendliness.
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Additional information on processing operations, procedures, and services:
- Contact Form: When users contact us through our contact form, email, or other communication channels, we process the data provided to us in this context to process the stated request; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).
- HubSpot: Customer management as well as process and sales support with personalized customer care through multi-channel communication, i.e., management of customer inquiries from various channels, and with analysis and feedback functions; Service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.hubspot.de; Privacy policy: https://legal.hubspot.com/de/privacy-policy; Data processing agreement: https://legal.hubspot.com/dpa; Standard Contractual Clauses (ensuring an adequate level of data protection for processing in third countries): https://legal.hubspot.com/dpa.
Communication via Messenger
For the purpose of communication, we use messenger services. Therefore, please take note of the following information regarding the functionality of the messengers, encryption, the use of communication metadata, and your options for objection.
You can also contact us through alternative means, such as telephone or email. Please use the contact information provided to you or the contact options indicated within our online offer.
In the case of end-to-end encryption of content (i.e., the content of your messages and attachments), we would like to point out that the communication contents (i.e., the content of the messages and attached images) are encrypted from end to end. This means that the content of the messages cannot be viewed, not even by the messenger providers themselves. You should always use the latest version of the messenger with encryption enabled to ensure the encryption of message contents.
However, we would like to inform our communication partners that although the messenger providers cannot view the content, they may obtain information about when and with whom our communication partners are communicating, as well as technical information about the communication partners' devices and, depending on their device settings, location information (known as metadata).
Information on legal bases: If we ask communication partners for permission before communicating with them via messenger, the legal basis for processing their data is their consent. Otherwise, if we do not ask for consent and they contact us, for example, on their own initiative, we use messengers in relation to our contractual partners and within the context of contract initiation as a contractual measure, and in the case of other interested parties and communication partners, based on our legitimate interests in fast and efficient communication and meeting the needs of our communication partners via messengers. Furthermore, we would like to inform you that we will not initially transmit the contact information you provide to the messengers without your consent.
Revocation, objection, and deletion: You can revoke your consent at any time and object to communication with us via messenger at any time. In the case of communication via messenger, we delete the messages in accordance with our general deletion policies (e.g., as described above, after the end of contractual relationships, in the context of archiving requirements, etc.), and otherwise, once we can assume that any information provided by the communication partners has been addressed, if no reference to a previous conversation is expected, and deletion does not conflict with any legal retention obligations.
Reservation of referring to other communication channels: Finally, we would like to point out that for reasons of security, we reserve the right not to respond to inquiries via messenger. This is the case, for example, when contractual details require special confidentiality or when a response via messenger does not meet formal requirements. In such cases, we will refer you to more appropriate communication channels.
- Processed data types: Contact details (e.g., email, phone numbers); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Data subjects: Communication partners.
- Purposes of processing: Contact inquiries and communication; Direct marketing (e.g., via email or postal mail).
- Legal bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures, and services:
- Instagram: Sending messages through the social network Instagram; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy.
- Facebook Messenger: Facebook Messenger with end-to-end encryption (end-to-end encryption of Facebook Messenger requires activation unless it is enabled by default); Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Data processing terms: https://www.facebook.com/legal/terms/dataprocessing; Standard contractual clauses (ensuring an adequate level of data protection for processing in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum.
Communication via WhatsApp
We use WhatsApp as a messenger service for communication purposes. Please review the following information about WhatsApp's functionality, encryption, communication metadata processing, and your options for objection.
You may also contact us through alternative methods, such as telephone or email, using the provided contact information or as indicated on our online platforms.
End-to-End Encryption
Messages and attachments sent via WhatsApp use end-to-end encryption. This means the content of your messages (including images or files) is protected from access by third parties, including WhatsApp itself. Please ensure you use the latest version of WhatsApp with encryption enabled for maximum security.
However, even though WhatsApp cannot view the message content, they may gather metadata about when and with whom our communication partners are communicating. Additionally, WhatsApp may collect technical data about communication partners' devices, and, depending on device settings, location information (metadata) may also be processed.
Legal Basis for Use
- Consent: If we seek your consent to communicate via WhatsApp, the legal basis for processing your data is your consent.
- Contractual Relationships: If you contact us via WhatsApp on your own, we process data within our contractual relationships or for contract initiation.
- Legitimate Interest: For other interested parties and communication partners, we rely on our legitimate interest in efficient communication via WhatsApp to meet their needs.
We will not transmit the contact information you provide to WhatsApp without your consent.
Revocation, Objection, and Deletion
You may revoke your consent or object to communication with us via WhatsApp at any time. We delete WhatsApp messages according to our general deletion policies (e.g., following the end of contractual relationships or for archiving requirements). Messages will also be deleted once the information is no longer necessary, provided there is no need to reference a previous conversation and no legal retention obligations apply.
Use of Alternative Communication Channels
For security reasons, we reserve the right to respond via alternative channels when certain messages require special confidentiality or formal communication standards that WhatsApp may not meet. In these cases, we will guide you to a more suitable communication option.
Processed Data Types
- Contact details (e.g., phone numbers)
- Usage data (e.g., access times, interest in content)
- Meta, communication, and procedural data (e.g., IP addresses, timestamps, consent status)
Data Subjects
- Communication partners
Purposes of Processing
- Handling contact inquiries and communication
- Direct marketing (e.g., via email or postal mail)
Legal Bases
- Consent (Art. 6(1)(a) GDPR)
- Legitimate interests (Art. 6(1)(f) GDPR)
Further Information on WhatsApp
- Service provider: WhatsApp Ireland Limited, 4 Grand Canal Quay, Dublin 2, D02 KH28, Ireland
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
- Website: https://www.whatsapp.com
- Privacy policy: https://www.whatsapp.com/legal
Chatbots and Chat Functions
We offer online chats and chatbot functions as a means of communication (referred to together as 'chat services'). A chat is a real-time online conversation. A chatbot is software that answers user questions or provides them with information through messages. When you use our chat functions, we may process your personal data.
If you use our chat services within an online platform, your identification number within the respective platform will also be stored. We may also collect information about which users interact with our chat services and when. Furthermore, we store the content of your conversations through the chat services and log registration and consent processes in order to comply with legal requirements.
We inform users that the respective platform provider may become aware of when and how users communicate with our chat services, as well as technical information about the users' devices and, depending on their device settings, location information (known as metadata) for the purpose of optimizing the respective services and ensuring security. Additionally, the metadata of communication via chat services (e.g., information about who communicated with whom) may be used by the respective platform providers, in accordance with their provisions, for marketing purposes or for displaying personalized advertisements to users.
If users agree to receive regular messages from a chatbot, they have the option to unsubscribe from the messages at any time. The chatbot informs users how to unsubscribe using specific terms. By unsubscribing from chatbot messages, user data is deleted from the directory of message recipients.
We use the aforementioned information to operate our chat services, such as addressing users personally, answering their inquiries, transmitting requested content, and improving our chat services (e.g., teaching chatbots responses to frequently asked questions or identifying unanswered inquiries).
Legal Basis Information: We use chat services based on consent, if we have obtained the users' permission to process their data within the scope of our chat services (this applies to cases where users are asked for consent, e.g., to receive regular messages from a chatbot). If we use chat services to respond to user inquiries about our services or our company, this is done for contractual and pre-contractual communication. Furthermore, we use chat services based on our legitimate interests in optimizing the chat services, their economic efficiency, and enhancing the positive user experience.
Revocation, Objection, and Deletion: You can revoke your consent or object to the processing of your data within the scope of our chat services at any time.
- Processed Data Types: Contact details (e.g., email, phone numbers); Content data (e.g., inputs in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Data Subjects: Communication partners.
- Purposes of Processing: Contact inquiries and communication; Direct marketing (e.g., via email or postal mail).
- Legal Basis: Consent (Art. 6(1)(a) GDPR); Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further Information on Processing Operations, Procedures, and Services:
- HubSpot: Chatbot and assistance software as well as related services; Service Provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.hubspot.de; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa; Standard Contractual Clauses (Ensuring an Adequate Level of Data Protection for Processing in Third Countries): https://legal.hubspot.com/dpa.
Push Notifications
With the user's consent, we can send users so-called 'push notifications'. These are messages that are displayed on the screens, devices, or browsers of the users, even when our online service is not actively being used.
To sign up for push notifications, users must confirm the query of their browser or device to receive push notifications. This consent process is documented and stored. Storage is necessary to determine whether users have agreed to receive push notifications and to be able to provide evidence of consent. For these purposes, a pseudonymous identifier of the browser (so-called 'push token') or the device ID of a device is stored.
Push notifications may be necessary for the fulfillment of contractual obligations (e.g. relevant technical and organizational information for the use of our online service) and, unless specifically mentioned below, are sent based on the user's consent. Users can change the receipt of push notifications at any time using the notification settings of their respective browsers or devices.
- Processed data types: Usage data (e.g. visited websites, interest in content, access times); meta, communication, and process data (e.g. IP addresses, time information, identification numbers, consent status); location data (information about the geographical position of a device or person); content data (e.g. entries in online forms).
- Data subjects: Communication partners; users (e.g. website visitors, users of online services).
- Purposes of processing: Provision of our online service and user-friendliness; reach measurement (e.g. access statistics, recognition of recurring visitors); direct marketing (e.g. by email or postal mail); tracking (e.g. interest/behavior-based profiling, use of cookies); conversion measurement (measurement of the effectiveness of marketing measures); A/B testing; marketing; profiles with user-related information (creation of user profiles).
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures, and services:
- Push notifications with advertising content: The push notifications sent by us may contain advertising information. The advertising push notifications are processed based on the user's consent. If the contents of the advertising push notifications are specifically described as part of a consent to receive them, the descriptions are decisive for the user's consent. In addition, our newsletters contain information about our services and us; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
- Location-dependent sending of push notifications: The push notifications sent by us can be displayed depending on the user's location, based on the location data transmitted by the device used; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
- Analysis and success measurement: We statistically analyze push notifications and can thus determine whether and when push notifications have been displayed and clicked. This information is used for the technical improvement of our push notifications based on technical data or target groups and their retrieval behavior or retrieval times. This analysis also includes determining whether push notifications are opened, when they are opened, and whether users interact with their content or buttons. For technical reasons, this information can be assigned to the individual recipients of push notifications. However, it is neither our intention nor, if used, that of the push notification service provider to observe individual users. Rather, the evaluations serve us to recognize the usage habits of our users and to adapt our push notifications to them or to send different push notifications according to the interests of our users. The analysis of push notifications and the measurement of success are based on the explicit consent of the users, which is given with the consent to receive push notifications. Users can object to the analysis and measurement of success by unsubscribing from push notifications. Unfortunately, a separate revocation of the analysis and measurement of success is not possible; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
- Firebase: Firebase is a development platform for mobile and web applications. It provides tools and infrastructure via a so-called software development kit (SDK) that is intended to enable a developer to provide functions more easily and efficiently via programming interfaces on various platforms; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://firebase.google.com; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://firebase.google.com/terms/data-processing-terms; Standard contractual clauses (ensuring the level of data protection when processing in third countries): https://firebase.google.com/terms/data-processing-terms.
Video conferences, online meetings, webinars, and screen sharing
We use platforms and applications from other providers (hereinafter referred to as 'conference platforms') for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings (hereinafter collectively referred to as 'conference'). When selecting conference platforms and their services, we comply with legal requirements.
Data processed by conference platforms: In the context of participating in a conference, conference platforms process the personal data of participants listed below. The extent of processing depends on the data required for a specific conference (e.g. provision of access data or real names) and optional information provided by participants. In addition to processing for the purpose of conducting the conference, the data of participants may also be processed by conference platforms for security purposes or service optimization. The processed data includes personal data (first name, last name), contact information (email address, phone number), access data (access codes or passwords), profile pictures, information about professional position/function, the IP address of the internet access, information about participants' devices, their operating system, browser, and its technical and language settings, information about the content of communication processes, i.e. inputs in chats as well as audio and video data, as well as the use of other available functions (e.g. surveys). The content of communications is encrypted to the extent technically provided by the conference providers. If participants are registered as users with the conference platforms, further data may be processed in accordance with the agreement with the respective conference provider.
Logging and recordings: If text inputs, participation results (e.g. from surveys), as well as video or audio recordings are logged, participants will be transparently informed in advance and, if necessary, asked for their consent.
Data protection measures for participants: Please refer to the privacy notices of the conference platforms for details on how your data is processed by them and choose the optimal security and privacy settings within the conference platforms' settings. Furthermore, during a video conference, please ensure data and personal privacy in the background of your recording (e.g. by informing roommates, locking doors, and using, if technically possible, the function to blur the background). Links to conference rooms and access data must not be shared with unauthorized third parties.
Notes on legal bases: If, in addition to the conference platforms, we also process users' data and ask users for their consent to the use of conference platforms or certain functions (e.g. consent to recording conferences), the legal basis for processing is this consent. Furthermore, our processing may be necessary to fulfill our contractual obligations (e.g. in participant lists, in the case of processing conversation results, etc.). Otherwise, users' data is processed based on our legitimate interests in efficient and secure communication with our communication partners.
- Processed data types: Master data (e.g. names, addresses); contact data (e.g. email, phone numbers); content data (e.g. inputs in online forms); usage data (e.g. visited websites, interest in content, access times); meta, communication, and procedure data (e.g. IP addresses, timestamps, identification numbers, consent status).
- Data subjects: Communication partners; users (e.g. website visitors, users of online services); depicted persons.
- Purposes of processing: Provision of contractual services and customer support; contact inquiries and communication; office and organizational procedures.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures, and services:
- Google Hangouts / Meet: Conference and communication software; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://hangouts.google.com/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://cloud.google.com/terms/data-processing-addendum; Standard contractual clauses (ensuring an adequate level of data protection for processing in third countries): https://cloud.google.com/terms/eu-model-contract-clause.
- Microsoft Teams: Conference and communication software; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, Parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.microsoft.com/en-us/microsoft-365; Privacy policy: https://privacy.microsoft.com/en-us/privacystatement, Security information: https://www.microsoft.com/en-us/trustcenter; Standard contractual clauses (ensuring an adequate level of data protection for processing in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
- Slack: Messenger and conference software; Service provider: Slack Technologies Limited, Level 1, Block A Nova Atria North, Sandyford Business District, Dublin 18, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://slack.com/intl/en-de/; Privacy policy: https://slack.com/intl/en-de/legal; Data processing agreement: https://slack.com/intl/en-de/terms-of-service/data-processing; Standard contractual clauses (ensuring an adequate level of data protection for processing in third countries): https://slack.com/intl/en-de/terms-of-service/data-processing.
Application Process
The application process requires applicants to provide us with the necessary data for their evaluation and selection. The required information can be found in the job description or, in the case of online forms, in the provided details.
In general, the required information includes personal information such as name, address, contact details, as well as proof of the necessary qualifications for a position. Upon request, we are happy to provide additional information on the required details.
If available, applicants can submit their applications to us using an online form. The data is transmitted to us encrypted using state-of-the-art technology. Applicants can also submit their applications via email. However, please note that emails sent over the internet are generally not encrypted. While emails are usually encrypted during transport, they may not be encrypted on the servers from which they are sent and received. Therefore, we cannot take responsibility for the transmission of applications between the sender and our server.
For the purpose of applicant search, submission of applications, and selection of candidates, we may use applicant management or recruitment software and platforms, as well as services provided by third parties, in compliance with legal requirements.
Applicants are welcome to contact us regarding the submission of their application or to send their application by post.
Processing of special categories of data: If special categories of personal data (Article 9(1) GDPR, e.g. health data, such as disability status or ethnic origin) are requested from applicants as part of the application process, their processing is carried out so that the data controller or the data subject can exercise their rights and fulfill their obligations arising from labor law, social security, and social protection law, in the case of protecting the vital interests of the applicants or other individuals, or for the purposes of preventive medicine, occupational medicine, the assessment of the employee's working capacity, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services (Article 9(2) lit. b), c), and h) GDPR).
Deletion of data: In the event of a successful application, the data provided by the applicants can be further processed for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicant's data will be deleted. The applicant's data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Deletion will take place, subject to a justified revocation by the applicant, no later than six months after the end of the application process, in order to be able to answer any follow-up questions regarding the application and to fulfill our obligations to provide evidence in accordance with the regulations on equal treatment of applicants. Invoices for any reimbursement of travel expenses will be archived in accordance with the tax regulations.
Inclusion in an applicant pool: The inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the ongoing application process, and can be revoked at any time for the future.
- Processed data types: Master data (e.g. names, addresses); Contact data (e.g. email, telephone numbers); Content data (e.g. entries in online forms); Applicant data (e.g. personal data, postal and contact addresses, application documents and the information contained therein, such as cover letter, CV, certificates, as well as other information voluntarily provided by applicants regarding their person or qualifications).
- Data subjects: Applicants.
- Purposes of processing: Application process (establishment and, if applicable, subsequent implementation and possible termination of the employment relationship).
- Legal basis: Application process as a pre-contractual or contractual relationship (Article 6(1) sentence 1 lit. b) GDPR); Legitimate interests (Article 6(1) sentence 1 lit. f) GDPR).
Further information on processing operations, procedures, and services:
- Facebook Jobs: Job search and application-related services within the Facebook platform; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Article 6(1) sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing; Standard contractual clauses (ensuring an adequate level of data protection for processing in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum.
- LinkedIn Recruiter: Job search and application-related services within the LinkedIn platform; Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Article 6(1) sentence 1 lit. f) GDPR); Website: https://www.linkedin.com; Terms of Service: https://legal.linkedin.com/dpa; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Data processing agreement: https://legal.linkedin.com/dpa.
- Monster: Services related to employee recruitment (search for employees, communication, application process, contract negotiations); Service provider: Monster Worldwide Deutschland GmbH, Ludwig-Erhard-Straße 14, 65760 Eschborn, Germany; Legal basis: Legitimate interests (Article 6(1) sentence 1 lit. f) GDPR); Website: https://www.monster.de; Privacy policy: https://www.monster.de/datenschutz/datenschutz/home.aspx.
- Stepstone: Services related to employee recruitment (search for employees, communication, application process, contract negotiations); Service provider: StepStone Deutschland GmbH, Völklinger Straße 1, 40219 Düsseldorf, Germany; Legal basis: Legitimate interests (Article 6(1) sentence 1 lit. f) GDPR); Website: https://www.stepstone.de; Privacy policy: https://www.stepstone.de/Ueber-StepStone/Rechtliche-Hinweise/datenschutzerklaerung/.
- Xing: Job search and application-related services within the Xing platform; Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; Legal basis: Legitimate interests (Article 6(1) sentence 1 lit. f) GDPR); Website: https://www.xing.com; Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.
Cloud Services
We use software services accessible over the internet and executed on the servers of their providers (so-called 'cloud services', also referred to as 'software as a service') for the storage and management of content (e.g. document storage and management, exchange of documents, content and information with specific recipients, or publication of content and information).
Within this framework, personal data may be processed and stored on the servers of the providers, to the extent that they are part of communication processes with us or are otherwise processed by us as described in this privacy policy. This data may include in particular master data and contact data of users, data on processes, contracts, other processes and their contents. The providers of the cloud services also process usage data and metadata, which they use for security purposes and service optimization.
If we use the cloud services to provide forms or other documents and content for other users or publicly accessible websites, the providers may store cookies on the users' devices for the purpose of web analysis or to remember user settings (e.g. in the case of media control).
- Types of data processed: Inventory data (e.g. names, addresses); contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. visited websites, interest in content, access times); meta, communication and process data (e.g. IP addresses, time information, identification numbers, consent status).
- Affected persons: Customers; employees (e.g. employees, applicants, former employees); interested parties; communication partners; users (e.g. website visitors, users of online services).
- Purposes of processing: Office and organizational procedures; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures, and services:
- Google Cloud Services: Cloud infrastructure services and cloud-based application software; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://cloud.google.com/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://cloud.google.com/terms/data-processing-addendum; Standard contractual clauses (ensuring an adequate level of data protection for processing in third countries): https://cloud.google.com/terms/eu-model-contract-clause; Further information: https://cloud.google.com/privacy.
- Google Cloud Storage: Cloud storage, cloud infrastructure services and cloud-based application software; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://cloud.google.com/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://cloud.google.com/terms/data-processing-addendum; Standard contractual clauses (ensuring an adequate level of data protection for processing in third countries): https://cloud.google.com/terms/eu-model-contract-clause; Further information: https://cloud.google.com/privacy.
- Google Workspace: Cloud-based application software (e.g. text and spreadsheet processing, calendar and contact management), cloud storage and cloud infrastructure services; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://workspace.google.com/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://cloud.google.com/terms/data-processing-addendum; Standard contractual clauses (ensuring an adequate level of data protection for processing in third countries): https://cloud.google.com/terms/eu-model-contract-clause; Further information: https://cloud.google.com/privacy.
Newsletter and Electronic Notifications
We only send newsletters, emails, and other electronic notifications (hereinafter referred to as "newsletter") with the consent of the recipients or a legal permission. If the contents of the newsletter are specifically described as part of a newsletter registration, they are decisive for the user's consent. In addition, our newsletters contain information about our services and us.
To subscribe to our newsletters, it is generally sufficient to provide your email address. However, we may ask you to provide a name for personal address in the newsletter or additional information if it is necessary for the purposes of the newsletter.
Double Opt-In Procedure: The registration for our newsletter is generally done through a so-called double opt-in procedure. This means that after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary to prevent anyone from registering with someone else's email address. Newsletter registrations are logged in order to be able to prove the registration process in accordance with legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Changes to your data stored by the shipping service provider are also logged.
Deletion and Restriction of Processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist.
The logging of the registration process is based on our legitimate interests for the purpose of proving its proper course. If we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure delivery system.
Contents:
Information about us, our services, promotions, and offers.
- Types of data processed: Inventory data (e.g., names, addresses); contact data (e.g., email, phone numbers); meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status); usage data (e.g., visited websites, interest in content, access times).
- Data subjects: Communication partners; customers; prospects; users (e.g., website visitors, users of online services).
- Purposes of processing: Direct marketing (e.g., by email or postal mail); marketing; provision of contractual services and customer service.
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Possibility of objection (opt-out): You can cancel the receipt of our newsletter at any time, i.e., revoke your consent or object to further receipt. You can find a link to cancel the newsletter either at the end of each newsletter or you can use one of the contact options given above, preferably email, for this purpose.
Further information on processing operations, procedures, and services:
- Measurement of opening and click rates: The newsletters contain a so-called web beacon, i.e., a pixel-sized file that is retrieved from our server or, if we use a shipping service provider, from its server when the newsletter is opened. As part of this retrieval, technical information such as information about the browser and your system, as well as your IP address and the time of retrieval, are initially collected. This information is used for the technical improvement of our newsletters based on the technical data or the target groups and their reading behavior, which is determined by the retrieval locations (which can be determined with the help of the IP address) or the access times. This analysis also includes determining whether the newsletters are opened, when they are opened, and which links are clicked. This information is assigned to the individual newsletter recipients and stored in their profiles until they are deleted. The evaluations serve us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The measurement of opening rates and click rates as well as the storage of the measurement results in the profiles of the users and their further processing are based on the consent of the users. A separate revocation of the measurement of success is unfortunately not possible; in this case, the entire newsletter subscription must be canceled or objected to. In this case, the stored profile information will be deleted; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
- Requirement for the use of free services: The consent to the sending of mailings can be made a requirement for the use of free services (e.g., access to certain content or participation in certain promotions). If users want to take advantage of the free service without subscribing to the newsletter, we ask them to contact us.
- Reminder emails for the order process: If users do not complete an order process, we can remind them by email of the order process and send them a link to continue it. This function can be useful, for example, if the purchase process could not be continued due to a browser crash, inadvertence, or forgetfulness. The sending is based on consent, which users can revoke at any time; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
- Sending via SMS: The electronic notifications can also be sent as SMS text messages (or are exclusively sent via SMS if the authorization to send, e.g., consent, only includes sending via SMS); Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
- HubSpot: Email marketing platform; Service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.hubspot.de; Privacy policy: https://legal.hubspot.com/de/privacy-policy; Data processing agreement: https://legal.hubspot.com/dpa; Standard contractual clauses (ensuring the level of data protection for processing in third countries): https://legal.hubspot.com/dpa.
- SendGrid: Email delivery and communication platform for transactional and marketing emails; Service provider: Twilio Ireland Limited, 25 - 28 North Wall Quay, North Wall, Dublin 1, D01 H104, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://sendgrid.com; Privacy policy: https://www.twilio.com/legal/privacy; Data processing agreement: https://www.twilio.com/legal/data-protection-addendum; Standard contractual clauses (ensuring the level of data protection for processing in third countries): https://www.twilio.com/legal/data-protection-addendum.
- Zapier: Automation of processes, integration of various services, import and export of personal and contact data, as well as analysis of these processes; Service provider: Zapier, Inc., 548 Market St #62411, San Francisco, California 94104, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://zapier.com; Privacy policy: https://zapier.com/privacy; Standard contractual clauses (ensuring the level of data protection for processing in third countries): https://zapier.com/tos (part of the terms of service).
Advertising communication via email, mail, fax or telephone
We process personal data for the purpose of advertising communication, which can be carried out through various channels such as email, telephone, mail or fax, in accordance with legal requirements.
Recipients have the right to revoke consent granted at any time or to object to advertising communication at any time.
After revocation or objection, we store the data necessary to prove the previous authorization for contact or sending for up to three years after the end of the year of revocation or objection, based on our legitimate interests. The processing of this data is limited to the purpose of possible defense against claims. Based on the legitimate interest of permanently considering the revocation or objection of users, we also store the data necessary to avoid further contact (e.g. email address, telephone number, name, depending on the communication channel).
- Processed data types: Inventory data (e.g. names, addresses); contact data (e.g. email, telephone numbers).
- Affected individuals: Communication partners.
- Purposes of processing: Direct marketing (e.g. via email or postal mail).
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Web Analysis, Monitoring, and Optimization
Web analysis (also known as 'reach measurement') is used to evaluate the visitor flows of our online offering and can include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, determine the times at which our online offering or its functions or content are most frequently used or invite reuse. We can also understand which areas need optimization.
In addition to web analysis, we can also use testing procedures to test and optimize different versions of our online offering or its components.
Unless otherwise stated below, profiles, i.e. data summarized for a usage process, can be created and information can be stored and read out in a browser or on an end device for these purposes. The information collected includes, in particular, visited websites and elements used there, as well as technical information such as the browser used, the computer system used, and information about usage times. If users have consented to the collection of their location data to us or to the providers of the services we use, location data can also be processed.
The IP addresses of the users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect the users. In general, no clear data of the users (such as email addresses or names) are stored as part of web analysis, A/B testing, and optimization, but pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.
- Types of data processed: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Remarketing; Audience targeting; Reach measurement (e.g., access statistics, recognition of recurring visitors); Profiles with user-related information (creating user profiles); Provision of our online offering and user-friendliness.
- Security measures: IP masking (pseudonymization of the IP address).
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures, and services:
- Google Optimize: Software for analyzing and optimizing online offerings based on feedback functions and pseudonymously conducted measurements and analyses of user behavior, including A/B tests (measuring the popularity and user-friendliness of different content and functions), measuring click paths, and interaction with content and functions of the online offering; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://optimize.google.com; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms; Standard contractual clauses (ensuring the level of data protection when processing in third countries): https://business.safety.google/adsprocessorterms; Further information: https://privacy.google.com/businesses/adsservices (types of processing and processed data).
- Firebase: Google Firebase is a platform for developers of applications (short 'apps') for mobile devices and websites. Google Firebase offers a variety of features for testing apps, monitoring their functionality, and optimizing them (which are shown on the following overview page: https://firebase.google.com/products). The features include, among other things, the storage of apps, including personal data of application users, such as content created by them or information regarding their interaction with the apps (so-called 'cloud computing'). In addition, Google Firebase offers interfaces that allow interaction between app users and other services, such as authentication using services like Facebook, Twitter, or an email-password combination. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://firebase.google.com; Privacy policy: https://policies.google.com/privacy.
- Google Analytics 4: We use Google Analytics to measure and analyze the use of our online offering based on a pseudonymous user identification number. This identification number does not contain unique data such as names or email addresses. It is used to assign analysis information to an end device in order to recognize which content users have accessed within one or more usage processes, which search terms they have used or accessed again, or how they have interacted with our online offering. The time of use and its duration are also stored, as well as the sources of users referring to our online offering and technical aspects of their end devices and browsers. Pseudonymous profiles of users are created with information from the use of different devices, with cookies being used. In Google Analytics, data on the geographical location is processed at a higher level by capturing the following metadata using IP lookup: 'City' (and the derived latitude and longitude of the city), 'Continent', 'Country', 'Region', 'Subcontinent' (and the ID-based equivalents). To ensure the protection of user data in the EU, Google receives and processes all user data via domains and servers within the EU. The IP address of the users is not logged and is shortened by the last two digits by default. The IP address is shortened on EU servers for EU users. In addition, all sensitive data collected from users in the EU is deleted before being collected via EU domains and servers. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Standard contractual clauses (ensuring the level of data protection when processing in third countries): https://business.safety.google/adsprocessorterms; Possibility of objection (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying advertisements: https://adssettings.google.com/authenticated; Further information: https://privacy.google.com/businesses/adsservices (types of processing and processed data).
- Google Analytics (Server-side usage): We use Google Analytics to measure and analyze the use of our online services by users. While user data is processed, it is not transmitted directly from the users' end devices to Google. In particular, the IP address of the users is not transmitted to Google. Instead, the data is first transmitted to our server, where the user's data records are assigned to our internal user identification number. The subsequent transmission only takes place in this pseudonymized form from our server to Google. The identification number does not contain unique data such as names or email addresses. It is used to assign analysis information to an end device in order to recognize which content users have accessed within one or more usage processes, which search terms they have used or accessed again, or how they have interacted with our online offering. The time of use and its duration are also stored, as well as the sources of users referring to our online offering and technical aspects of their end devices and browsers. Pseudonymous profiles of users are created with information from the use of different devices, with cookies being used. In Analytics, data on the geographical location is provided at a higher level by capturing the following metadata using IP lookup: 'City' (and the derived latitude and longitude of the city), 'Continent', 'Country', 'Region', 'Subcontinent' (and the ID-based equivalents). Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Standard contractual clauses (ensuring the level of data protection when processing in third countries): https://business.safety.google/adsprocessorterms; Further information: https://privacy.google.com/businesses/adsservices (types of processing and processed data).
- Google Signals (Google Analytics feature): Google Signals are session data from websites and apps that Google associates with users who have signed in to their Google accounts and have enabled ad personalization. This assignment of data to these signed-in users is used to enable cross-device reports, cross-device remarketing, and cross-device conversion measurement. This includes: Cross-device reports - linking data about devices and activities from different sessions using your user ID or Google Signals data, allowing an understanding of user behavior at each step of the conversion process, from initial contact to conversion and beyond; Remarketing with Google Analytics - creating remarketing audiences from Google Analytics data and sharing these audiences with linked advertising accounts; Demographics and interests - Google Analytics collects additional information about demographic data and interests of users who are signed in to their Google accounts and have enabled ad personalization. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://support.google.com/analytics/answer/7532985?hl=de; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms; Standard contractual clauses (ensuring the level of data protection when processing in third countries): https://business.safety.google/adsprocessorterms; Further information: https://privacy.google.com/businesses/adsservices (types of processing and processed data).
- Audience targeting with Google Analytics: We use Google Analytics to display ads within advertising services provided by Google and its partners only to users who have shown an interest in our online offering or who have certain characteristics (e.g., interests in certain topics or products determined based on the websites visited) that we transmit to Google (so-called 'remarketing' or 'Google Analytics audiences'). With the help of remarketing audiences, we also want to ensure that our ads correspond to the potential interests of the users. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Legal basis: https://business.safety.google/adsprocessorterms/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Further information: Types of processing and processed data: https://privacy.google.com/businesses/adsservices; Data processing conditions for Google advertising products and standard contractual clauses for third-country transfers of data: https://business.safety.google/adsprocessorterms.
- No collection of detailed location and device data (Google Analytics feature): No detailed location and device data is collected (further information: https://support.google.com/analytics/answer/12017362).
- Google Analytics in consent mode: In consent mode, personal data of users is processed by Google for measurement and advertising purposes, depending on the user's consent. The consent is obtained from users as part of our online services. If users do not give their consent at all, the data is only processed on an aggregated (i.e., not assigned to individual users and summarized) level. If the consent only includes statistical measurement, no personal data of users is processed for ad serving or ad measurement (so-called 'conversion'). Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://support.google.com/analytics/answer/9976101?hl=de.
- Google Tag Manager: Google Tag Manager is a solution that allows us to manage so-called website tags via an interface and thus integrate other services into our online offering (for further information, please refer to the additional information in this privacy policy). With the Tag Manager itself (which implements the tags), no user profiles are created or cookies are stored. Google only learns the IP address of the user, which is necessary to execute the Google Tag Manager. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms; Standard contractual clauses (ensuring the level of data protection when processing in third countries): https://business.safety.google/adsprocessorterms.
- Google Tag Manager (Server-side usage): The Google Tag Manager is an application that allows us to manage so-called website tags via an interface and thus integrate other services into our online offering (see also the further information in this privacy policy). With the Tag Manager itself (which implements the tags), no user profiles or cookies are stored. The integration of the other services takes place on the server side. This means that user data is not transmitted directly from their end device to the respective service or Google. In particular, the IP address of the user is not transmitted to the other service. Instead, the data is first transmitted to our server, where the user's data records are assigned to our internal user identification number. The subsequent transmission of the data from our server to the servers of the respective service providers only takes place in this pseudonymized form. The user identification number does not contain unique data such as names or email addresses. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Standard contractual clauses (ensuring the level of data protection when processing in third countries): https://business.safety.google/adsprocessorterms; Further information: https://privacy.google.com/businesses/adsservices (types of processing and processed data).
- VG Wort / Scalable Central Measuring Method: We use 'session cookies' from VG Wort, Munich, to measure access to texts in order to determine the probability of copying. Session cookies are small units of information that a provider stores in the working memory of the visitor's computer. In a session cookie, a randomly generated unique identification number, a so-called session ID, is stored. In addition, a cookie contains information about its origin and the storage period. Session cookies cannot store any other data. These measurements are carried out by Kantar Germany GmbH using the Scalable Central Measuring Method (SZM). They help to determine the probability of copying individual texts for the remuneration of legal claims by authors and publishers. We do not collect personal data via cookies. In the Scalable Central Measuring Method, anonymous measurement values are collected. The access measurement uses a session cookie or a signature created from various automatically transmitted information from your browser to recognize computer systems. IP addresses are only processed in anonymized form. The procedure was developed with data protection in mind. The sole purpose of the procedure is to determine the probability of copying individual texts. At no time are individual users identified. Your identity is always protected. You will not receive any advertising through the system. Service provider: Verwertungsgesellschaft WORT (VG WORT), Untere Weidenstraße 5, 81543 Munich, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.vgwort.de; Privacy policy: https://www.vgwort.de/hilfsseiten/datenschutz.html.
Online Marketing
We process personal data for the purpose of online marketing, which includes the marketing of advertising space or the display of advertising and other content (collectively referred to as 'content') based on potential user interests and the measurement of their effectiveness.
For these purposes, so-called user profiles are created and stored in a file (so-called 'cookie') or similar methods are used, by means of which relevant information about the user for the display of the aforementioned content is stored. This information may include, for example, viewed content, visited websites, used online networks, as well as communication partners and technical information such as the browser used, the computer system used, as well as information about usage times and used functions. If users have consented to the collection of their location data, this data can also be processed.
IP addresses of the users are also stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect the users. In general, no clear data of the users (such as email addresses or names) are stored as part of the online marketing process, but pseudonyms are used. This means that we and the providers of the online marketing processes do not know the actual identity of the users, but only the information stored in their profiles.
The information in the profiles is usually stored in cookies or similar methods. These cookies can later be read and analyzed on other websites that use the same online marketing process, and can also be supplemented with additional data and stored on the server of the online marketing process provider.
In exceptional cases, clear data can be assigned to the profiles. This is the case, for example, if users are members of a social network whose online marketing process we use and the network connects the profiles of the users with the aforementioned information. Please note that users may have additional agreements with the providers, for example, through consent during registration.
In general, we only have access to aggregated information about the success of our advertisements. However, we can check, as part of so-called conversion measurements, which of our online marketing processes have led to a so-called conversion, i.e., for example, to a contract conclusion with us. The conversion measurement is used solely for the analysis of the success of our marketing measures.
Unless otherwise stated, please assume that the cookies used will be stored for a period of two years.
- Processed data types: Content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, consent status); event data (Facebook) ('Event data' are data that can be transmitted to Facebook, for example, via the Facebook pixel (via apps or other means) by us and relate to individuals or their actions; the data includes, for example, information about visits to websites, interactions with content, functions, installations of apps, purchases of products, etc.; the event data is processed for the purpose of creating target groups for content and advertising information (custom audiences); event data does not include the actual content (such as written comments), login information, or contact information (i.e., no names, email addresses, and telephone numbers). Event data is deleted by Facebook after a maximum of two years, and the target groups formed from them are deleted with the deletion of our Facebook account); contact information (Facebook) ('Contact information' is data that can clearly identify individuals, such as names, email addresses, and telephone numbers, which can be transmitted to Facebook, for example, via the Facebook pixel or upload for the purpose of creating custom audiences; after the comparison for the purpose of creating target groups, the contact information is deleted).
- Affected individuals: Users (e.g., website visitors, users of online services).
- Purposes of processing: Reach measurement (e.g., access statistics, recognition of recurring visitors); tracking (e.g., interest/behavior-based profiling, use of cookies); conversion measurement (measurement of the effectiveness of marketing measures); target group formation; marketing; profiles with user-related information (creation of user profiles); provision of our online offer and user-friendliness; remarketing; click tracking.
- Security measures: IP masking (pseudonymization of the IP address).
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Possibility of objection (opt-out): We refer to the data protection information of the respective providers and the opt-out options indicated for the providers (so-called 'opt-out'). If no explicit opt-out option has been specified, there is the possibility, on the one hand, to disable cookies in the settings of your browser. However, this may restrict the functions of our online offer. We therefore recommend the following opt-out options, which are offered in summary for the respective areas: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-regional: https://optout.aboutads.info.
Further information on processing operations, procedures, and services:
- Facebook Pixel and Audience Building (Custom Audiences): With the help of the Facebook pixel (or similar functions, for transmitting event data or contact information via interfaces in apps), Facebook is able to determine the visitors of our online offer as a target group for the display of advertisements (so-called 'Facebook ads'). Accordingly, we use the Facebook pixel to display the Facebook ads we have placed only to those users on Facebook and within the services of Facebook's cooperating partners (so-called 'Audience Network' https://www.facebook.com/audiencenetwork/) who have also shown an interest in our online offer or who have certain characteristics (e.g., interest in certain topics or products that can be seen based on the visited websites) that we transmit to Facebook (so-called 'custom audiences'). With the help of the Facebook pixel, we also want to ensure that our Facebook ads correspond to the potential interests of the users and do not appear annoying. With the help of the Facebook pixel, we can also track the effectiveness of the Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called 'conversion measurement'); Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Further information: Event data of users, i.e., behavioral and interest-related information, is processed for the purposes of targeted advertising and audience building based on the agreement on joint responsibility ('Controller Addendum', https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, especially with regard to the transmission of the data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- Extended Matching for Facebook Pixel: In addition to the processing of event data as part of the use of the Facebook pixel (or similar functions, e.g., in apps), contact information (data identifying individual persons, such as names, email addresses, and telephone numbers) is also collected or transmitted to Facebook within our online offer. The processing of contact information is used to create target groups (so-called 'custom audiences') for the display of content and advertising information oriented towards the presumed interests of the users. The collection, transmission, and comparison with data existing at Facebook are not in plain text, but as so-called 'hash values', i.e., mathematical representations of the data (this method is used, for example, for storing passwords). After the comparison for the purpose of creating target groups, the contact information is deleted. The processing of contact information is based on an order processing agreement with Meta Platforms Ireland Limited ('Data Processing Terms', https://www.facebook.com/legal/terms/dataprocessing), the 'Data Security Terms' (https://www.facebook.com/legal/terms/data_security_terms), and with regard to processing in the USA, on the basis of standard contractual clauses ('Facebook EU Data Transfer Addendum', https://www.facebook.com/legal/EU_data_transfer_addendum). Further information on the processing of contact information can be found in the 'Terms of Use for Facebook Business Tools', https://www.facebook.com/legal/technology_terms; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
- Facebook - Audience Building via Data Upload: Building target groups for marketing purposes - We transmit contact information (names, email addresses, and telephone numbers) in list form to Facebook for the purpose of creating target groups (so-called 'custom audiences') for the display of content and advertising information oriented towards the presumed interests of the users. The transmission and comparison with data existing at Facebook are not in plain text, but as so-called 'hash values', i.e., mathematical representations of the data (this method is used, for example, for storing passwords). After the comparison for the purpose of creating target groups, the contact information is deleted. The processing of contact information is based on an order processing agreement with Meta Platforms Ireland Limited ('Data Processing Terms', https://www.facebook.com/legal/terms/dataprocessing), the 'Data Security Terms' (https://www.facebook.com/legal/terms/data_security_terms), and with regard to processing in the USA, on the basis of standard contractual clauses ('Facebook EU Data Transfer Addendum', https://www.facebook.com/legal/EU_data_transfer_addendum). Further information on the processing of contact information can be found in the 'Terms of Use for Custom Audiences with Customer Lists', https://www.facebook.com/legal/terms/customaudience; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Order processing agreement: https://www.facebook.com/legal/terms/dataprocessing; Standard contractual clauses (ensuring the level of data protection when processing in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum.
- Facebook Ads: Placement of advertisements within the Facebook platform and evaluation of the results of the advertisements; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Possibility of objection (opt-out): We refer to the data protection and advertising settings in the user's profile on the Facebook platform, as well as within the scope of Facebook's consent procedure and Facebook's contact options for exercising information and other rights of data subjects in Facebook's privacy policy; Further information: Event data of users, i.e., behavioral and interest-related information, is processed for the purposes of targeted advertising and audience building based on the agreement on joint responsibility ('Controller Addendum', https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, especially with regard to the transmission of the data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- Google Ads and Conversion Tracking: Online marketing procedure for the placement of content and advertisements within the advertising network of the service provider (e.g., in search results, in videos, on websites, etc.), so that they are displayed to users who have a presumed interest in the advertisements. In addition, we measure the conversion of the advertisements, i.e., whether users have interacted with the advertisements and used the advertised offers (so-called conversion). However, we only receive anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Further information: Types of processing and processed data: https://privacy.google.com/businesses/adsservices; Data processing terms between controllers and standard contractual clauses for the transfer of data to third countries: https://business.safety.google/adscontrollerterms.
- Google Ads Remarketing: Google Remarketing, also known as retargeting, is a technology that allows users who have used an online service to be included in a pseudonymous remarketing list so that users can be shown ads on other online offerings based on their visit to the online service; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Further information: Types of processing and processed data: https://privacy.google.com/businesses/adsservices; Data processing terms between controllers and standard contractual clauses for the transfer of data to third countries: https://business.safety.google/adscontrollerterms.
- Enhanced Conversions for Google Ads: When customers click on our Google ads and subsequently use the advertised service (so-called 'conversion'), the data entered by the user, such as the email address, name, residential address, or telephone number, can be transmitted to Google. The hash values are then compared with existing Google accounts of the users in order to better evaluate and improve the users' interaction with the ads (e.g., clicks or views) and their performance; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://support.google.com/google-ads/answer/9888656.
- Instagram Ads: Placement of advertisements within the Instagram platform and evaluation of the results of the advertisements; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy; Possibility of objection (opt-out): We refer to the data protection and advertising settings in the user's profile on the Instagram platform, as well as within the scope of Instagram's consent procedure and Instagram's contact options for exercising information and other rights of data subjects in Instagram's privacy policy; Further information: Event data of users, i.e., behavioral and interest-related information, is processed for the purposes of targeted advertising and audience building based on the agreement on joint responsibility ('Controller Addendum', https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, especially with regard to the transmission of the data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- LinkedIn: Insights tag / conversion tracking; Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy, Cookie policy: https://www.linkedin.com/legal/cookie_policy; Standard contractual clauses (ensuring the level of data protection when processing in third countries): https://legal.linkedin.com/dpa; Possibility of objection (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
- Microsoft Advertising: Online marketing procedure for the placement of content and advertisements within the advertising network of the service provider (e.g., in search results, in videos, on websites, etc.), so that they are displayed to users who have a presumed interest in the advertisements. In addition, we measure the conversion of the advertisements, i.e., whether users have interacted with the advertisements and used the advertised offers (so-called conversion). However, we only receive anonymous information and no personal information about individual users; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://about.ads.microsoft.com/; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement; Possibility of objection (opt-out): https://account.microsoft.com/privacy/ad-settings/; Further information: https://about.ads.microsoft.com/de-de/policies/legal-privacy-and-security.
- UTM Parameters: Analysis of sources and user actions based on an extension of web addresses referring to us with an additional parameter, the 'UTM' parameter. For example, a UTM parameter 'utm_source=platformX&utm_medium=video' can tell us that a person clicked on the link on platform X within a video. The UTM parameters provide information about the source of the link, the medium used (e.g., social media, website, newsletter), the type of campaign, or the content of the campaign (e.g., post, link, image, and video). With the help of this information, we can, for example, check our visibility on the Internet or the effectiveness of our campaigns; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Customer Reviews and Rating Procedures
We participate in review and rating procedures to evaluate, optimize, and promote our services. If users rate us or provide feedback through the involved review platforms or procedures, the general terms and conditions and privacy policy of the providers also apply. In most cases, registration with the respective providers is required for rating.
To ensure that the reviewing individuals have actually used our services, we transmit the necessary data regarding the customer and the service used to the respective review platform with the customer's consent (including name, email address, and order or item number). This data is solely used to verify the authenticity of the user.
- Processed data types: Contract data (e.g., subject matter of the contract, duration, customer category); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedure data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Data subjects: Customers; Users (e.g., website visitors, users of online services).
- Purposes of processing: Feedback (e.g., collecting feedback via online form); Marketing.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures, and services:
- Google Customer Reviews: Service for obtaining and/or displaying customer satisfaction and opinions; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Terms and conditions: https://support.google.com/merchants/topic/7259129?hl=en&ref_topic=7257954; Privacy policy: https://policies.google.com/privacy; Further information: As part of obtaining customer reviews, an identification number and timestamp for the transaction to be reviewed, the customer's email address in the case of review requests sent directly to customers, the customer's country of residence, and the review information itself are processed; Further information on the types of processing and the processed data: https://privacy.google.com/businesses/adsservices; Data processing terms for Google advertising products: Information on the services' data processing terms between controllers and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
- kununu: Review platform; Service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.kununu.com; Privacy policy: https://privacy.xing.com/en/privacy-policy.
Presences on Social Networks (Social Media)
We maintain online presences within social networks and process user data in this context in order to communicate with active users there or to provide information about us.
We would like to point out that user data may be processed outside the European Union. This may result in risks for the users, as, for example, the enforcement of user rights could be made more difficult.
Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage behavior and resulting user interests can be used to create user profiles. These user profiles can in turn be used to display advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users' computers, in which the usage behavior and interests of the users are stored. Furthermore, data can also be stored in the user profiles regardless of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).
For a detailed presentation of the respective processing methods and the options for objection (opt-out), please refer to the data protection declarations and information provided by the operators of the respective networks.
Also, in the event of requests for information and the assertion of data subject rights, we would like to point out that these can be most effectively asserted with the providers. Only the providers have access to the users' data and can take appropriate measures and provide information directly. If you still need assistance, you can contact us.
- Processed data types: Contact data (e.g. email, telephone numbers); Content data (e.g. entries in online forms); Usage data (e.g. visited websites, interest in content, access times); Meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, consent status).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Contact inquiries and communication; Feedback (e.g. collecting feedback via online form); Marketing.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures, and services:
- Instagram: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy.
- Facebook Pages: Profiles within the social network Facebook - We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data from visitors to our Facebook page (so-called 'fan page'). This data includes information about the types of content users view or interact with, or the actions they take (see 'Things You and Others Do and Provide' in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see 'Device Information' in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under 'How We Use This Information', Facebook also collects and uses information to provide analysis services, so-called 'Page Insights', for page operators, so that they can gain insights into how people interact with their pages and the content associated with them. We have concluded a special agreement with Facebook ('Information on Page Insights', https://www.facebook.com/legal/terms/page_controller_addendum), which in particular regulates the security measures Facebook must observe and in which Facebook has agreed to fulfill the rights of data subjects (i.e. users can, for example, address requests for information or deletion directly to Facebook). The rights of users (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the 'Information on Page Insights' (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Standard contractual clauses (ensuring an adequate level of data protection for processing in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum; Further information: Agreement on joint responsibility: https://www.facebook.com/legal/terms/information_about_page_insights_data. The joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with regard to the transmission of data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- Facebook Groups: Interest groups within the social network Facebook - We use the 'Groups' function of the Facebook platform to create interest groups where Facebook users can interact with each other or with us and exchange information. In doing so, we process personal data of the users of our groups to the extent necessary for the purpose of group use and its moderation. Our policies within the groups may contain further requirements and information on the use of the respective group. This data includes information about first and last names, as well as published or privately communicated content, as well as values related to the status of group membership or group-related activities, such as joining or leaving, as well as the time information related to the aforementioned data. We also refer to the processing of user data by Facebook itself. This data includes information about the types of content users view or interact with, or the actions they take (see 'Things You and Others Do and Provide' in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see 'Device Information' in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under 'How We Use This Information', Facebook also collects and uses information to provide analysis services, so-called 'Insights', for group operators, so that they can gain insights into how people interact with their groups and the content associated with them; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy.
- LinkedIn: Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Data processing agreement: https://legal.linkedin.com/dpa; Standard contractual clauses (ensuring an adequate level of data protection for processing in third countries): https://legal.linkedin.com/dpa; Possibility of objection (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
- TikTok: Social network / video platform; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.tiktok.com; Privacy policy: https://www.tiktok.com/de/privacy-policy.
- Twitter: Social network; Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland, Parent company: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Privacy policy: https://twitter.com/privacy, (Settings: https://twitter.com/personalization).
- YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Privacy policy: https://policies.google.com/privacy; Possibility of objection (opt-out): https://adssettings.google.com/authenticated.
- Xing: Social network; Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.xing.de; Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.
Plugins and Embedded Functions as well as Content
We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include graphics, videos, or maps (hereinafter collectively referred to as "content").
The integration always requires that the third-party providers of this content process the IP address of the users, as they would not be able to send the content to their browser without the IP address. The IP address is therefore necessary for the display of this content or functions. We make every effort to use only content whose respective providers use the IP address solely for the purpose of delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, visit time, and other information about the use of our online offering, as well as be combined with such information from other sources.
- Types of data processed: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status); Master data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Location data (information about the geographical position of a device or person).
- Data subjects: Users (e.g., website visitors, users of online services); Communication partners.
- Purposes of processing: Provision of our online offering and user-friendliness; Provision of contractual services and customer support; Contact inquiries and communication; Office and organizational procedures; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures, and services:
- Integration of third-party software, scripts, or frameworks (e.g., jQuery): We integrate software into our online offering that we retrieve from servers of other providers (e.g., function libraries that we use for the presentation or user-friendliness of our online offering). In doing so, the respective providers collect the IP address of the users and may process it for the purpose of transmitting the software to the users' browser, as well as for security purposes, and for evaluating and optimizing their offering; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Google Fonts (access from Google server): Access to fonts (and symbols) for the purpose of technically secure, maintenance-free, and efficient use of fonts and symbols with regard to up-to-dateness and loading times, their uniform display, and consideration of possible license restrictions. The provider of the fonts is informed of the user's IP address so that the fonts can be made available in the user's browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) are transmitted, which are necessary for the provision of the fonts depending on the devices used and the technical environment. This data may be processed on a server of the font provider in the USA - When users visit our online offering, their browser sends HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving the fonts). The Google Fonts Web API provides users with the cascading style sheets (CSS) from Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the Internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of the website visitors, as well as the referring URL (i.e., the website on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers, and they are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user agent, and referring URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a particular font family is requested. The Google Fonts Web API requires the user agent in order to adapt the font generated for the respective browser type. The user agent is primarily logged for debugging purposes and used to generate aggregated usage statistics that measure the popularity of font families. These aggregated usage statistics are published on the "Analytics" page of Google Fonts. Finally, the referring URL is logged so that the data can be used for production maintenance and an aggregated report on the top integrations can be generated based on the number of font requests. According to its own information, Google does not use any of the information collected by Google Fonts to create profiles of end users or to display targeted ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://fonts.google.com/; Privacy policy: https://policies.google.com/privacy; Further information: https://developers.google.com/fonts/faq/privacy?hl=en.
- Google Maps: We integrate the maps of the service "Google Maps" provided by Google. The processed data may include IP addresses and location data of the users; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://mapsplatform.google.com/; Privacy policy: https://policies.google.com/privacy.
- Google Maps APIs and SDKs: Interfaces to Google's mapping and location services, which allow, for example, the completion of address entries, location determinations, distance calculations, or the provision of additional information about locations and other places; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://mapsplatform.google.com/; Privacy policy: https://policies.google.com/privacy.
- reCAPTCHA: We integrate the function "reCAPTCHA" to determine whether inputs (e.g., in online forms) are made by humans or by automatically acting machines (so-called "bots"). The processed data may include IP addresses, information about operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, length of stay on web pages, previously visited web pages, interactions with reCaptcha on other web pages, possibly cookies, as well as results of manual recognition processes (e.g., answering questions posed or selecting objects in images). The data processing is based on our legitimate interest in protecting our online offering from abusive automated crawling and spam; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.google.com/recaptcha/; Privacy policy: https://policies.google.com/privacy; Opt-out possibility (Opt-Out): Opt-Out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, settings for the display of advertising: https://adssettings.google.com/authenticated.
- YouTube videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy; Opt-out possibility (Opt-Out): Opt-Out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, settings for the display of advertising: https://adssettings.google.com/authenticated.
- Twilio: Cloud communication platform that enables, for example, programmatically making and receiving calls, sending and receiving text messages, and executing other communication functions using web service interfaces; Service provider: Twilio Ireland Limited, 25 - 28 North Wall Quay, North Wall, Dublin 1, D01 H104, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.twilio.com; Privacy policy: https://www.twilio.com/legal/privacy; Data processing agreement: https://www.twilio.com/legal/data-protection-addendum; Standard contractual clauses (ensuring an adequate level of data protection for processing in third countries): https://www.twilio.com/legal/data-protection-addendum.
Change and Update of Privacy Policy
We kindly ask you to regularly inform yourself about the content of our privacy policy. We will adjust the privacy policy as soon as the changes to the data processing we carry out require it. We will inform you as soon as the changes require your cooperation (e.g. consent) or any other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and we kindly ask you to verify the information before contacting them.
Definitions
In this section, you will find an overview of the terms used in this privacy policy. Where the terms are legally defined, their legal definitions apply. The following explanations are primarily intended to aid understanding.
- A/B Testing: A/B testing is used to improve the user-friendliness and performance of online offerings. Users are shown different versions of a website or its elements, such as input forms, where the placement of content or the labeling of navigation elements may differ. Based on user behavior, such as longer stays on the website or more frequent interaction with the elements, it can be determined which of these websites or elements better meet the users' needs.
- Content Delivery Network (CDN): A content delivery network (CDN) is a service that helps deliver content of an online offering, especially large media files such as graphics or program scripts, faster and more securely using regionally distributed servers connected via the internet.
- Click Tracking: Click tracking allows for tracking user movements within an entire online offering. Since the results of these tests are more accurate when user interaction can be tracked over a certain period of time (e.g., to determine if a user returns), cookies are typically stored on users' computers for these testing purposes.
- Conversion Tracking: Conversion tracking (also known as "visit action evaluation") is a method for determining the effectiveness of marketing measures. Typically, a cookie is stored on users' devices within the web pages where the marketing measures are carried out and then retrieved again on the target web page. For example, we can track whether the ads we placed on other websites were successful.
- Personal Data: "Personal data" refers to any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more specific characteristics expressing the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Profiles with User-Related Information: The processing of "profiles with user-related information," or simply "profiles," includes any form of automated processing of personal data that involves using this personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may involve different information concerning demographics, behavior and interests, such as interaction with websites and their content, etc.). Cookies and web beacons are often used for profiling purposes.
- Reach Measurement: Reach measurement (also referred to as web analytics) is used to evaluate the visitor flows of an online offering and may include the behavior or interests of visitors in certain information, such as the content of web pages. With the help of reach analysis, website owners can, for example, determine at what time visitors access their website and what content they are interested in. This allows them to better tailor the content of the website to the needs of their visitors. Pseudonymous cookies and web beacons are often used for reach analysis purposes to recognize recurring visitors and obtain more accurate analyses of the use of an online offering.
- Remarketing: Remarketing or retargeting refers to the practice of noting which products a user has shown interest in on a website for advertising purposes, in order to remind the user of these products, for example, in advertisements on other websites.
- Location Data: Location data is generated when a mobile device (or another device with the technical prerequisites for determining location) connects to a radio cell, a Wi-Fi network, or similar technical intermediaries and functions for determining location. Location data indicates the geographically identifiable position on Earth where the respective device is located. Location data can be used, for example, to display map functions or other location-dependent information.
- Location History and Movement Profiles: Location history (also referred to as "movement profile") refers to the collection of location data over a certain period of time. Location history allows conclusions to be drawn about the geographic movements (i.e., changes in position) of devices or their users.
- Tracking: Tracking refers to the ability to trace user behavior across multiple online offerings. In general, behavioral and interest information is stored in cookies or on servers of the providers of tracking technologies (known as profiling) with regard to the online offerings used. This information can then be used, for example, to display advertisements to users that are likely to correspond to their interests.
- Controller: The "controller" is the natural or legal person, authority, institution, or other body that alone or jointly with others determines the purposes and means of the processing of personal data.
- Processing: "Processing" means any operation or set of operations performed with or without the aid of automated processes in connection with personal data. The term is broad and practically encompasses any handling of data, whether it involves collecting, evaluating, storing, transmitting, or deleting.
- Audience Building: Audience building (also known as "custom audiences") refers to the determination of target groups for advertising purposes, such as displaying advertisements. For example, based on a user's interest in certain products or topics on the internet, it can be inferred that the user is interested in advertisements for similar products or the online shop where they viewed the products. "Lookalike audiences" (or similar target groups) refer to the display of content deemed suitable to users whose profiles or interests presumably correspond to those for which the profiles were created. Cookies and web beacons are typically used for the purpose of creating custom audiences and lookalike audiences.