Data privacy policy

by Igor

Data privacy policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online services”).

The terms used are not gender-specific.

Last updated: March 1, 2026

Relevant Legal Bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases under the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. If more specific legal bases apply in individual cases, we will inform you about these in the privacy policy.

Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.

Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.

Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.

Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection regulations in Germany: In addition to the GDPR, national data protection regulations apply in Germany. These include, in particular, the Federal Data Protection Act (BDSG). The BDSG contains specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and data transfers, as well as automated individual decision-making, including profiling. Furthermore, the data protection laws of the individual federal states may also apply.

National data protection regulations in Liechtenstein: In addition to the GDPR, national data protection regulations apply in Liechtenstein. This includes, in particular, the Data Protection Act (DSG) and the Data Protection Regulation (DSV).

National data protection regulations in Luxembourg: In addition to the GDPR, Luxembourg has its own national data protection regulations. These include, in particular, the “Luxembourg Data Protection Act” (“Loi du 1er août 2018 sur la protection des données”).

National Data Protection Regulations in the Netherlands: In addition to the GDPR, national data protection regulations apply in the Netherlands. These include, in particular, the “Implementing Act for the General Data Protection Regulation” (Uitvoeringswet Algemene verordening gegevensbescherming – UAVG).

National Data Protection Regulations in Austria: In addition to the GDPR, national data protection regulations apply in Austria. These include, in particular, the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (DSG). The DSG contains, in particular, special provisions on the right of access, the right to rectification or erasure, the processing of special categories of personal data, processing for other purposes, data transfers, and automated decision-making in individual cases.

National Data Protection Regulations in Poland: In addition to the data protection provisions of the GDPR, national data protection regulations apply in Poland. These include, in particular, the Polish Data Protection Act (Ustawa z dnia 10 maja 2018 r. ochronie danych osobowych).

Relevant legal bases under the Swiss Federal Act on Data Protection: If you are resident in Switzerland, we process your data on the basis of the Federal Act on Data Protection (hereinafter referred to as the “Swiss Federal Act on Data Protection”). Unlike, for example, the GDPR, the Swiss Federal Act on Data Protection generally does not require a legal basis for the processing of personal data, but stipulates that the processing of personal data must be carried out in good faith, lawfully, and proportionately (Art. 6 para. 1 and 2 Swiss Federal Act on Data Protection). We collect personal data exclusively for a specific purpose that is comprehensible to the data subject and process it only in a manner compatible with that purpose (Art. 6 para. 3 Federal Act on Data Protection).

Note on the applicability of the GDPR and the Federal Act on Data Protection (FADP): This privacy policy serves to provide information in accordance with the Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). Due to its broader geographical scope and clarity, we use the terms of the GDPR here. In particular, the terms “processing” of “personal data,” “overriding interest,” and “special categories of personal data” used in the Federal Act are replaced by the terms “processing” of “personal data,” “legitimate interest,” and “special categories of personal data” used in the GDPR. However, the legal meaning of these terms remains governed by the Federal Act on Data Protection (DSG), insofar as it is applicable.

Applicability of data protection regulations in the country of residence: In the country where the controller is established, the national data protection regulations apply in addition to the General Data Protection Regulation (GDPR).

Overview of processing activities

The following overview summarizes the types of data processed, the purposes of processing, and the data subjects.
Types of Data Processed
Inventory data.
Employee data.
Payment data.
Location data.
Contact data.
Content data.
Contract data.
Usage data.
Metadata, communication data, and procedural data.
Log data.
Categories of Data Subjects
Service recipients and clients.
Employees.
Prospective clients.
Communication partners.
Users.
Business and contractual partners.
Third parties.
Whistleblowers.
Purposes of Processing
Provision of contractual services and fulfillment of contractual obligations.
Communication.
Security measures.
Reach measurement.
Tracking.
Office and organizational procedures.
Target group formation.
Organizational and administrative procedures.
Feedback.
Marketing.
Profiles with user-related information.
Provision of our online services and user-friendliness.
Information technology infrastructure.
Whistleblower protection.
Public relations.
Business processes and management procedures.

Security measures

In accordance with legal requirements, and taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, ensuring availability, and separating the data. Furthermore, we have established procedures that guarantee the exercise of data subject rights, the erasure of data, and responses to data breaches. We also consider the protection of personal data during the development and selection of hardware, software, and processes, in accordance with the principles of data protection by design and by default.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, ensuring availability, and ensuring the separation of the data. IP address truncation: If IP addresses are processed by us or the service providers and technologies we use, and processing a full IP address is not necessary, the IP address is truncated (also known as “IP masking”). This involves removing the last two digits or the last part of the IP address after a period or replacing them with placeholders. The purpose of IP address truncation is to prevent or significantly hinder the identification of a person based on their IP address.

Securing online connections using TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), thus protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured with an SSL/TLS certificate, this is indicated by HTTPS in the URL. This serves as an indicator for users that their data is being transmitted securely and encrypted.

International Data Transfers

Data Processing in Third Countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in connection with the use of third-party services or the disclosure or transfer of data to other persons, entities, or companies (which is identifiable by the postal address of the respective provider or if the privacy policy explicitly refers to the data transfer to third countries), this is always done in accordance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the EU Commission dated July 10, 2023. In addition, we have concluded standard contractual clauses with the respective providers, which comply with the requirements of the EU Commission and establish contractual obligations for the protection of your data.

This dual safeguard ensures comprehensive protection of your data: The DPF forms the primary layer of protection, while the standard contractual clauses serve as an additional safeguard. Should any changes occur under the Data Privacy Framework (DPF), the Standard Contractual Clauses serve as a reliable fallback option. This ensures that your data remains adequately protected even in the event of political or legal changes.

For each service provider, we will inform you whether they are DPF-certified and whether Standard Contractual Clauses are in place. Further information about the DPF and a list of certified companies can be found on the U.S. Department of Commerce website at https://www.dataprivacyframework.gov/ (in English).
For data transfers to other third countries, appropriate safeguards apply, in particular standard contractual clauses, explicit consent, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found in the European Commission’s information resource: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

Disclosure of personal data abroad: In accordance with the Swiss Federal Data Protection Act (FADP), we only disclose personal data abroad if adequate protection of the data subjects is guaranteed (Art. 16 FADP). If the Federal Council has not determined adequate protection (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we implement alternative safeguards.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by Switzerland’s adequacy decision of September 15, 2024. In addition, we have concluded standard contractual clauses with the respective providers, which have been approved by the Federal Data Protection and Information Commissioner (FDPIC) and establish contractual obligations for the protection of your data.

This dual safeguard ensures comprehensive protection of your data: The DPF forms the primary layer of protection, while the standard contractual clauses serve as an additional layer of security. Should changes occur within the framework of the DPF, the standard contractual clauses come into play as a reliable fallback option. This ensures that your data remains adequately protected even in the event of any political or legal changes.

For each service provider, we will inform you whether they are DPF-certified and whether standard contractual clauses are in place. The list of certified companies and further information on the Data Privacy Framework (DPF) can be found on the U.S. Department of Commerce website at https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, appropriate safeguards apply, including international agreements, specific guarantees, standard contractual clauses approved by the Federal Data Protection and Information Commissioner (FDPIC), or internal company policies that have been approved in advance by the FDPIC or a competent data protection authority of another country.

General information on data storage and deletion

We delete personal data that we process in accordance with legal regulations as soon as the underlying consent is withdrawn or no further legal basis for processing exists. This applies to cases where the original processing purpose no longer applies or the data is no longer needed. Exceptions to this rule exist if legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal proceedings or to protect the rights of other natural or legal persons, must be archived accordingly.

Our privacy policy contains additional information on the retention and deletion of data that applies specifically to certain processing activities.

If there are multiple retention periods or deletion deadlines for a given date, the longest period always applies. Data that is no longer retained for the originally intended purpose, but is retained due to legal requirements or other reasons, is processed by us exclusively for the reasons that justify its retention.

Data Retention and Deletion: The following general retention periods apply under German law:

10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and the work instructions and other organizational documents necessary for their understanding (§ 147 para. 1 no. 1 in conjunction with para. 3 AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 in conjunction with para. 4 HGB).

8 years – Accounting documents, such as invoices and expense receipts (§ 147 para. 1 nos. 4 and 4a in conjunction with para. 3 sentence 1 AO and § 257 para. 1 no. 4 in conjunction with para. 4 HGB).

6 years – Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents relevant for taxation, e.g., timesheets, cost accounting sheets, calculation documents, price tags, but also payroll documents, insofar as they are not already accounting documents, and cash register receipts (Section 147 Paragraph 1 Nos. 2, 3, 5 in conjunction with Paragraph 3 of the German Fiscal Code (AO), Section 257 Paragraph 1 Nos. 2 and 3 in conjunction with Paragraph 4 of the German Commercial Code (HGB)).

3 years – Data required to consider potential warranty and damage claims or similar contractual claims and rights, as well as to process related inquiries, based on past business experience and standard industry practices, will be stored for the duration of the regular statutory limitation period of three years (Sections 195, 199 of the German Civil Code (BGB)).
Data Retention and Deletion: The following general retention periods apply under Austrian law for the retention and archiving of personal data, insofar as this is necessary for compliance with legal obligations or for the protection of legitimate interests:

7 years: Personal data processed in connection with tax-relevant business documents is retained for a period of seven years in accordance with Section 132 of the Austrian Federal Fiscal Code (BAO) and Sections 190–212 of the Austrian Commercial Code (UGB). This includes, in particular, books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting documents, invoices, as well as received and sent commercial or business correspondence and other documents relevant for tax assessment. The period begins at the end of the calendar year for which the last entry was made and is extended, if necessary, as long as the documents are relevant for pending tax proceedings.

3 years: Data required for the assertion, exercise, or defense of warranty, damage, or other contractual claims is stored for the duration of the applicable statutory limitation period. This period is generally three years according to Section 1489 of the Austrian Civil Code (ABGB), unless longer statutory retention periods apply.

Data Retention and Deletion: The following general retention periods apply under Swiss law:

10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting documents and invoices, as well as all necessary work instructions and other organizational documents (Art. 958f of the Swiss Code of Obligations (CO)).

10 years – Data necessary for considering potential claims for damages or similar contractual claims and rights, as well as for processing related inquiries, based on past business experience and standard industry practices, is stored for the statutory limitation period of ten years, unless a shorter period of five years applies, which is relevant in certain cases (Art. 127, 130 CO). Claims for rent, lease payments, and interest on capital, as well as other periodic payments, for the supply of food, for meals, and for innkeepers’ debts, and for skilled trades work, retail sales of goods, medical care, professional services of lawyers, legal agents, procurators, and notaries, and from the employment relationship of employees, become statute-barred after five years (Art. 128 of the Swiss Code of Obligations).

The limitation period begins at the end of the year: If a limitation period does not expressly begin on a specific date and is at least one year long, it begins automatically at the end of the calendar year in which the event triggering the limitation period occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the limitation period is the effective date of the termination or other dissolution of the legal relationship.

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:

  • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw any consent you have given at any time.
  • Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information, as well as a copy of the personal data, in accordance with the legal requirements.

• Right to rectification: In accordance with legal requirements, you have the right to request the completion of incomplete personal data concerning you or the correction of inaccurate personal data concerning you.

  • Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that personal data concerning you be erased without undue delay, or alternatively, in accordance with legal requirements, to request the restriction of processing of your personal data.
  • Right to data portability: In accordance with legal requirements, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to request its transmission to another controller.
  • Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Rights of data subjects under the Swiss Federal Act on Data Protection (FADP):

As a data subject, you have the following rights under the provisions of the Swiss Federal Act on Data Protection (FADP):

  • Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed and to receive the information necessary to exercise your rights under this law and to ensure transparent data processing.
  • Right to data portability: You have the right to request that your personal data, which you have provided to us, be provided in a commonly used electronic format.
  • Right to rectification: You have the right to request the rectification of inaccurate personal data concerning you.
  • Right to object, erasure, and destruction: You have the right to object to the processing of your data and to request that your personal data be erased or destroyed.

Processing of data within the framework of contractual and business relationships

We process personal data of our contractual and business partners, such as customers, clients, prospective clients, suppliers, and other cooperation partners (collectively referred to as “contractual partners”), for the initiation, execution, and processing of contractual relationships and similar legal relationships. This also includes pre-contractual measures upon request and communication related to the respective contractual relationship.

The processing of your data serves, in particular, to fulfill our primary and secondary contractual obligations. These include the provision of the agreed services, the fulfillment of any update and information obligations, the handling of warranty claims and other service disruptions, the processing of cancellations, terminations of ongoing contractual relationships, withdrawals, refunds, and the processing of other contract-related declarations and inquiries. This encompasses both one-off contracts and ongoing contractual relationships.

The data processed includes, in particular, master data such as name, address, and, if applicable, company name; contact details such as email address and telephone number; contract and performance data such as the subject matter of the contract, contract duration, order or transaction number; and usage and performance data. Payment and billing data, as well as communication content and history. Where necessary, we also process data disclosed or transmitted to us in the course of fulfilling orders.

Furthermore, we process data to protect our rights and to comply with legal obligations. This includes, in particular, commercial and tax law retention requirements, documentation requirements, and, where applicable, obligations to provide evidence and accountability. Processing is also based on our legitimate interests in proper business management, internal administration, risk management, and IT security, as well as for protecting our business operations and the interests of our contractual partners from misuse, data breaches, violations of confidentiality, and other legal interests. This may also include the involvement of external service providers such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax and legal advisors, or other agents, insofar as this is necessary for the performance of the contract or for compliance with legal obligations.

This processing is also based on our legitimate interests in proper business management, internal administration, risk management, and IT security, as well as for the protection of our business operations and the interests of our contractual partners from misuse, data breaches, violations of confidentiality, and other legal interests. Personal data will only be disclosed to third parties if this is necessary for the performance of a contract, for carrying out pre-contractual measures, for safeguarding legitimate interests, or for fulfilling legal obligations. We will provide separate information about any further processing, particularly for marketing purposes, within the framework of this privacy policy.

We will inform our contractual partners which data is required in each individual case during the data collection process, for example, through appropriate labeling in online forms or in personal contact.

The data will be deleted as soon as it is no longer required for the aforementioned purposes and no statutory retention obligations prevent its deletion. Statutory retention periods, particularly under commercial and tax law, may require longer storage. Data transmitted within the scope of a specific order will be deleted after completion of the order and expiry of any applicable retention periods, unless further legal or contractual obligations to retain the data exist.

Data will be deleted after completion of the order and expiry of any applicable retention periods. The legal basis for processing is Article 6(1)(b) GDPR for the performance of pre-contractual measures and for the fulfillment of the respective contractual relationship, and Article 6(1)(c) GDPR for compliance with legal obligations. Where processing is based on legitimate interests, it is carried out on the basis of Article 6(1)(f) GDPR. If processing is based on Article 6(1)(f) GDPR, it serves to safeguard our legitimate interests in a proper and efficient business organization, the internal administration and documentation of business transactions, the enforcement and defense of legal claims, ensuring IT and data security, preventing misuse and fraud, and the economic management and further development of our business. These interests consist, in particular, of ensuring secure and legally compliant business operations and maintaining our entrepreneurial capacity.

Data types processed:

Inventory data (e.g., full name, residential address, contact information, customer number, etc.);

Payment data (e.g., bank details, invoices, payment history);

Contact details (e.g., postal and email addresses or telephone numbers);

Contract data (e.g., subject matter of the contract, term, customer category);

Usage data (e.g., page views and time spent on the site, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions);

Metadata, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).

Data subjects: Service recipients and clients; prospective customers; business and contractual partners.

Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; security measures; communication; office and organizational procedures; organizational and administrative processes; business processes and management procedures.

Storage and Deletion: Deletion is carried out in accordance with the information in the section “General Information on Data Storage and Deletion.”

Legal Basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Information on Processing Activities, Procedures, and Services:

Online Shop, Order Forms, E-Commerce, and Service Fulfillment: We process our customers’ data to enable them to select, purchase, or order the chosen products, goods, and related services, as well as to facilitate payment and provision, delivery, or fulfillment. Where necessary for order processing, we use service providers, in particular postal, freight forwarding, and shipping companies, to carry out delivery or fulfillment for our customers. We use the services of banks and payment service providers to process payments. The required information is marked as such during the ordering or similar purchase process and includes the data necessary for delivery, provision, and invoicing, as well as contact information to allow for any necessary follow-up.

Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Presence on third-party platforms and payment service providers

We offer our services on online platforms operated by other service providers. In this context, the privacy policies of the respective platforms apply in addition to our privacy policy. This applies in particular to payment processing and the methods used on the platforms for audience measurement and interest-based marketing.

Types of data processed:

Master data (e.g., full name, residential address, contact information, customer number, etc.);

Payment data (e.g., bank details, invoices, payment history);

Contact data (e.g., postal and email addresses or telephone numbers);

Contract data (e.g., subject matter of the contract, term, customer category);

Usage data (e.g., page views and time spent on the site, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions);

Metadata, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).

Data subjects: Service recipients and clients; Business and contractual partners.

Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; marketing; business processes and management procedures.

Storage and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.

Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

eBay: Online marketplace for e-commerce; Service provider: eBay Marketplaces GmbH, Helvetiastrasse 15/17, 3005 Bern, Switzerland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.ebay.de/ Privacy Policy: https://www.ebay.de/help/policies/member-behavior-policies/datenschutzerklrung?id=4260; Data Processing Agreement: Provided by the service provider.

Payment service provider

Within the framework of contractual and other legal relationships, due to legal obligations, or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and, in addition to banks and credit institutions, utilize other service providers for this purpose (collectively referred to as “payment service providers”). Payment transactions are processed exclusively via state-of-the-art encrypted connections, ensuring that the entered data is protected from unauthorized access during transmission.

The data processed by the payment service providers includes master data such as name and address, bank details such as account numbers or credit card numbers, passwords, TANs (transaction authentication numbers) and checksums, as well as contract-, amount-, and recipient-related information. This information is necessary to process the transactions. However, the entered data is processed and stored only by the payment service providers. This means that we do not receive any account or credit card-related information, but only confirmations or rejections of the payment. The payment service providers may transmit the data to credit reference agencies for identity and creditworthiness checks. Please refer to the terms and conditions and privacy policies of the payment service providers for further information.

The terms and conditions and privacy policies of the respective payment service providers, which can be accessed on their websites or transaction applications, apply to payment transactions. We also refer you to these for further information and to exercise your rights of withdrawal, access, and other data subject rights.

Types of data processed:

Master data (e.g., full name, address, contact information, customer number, etc.);

Payment data (e.g., bank details, invoices, payment history);

Contract data (e.g., subject matter of the contract, term, customer category);

Usage data (e.g., page views and time spent on the site, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions);

Metadata, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).

Data subjects: Service recipients and clients; business and contractual partners; prospective customers.

Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; business processes and operational procedures.

Storage and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.

Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

American Express: Payment services (technical integration of online payment methods); Service provider: American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.americanexpress.com/de/ Privacy Policy: https://www.americanexpress.com/de-de/firma/legal/datenschutz-center/online-datenschutzerklarung/.

Mastercard: Payment services (technical integration of online payment methods); Service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.mastercard.de/de-de.html; Privacy Policy: https://www.mastercard.de/de-de/datenschutz.html.

Visa: Payment services (technical integration of online payment methods); Service provider: Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, UK; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.visa.de; Privacy policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html.

Provision of the online service and web hosting

We process user data to provide our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.

Types of data processed: Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved); log data (e.g., log files relating to logins, data retrieval, or access times).

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing and legitimate interests: Provision of our online services and user-friendliness; information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); security measures.

Storage and Deletion: Deletion is carried out in accordance with the information in the section “General Information on Data Storage and Deletion”.

Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Information on Processing Activities, Procedures, and Services:

Provision of Online Services on Dedicated Server Hardware: We use server hardware operated by us, as well as the associated storage space, computing capacity, and software, to provide our online services; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Collection of Access Data and Log Files: Access to our online services is logged in the form of so-called “server log files”. Server log files may contain the address and name of the accessed web pages and files, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), and, typically, IP addresses and the requesting provider. Server log files can be used for security purposes, such as preventing server overload (especially in the case of malicious attacks, so-called DDoS attacks), and to ensure server capacity and stability. Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidentiary purposes is exempt from deletion until the respective incident has been fully resolved.

Cookies and Similar Technologies

The term “cookies” encompasses functions that store information on and read it from users’ devices. Cookies can be used for various purposes, such as ensuring the functionality, security, and user-friendliness of online services, as well as analyzing visitor traffic. We use cookies in accordance with legal regulations. Where necessary, we obtain users’ consent beforehand. If consent is not required, we rely on our legitimate interests. This applies when storing and reading information is absolutely necessary for providing the explicitly requested content and functions. This includes, for example, saving settings and ensuring the functionality and security of our online services. Consent can be withdrawn at any time. We provide clear information about the scope of this consent and which cookies are used.

Information on the legal basis for data protection: Whether we process personal data using cookies depends on consent. If consent has been given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in connection with the respective services and procedures.

Storage duration: The following types of cookies are distinguished with regard to their storage duration:

Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes their device (e.g., browser or mobile application).

Persistent cookies: Persistent cookies remain stored even after the device is closed. This allows, for example, the login status to be saved or preferred content to be displayed directly when the user revisits a website. The user data collected with the help of cookies can also be used for audience measurement. Unless we explicitly inform users otherwise, this does not affect the use of cookies.
When informing users about the type and storage duration of cookies (e.g., when obtaining their consent), they should assume that these cookies are persistent and can be stored for up to two years.

General information on revocation and objection (opt-out): Users can revoke their consent at any time and also object to processing in accordance with legal requirements, including via their browser’s privacy settings.

Types of data processed:

Metadata, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).

Data subjects:

Users (e.g., website visitors, users of online services).

Legal basis:

Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Registration, login, and user account

Users can create a user account. During registration, users are informed of the required mandatory information, which is processed for the purpose of providing the user account based on the fulfillment of contractual obligations. The data processed includes, in particular, login information (username, password, and email address).

When you use our registration and login functions, as well as your user account, we store your IP address and the time of each user action. This storage is based on our legitimate interests, as well as those of the users, in protection against misuse and other unauthorized use. This data is generally not shared with third parties unless it is necessary for pursuing our legal claims or we are legally obligated to do so.

Users may be informed by email about events relevant to their user account, such as technical changes.

Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or image messages and posts, as well as related information such as authorship or creation date). Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Log data (e.g., log files concerning logins or data retrieval, or access times).

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; security measures; organizational and administrative procedures. Provision of our online services and user-friendliness.

Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”. Deletion after termination of the contract.

Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing procedures, processes, and services:

Registration with real names: Due to the nature of our community, we ask users to use our services only with their real names. This means that the use of pseudonyms is not permitted; legal basis: performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Deletion of data after termination: If users have terminated their user account, their data relating to the user account will be deleted, subject to any legal permission, obligation, or user consent; legal basis: performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

No obligation to retain data: It is the users’ responsibility to back up their data before the end of the contract if they have terminated their account. We are entitled to irretrievably delete all user data stored during the contract period. Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Blogs and publication media

We use blogs or similar online communication and publication tools (hereinafter referred to as “publication medium”). Reader data is processed for the purposes of the publication medium only to the extent necessary for its presentation and communication between authors and readers, or for security reasons. For further information, please refer to the section on processing visitor data for our publication medium within this privacy policy.

Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or image-based messages and posts, as well as related information such as authorship details or date of creation); Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing and legitimate interests: Feedback (e.g., collecting feedback via online form); provision of our online services and user-friendliness; security measures; organizational and administrative procedures.

Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion.”

Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, processes, and services:

Comments and posts: When users leave comments or other posts, their IP addresses may be stored based on our legitimate interests. This is done for our security in case someone leaves unlawful content in comments and posts (insults, prohibited political propaganda, etc.). In this case, we ourselves can be held liable for the comment or post and are therefore interested in the author’s identity.

Furthermore, we reserve the right, based on our legitimate interests, to process user data for spam detection.

On the same legal basis, we reserve the right, in the case of surveys, to store users’ IP addresses for the duration of the survey and to use cookies to prevent multiple submissions.

The personal information provided in the context of comments and posts, including any contact and website information, as well as the content itself, will be stored by us permanently until the user objects; legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Retrieval of WordPress emojis and smileys: Within our WordPress blog, graphical emojis (or smileys) are used for the purpose of efficiently integrating content elements. This website uses small graphic files that express emotions, retrieved from external servers. The server providers collect users’ IP addresses. This is necessary so that the emoji files can be transmitted to users’ browsers. Service provider: Automattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://automattic.com; Privacy policy: https://automattic.com/privacy; Data processing agreement: Provided by the service provider. Basis for third-country transfers: EU/EEA Data Privacy Framework (DPF), Standard Contractual Clauses (Provided by the service provider), Switzerland Data Privacy Framework (DPF), Standard Contractual Clauses (Provided by the service provider).

Contact and inquiry management

When you contact us (e.g., by mail, contact form, email, telephone, or via social media), as well as within the context of existing user and business relationships, the information you provide will be processed to the extent necessary to respond to your inquiries and any requested actions.

Types of data processed: Contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or image messages and posts, as well as related information such as authorship or date of creation); metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).

Data subjects: Communication partners.

Purposes of processing and legitimate interests: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online form); provision of our online services and user-friendliness.

Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion.”

Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing procedures, processes, and services:

Contact form: When you contact us via our contact form, by email, or through other communication channels, we process the personal data you provide to answer and process your request. This generally includes information such as your name, contact details, and any other information you provide that is necessary for proper processing. We use this data exclusively for the stated purpose of contacting you and communicating with you; legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Web analytics, monitoring and optimization

Web analytics (also known as “audience measurement”) is used to evaluate visitor traffic to our website and can include pseudonymous data about visitor behavior, interests, or demographic information such as age or gender. Audience analysis allows us, for example, to identify when our website, its features, or content are most frequently used and encourage repeat visits. It also enables us to understand which areas require optimization.

In addition to web analytics, we may also use testing procedures to test and optimize different versions of our website or its components.

Unless otherwise stated below, profiles—that is, data aggregated from a user session—may be created for these purposes, and information may be stored and then retrieved from a browser or device. The data collected includes, in particular, websites visited and elements used there, as well as technical information such as the browser used, the operating system, and usage times. If users have consented to the collection of their location data by us or by the providers of the services we use, the processing of location data is also possible.

In addition, users’ IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear user data (such as email addresses or names) is stored for web analytics, A/B testing, and optimization; instead, pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures.

Legal basis: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is that consent. Otherwise, user data is processed based on our legitimate interests (i.e., our interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Types of data processed: Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing and legitimate interests: Audience measurement (e.g., access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles). Provision of our online services and user-friendliness.

Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion.” Cookies are stored for up to two years (Unless otherwise specified, cookies and similar storage methods may be stored on users’ devices for a period of two years).

Security measures: IP masking (pseudonymization of the IP address).

Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods and services:

Google Analytics: We use Google Analytics to measure and analyze the use of our online services based on a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It serves to assign analytical information to a device in order to recognize which content users have accessed within one or more browsing sessions, which search terms they have used, whether they have revisited the content, or how they have interacted with our online services. The time and duration of use are also recorded, as well as the sources of users who refer to our online services and technical aspects of their devices and browsers.

Pseudony user profiles are created using information from the use of various devices, and cookies may be used for this purpose. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides approximate geographic location data by deriving the following metadata from IP addresses: city (and the city’s derived latitude and longitude), continent, country, region, subcontinent (and ID-based counterparts). For EU data traffic, IP address data is used exclusively for deriving geolocation data before being immediately deleted. It is not logged, is not accessible, and is not used for any other purpose. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Legal basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad settings: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and data processed).

Social media presence

We maintain online presences within social networks and process user data in this context to communicate with users active there or to provide information about ourselves.

Please note that user data may be processed outside the European Union. This can pose risks for users, as it could, for example, make it more difficult to enforce their rights.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For instance, user profiles can be created based on usage patterns and the resulting user interests. These profiles may then be used to display advertisements both within and outside the networks that are presumably tailored to the users’ interests. Therefore, cookies are typically stored on users’ computers, recording their usage patterns and interests. Additionally, user profiles can also store data independently of the devices used by the users (especially if they are members of the respective platforms and logged in).

For a detailed description of the specific processing methods and opt-out options, please refer to the privacy policies and information provided by the operators of the respective networks.

We also advise that requests for information and the assertion of data subject rights are most effectively addressed directly with the providers. Only the latter have access to user data and can directly take appropriate action and provide information. Should you still require assistance, please contact us.

Types of data processed: Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or image messages and posts, as well as related information such as authorship or creation date); Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, etc.).
Device types and operating systems, interactions with content and features).

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing and legitimate interests: Communication; feedback (e.g., collecting feedback via online form). Public relations.

Retention and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion”.

Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

LinkedIn: Social network – We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of visitor data, which is used to create the “Page Insights” (statistics) of our LinkedIn profiles. This data includes information about the types of content users view or interact with, as well as the actions they take. Details about the devices used are also collected, such as… B. IP addresses, operating system, browser type, language settings, and cookie data, as well as information from user profiles such as job title, country, industry, hierarchical level, company size, and employment status. Information on LinkedIn’s processing of user data can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.

We have entered into a specific agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum”, https://legal.linkedin.com/pages-joint-controller-addendum), which, in particular, regulates the security measures LinkedIn must observe and in which LinkedIn has agreed to fulfill the rights of data subjects (i.e., users can, for example, submit requests for access or erasure directly to LinkedIn). The rights of users (in particular, the right to access, erasure, objection, and to lodge a complaint with the competent supervisory authority) are not restricted by the agreements with LinkedIn. The joint controllership is limited to the collection and transfer of data to LinkedIn Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, in particular with regard to the transfer of data to its parent company, LinkedIn Corporation, in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Plug-ins and embedded functions as well as content

We integrate functional and content elements into our online services that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos, or maps (hereinafter collectively referred to as “content”).

The integration of this content always requires that the third-party providers process the users’ IP addresses, as they cannot send the content to their browsers without them. The IP address is therefore necessary for displaying this content or these functions. We strive to use only content from providers who use the IP address solely for delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. These pixel tags allow information such as visitor traffic on the pages of this website to be analyzed. The pseudonymous information can also be stored in cookies on users’ devices and may include, among other things, technical information about the browser and operating system, referring websites, the time of visit, and other information about the use of our online services. This information may also be combined with information from other sources.

Legal basis: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is permission. Otherwise, user data is processed based on our legitimate interests (i.e., our interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Types of data processed: Usage data (e.g., page views and time spent on the site, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved). Location data (information about the geographic location of a device or person).

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing and legitimate interests: Provision of our online services and user-friendliness; audience measurement (e.g., access statistics, recognition of returning visitors); tracking (e.g., interest-based/behavioral profiling, use of cookies); target group creation. Marketing.

Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”. Cookies are stored for up to 2 years (Unless otherwise specified, cookies and similar storage methods may be stored on users’ devices for a period of two years).

Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods, and services:

Integration of third-party software, scripts, or frameworks (e.g., jQuery): We integrate software into our online services that we retrieve from third-party servers (e.g., function libraries that we use for the presentation or user-friendliness of our online services). In doing so, the respective providers collect users’ IP addresses and may process them for the purpose of transmitting the software to users’ browsers, for security purposes, and for evaluating and optimizing their services. Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

We integrate software into our online services that we retrieve from third-party servers (e.g., function libraries that we use for the presentation or user-friendliness of our online services). In doing so, the respective providers collect users’ IP addresses and may process them for the purpose of transmitting the software to users’ browsers, for security purposes, and for evaluating and optimizing their services.

Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Google Fonts (retrieved from Google servers): Fonts (and symbols) are retrieved for the purpose of technically secure, maintenance-free, and efficient use of fonts and symbols with regard to up-to-dateness and loading times, their consistent display, and compliance with any applicable licensing restrictions. The user’s IP address is transmitted to the font provider so that the fonts can be made available in the user’s browser. Furthermore, technical data (language settings, screen resolution, operating system, hardware used) is transmitted, which is necessary for the provision of the fonts depending on the device used and the technical specifications.
This is necessary for a niche environment. This data may be processed on a server of the font provider in the USA. When visiting our website, users’ browsers send HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving the fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) from Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of the website visitors, as well as the referrer URL (i.e., the webpage on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers, and they are not analyzed. The Google Fonts Web API logs details of HTTP requests (requested URL, user agent, and referring URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so Google can determine how often a particular font family is requested. With the Google Fonts Web API, the user agent must adapt the font generated for the specific browser type. The user agent is primarily logged for debugging purposes and used to generate aggregated usage statistics that measure the popularity of font families. These aggregated usage statistics are published on the Google Fonts Analytics page. Finally, the referring URL is logged so the data can be used for production maintenance and to generate an aggregated report of top integrations based on the number of font requests. According to Google, none of the information collected by Google Fonts is used to create end-user profiles or to display targeted ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://fonts.google.com/; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA Data Privacy Framework (DPF), Switzerland Data Privacy Framework (DPF). Further information: https://developers.google.com/fonts/faq/privacy?hl=de.

Font Awesome (hosted on our own server): Display of fonts and icons; Service provider: The Font Awesome icons are hosted on our server; no data is transmitted to the provider of Font Awesome; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Google Maps: We integrate maps from the “Google Maps” service provided by Google. The data processed may include, in particular, users’ IP addresses and location data; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://mapsplatform.google.com/; Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: EU/EEA Data Privacy Framework (DPF), Switzerland Data Privacy Framework (DPF).

YouTube videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy; Legal basis for third-country transfers: EU/EEA Data Privacy Framework (DPF), Switzerland Data Privacy Framework (DPF). Opt-out options: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for ad personalization: https://myadcenter.google.com/personalizationoff.

This section provides an overview of the terminology used in this privacy policy. Where terms are legally defined, those legal definitions apply. The following explanations are primarily intended for better understanding.

Employees: Employees are defined as individuals who are in an employment relationship, whether as staff members, employees, or in similar positions. An employment relationship is a legal relationship between an employer and an employee, established by an employment contract or agreement. It involves the employer’s obligation to pay the employee remuneration while the employee performs their work. The employment relationship comprises various phases, including the establishment, in which the employment contract is concluded; the performance, in which the employee carries out their work; and the termination, when the employment relationship ends, whether through dismissal, a mutual termination agreement, or otherwise. Employee data is any information relating to these individuals and in the context of their employment. This includes aspects such as personal identification data, identification numbers, salary and bank details, working hours, leave entitlements, health data, and performance reviews.

Inventory data: Inventory data comprises essential information necessary for the identification and management of contractual partners, user accounts, profiles, and similar associations. This data may include personal and demographic information such as names, contact information (addresses, telephone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between individuals and services, facilities, or systems by enabling unambiguous identification and communication.

Content data: Content data comprises information generated during the creation, editing, and publication of all types of content. This category of data can include text, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the content itself but also includes metadata that provides information about the content, such as tags, descriptions, author information, and publication dates.

Contact data: Contact data is essential information that enables communication with individuals or organizations. They include, among other things, telephone numbers, postal addresses, and email addresses, as well as communication tools such as social media handles and instant messaging identifiers.

Metadata, communication data, and procedural data: Metadata, communication data, and procedural data are categories that contain information about how data is processed, transmitted, and managed. Metadata, also known as data about data, includes information that describes the context, origin, and structure of other data. It can include details about file size, creation date, document author, and modification history. Communication data captures the exchange of information between users across various channels, such as email traffic, call logs, social media messages, and chat histories, including the individuals involved, timestamps, and transmission paths. Procedural data describes the processes and procedures within systems or organizations, including workflow documentation, transaction and activity logs, and audit logs, which are used to track and verify operations.

Usage data: Usage data refers to information that captures how users interact with digital products, services, or platforms. This data encompasses a wide range of information that reveals how users utilize applications, which features they prefer, how long they stay on specific pages, and the paths they take through an application. Usage data can also include frequency of use, timestamps of activities, IP addresses, device information, and location data. It is particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. Furthermore, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.

Personal data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”).
A natural person is considered to be someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Profiles with user-related information: The processing of “profiles with user-related information,” or simply “profiling,” encompasses any form of automated processing of personal data that involves using that personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include various pieces of information concerning demographics, behavior, and interests, such as interaction with websites and their content, etc.). Examples of such aspects include interests in specific content or products, click behavior on a website, or location. Cookies and web beacons are frequently used for profiling purposes.

Log data: Log data is information about events or activities logged in a system or network. This data typically includes information such as timestamps, IP addresses, user actions, error messages, and other details about the use or operation of a system. Log data is often used to analyze system problems, monitor security, or generate performance reports.

Reach measurement: Reach measurement (also known as web analytics) is used to evaluate visitor traffic to an online service and can include visitors’ behavior or interests in specific information, such as website content. With the help of reach analysis, operators of online services can, for example, determine when users visit their websites and what content they are interested in. This allows them to better tailor website content to the needs of their visitors. Pseudonymous cookies and web beacons are frequently used for reach analysis purposes to recognize returning visitors and thus obtain more accurate analyses of the use of an online service.

Location data: Location data is generated when a mobile device (or another device with the technical capabilities for location tracking) connects to a cell tower, Wi-Fi network, or similar location-determining technology. Location data indicates the geographically identifiable position of the device on Earth. Location data can be used, for example, to display map functions or other location-dependent information.

Tracking: “Tracking” refers to the ability to trace user behavior across multiple online services. Typically, behavioral and interest information related to the online services used is stored in cookies or on the servers of the tracking technology providers (so-called profiling). This information can then be used, for example, to display advertisements to users that are likely to match their interests.

Controller: The “controller” is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“` Processing: “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data, be it collection, analysis, storage, transmission, or erasure.

Contractual data: Contractual data is specific information relating to the formalization of an agreement between two or more parties. It documents the terms under which services or products are provided, exchanged, or sold. This category of data is essential for managing and fulfilling contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contractual data may include the start and end dates of the contract, the type of services or products agreed upon, pricing agreements, payment terms, termination rights, renewal options, and special terms or clauses. It serves as the legal basis for the relationship between the parties and is crucial for clarifying rights and obligations and enforcing claims.
Dispute resolution and settlement.

Payment data: Payment data encompasses all information required to process payment transactions between buyers and sellers. This data is crucial for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank account information, payment amounts, transaction data, verification numbers, and invoice information. Payment data can also include information about payment status, chargebacks, authorizations, and fees.

Custom audience creation: Custom audience creation refers to the process of defining target groups for advertising purposes, such as displaying advertisements. For example, based on a user’s interest in specific products or topics online, it can be inferred that this user will be interested in advertisements for similar products or the online store where they viewed the products. The term “lookalike audiences” (or similar target groups) refers to situations where content deemed suitable is displayed to users whose profiles or interests are likely to match those of the users for whom the profiles were created. Cookies and web beacons are typically used to create custom audiences and lookalike audiences.