Preamble
With the following privacy policy we would like to inform you which types of
your personal data (hereinafter also abbreviated as "data") we process for
which purposes and in which scope. The privacy statement applies to all
processing of personal data carried out by us, both in the context of
providing our services and in particular on our websites, in mobile
applications and within external online presences, such as our social media
profiles (hereinafter collectively referred to as "online services").
The terms used are not gender-specific.
Preamble
With the following privacy policy we would like to inform you about the types
of personal data (hereinafter also referred to as "data") we process, for
which purposes and to what extent in the context of providing our application.
The terms used are not gender-specific.
Last Update: 21. January 2025
Table of contents
Controller
Jan Poth
Rahlstedter Kamp 50
22143 Hamburg
E-mail address: [email protected]
Legal Notice:
https://www.mrcook.app/legal/imprint
Overview of processing operations
The following table summarises the types of data processed, the purposes for
which they are processed and the concerned data subjects.
Categories of Processed Data
- Inventory data.
- Employee Data.
- Payment Data.
- Location data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication and process data.
- Images and/ or video recordings.
- Audio recordings.
- Contact Information (Facebook).
- Event Data (Facebook).
- Log data.
Categories of Data Subjects
- Service recipients and clients.
- Employees.
- Prospective customers.
- Communication partner.
- Users.
- Participants in sweepstakes and competitions.
- Business and contractual partners.
- Participants.
- Third parties.
Purposes of Processing
-
Provision of contractual services and fulfillment of contractual
obligations.
- Communication.
- Security measures.
- Direct marketing.
- Web Analytics.
- Targeting.
- Office and organisational procedures.
- Remarketing.
- Conversion tracking.
- Clicktracking.
- Affiliate Tracking.
- Affiliate Tracking.
- Organisational and Administrative Procedures.
- Conducting sweepstakes and contests.
- Content Delivery Network (CDN).
- Feedback.
- Polls and Questionnaires.
- Marketing.
- Profiles with user-related information.
- Authentication processes.
- Provision of our online services and usability.
- Establishment and execution of employment relationships.
- Information technology infrastructure.
- Public relations.
- Sales promotion.
- Business processes and management procedures.
- Artificial Intelligence (AI).
Relevant legal bases
Relevant legal bases according to the GDPR: In the following,
you will find an overview of the legal basis of the GDPR on which we base the
processing of personal data. Please note that in addition to the provisions of
the GDPR, national data protection provisions of your or our country of
residence or domicile may apply. If, in addition, more specific legal bases
are applicable in individual cases, we will inform you of these in the data
protection declaration.
-
Consent (Article 6 (1) (a) GDPR)- The data subject has
given consent to the processing of his or her personal data for one or more
specific purposes.
-
Performance of a contract and prior requests (Article 6 (1) (b) GDPR)
- Performance of a contract to which the data subject is party or in order
to take steps at the request of the data subject prior to entering into a
contract.
-
Compliance with a legal obligation (Article 6 (1) (c) GDPR)
- Processing is necessary for compliance with a legal obligation to which
the controller is subject.
-
Legitimate Interests (Article 6 (1) (f) GDPR)- the
processing is necessary for the protection of the legitimate interests of
the controller or a third party, provided that the interests, fundamental
rights, and freedoms of the data subject, which require the protection of
personal data, do not prevail.
-
Healthcare, occupational and social security processing of special
categories of personal data (Article 9 (2)(h) GDPR)
- processing is necessary for the purposes of preventive or occupational
medicine, for the assessment of the working capacity of the employee,
medical diagnosis, the provision of health or social care or treatment or
the management of health or social care systems and services on the basis of
Union or Member State law or pursuant to contract with a health
professional.
National data protection regulations in Germany: In addition
to the data protection regulations of the GDPR, national regulations apply to
data protection in Germany. This includes in particular the Law on Protection
against Misuse of Personal Data in Data Processing (Federal Data Protection
Act - BDSG). In particular, the BDSG contains special provisions on the right
to access, the right to erase, the right to object, the processing of special
categories of personal data, processing for other purposes and transmission as
well as automated individual decision-making, including profiling.
Furthermore, data protection laws of the individual federal states may apply.
Relevant legal basis according to the Swiss Data Protection Act:
If you are located in Switzerland, we process your data based on the
Federal Act on Data Protection (referred to as "Swiss DPA"). Unlike the GDPR,
for instance, the Swiss DPA does not generally require that a legal basis for
processing personal data be stated and that the processing of personal data is
conducted in good faith, lawfully and proportionately (Art. 6 para. 1 and 2 of
the Swiss DPA). Furthermore, we only collect personal data for a specific
purpose recognizable to the data subject and process it only in a manner
compatible with this purpose (Art. 6 para. 3 of the Swiss DPA).
Reference to the applicability of the GDPR and the Swiss DPA:
These privacy policy serves both to provide information pursuant to
the Swiss Federal Act on Data Protection (FADP) and the General Data
Protection Regulation (GDPR). For this reason, we ask you to note that due to
the broader spatial application and comprehensibility, the terms used in the
GDPR are applied. In particular, instead of the terms used in the Swiss FADP
such as "processing" of "personal data", "predominant interest", and
"particularly sensitive personal data", the terms used in the GDPR, namely
"processing" of "personal data", as well as "legitimate interest" and "special
categories of data" are used. However, the legal meaning of these terms will
continue to be determined according to the Swiss FADP within its scope of
application.
Security Precautions
We take appropriate technical and organisational measures in accordance with
the legal requirements, taking into account the state of the art, the costs of
implementation and the nature, scope, context and purposes of processing as
well as the risk of varying likelihood and severity for the rights and
freedoms of natural persons, in order to ensure a level of security
appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality,
integrity and availability of data by controlling physical and electronic
access to the data as well as access to, input, transmission, securing and
separation of the data. In addition, we have established procedures to ensure
that data subjects' rights are respected, that data is erased, and that we are
prepared to respond to data threats rapidly. Furthermore, we take the
protection of personal data into account as early as the development or
selection of hardware, software and service providers, in accordance with the
principle of privacy by design and privacy by default.
Securing online connections through TLS/SSL encryption technology (HTTPS): To
protect the data of users transmitted via our online services from
unauthorized access, we employ TLS/SSL encryption technology. Secure Sockets
Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure
data transmission on the internet. These technologies encrypt the information
that is transferred between the website or app and the user's browser (or
between two servers), thereby safeguarding the data from unauthorized access.
TLS, as the more advanced and secure version of SSL, ensures that all data
transmissions conform to the highest security standards. When a website is
secured with an SSL/TLS certificate, this is indicated by the display of HTTPS
in the URL. This serves as an indicator to users that their data is being
securely and encryptedly transmitted.
Transmission of Personal Data
In the course of processing personal data, it may happen that this data is
transmitted to or disclosed to other entities, companies, legally independent
organizational units, or individuals. Recipients of this data may include
service providers tasked with IT duties or providers of services and content
that are integrated into a website. In such cases, we observe the legal
requirements and particularly conclude relevant contracts or agreements that
serve to protect your data with the recipients of your data.
International data transfers
Data Processing in Third Countries: If we process data in a third country
(i.e., outside the European Union (EU) or the European Economic Area (EEA)),
or if the processing is done within the context of using third-party services
or the disclosure or transfer of data to other individuals, entities, or
companies, this is only done in accordance with legal requirements. If the
data protection level in the third country has been recognized by an adequacy
decision (Article 45 GDPR), this serves as the basis for data transfer.
Otherwise, data transfers only occur if the data protection level is otherwise
ensured, especially through standard contractual clauses (Article 46 (2)(c)
GDPR), explicit consent, or in cases of contractual or legally required
transfers (Article 49 (1) GDPR). Furthermore, we provide you with the basis of
third-country transfers from individual third-country providers, with adequacy
decisions primarily serving as the foundation. "Information regarding
third-country transfers and existing adequacy decisions can be obtained from
the information provided by the EU Commission:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.
Within the context of the so-called "Data Privacy Framework" (DPF), the EU
Commission has also recognized the data protection level for certain companies
from the USA as secure within the adequacy decision of 10th July 2023. The
list of certified companies as well as additional information about the DPF
can be found on the website of the US Department of Commerce at
https://www.dataprivacyframework.gov/s/.
We will inform you which of our service providers are certified under the Data
Privacy Framework as part of our data protection notices.
Disclosure of Personal Data Abroad: In accordance with the Swiss Data
Protection Act (Swiss DPA), we only disclose personal data abroad when an
appropriate level of protection for the affected persons is ensured (Art. 16
Swiss DPA). If the Federal Council does not determine that there is an
adequate level of protection (list of states:
https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we implement alternative security measures. These measures may include
international agreements, specific guarantees, data protection clauses in
contracts, standard data protection clauses approved by the Federal Data
Protection and Information Commissioner (FDPIC), or internal company data
protection regulations previously recognised by the FDPIC or a competent data
protection authority of another country. Under Art. 16 of the Swiss DSG,
exceptions can be made for the disclosure of data abroad if certain conditions
are met, including the consent of the affected person, contract execution,
public interest, protection of life or physical integrity, publicly made data
or data from a legally provided register. Such disclosures always comply with
the legal requirements. As part of the so-called "Data Privacy Framework"
(DPF), the Switzerland has recognized the data protection level for certain
companies from the USA as adequate under the adequacy decision dated June 7,
2024. You can find the list of certified companies and additional information
about the DPF on the website of the U.S. Department of Commerce at
https://www.dataprivacyframework.gov/
(in English). We inform you in our privacy notice about which service
providers we use are certified under the Data Privacy Framework.
General Information on Data Retention and Deletion
We delete personal data that we process in accordance with legal regulations
as soon as the underlying consents are revoked or no further legal bases for
processing exist. This applies to cases where the original purpose of
processing is no longer applicable or the data is no longer needed. Exceptions
to this rule exist if statutory obligations or special interests require a
longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons,
or whose storage is necessary for legal prosecution or protection of the
rights of other natural or legal persons, must be archived accordingly.
Our privacy notices contain additional information on the retention and
deletion of data specifically applicable to certain processing processes.
In cases where multiple retention periods or deletion deadlines for a date are
specified, the longest period always prevails.
If a period does not expressly start on a specific date and lasts at least one
year, it automatically begins at the end of the calendar year in which the
event triggering the period occurred. In the case of ongoing contractual
relationships in the context of which data is stored, the event triggering the
deadline is the time at which the termination or other termination of the
legal relationship takes effect.
Data that is no longer stored for its originally intended purpose but due to
legal requirements or other reasons are processed exclusively for the reasons
justifying their retention.
Further information on processing methods, procedures and services used:
-
Data Retention and Deletion: The following general
deadlines apply for the retention and archiving according to German law:
-
10 Years - Fiscal Code/Commercial Code - Retention period for books and
records, annual financial statements, inventories, management reports,
opening balance sheet as well as the necessary work instructions and
other organisational documents (Section 147 Paragraph 1 No. 1 in
conjunction with Paragraph 3 of the German General Tax Code (AO),
Section 14b Paragraph 1 of the German VAT Act (UStG), Section 257
Paragraph 1 No. 1 in conjunction with Paragraph 4 of the German
Commercial Code (HGB)).
-
8 years - Accounting documents, such as invoices, booking and expense
receipts (Section 147 Paragraph 1 No. 4 and 4a in conjunction with
Paragraph 3 of the German General Tax Code (AO), Section 257 Paragraph 1
No. 4 in conjunction with Paragraph 4 of the German Commercial Code
(HGB))
-
6 Years - Other business documents: received commercial or business
letters, copies of dispatched commercial or business letters, and other
documents to the extent that they are significant for taxation purposes,
for example, hourly wage slips, operating accounting sheets, calculation
documents, price tags, as well as payroll accounting documents, provided
they are not already accounting vouchers and cash register tapes Section
(Section 147 Paragraph 1 No. 2, 3, 5 in conjunction with Paragraph 3 of
the German General Tax Code (AO), Section 257 Paragraph 1 No. 2 and 3 in
conjunction with Paragraph 4 of the German Commercial Code (HGB)).
-
3 Years - Data required to consider potential warranty and compensation
claims or similar contractual claims and rights, as well as to process
related inquiries, based on previous business experiences and common
industry practices, will be stored for the duration of the regular
statutory limitation period of three years. This period begins at the
end of the year in which the relevant contractual transaction took place
or the contractual relationship ended in the case of ongoing contracts
(Sections 195, 199 of the German Civil Code).
-
Data Retention and Deletion: The following general
retention and archiving periods apply under Swiss law:
-
10 years - Retention period for books and records, annual financial
statements, inventories, management reports, opening balances,
accounting vouchers and invoices, as well as all necessary working
instructions and other organizational documents (Article 958f of the
Swiss Code of Obligations (OR)).
-
10 years - Data necessary to consider potential claims for damages or
similar contractual claims and rights, as well as for the processing of
related inquiries based on previous business experiences and usual
industry practices, will be stored for the statutory limitation period
of ten years, unless a shorter period of five years is applicable, which
is relevant in certain cases (Articles 127, 130 OR). Claims for rent,
lease, and interest on capital, as well as other periodic services, for
the delivery of food, for board and lodging, for innkeeper debts, as
well as for craftsmanship, small-scale sales of goods, medical care,
professional services by lawyers, legal agents, procurators, and
notaries, and from the employment relationship of employees, expire
after five years (Article 128 OR).
Rights of Data Subjects
Rights of the Data Subjects under the GDPR: As data subject, you are entitled
to various rights under the GDPR, which arise in particular from Articles 15
to 21 of the GDPR:
-
Right to Object: You have the right, on grounds arising from your
particular situation, to object at any time to the processing of your
personal data which is based on letter (e) or (f) of Article 6(1) GDPR,
including profiling based on those provisions. Where personal data are
processed for direct marketing purposes, you have the right to object at
any time to the processing of the personal data concerning you for the
purpose of such marketing, which includes profiling to the extent that it
is related to such direct marketing.
-
Right of withdrawal for consents:You have the right to
revoke consents at any time.
-
Right of access:You have the right to request confirmation
as to whether the data in question will be processed and to be informed of
this data and to receive further information and a copy of the data in
accordance with the provisions of the law.
-
Right to rectification:You have the right, in accordance
with the law, to request the completion of the data concerning you or the
rectification of the incorrect data concerning you.
-
Right to Erasure and Right to Restriction of Processing:In
accordance with the statutory provisions, you have the right to demand that
the relevant data be erased immediately or, alternatively, to demand that
the processing of the data be restricted in accordance with the statutory
provisions.
-
Right to data portability:You have the right to receive
data concerning you which you have provided to us in a structured, common
and machine-readable format in accordance with the legal requirements, or to
request its transmission to another controller.
-
Complaint to the supervisory authority:In accordance with
the law and without prejudice to any other administrative or judicial
remedy, you also have the right to lodge a complaint with a data protection
supervisory authority, in particular a supervisory authority in the Member
State where you habitually reside, the supervisory authority of your place
of work or the place of the alleged infringement, if you consider that the
processing of personal data concerning you infringes the GDPR.
Rights of the data subjects under the Swiss DPA:
As the data subject, you have the following rights in accordance with the
provisions of the Swiss DPA:
-
Right to information: You have the right to request
confirmation as to whether personal data concerning you are being processed,
and to receive the information necessary for you to assert your rights under
the Swiss DPA and to ensure transparent data processing.
-
Right to data release or transfer: You have the right to
request the release of your personal data, which you have provided to us, in
a common electronic format, as well as its transfer to another data
controller, provided this does not require disproportionate effort.
-
Right to rectification: You have the right to request the
rectification of inaccurate personal data concerning you.
-
Right to object, deletion, and destruction: You have the
right to object to the processing of your data, as well as to request that
personal data concerning you be deleted or destroyed.
Business services
We process data of our contractual and business partners, e.g. customers and
interested parties (collectively referred to as "contractual partners") within
the context of contractual and comparable legal relationships as well as
associated actions and communication with the contractual partners or
pre-contractually, e.g. to answer inquiries.
We process this data in order to fulfill our contractual obligations. These
include, in particular, the obligations to provide the agreed services, any
update obligations and remedies in the event of warranty and other service
disruptions. In addition, we process the data to protect our rights and for
the purpose of administrative tasks associated with these obligations and
company organization. Furthermore, we process the data on the basis of our
legitimate interests in proper and economical business management as well as
security measures to protect our contractual partners and our business
operations from misuse, endangerment of their data, secrets, information and
rights (e.g. for the involvement of telecommunications, transport and other
auxiliary services as well as subcontractors, banks, tax and legal advisors,
payment service providers or tax authorities). Within the framework of
applicable law, we only disclose the data of contractual partners to third
parties to the extent that this is necessary for the aforementioned purposes
or to fulfill legal obligations. Contractual partners will be informed about
further forms of processing, e.g. for marketing purposes, within the scope of
this privacy policy.
Which data are necessary for the aforementioned purposes, we inform the
contracting partners before or in the context of the data collection, e.g. in
online forms by special marking (e.g. colors), and/or symbols (e.g. asterisks
or the like), or personally.
We delete the data after expiry of statutory warranty and comparable
obligations, i.e. in principle after expiry of 4 years, unless the data is
stored in a customer account or must be kept for legal reasons of archiving.
The statutory retention period for documents relevant under tax law as well as
for commercial books, inventories, opening balance sheets, annual financial
statements, the instructions required to understand these documents and other
organizational documents and accounting records is ten years and for received
commercial and business letters and reproductions of sent commercial and
business letters six years. The period begins at the end of the calendar year
in which the last entry was made in the book, the inventory, the opening
balance sheet, the annual financial statements or the management report was
prepared, the commercial or business letter was received or sent, or the
accounting document was created, furthermore the record was made or the other
documents were created.
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.);
Payment Data (e.g. bank details, invoices, payment history); Contact data
(e.g. postal and email addresses or phone numbers); Contract data (e.g.
contract object, duration, customer category); Usage data (e.g. page views
and duration of visit, click paths, intensity and frequency of use, types of
devices and operating systems used, interactions with content and features).
Meta, communication and process data (e.g. IP addresses, timestamps,
identification numbers, involved parties).
-
Data subjects:Service recipients and clients; Prospective
customers. Business and contractual partners.
-
Purposes of processing:Provision of contractual services
and fulfillment of contractual obligations; Security measures;
Communication; Office and organisational procedures; Organisational and
Administrative Procedures. Business processes and management procedures.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR); Compliance with a legal obligation (Article 6 (1)
(c) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
Online shop, order forms, e-commerce and delivery.: We
process the data of our customers in order to enable them to select,
purchase or order the selected products, goods and related services, as well
as their payment and delivery, or performance of other services. If
necessary for the execution of an order, we use service providers, in
particular postal, freight and shipping companies, in order to carry out the
delivery or execution to our customers. For the processing of payment
transactions we use the services of banks and payment service providers. The
required details are identified as such in the course of the ordering or
comparable purchasing process and include the details required for delivery,
or other way of making the product available and invoicing as well as
contact information in order to be able to hold any consultation;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR).
-
Data Analysis: We process the data of our customers and
clients to enable them to perform data analysis, evaluation, and consulting,
as well as related services. The required information includes that needed
for analysis, evaluation, and billing, as well as contact information for
necessary coordination. To the extent that we have access to information
from end customers, employees, or other persons, we process this in
accordance with legal and contractual requirements;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6
(1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
-
Marketing Services: We process the data of our customers
and clients (uniformly referred to as "customers") to offer marketing
services such as market research, advertising campaigns, content creation,
and social media management. The necessary information is indicated as such
at the time of order placement and includes the details required for service
provision and billing, as well as contact information in order to be able to
hold any consultations. Insofar as we gain access to information from end
customers, employees, or other persons, we process it in accordance with
legal and contractual requirements;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6
(1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
-
IT Services: We process the data of our clients as well as
contractors to enable them to plan, implement, and support IT solutions and
associated services. The required information is marked as such during the
contract, project, or similar agreement phase and includes details necessary
for service provision and billing, as well as contact information to
facilitate any necessary consultations. Insofar as we gain access to
information from end customers, employees, or other individuals, we process
this in accordance with legal and contractual requirements.
Processing processes include project management and documentation, which
cover all phases from initial requirement analysis to project completion.
This involves creating and managing project timelines, budgets, and resource
allocations. Data processing also supports change management, where changes
in the project flow are documented and tracked to ensure compliance and
transparency.
Another process is customer relationship management (CRM), which involves
recording and analyzing customer interactions and feedback to improve
service quality and efficiently address individual customer needs.
Additionally, the processing process encompasses technical support and
trouble-shooting, which includes capturing and handling support requests,
error resolutions, and regular maintenance.
Furthermore, reporting and performance analysis are conducted by capturing
and evaluating performance metrics to assess the effectiveness of provided
IT solutions continuously optimizing them. All these processes are aimed at
ensuring high customer satisfaction and compliance with all relevant
regulations;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6
(1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
-
Project and Development Services: We process the data of
our customers and clients (hereinafter uniformly referred to as "customers")
in order to enable them to select, acquire or commission the selected
services or works as well as associated activities and to pay for and make
available such services or works or to perform such services or works.
The required information is indicated as such within the framework of the
conclusion of the agreement, order or equivalent contract and includes the
information required for the provision of services and invoicing as well as
contact information in order to be able to hold any consultations. Insofar
as we gain access to the information of end customers, employees or other
persons, we process it in accordance with the legal and contractual
requirements;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR).
-
Software and Platform Services: We process the data of our
users, registered and any test users (hereinafter uniformly referred to as
"users") in order to provide them with our contractual services and on the
basis of legitimate interests to ensure the security of our offer and to
develop it further. The required details are identified as such within the
context of the conclusion of the agreement, order or comparable contract and
include the details required for the provision of services and invoicing as
well as contact information in order to be able to hold any further
consultations;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR).
-
Technical and Engineering services: We process the data of
our customers and clients (hereinafter uniformly referred to as "customers")
in order to enable them to select, acquire or commission the selected
services or works as well as associated activities and to pay for and make
available such services or works or to perform such services or works.
The required information is indicated as such within the framework of the
conclusion of the agreement, order or equivalent contract and includes the
information required for the provision of services and invoicing as well as
contact information in order to be able to hold any consultations. Insofar
as we gain access to the information of end customers, employees or other
persons, we process it in accordance with the legal and contractual
requirements;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR).
-
Consulting: Insofar as it is necessary for our contractual
performance or required by law, or if the consent of the customer has been
obtained, we disclose or transfer the customer's data to third parties or
agents, such as authorities, courts or in the field of IT, office or
comparable services, in compliance with the contractual and legal
requirements;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR).
Use of online platforms for listing and sales purposes
We offer our services on online platforms operated by other service providers.
In addition to our privacy policy, the privacy policies of the respective
platforms apply. This is particularly true with regard to the payment process
and the methods used on the platforms for performance measuring and
behaviour-related marketing.
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.);
Payment Data (e.g. bank details, invoices, payment history); Contact data
(e.g. postal and email addresses or phone numbers); Contract data (e.g.
contract object, duration, customer category); Usage data (e.g. page views
and duration of visit, click paths, intensity and frequency of use, types of
devices and operating systems used, interactions with content and features);
Meta, communication and process data (e.g. IP addresses, timestamps,
identification numbers, involved parties). Content data (e.g. textual or
pictorial messages and contributions, as well as information pertaining to
them, such as details of authorship or the time of creation.).
-
Data subjects:Service recipients and clients; Business and
contractual partners. Prospective customers.
-
Purposes of processing:Provision of contractual services
and fulfillment of contractual obligations; Marketing; Business processes
and management procedures; Conversion tracking (Measurement of the
effectiveness of marketing activities). Provision of our online services and
usability.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
Lemon Squeezy: E-commerce platform, with features for
invoicing, payment processing, economic analysis, customer and business
partner management, as well as external communication and external
interfaces; Service provider: Lemon Squeezy LLC, 222 South
Main Street, Suite 500., Salt Lake City, UT 84101, USA;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.lemonsqueezy.com/; Privacy Policy:
https://www.lemonsqueezy.com/privacy; Data Processing Agreement:
https://www.lemonsqueezy.com/dpa. Basis for third-country transfers:EEA - Standard
Contractual Clauses (https://www.lemonsqueezy.com/dpa), Switzerland - Standard Contractual Clauses (https://www.lemonsqueezy.com/dpa).
Providers and services used in the course of business
As part of our business activities, we use additional services, platforms,
interfaces or plug-ins from third-party providers (in short, "services") in
compliance with legal requirements. Their use is based on our interests in the
proper, legal and economic management of our business operations and internal
organization.
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.);
Payment Data (e.g. bank details, invoices, payment history); Contact data
(e.g. postal and email addresses or phone numbers); Content data (e.g.
textual or pictorial messages and contributions, as well as information
pertaining to them, such as details of authorship or the time of creation.);
Contract data (e.g. contract object, duration, customer category). Usage
data (e.g. page views and duration of visit, click paths, intensity and
frequency of use, types of devices and operating systems used, interactions
with content and features).
-
Data subjects:Service recipients and clients; Prospective
customers; Business and contractual partners; Users (e.g. website visitors,
users of online services). Third parties.
-
Purposes of processing:Provision of contractual services
and fulfillment of contractual obligations; Office and organisational
procedures; Business processes and management procedures. Artificial
Intelligence (AI).
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
Replicate: Creation and provision of machine learning
models, execution of image and text generation, analysis and processing of
large datasets, support in the implementation of AI applications, provision
of an API for accessing models and data processing services;
Service provider: Replicate, Inc., 2261 Market Street Suite 4056, 94114 San Francisco, USA;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://replicate.com.
Privacy Policy:
https://replicate.com/privacy.
Payment Procedure
Within the framework of contractual and other legal relationships, due to
legal obligations or otherwise on the basis of our legitimate interests, we
offer data subjects efficient and secure payment options and use other service
providers for this purpose in addition to banks and credit institutions
(collectively referred to as "payment service providers").
The data processed by the payment service providers includes inventory data,
such as the name and address, bank data, such as account numbers or credit
card numbers, passwords, TANs and checksums, as well as the contract, total
and recipient-related information. The information is required to carry out
the transactions. However, the data entered is only processed by the payment
service providers and stored with them. I.e. we do not receive any account or
credit card related information, but only information with confirmation or
negative information of the payment. Under certain circumstances, the data may
be transmitted by the payment service providers to credit agencies. The
purpose of this transmission is to check identity and creditworthiness. Please
refer to the terms and conditions and data protection information of the
payment service providers.
The terms and conditions and data protection information of the respective
payment service providers apply to the payment transactions and can be
accessed within the respective websites or transaction applications. We also
refer to these for further information and the assertion of revocation,
information and other data subject rights.
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.);
Payment Data (e.g. bank details, invoices, payment history); Contract data
(e.g. contract object, duration, customer category); Usage data (e.g. page
views and duration of visit, click paths, intensity and frequency of use,
types of devices and operating systems used, interactions with content and
features); Meta, communication and process data (e.g. IP addresses,
timestamps, identification numbers, involved parties). Contact data (e.g.
postal and email addresses or phone numbers).
-
Data subjects:Service recipients and clients. Business and
contractual partners.
-
Purposes of processing:Provision of contractual services
and fulfillment of contractual obligations; Business processes and
management procedures; Conversion tracking (Measurement of the effectiveness
of marketing activities); Marketing. Provision of our online services and
usability.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
RevenueCat : Provision of technical and organizational
infrastructure for the creation as well as administration and transaction
handling of in-app purchases and subscriptions;
Service provider: Revenuecat, Inc., 1032 E Brandon Blvd #3003 Brandon, Fl 33511USA;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.revenuecat.com/. Privacy Policy:
https://www.revenuecat.com/privacy/.
Provision of online services and web hosting
We process user data in order to be able to provide them with our online
services. For this purpose, we process the IP address of the user, which is
necessary to transmit the content and functions of our online services to the
user's browser or terminal device.
-
Processed data types:Usage data (e.g. page views and
duration of visit, click paths, intensity and frequency of use, types of
devices and operating systems used, interactions with content and features);
Meta, communication and process data (e.g. IP addresses, timestamps,
identification numbers, involved parties); Log data (e.g. log files
concerning logins or data retrieval or access times.). Content data (e.g.
textual or pictorial messages and contributions, as well as information
pertaining to them, such as details of authorship or the time of creation.).
-
Data subjects:Users (e.g. website visitors, users of online
services). Service recipients and clients.
-
Purposes of processing:Provision of our online services and
usability; Information technology infrastructure (Operation and provision of
information systems and technical devices, such as computers, servers,
etc.)); Security measures; Content Delivery Network (CDN). Provision of
contractual services and fulfillment of contractual obligations.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
Content-Delivery-Network: We use a so-called "Content
Delivery Network" (CDN). A CDN is a service with whose help contents of our
online services, in particular large media files, such as graphics or
scripts, can be delivered faster and more securely with the help of
regionally distributed servers connected via the Internet;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR).
-
Provision of online offer on rented hosting space: For the
provision of our online services, we use storage space, computing capacity
and software that we rent or otherwise obtain from a corresponding server
provider (also referred to as a "web hoster");
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR).
-
Collection of Access Data and Log Files: Access to our
online service is logged in the form of so-called "server log files". Server
log files may include the address and name of the accessed web pages and
files, date and time of access, transferred data volumes, notification of
successful retrieval, browser type along with version, the user's operating
system, referrer URL (the previously visited page), and typically IP
addresses and the requesting provider. The server log files can be used for
security purposes, e.g., to prevent server overload (especially in the case
of abusive attacks, known as DDoS attacks), and to ensure server load
management and stability;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR).
Retention period:Log file information is stored for
a maximum period of 30 days and then deleted or anonymized. Data, the
further storage of which is necessary for evidence purposes, are excluded
from deletion until the respective incident has been finally clarified.
-
E-mail Sending and Hosting: The web hosting services we use
also include sending, receiving and storing e-mails. For these purposes, the
addresses of the recipients and senders, as well as other information
relating to the sending of e-mails (e.g. the providers involved) and the
contents of the respective e-mails are processed. The above data may also be
processed for SPAM detection purposes. Please note that e-mails on the
Internet are generally not sent in encrypted form. As a rule, e-mails are
encrypted during transport, but not on the servers from which they are sent
and received (unless a so-called end-to-end encryption method is used). We
can therefore accept no responsibility for the transmission path of e-mails
between the sender and reception on our server;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR).
-
Hetzner: Services in the field of the provision of
information technology infrastructure and related services (e.g. storage
space and/or computing capacities); Service provider:
Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.hetzner.com; Privacy Policy:
https://www.hetzner.com/de/rechtliches/datenschutz; Data Processing Agreement:
https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/. Basis for third-country transfers:Switzerland - Adequacy
decision (Germany).
-
Cloudflare: Content-Delivery-Network (CDN) - service with
whose help contents of our online services, in particular large media files,
such as graphics or scripts, can be delivered faster and more securely with
the help of regionally distributed servers connected via the Internet;
Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.cloudflare.com; Privacy Policy:
https://www.cloudflare.com/privacypolicy/; Data Processing Agreement:
https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Data Privacy Framework (DPF).
-
Sentry: Monitoring system stability and identifying code
errors - Information about the device or error time are collected
pseudonymously and are deleted afterwards;
Service provider: Functional Software Inc., Sentry, 132 Hawthorne Street, San Francisco,
California 94107, USA;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://sentry.io;Security measures:IP Masking (Pseudonymization of the IP address);
Privacy Policy:
https://sentry.io/privacy; Data Processing Agreement:
https://sentry.io/legal/dpa/. Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Data Privacy Framework (DPF).
-
Vercel: Services in the field of the provision of
information technology infrastructure and related services (e.g. storage
space and/or computing capacities) as well as development environment;
Service provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://vercel.com;Privacy Policy:
https://vercel.com/legal/privacy-policy; Data Processing Agreement:
https://vercel.com/legal/dpa. Basis for third-country transfers:EEA - Standard
Contractual Clauses (https://vercel.com/legal/dpa), Switzerland - Standard Contractual Clauses (https://vercel.com/legal/dpa).
Use of Cookies
The term "cookies" refers to functions that store information on users'
devices and read it from them. Cookies can also be used for different
purposes, such as ensuring the functionality, security, and convenience of
online services, as well as analyzing visitor traffic. We use cookies in
accordance with legal regulations. If necessary, we obtain users' consent in
advance. If consent is not required, we rely on our legitimate interests. This
applies when storing and reading information is essential to provide
explicitly requested content and functions. This includes, for example, saving
settings and ensuring the functionality and security of our online services.
Consent can be withdrawn at any time. We clearly inform users about the scope
of the consent and which cookies are used.
Information on legal data protection bases:Whether we process
personal data using cookies depends on users' consent. If consent is given, it
serves as the legal basis. Without consent, we rely on our legitimate
interests, as outlined in this section and in the context of the respective
services and procedures.
Storage duration:The following types of cookies are
distinguished based on their storage duration:
-
Temporary cookies (also: session cookies):Temporary cookies
are deleted at the latest after a user leaves an online service and closes
their device (e.g., browser or mobile application).
-
Permanent cookies:Permanent cookies remain stored even
after the device is closed. For example, the login status can be saved, and
preferred content can be displayed directly when the user revisits a
website. Additionally, the user data collected with cookies may be used for
audience measurement. Unless we provide explicit information to users about
the type and storage duration of cookies (e.g., when obtaining consent),
users should assume that these are permanent and may have a storage duration
of up to two years.
General information on withdrawal and objection (opt-out):
Users can withdraw their consent at any time and also object to the processing
according to legal regulations, including through the privacy settings of
their browser.
-
Processed data types:Meta, communication and process data
(e.g. IP addresses, timestamps, identification numbers, involved parties).
Usage data (e.g. page views and duration of visit, click paths, intensity
and frequency of use, types of devices and operating systems used,
interactions with content and features).
-
Data subjects:Users (e.g. website visitors, users of online
services).
-
Purposes of processing:Provision of our online services and
usability.
-
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR).
Consent (Article 6 (1) (a) GDPR).
Further information on processing methods, procedures and services used:
-
Processing Cookie Data on the Basis of Consent: We
implement a consent management solution that obtains users' consent for the
use of cookies or for the processes and providers mentioned within the
consent management framework. This procedure is designed to solicit, log,
manage, and revoke consents, particularly regarding the use of cookies and
similar technologies employed to store, read from, and process information
on users' devices. As part of this procedure, user consents are obtained for
the use of cookies and the associated processing of information, including
specific processing and providers named in the consent management process.
Users also have the option to manage and withdraw their consents. Consent
declarations are stored to avoid repeated queries and to provide proof of
consent according to legal requirements. The storage is carried out
server-side and/or in a cookie (so-called opt-in cookie) or by means of
comparable technologies in order to associate the consent with a specific
user or their device.If no specific details about the providers of consent
management services are provided, the following general notes apply: The
duration of consent storage is up to two years. A pseudonymous user
identifier is created, which is stored along with the time of consent,
details on the scope of consent (e.g., relevant categories of cookies and/or
service providers), as well as information about the browser, system, and
device used;
Legal Basis:Consent (Article 6 (1) (a) GDPR).
-
Cookie-Opt-Out: In the footer of our website you will find
a link that allows you to change your cookie settings as well as revoke
corresponding consents.
Special Notes on Applications (Apps)
We process the data of the users of our application to the extent necessary to
provide the users with the application and its functionalities, to monitor its
security and to develop it further. Furthermore, we may contact users in
compliance with the statutory provisions if communication is necessary for the
purposes of administration or use of the application. In addition, we refer to
the data protection information in this privacy policy with regard to the
processing of user data.
Legal basis:The processing of data necessary for the
provision of the functionalities of the application serves to fulfil
contractual obligations. This also applies if the provision of the functions
requires user authorisation (e.g. release of device functions). If the
processing of data is not necessary for the provision of the functionalities
of the application, but serves the security of the application or our business
interests (e.g. collection of data for the purpose of optimising the
application or security purposes), it is carried out on the basis of our
legitimate interests. If users are expressly requested to give their consent
to the processing of their data, the data covered by the consent is processed
on the basis of the consent.
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.);
Usage data (e.g. page views and duration of visit, click paths, intensity
and frequency of use, types of devices and operating systems used,
interactions with content and features); Meta, communication and process
data (e.g. IP addresses, timestamps, identification numbers, involved
parties); Payment Data (e.g. bank details, invoices, payment history);
Contract data (e.g. contract object, duration, customer category); Images
and/ or video recordings (e.g. photographs or video recordings of a person);
Audio recordings. Location data (Information on the geographical position of
a device or person).
-
Data subjects:Users (e.g. website visitors, users of online
services).
-
Purposes of processing:Provision of contractual services
and fulfillment of contractual obligations; Security measures. Provision of
our online services and usability.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
Commercial use: We process the data of the users of our
application, registered and any test users (hereinafter uniformly referred
to as "users") in order to provide them with our contractual services and on
the basis of legitimate interests to ensure the security of our application
and to develop it further. The required details are identified as such
within the scope of the conclusion of a contract for the use of the
application, the conclusion of an order, an order or a comparable contract
and may include the details required for the provision of services and any
invoicing as well as contact information in order to be able to hold any
consultations;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR).
-
Storage of the universally unique identifier (UUID): The
application stores a so-called Universally Unique Identifier (UUID) for the
purpose of analysing the use and functionality of the application and
storing the user's settings. This identifier is generated when the
application is installed (but is not connected to the device, so no device
ID in this sense), remains stored between the start of the application and
its updates and is deleted when users remove the application from their
device.
-
Storage of an own unique identifier: In order to provide
the application and ensure its functionality, we use a pseudonymous
identifier. The identifier is a mathematical value (i.e. no clear data such
as names are used) that is assigned to a device and/or the installation of
the application installed on it. This identifier is generated during the
installation of the application, remains stored between the start of the
application and its updates and is deleted when users remove the application
from the device.
-
Device authorizations for access to functions and data: The
use of certain functions of our application may require access to the camera
and the stored recordings of the users. By default, these authorizations
must be granted by the user and can be revoked at any time in the settings
of the respective devices. The exact procedure for controlling app
permissions may depend on the user's device and software. Users can contact
us if they require further explanation. We would like to point out that the
refusal or revocation of the respective authorizations can affect the
functionality of our application.
-
Accessing the camera and stored recordings: In the course
of using our application, image and/or video recordings (whereby audio
recordings are also included) of the users (and of other persons captured by
the recordings) are processed by accessing the camera functions or stored
recordings. Access to the camera functions or stored recordings requires an
authorization by the user that can be withdrawn at any time. The processing
of the image and/or video recordings serves only to provide the respective
functionality of our application, according to its description to the users
or the typical and expectable functionality of the application.
-
Use of the microphone functions: The use of certain
functions of our application may require access to the camera and the stored
recordings of the users. By default, these authorizations must be granted by
the user and can be revoked at any time in the settings of the respective
devices. The exact procedure for controlling app permissions may depend on
the user's device and software. Users can contact us if they require further
explanation. We would like to point out that the refusal or revocation of
the respective authorizations can affect the functionality of our
application.
-
Processing of stored contacts: When using our application,
the contact information of persons (e.g. name, e-mail address and telephone
number) stored in the contact directory of the device is processed. The use
of the contact information requires user authorization, which can be
withdrawn at any time. The use of the contact information serves only to
provide the respective functionality of our application, according to its
description to the users, or its typical and expectable functionality. Users
are advised that permission to process the contact information must be
granted and, especially in the case of natural persons, their consent or a
legal permission is required.
-
Use of contact data for contact matching purposes: The data
of contacts stored in the contact directory of the device can be used to
check whether these contacts also use our application. For this purpose, the
contact data of the respective contacts (which includes the telephone number
and e-mail address) are uploaded to our server and used only for the purpose
of matching.
-
Processing of location data: Within the course of using our
application, the location data collected by the device used or otherwise
entered by the user are processed. The use of the location data requires an
authorization of the users, which can be revoked at any time. The use of the
location data serves only to provide the respective functionality of our
application, according to its description to the users or its typical and
expectable functionality.
-
Location history and movement profiles: The location data
is only used selectively and is not processed to create a location history
or a movement profile of the devices used or of their users.
Purchase of applications via Appstores
The purchase of our apps is done via special online platforms operated by
other service providers (so-called "appstores"). In this context, the data
protection notices of the respective appstores apply in addition to our data
protection notices. This applies in particular with regard to the methods used
on the platforms for webanalytics and for interest-related marketing as well
as possible costs.
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.);
Payment Data (e.g. bank details, invoices, payment history); Contact data
(e.g. postal and email addresses or phone numbers); Contract data (e.g.
contract object, duration, customer category); Usage data (e.g. page views
and duration of visit, click paths, intensity and frequency of use, types of
devices and operating systems used, interactions with content and features).
Meta, communication and process data (e.g. IP addresses, timestamps,
identification numbers, involved parties).
-
Data subjects:Service recipients and clients. Users (e.g.
website visitors, users of online services).
-
Purposes of processing:Provision of contractual services
and fulfillment of contractual obligations; Marketing. Provision of our
online services and usability.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
Apple App Store: App and software distribution platform;
Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.apple.com/app-store/. Privacy Policy:
https://www.apple.com/privacy/privacy-policy/.
-
Google Play: App and software distribution platform;
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://play.google.com/store/apps?hl=en; Privacy Policy:
https://policies.google.com/privacy. Basis for third-country transfers:Switzerland - Adequacy
decision (Ireland).
-
Microsoft Store: App and software distribution platform;
Service provider: Microsoft Irland Operations Limited, One Microsoft Place, South County
Business Park, Leopardstown, Dublin 18, D18 P521, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.microsoft.com/en-gb/store; Privacy Policy:
https://privacy.microsoft.com/de-de/privacystatement, Security information:
https://www.microsoft.com/de-de/trustcenter. Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
Registration, Login and User Account
Users can create a user account. Within the scope of registration, the
required mandatory information is communicated to the users and processed for
the purposes of providing the user account on the basis of contractual
fulfilment of obligations. The processed data includes in particular the login
information (name, password and an e-mail address).
Within the scope of using our registration and login functions as well as the
use of the user account, we store the IP address and the time of the
respective user action. The storage is based on our legitimate interests, as
well as the user's protection against misuse and other unauthorized use. This
data will not be passed on to third parties unless it is necessary to pursue
our claims or there is a legal obligation to do so.
Users may be informed by e-mail of information relevant to their user account,
such as technical changes.
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.);
Contact data (e.g. postal and email addresses or phone numbers); Content
data (e.g. textual or pictorial messages and contributions, as well as
information pertaining to them, such as details of authorship or the time of
creation.); Usage data (e.g. page views and duration of visit, click paths,
intensity and frequency of use, types of devices and operating systems used,
interactions with content and features). Log data (e.g. log files concerning
logins or data retrieval or access times.).
-
Data subjects:Users (e.g. website visitors, users of online
services).
-
Purposes of processing:Provision of contractual services
and fulfillment of contractual obligations; Security measures;
Organisational and Administrative Procedures. Provision of our online
services and usability.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion". Deletion after termination.
-
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
Registration with pseudonyms: Users may use pseudonyms as
user names instead of real names;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR).
-
Users' profiles are public: Users' profiles are publicly
visible and accessible.
-
Deletion of data after termination: If users have
terminated their user account, their data relating to the user account will
be deleted, subject to any legal permission, obligation or consent of the
users;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR).
-
No obligation to retain data: It is the responsibility of
the users to secure their data before the end of the contract in the event
of termination. We are entitled to irretrievably delete all user data stored
during the term of the contract;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR).
Community Functions
The community functions provided by us allow users to engage in conversations
and other forms of interaction with each other. Please note that the use of
the community functions is only permitted in compliance with the applicable
legal situation, our terms and guidelines and the rights of other users and
third parties.
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.).
Usage data (e.g. page views and duration of visit, click paths, intensity
and frequency of use, types of devices and operating systems used,
interactions with content and features).
-
Data subjects:Users (e.g. website visitors, users of online
services).
-
Purposes of processing:Provision of contractual services
and fulfillment of contractual obligations; Security measures. Provision of
our online services and usability.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
User contributions are public: The posts and content
created by users are publicly visible and accessible;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR).
-
Storage of data for security purposes: The posts and other
entries of the users are processed for the purposes of the community and
conversation functions and, subject to legal obligations or legal
permission, are not disclosed to third parties. An obligation to disclosure
may arise in particular in the case of unlawful posts for the purposes of
legal prosecution. We would like to point out that, in addition to the
content of the posts, their time and the IP address of the user are also
stored. This is done in order to be able to take appropriate measures to
protect other users and the community;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR).
-
Right to delete content and information: The deletion of
posts, content or information provided by users is permissible to the extent
necessary after proper consideration if there are concrete indications that
they could represent a violation of legal regulations, our provisions or the
rights of third parties;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR).
-
Restricted deletion of posts: Out of consideration for
other users, the user's contributions to conversations remain stored even
after termination and account deletion, so that conversations, comments,
advice and similar communications do not lose their meaning or become
inverted.This ensures that conversations, comments, advice or similar
communication between and among users do not lose their meaning or become
inverted. User names will be deleted or pseudonymised if they were not
already pseudonyms.Users can request the complete deletion of their posts at
any time;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR).
-
Protection of own data: Users decide for themselves what
data they disclose about themselves within our online services. For example,
when users provide personal information or participate in conversations. We
ask users to protect their data and to publish personal data only with
caution and only to the extent necessary. In particular, we ask users to
note that they must protect their login credentials in particular and use
secure passwords (preferably long and random combinations of characters);
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR).
Single Sign-on Authentication
Single Sign-On" or "Single Sign-On Authentication or Logon" are procedures
that allow users to log in to our online services using a user account with a
provider of Single Sign-On services (e.g. a social network). The prerequisite
for Single Sign-On Authentication is that users are registered with the
respective Single Sign-On provider and enter the required access data in the
online form provided for this purpose, or are already logged in with the
Single Sign-On provider and confirm the Single Sign-On login via the button.
Authentication takes place directly with the respective single sign-on
provider. Within the scope of such authentication, we receive a user ID with
the information that the user is logged in with the respective single sign-on
provider under this user ID and an ID that cannot be used for other purposes
(so-called "user handle"). Whether we receive further data depends solely on
the single sign-on procedure used, the data releases selected as part of
authentication and also which data users have released in the privacy or other
settings of the user account with the single sign-on provider. Depending on
the single sign-on provider and the user's choice, there can be different
data, usually the e-mail address and the user name. The password entered by
the single sign-on provider as part of the single sign-on procedure is neither
visible to us nor is it stored by us.
Users are requested to note that their data stored with us can be
automatically compared with their user account with the single sign-on
provider, but this is not always possible or actual. If, for example, the
e-mail addresses of users change, users must change these manually in their
user account with us.
We can use single sign-on authentication, provided that it has been agreed
with users in the context of pre-fulfillment or fulfilment of the contract, in
the context of consent processing and otherwise use it on the basis of our
legitimate interests and the interests of users in an effective and secure
authentication system.
Should users decide to no longer want to use the link of their user account
with the Single Sign-On provider for the Single Sign-On procedure, they must
remove this link within their user account with the Single Sign-On provider.
If users wish to delete their data from us, they must cancel their
registration with us.
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.);
Contact data (e.g. postal and email addresses or phone numbers); Usage data
(e.g. page views and duration of visit, click paths, intensity and frequency
of use, types of devices and operating systems used, interactions with
content and features); Meta, communication and process data (e.g. IP
addresses, timestamps, identification numbers, involved parties); Event Data
(Facebook) ("Event Data" is data that can be transmitted from us to
Facebook, e.g. via Facebook pixels (via apps or other means) and relates to
persons or their actions; the data includes, for example, information about
visits to websites, interactions with content, functions, installations of
apps, purchases of products, etc.; Event data is processed for the purpose
of creating target groups for content and advertising information (Custom
Audiences). Event Data does not include the actual content (such as written
comments), login information, and Contact Information (such as names, email
addresses, and phone numbers). Event Data is deleted by Facebook after a
maximum of two years, the Custom Audiences created from them with the
deletion of our Facebook account).
-
Data subjects:Users (e.g. website visitors, users of online
services).
-
Purposes of processing:Provision of contractual services
and fulfillment of contractual obligations; Security measures;
Authentication processes. Provision of our online services and usability.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion". Deletion after termination.
-
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
Apple Single-Sign-On: Authentication services for user
logins, provision of single sign-on functionalities, management of identity
information and application integrations; Service provider:
Apple Inc., Infinite Loop, Cupertino, CA 95014, USA;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.apple.com.
Privacy Policy:
https://www.apple.com/legal/privacy/en-ww/.
-
Facebook Single-Sign-On: Authentication service of the
platform Facebook; Service provider: Meta Platforms Ireland
Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.facebook.com; Privacy Policy:
https://www.facebook.com/privacy/policy/; Data Processing Agreement:
https://www.facebook.com/legal/terms/dataprocessing. Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
-
Google Single-Sign-On: Authentication services for user
logins, provision of single sign-on functionalities, management of identity
information and application integrations; Service provider:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.google.com;
Privacy Policy:
https://policies.google.com/privacy; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
Opt-Out:Settings for the Display of Advertisements:
https://myadcenter.google.com/personalizationoff.
-
Microsoft Single-Sign-On: Authentication services for user
logins, provision of single sign-on functionalities, management of identity
information and application integrations; Service provider:
Microsoft Irland Operations Limited, One Microsoft Place, South County
Business Park, Leopardstown, Dublin 18, D18 P521, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.microsoft.com/en-gb/security/business/identity-access/azure-active-directory-single-sign-on; Privacy Policy:
https://privacy.microsoft.com/en-gb/privacystatement; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
Further Information:
https://www.microsoft.com/en-gb/trust-center.
Blogs and publication media
We use blogs or comparable means of online communication and publication
(hereinafter "publication medium"). Readers' data will only be processed for
the purposes of the publication medium to the extent necessary for its
presentation and communication between authors and readers or for security
reasons. For the rest, we refer to the information on the processing of
visitors to our publication medium within the scope of this privacy policy.
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.);
Contact data (e.g. postal and email addresses or phone numbers); Content
data (e.g. textual or pictorial messages and contributions, as well as
information pertaining to them, such as details of authorship or the time of
creation.); Usage data (e.g. page views and duration of visit, click paths,
intensity and frequency of use, types of devices and operating systems used,
interactions with content and features). Meta, communication and process
data (e.g. IP addresses, timestamps, identification numbers, involved
parties).
-
Data subjects:Users (e.g. website visitors, users of online
services).
-
Purposes of processing:Feedback (e.g. collecting feedback
via online form); Provision of our online services and usability; Security
measures. Organisational and Administrative Procedures.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
Comment subscriptions: When users leave comments or other
contributions, their IP addresses may be stored based on our legitimate
interests. This is done for our safety, if someone leaves illegal contents
(insults, forbidden political propaganda, etc.) in comments and
contributions. In this case, we ourselves can be prosecuted for the comment
or contribution and are therefore interested in the author's identity.
Furthermore, we reserve the right to process user data for the purpose of
spam detection on the basis of our legitimate interests.
On the same legal basis, in the case of surveys, we reserve the right to
store the IP addresses of users for the duration of the surveys and to use
cookies in order to avoid multiple votes.
The personal information provided in the course of comments and
contributions, any contact and website information as well as the content
information will be stored permanently by us until the user objects;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR).
-
Gravatar Profile Pictures: Profile Pictures - We use the
service Gravatar within our on-line offer and in particular in the Blog.
Gravatar is a service where users can register and store profile pictures
and their e-mail addresses. If users leave contributions or comments with
the respective e-mail address on other online presences (especially in
blogs), their profile pictures can be displayed next to the contributions or
comments. For this purpose, the e-mail address provided by the users is
transmitted to Gravatar in encrypted form for the purpose of checking
whether a profile is stored for it. This is the only purpose of transmitting
the email address and it will not be used for other purposes, but deleted
thereafter.
The use of Gravatar is based on our legitimate interests, as we use Gravatar
to offer authors of contributions and comments the opportunity to
personalize their contributions with a profile picture.
By displaying the images, Gravatar knows the IP address of the user, as this
is necessary for communication between a browser and an online service.
If users do not want a user image linked to their e-mail address to appear
in the comments at Gravatar, they should use an e-mail address which is not
stored at Gravatar for commenting. We would also like to point out that it
is also possible to use an anonymous e-mail address or no e-mail address at
all if users do not wish their own e-mail address to be sent to Gravatar.
Users can completely prevent the transmission of data by not using our
comment system; Service provider: Aut O’Mattic A8C Ireland
Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://automattic.com;
Privacy Policy:
https://automattic.com/privacy. Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
Contact and Inquiry Management
When contacting us (e.g. via mail, contact form, e-mail, telephone or via
social media) as well as in the context of existing user and business
relationships, the information of the inquiring persons is processed to the
extent necessary to respond to the contact requests and any requested
measures.
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.);
Contact data (e.g. postal and email addresses or phone numbers); Content
data (e.g. textual or pictorial messages and contributions, as well as
information pertaining to them, such as details of authorship or the time of
creation.); Usage data (e.g. page views and duration of visit, click paths,
intensity and frequency of use, types of devices and operating systems used,
interactions with content and features). Meta, communication and process
data (e.g. IP addresses, timestamps, identification numbers, involved
parties).
-
Data subjects:Communication partner (Recipients of e-mails,
letters, etc.); Users (e.g. website visitors, users of online services).
Business and contractual partners.
-
Purposes of processing:Communication; Organisational and
Administrative Procedures; Feedback (e.g. collecting feedback via online
form). Provision of our online services and usability.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR).
Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
Further information on processing methods, procedures and services used:
-
Contact form: Upon contacting us via our contact form,
email, or other means of communication, we process the personal data
transmitted to us for the purpose of responding to and handling the
respective matter. This typically includes details such as name, contact
information, and possibly additional information provided to us that is
necessary for appropriate processing. We use this data exclusively for the
stated purpose of contact and communication;
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
-
canny: Collection of user feedback, management of feature
requests, prioritisation of product developments based on user needs,
communication of updates to users, integration into existing workflows and
analysis of feedback trends; Service provider: Canny Inc.,
800 N King Street, DE 19801 Wilmington, USA;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://canny.io/;Privacy Policy:
https://canny.io/privacy; Data Processing Agreement:Provided by the service
provider. Basis for third-country transfers:EEA - Standard
Contractual Clauses (Provided by the service provider), Switzerland -
Standard Contractual Clauses (Provided by the service provider).
Communication via Messenger
We use messenger services for communication purposes and therefore ask you to
observe the following information regarding the functionality of the messenger
services, encryption, use of the metadata of the communication and your
objection options.
You can also contact us by alternative means, e.g. telephone or e-mail. Please
use the contact options provided to you or use the contact options provided
within our online services.
In the case of encryption of content (i.e. the content of your message and
attachments), we point out that the communication content (i.e. the content of
the message and attachments) is encrypted end-to-end. This means that the
content of the messages is not visible, not even by the messenger service
providers themselves. You should always use a current version of the messenger
service with activated encryption, so that the encryption of the message
contents is guaranteed.
However, we would like to point out to our communication partners that
although messenger service providers do not see the content, they can find out
that and when communication partners communicate with us and process technical
information on the communication partner's device used and, depending on the
settings of their device, also location information (so-called metadata).
Information on Legal basis: If we ask communication partners
for permission before communicating with them via messenger services, the
legal basis of our processing of their data is their consent. Otherwise, if we
do not request consent and you contact us, for example, voluntarily, we use
messenger services in our dealings with our contractual partners and as part
of the contract initiation process as a contractual measure and in the case of
other interested parties and communication partners on the basis of our
legitimate interests in fast and efficient communication and meeting the needs
of our communication partners for communication via messenger services. We
would also like to point out that we do not transmit the contact data provided
to us to the messenger service providers for the first time without your
consent.
Withdrawal, objection and deletion: You can withdraw your
consent or object to communication with us via messenger services at any time.
In the case of communication via messenger services, we delete the messages in
accordance with our general data retention policy (i.e. as described above
after the end of contractual relationships, archiving requirements, etc.) and
otherwise as soon as we can assume that we have answered any information
provided by the communication partners, if no reference to a previous
conversation is to be expected and there are no legal obligations to store the
messages to prevent their deletion.
Reservation of reference to other means of communication:For
your security, we kindly ask for your understanding that we may not respond to
enquiries via messenger for specific reasons. This applies in situations where
contract details require heightened confidentiality or a response via
messenger does not meet formal requirements. In such cases, we recommend using
more appropriate communication channels.
-
Processed data types:Contact data (e.g. postal and email
addresses or phone numbers); Content data (e.g. textual or pictorial
messages and contributions, as well as information pertaining to them, such
as details of authorship or the time of creation.); Usage data (e.g. page
views and duration of visit, click paths, intensity and frequency of use,
types of devices and operating systems used, interactions with content and
features). Meta, communication and process data (e.g. IP addresses,
timestamps, identification numbers, involved parties).
-
Data subjects:Communication partner (Recipients of e-mails,
letters, etc.).
-
Purposes of processing:Communication.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Consent (Article 6 (1) (a) GDPR); Performance
of a contract and prior requests (Article 6 (1) (b) GDPR). Legitimate
Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
Instagram: Messaging via the social network Instagram;
Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5,
Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.instagram.com; Privacy Policy:
https://privacycenter.instagram.com/policy/. Basis for third-country transfers:Switzerland - Adequacy
decision (Ireland).
-
Facebook-Messenger: Sending and receiving text messages,
making voice and video calls, creating group chats, sharing files and media,
transmitting location information, synchronising contacts, encrypting
messages; Service provider: Meta Platforms Ireland Limited,
Merrion Road, Dublin 4, D04 X2K5, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.facebook.com; Privacy Policy:
https://www.facebook.com/privacy/policy/; Data Processing Agreement:
https://www.facebook.com/legal/terms/dataprocessing. Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
Chatbots and chat functions
We provide online chats and chatbot functions as a means of communication
(together referred to as "Chat Services"). A chat is an online conversation
that is conducted with a certain degree of immediacy. A chatbot is software
that answers users' questions or informs them about messages. If you use our
chat functions, we may process your personal data.
If you use our Chat Services within an online platform, your identification
number is also stored within the respective platform. We may also collect
information about which users interact with our Chat Services and when.
Furthermore, we store the content of your conversations via the Chat Services
and log registration and consent processes in order to be able to prove these
in accordance with legal requirements.
We would like to inform users that the respective platform provider can find
out that and when users communicate with our Chat Services and can collect
technical information about the user's device used and, depending on the
settings of their device, also location information (so-called metadata) for
the purpose of optimising the respective services and for security purposes.
Likewise, the metadata of communication via Chat Services (i.e., information
about who has communicated with whom) could be used by the respective platform
providers for marketing purposes or to display advertising tailored to users
in accordance with their regulations, to which we refer for further
information.
If users agree to activate information with regular messages to a chatbot,
they have the possibility to unsubscribe from the information for the future
at any time. The chatbot points out to users how and with which terms they can
unsubscribe the messages. By unsubscribing from the chatbot messages, Users'
data is deleted from the directory of message recipients.
We use the aforementioned information to operate our Chat Services, e.g. to
address users personally, to answer their inquiries, to transmit any requested
content and also to improve our Chat Services (e.g. to "teach" chatbots
answers to frequently asked questions or to identify unanswered inquiries).
Information on Legal basis:We use the Chat Services on the
basis of a consent if we first obtain the permission of the users to process
their data by the Chat Services (this applies in cases where users are asked
for consent, e.g. so that a chatbot regularly sends them messages). If we use
Chat Services to answer user queries about our services or our company, this
is done for contractual and pre-contractual communication. In addition, we use
Chat Services based on our legitimate interests in optimizing the Chat
Services, its operating efficiency and enhancing the positive user experience.
Withdrawal, objection and deletion:You can revoke a given
consent at any time or contradict the processing of your data in the context
of our chatbot use.
-
Processed data types:Contact data (e.g. postal and email
addresses or phone numbers); Content data (e.g. textual or pictorial
messages and contributions, as well as information pertaining to them, such
as details of authorship or the time of creation.); Usage data (e.g. page
views and duration of visit, click paths, intensity and frequency of use,
types of devices and operating systems used, interactions with content and
features). Meta, communication and process data (e.g. IP addresses,
timestamps, identification numbers, involved parties).
-
Data subjects:Communication partner (Recipients of e-mails,
letters, etc.). Users (e.g. website visitors, users of online services).
-
Purposes of processing:Communication. Provision of our
online services and usability.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Consent (Article 6 (1) (a) GDPR); Performance
of a contract and prior requests (Article 6 (1) (b) GDPR). Legitimate
Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
Push notifications
With the consent of the users, we can send the users so-called "push
notifications". These are messages that are displayed on users' screens,
devices or browsers, even if our online services are not being actively used.
In order to sign up for push messages, users must confirm that their browser
or device has requested to receive push messages. This approval process is
documented and stored. The storage is necessary to recognize whether users
have consented to receive the push messages and to be able to prove their
consent. For these purposes, a pseudonymous identifier of the browser
(so-called "push token") or the device ID of a terminal device is stored.
The push messages may be necessary for the fulfilment of contractual
obligations (e.g. technical and organisational information relevant for the
use of our online offer) and will otherwise be sent, unless specifically
mentioned below, on the basis of user consent. Users can change the receipt of
push messages at any time using the notification settings of their respective
browsers or end devices.
-
Processed data types:Usage data (e.g. page views and
duration of visit, click paths, intensity and frequency of use, types of
devices and operating systems used, interactions with content and features).
Meta, communication and process data (e.g. IP addresses, timestamps,
identification numbers, involved parties).
-
Data subjects:Communication partner (Recipients of e-mails,
letters, etc.). Users (e.g. website visitors, users of online services).
-
Purposes of processing:Communication; Provision of our
online services and usability; Web Analytics (e.g. access statistics,
recognition of returning visitors). Direct marketing (e.g. by e-mail or
postal).
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion". Deletion after termination.
-
Legal Basis:Consent (Article 6 (1) (a) GDPR). Legitimate
Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
Push messages with commercial information: The push
notifications we send may contain commercial information. The commercial
push messages are processed on the basis of user consent. If the contents of
the push messages are described in detail in the context of the consent to
receive the commercial push messages, the descriptions are decisive for the
consent of the users. In addition, our newsletters contain information about
our services and us;
Legal Basis:Consent (Article 6 (1) (a) GDPR).
-
Analysis and performance measurement: We statistically
evaluate push messages and can thus identify if and when push messages were
displayed and clicked on. This information is used for the technical
improvement of our push messages based on technical data or target groups
and their retrieval behavior or retrieval times. This analysis also includes
determining whether the push messages are opened, when they are opened and
whether users interact with their content or buttons. For technical reasons,
this information can be assigned to individual push message recipients.
However, it is neither our intention nor, if used, that of the push message
service provider to monitor individual users. Rather, the evaluations serve
to identify the usage habits of our users and to adapt our push messages to
them or to send different push messages according to the interests of our
users.
The evaluation of the push messages and the measurement of performance are
based on the consent of the users, which is given with their permission to
receive the push messages. Users can object to the analysis and performance
measurement by unsubscribing from the push messages. Unfortunately, it is
not possible to cancel the analysis and performance measurement separately;
Legal Basis:Consent (Article 6 (1) (a) GDPR).
-
Firebase Cloud Messaging: Sending cross-platform messages
and information; Service provider: Google Ireland Limited,
Gordon House, Barrow Street, Dublin 4, Ireland; Website:
https://firebase.google.com/; Privacy Policy:
https://policies.google.com/privacy; Data Processing Agreement:
https://firebase.google.com/terms/data-processing-terms. Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
-
Firebase: Google Firebase is a platform for developers of
apps for mobile devices and websites. Google Firebase offers a variety of
features for testing apps, monitoring their functionality and optimizing
them (shown on the following overview page:
https://firebase.google.com/products).The functions include the storage of apps including personal data of the
application users, such as content created by them or information regarding
their interaction with the apps (so-called "cloud computing"). Google
Firebase also offers interfaces that allow interaction between the users of
the app and other services, e.g. authentication using services such as
Facebook, Twitter or an e-mail password combination;
Service provider: Google Ireland Limited, Gordon House,
Barrow Street, Dublin 4, Ireland;
Legal Basis:Consent (Article 6 (1) (a) GDPR);
Website:
https://firebase.google.com; Privacy Policy:
https://policies.google.com/privacy; Data Processing Agreement:
https://cloud.google.com/terms/data-processing-addendum. Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
Artificial Intelligence (AI)
We use artificial intelligence (AI), which involves the processing of personal
data. The specific purposes and our interest in using AI are mentioned below.
According to the term "AI system" as defined in Article 3 No. 1 of the AI
Regulation, we understand AI to be a machine-based system designed for varying
degrees of autonomous operation, capable of adaptation after deployment, and
producing outputs such as predictions, content, recommendations, or decisions
that can influence physical or virtual environments.
Our AI systems are used in strict compliance with legal requirements. These
include both specific regulations for artificial intelligence and data
protection requirements. In particular, we adhere to the principles of
lawfulness, transparency, fairness, human oversight, purpose limitation, data
minimisation, integrity and confidentiality. We ensure that the processing of
personal data is always based on a legal foundation. This may either be the
consent of the data subjects or a statutory permission.
When using external AI systems, we carefully select their providers
(hereinafter referred to as "AI providers"). In accordance with our legal
obligations, we ensure that the AI providers comply with applicable
provisions. We also observe our duties when using or operating the acquired AI
services. The processing of personal data by us and the AI providers is
carried out exclusively on the basis of consent or legal authorisation. We
place particular emphasis on transparency, fairness and maintaining human
oversight over AI-supported decision-making processes.
To protect processed data, we implement appropriate and robust technical as
well as organisational measures. These ensure the integrity and
confidentiality of processed data and minimise potential risks. Through
regular reviews of AI providers and their services, we ensure ongoing
compliance with current legal and ethical standards.
-
Processed data types:Content data (e.g. textual or
pictorial messages and contributions, as well as information pertaining to
them, such as details of authorship or the time of creation.). Usage data
(e.g. page views and duration of visit, click paths, intensity and frequency
of use, types of devices and operating systems used, interactions with
content and features).
-
Data subjects:Users (e.g. website visitors, users of online
services). Third parties.
-
Purposes of processing:Artificial Intelligence (AI).
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
ChatGPT: AI-based service designed to understand and
generate natural language and related input and data, analyze information,
and make predictions ("AI", meaning "Artificial Intelligence" shall be
construed in the applicable legal sense of the term);
Service provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1,
Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://openai.com/product; Privacy Policy:
https://openai.com/policies/privacy-policy/; Basis for third-country transfers:Switzerland - Adequacy
decision (Ireland). Opt-Out:
https://docs.google.com/forms/d/e/1FAIpQLSevgtKyiSWIOj6CV6XWBHl1daPZSOcIWzcUYUXQ1xttjBgDpA/viewform.
-
DALL-E: Generation of images from text descriptions,
adaptation and editing of existing images based on text instructions,
generation of variations of an image, support in creative projects through
visual content; Service provider: OpenAI, 3180 18th St, San
Francisco, CA 94110, USA;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://openai.com/product; Privacy Policy:
https://openai.com/policies/privacy-policy. Opt-Out:
https://docs.google.com/forms/d/e/1FAIpQLSevgtKyiSWIOj6CV6XWBHl1daPZSOcIWzcUYUXQ1xttjBgDpA/viewform.
-
DeepL: Translation of texts into various languages and
provision of synonyms as well as context examples. Support with the
correction and improvement of texts in different languages;
Service provider: DeepL SE, Maarweg 165, 50825 Köln, Germany;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.deepl.com;
Privacy Policy:
https://www.deepl.com/en/privacy; Data Processing Agreement:Provided by the service
provider. Basis for third-country transfers:Switzerland -
Adequacy decision (Germany).
-
OpenAI API: An AI API that provides developers with access
to a variety of advanced language and image models, including GPT-4 and
DALL-E. The OpenAI API enables the integration of complex tasks such as text
generation, language processing, and image analysis into applications;
Service provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1,
Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://openai.com/product; Privacy Policy:
https://openai.com/policies/privacy-policy/; Data Processing Agreement:
https://openai.com/policies/data-processing-addendum; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
Opt-Out:
https://docs.google.com/forms/d/e/1FAIpQLSevgtKyiSWIOj6CV6XWBHl1daPZSOcIWzcUYUXQ1xttjBgDpA/viewform.
Cloud Services
We use Internet-accessible software services (so-called "cloud services", also
referred to as "Software as a Service") provided on the servers of its
providers for the storage and management of content (e.g. document storage and
management, exchange of documents, content and information with certain
recipients or publication of content and information).
Within this framework, personal data may be processed and stored on the
provider's servers insofar as this data is part of communication processes
with us or is otherwise processed by us in accordance with this privacy
policy. This data may include in particular master data and contact data of
data subjects, data on processes, contracts, other proceedings and their
contents. Cloud service providers also process usage data and metadata that
they use for security and service optimization purposes.
If we use cloud services to provide documents and content to other users or
publicly accessible websites, forms, etc., providers may store cookies on
users' devices for web analysis or to remember user settings (e.g. in the case
of media control).
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.);
Contact data (e.g. postal and email addresses or phone numbers); Content
data (e.g. textual or pictorial messages and contributions, as well as
information pertaining to them, such as details of authorship or the time of
creation.). Usage data (e.g. page views and duration of visit, click paths,
intensity and frequency of use, types of devices and operating systems used,
interactions with content and features).
-
Data subjects:Prospective customers; Communication partner
(Recipients of e-mails, letters, etc.); Business and contractual partners.
Users (e.g. website visitors, users of online services).
-
Purposes of processing:Office and organisational
procedures. Information technology infrastructure (Operation and provision
of information systems and technical devices, such as computers, servers,
etc.)).
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
Apple iCloud: Cloud storage service;
Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.apple.com.
Privacy Policy:
https://www.apple.com/legal/privacy/en-ww/.
-
Google Cloud Services: Cloud infrastructure services and
cloud-based application software; Service provider: Google
Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://cloud.google.com/; Privacy Policy:
https://policies.google.com/privacy; Data Processing Agreement:
https://cloud.google.com/terms/data-processing-addendum; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
Further Information:
https://cloud.google.com/privacy.
-
Google Cloud Storage: Cloud storage, cloud infrastructure
services and cloud-based application software;
Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2,
Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://cloud.google.com/; Privacy Policy:
https://policies.google.com/privacy; Data Processing Agreement:
https://cloud.google.com/terms/data-processing-addendum; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
Further Information:
https://cloud.google.com/privacy.
-
Google Workspace: Cloud storage, cloud infrastructure
services and cloud-based application software;
Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2,
Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://workspace.google.com/; Privacy Policy:
https://policies.google.com/privacy; Data Processing Agreement:
https://cloud.google.com/terms/data-processing-addendum; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
Further Information:
https://cloud.google.com/privacy.
Newsletter and Electronic Communications
We send newsletters, emails, and other electronic notifications (hereinafter
"newsletters") exclusively with the consent of the recipients or based on a
legal basis. If the contents of the newsletter are specified during
registration for the newsletter, these contents are decisive for the users'
consent. Normally, providing your email address is sufficient to sign up for
our newsletter. However, to offer you a personalised service, we may ask for
your name for personal salutation in the newsletter or for additional
information if necessary for the purpose of the newsletter.
Deletion and restriction of processing: We may store unsubscribed email
addresses for up to three years based on our legitimate interests before
deleting them to be able to demonstrate previously given consent. The
processing of these data is limited to the purpose of potentially defending
against claims. An individual request for deletion is possible at any time,
provided that at the same time the former existence of consent is confirmed.
In case of obligations to permanently observe objections, we reserve the right
to store the email address solely for this purpose in a blocklist.
The logging of the registration process is based on our legitimate interests
for the purpose of proving its proper execution. If we commission a service
provider to send emails, this is done based on our legitimate interests in an
efficient and secure mailing system.
Contents:
Information about us, our services, promotions and offers.
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.);
Contact data (e.g. postal and email addresses or phone numbers); Meta,
communication and process data (e.g. IP addresses, timestamps,
identification numbers, involved parties). Usage data (e.g. page views and
duration of visit, click paths, intensity and frequency of use, types of
devices and operating systems used, interactions with content and features).
-
Data subjects:Communication partner (Recipients of e-mails,
letters, etc.).
-
Purposes of processing:Direct marketing (e.g. by e-mail or
postal); Web Analytics (e.g. access statistics, recognition of returning
visitors); Conversion tracking (Measurement of the effectiveness of
marketing activities); Clicktracking; Marketing. Profiles with user-related
information (Creating user profiles).
-
Legal Basis:Consent (Article 6 (1) (a) GDPR). Legitimate
Interests (Article 6 (1) (f) GDPR).
-
Opt-Out: You can cancel the receipt of our newsletter at
any time, i.e. revoke your consent or object to further receipt. You will
find a link to cancel the newsletter either at the end of each newsletter or
you can otherwise use one of the contact options listed above, preferably
e-mail.
Further information on processing methods, procedures and services used:
-
Measurement of opening rates and click rates: The
newsletters contain a so-called "web beacons", which is a pixel-sized file
that is retrieved from our server, or the server of the dispatch service
provider if one is used, when the newsletter is opened. In the course of
this retrieval, technical information such as details about the browser and
your system, as well as your IP address and the time of access are
collected. This information is used to technically improve our newsletter
based on technical data or target audiences and their reading behavior,
which can be determined by their access locations (identifiable by IP
address) or access times. This analysis also includes determining whether
and when newsletters are opened and which links are clicked. The information
is assigned to individual newsletter recipients and stored in their profiles
until deletion. The evaluations serve to recognize the reading habits of our
users and adjust our content to them or send different content according to
the interests of our users. The measurement of opening and click rates, as
well as the storage of the measurement results in user profiles and their
further processing, are based on user consent. Unfortunately, it is not
possible to revoke success measurement separately; in this case, the entire
newsletter subscription must be cancelled or objected to. In that case,
stored profile information will be deleted;
Legal Basis:Consent (Article 6 (1) (a) GDPR).
-
Order process reminder emails: When users cancel an order
process, we can send them a notice of the cancellation and remind them to
continue. This function can be useful, for example, if the purchase process
could not be continued due to a browser crash, oversight or forgetting. The
dispatch is based on consent, which users can object to at any time;
Legal Basis:Consent (Article 6 (1) (a) GDPR).
-
Resend: Sending, receiving, and managing emails; tools for
analyzing and optimizing email campaigns; Service provider:
Plus Five Five, Inc., 2261 Market Street #5039, San Francisco, CA 94114,
USA;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://resend.com/.
Privacy Policy:
https://resend.com/legal/privacy-policy.
Commercial communication by E-Mail, Postal Mail, Fax or Telephone
We process personal data for the purposes of promotional communication, which
may be carried out via various channels, such as e-mail, telephone, post or
fax, in accordance with the legal requirements.
The recipients have the right to withdraw their consent at any time or to
object to the advertising communication at any time.
After revocation or objection, we store the data required to prove the past
authorization to contact or send up to three years from the end of the year of
revocation or objection on the basis of our legitimate interests. The
processing of this data is limited to the purpose of a possible defense
against claims. Based on the legitimate interest to permanently observe the
revocation, respectively objection of the users, we further store the data
necessary to avoid a renewed contact (e.g. depending on the communication
channel, the e-mail address, telephone number, name).
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.);
Contact data (e.g. postal and email addresses or phone numbers). Content
data (e.g. textual or pictorial messages and contributions, as well as
information pertaining to them, such as details of authorship or the time of
creation.).
-
Data subjects:Communication partner (Recipients of e-mails,
letters, etc.).
-
Purposes of processing:Direct marketing (e.g. by e-mail or
postal); Marketing. Sales promotion.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Consent (Article 6 (1) (a) GDPR). Legitimate
Interests (Article 6 (1) (f) GDPR).
Sweepstakes and Contests
We process the personal data of participants in We process personal data of
participants in competitions, contents, raffles, prize-draws or sweepstakes
(hereinafter referred to as "competitions") only in compliance with the
relevant data protection regulations and if the processing is contractually
necessary for the provision, execution and handling of the competition, the
participants have consented to the processing or the processing serves our
legitimate interests (e.g. in the security of the competition or the
protection of our interests against misuse by possible recording of IP
addresses when submitting entries to the competition.
In the event that entries are published as part of the competitions (e.g. as
part of a vote or presentation of the competition entries, or the winner or
reporting on the competition), we would like to point out that the names of
participants may also be published in this context. The participants can
object to this at any time.
If the competitions take place within an online platform or a social network
(e.g. Facebook or Instagram, hereinafter referred to as "online platform"),
the usage and data protection provisions of the respective online platforms
also apply. In such cases, we would like to point out that we are responsible
for the information provided by the participants as part of the competition
and that we must be contacted with regard to the competitions.
The data of the participants will be deleted as soon as the competition has
ended and the data is no longer required to inform the winners or because
questions about the competition can be expected. In general, the data of the
participants will be deleted at the latest 6 months after the end of the
competition. Winners' data can be retained for a longer period of time, e.g.
in order to answer questions about the prizes or to fulfil the prizes; in this
case, the retention period depends on the type of prize and is up to three
years for items or services, e.g. in order to be able to process warranty
claims. Furthermore, the participants' data may be stored for longer, e.g. in
the form of coverage of the competition in online and offline media.
Insofar as data was collected for other purposes as part of the competition,
its processing and storage period shall be governed by the privacy information
for this use (e.g. in the case of registration for a newsletter as part of a
competition).
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.);
Contact data (e.g. postal and email addresses or phone numbers). Content
data (e.g. textual or pictorial messages and contributions, as well as
information pertaining to them, such as details of authorship or the time of
creation.).
-
Data subjects:Participants in sweepstakes and competitions.
-
Purposes of processing:Conducting sweepstakes and contests.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Surveys and Questionnaires
We conduct surveys and interviews to gather information for the survey purpose
communicated in each case. The surveys and questionnaires ("surveys") carried
out by us are evaluated anonymously. Personal data is only processed insofar
as this is necessary for the provision and technical execution of the survey
(e.g. processing the IP address to display the survey in the user's browser or
to enable a resumption of the survey with the aid of a cookie).
-
Processed data types:Inventory data (For example, the full
name, residential address, contact information, customer number, etc.);
Contact data (e.g. postal and email addresses or phone numbers); Content
data (e.g. textual or pictorial messages and contributions, as well as
information pertaining to them, such as details of authorship or the time of
creation.). Usage data (e.g. page views and duration of visit, click paths,
intensity and frequency of use, types of devices and operating systems used,
interactions with content and features).
-
Data subjects:Participants.
-
Purposes of processing:Feedback (e.g. collecting feedback
via online form). Polls and Questionnaires (e.g. surveys with input options,
multiple choice questions).
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
Web Analysis, Monitoring and Optimization
Web analytics (also referred to as "reach measurement") is used to evaluate
the visitor flows of our online services and may include pseudonymous values
related to visitor behavior, interests, or demographic information such as age
or gender. Through reach analysis, we can, for example, identify when our
online services or their functions and content are most frequently used or
likely to encourage repeat visits. It also enables us to determine which areas
need optimization.
In addition to web analytics, we may also use testing procedures to test and
optimize different versions of our online services or their components.
Unless otherwise specified below, profiles (i.e., data combined from a usage
process) may be created for these purposes, and information can be stored in
and later retrieved from a browser or device. The data collected includes, in
particular, visited websites and elements used on them, as well as technical
information such as the browser used, the computer system, and information
about usage times. If users have given consent to the collection of their
location data to us or to the providers of the services we use, the processing
of location data is also possible.
Additionally, users' IP addresses are stored. However, we use an IP masking
process (i.e., pseudonymization by shortening the IP address) to protect
users. In general, no clear user data (such as email addresses or names) is
stored as part of web analytics, A/B testing, or optimization. Instead,
pseudonyms are used. This means that neither we nor the providers of the
software used know the actual identity of the users, only the information
stored in their profiles for the respective procedures.
Legal basis information: If we ask users for their consent to use third-party
providers, the legal basis for data processing is consent. Otherwise, user
data is processed based on our legitimate interests (i.e., our interest in
efficient, economic, and user-friendly services). In this context, we would
also like to point out the information on the use of cookies in this privacy
policy.
-
Processed data types:Usage data (e.g. page views and
duration of visit, click paths, intensity and frequency of use, types of
devices and operating systems used, interactions with content and features).
Meta, communication and process data (e.g. IP addresses, timestamps,
identification numbers, involved parties).
-
Data subjects:Users (e.g. website visitors, users of online
services).
-
Purposes of processing:Web Analytics (e.g. access
statistics, recognition of returning visitors); Profiles with user-related
information (Creating user profiles). Targeting (e.g. profiling based on
interests and behaviour, use of cookies).
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion". Storage of cookies for up to 2 years (Unless otherwise
stated, cookies and similar storage methods may be stored on users' devices
for a period of two years.).
-
Security measures:IP Masking (Pseudonymization of the IP
address).
-
Legal Basis:Consent (Article 6 (1) (a) GDPR). Legitimate
Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
Firebase: Google Firebase is a platform for developers of
apps for mobile devices and websites. Google Firebase offers a variety of
features for testing apps, monitoring their functionality and optimizing
them (shown on the following overview page:
https://firebase.google.com/products).The functions include the storage of apps including personal data of the
application users, such as content created by them or information regarding
their interaction with the apps (so-called "cloud computing"). Google
Firebase also offers interfaces that allow interaction between the users of
the app and other services, e.g. authentication using services such as
Facebook, Twitter or an e-mail password combination;
Service provider: Google Ireland Limited, Gordon House,
Barrow Street, Dublin 4, Ireland;
Legal Basis:Consent (Article 6 (1) (a) GDPR);
Website:
https://firebase.google.com; Privacy Policy:
https://policies.google.com/privacy; Data Processing Agreement:
https://cloud.google.com/terms/data-processing-addendum. Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
-
Cloudflare Web Analytics: Web analysis, measuring reach and
analyzing user behavior in relation to the use and interests regarding
functions and content as well as their duration of use based on a
pseudonymous user identification number and profile creation;
Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA;
Legal Basis:Consent (Article 6 (1) (a) GDPR);
Website:
https://www.cloudflare.com/web-analytics/; Privacy Policy:
https://www.cloudflare.com/privacypolicy/; Data Processing Agreement:
https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Data Privacy Framework (DPF).
Online Marketing
We process personal data for the purposes of online marketing, which may
include in particular the marketing of advertising space or the display of
advertising and other content (collectively referred to as "Content") based on
the potential interests of users and the measurement of their effectiveness.
For these purposes, so-called user profiles are created and stored in a file
(so-called "cookie") or similar procedure is used by which the relevant user
information for the display of the aforementioned content is stored. This
information may include, for example, content viewed, websites visited, online
networks used, communication partners and technical information such as the
browser used, computer system used and information on usage times and used
functions. If users have consented to the collection of their sideline data,
these can also be processed.
The IP addresses of the users are also stored. However, we use provided IP
masking procedures (i.e. pseudonymisation by shortening the IP address) to
ensure the protection of the user's by using a pseudonym. In general, within
the framework of the online marketing process, no clear user data (such as
e-mail addresses or names) is secured, but pseudonyms. This means that we, as
well as the providers of online marketing procedures, do not know the actual
identity of the users, but only the information stored in their profiles.
The information in the profiles is usually stored in the cookies or similar
memorizing procedures. These cookies can later, generally also on other
websites that use the same online marketing technology, be read and analyzed
for purposes of content display, as well as supplemented with other data and
stored on the server of the online marketing technology provider.
Exceptionally, clear data can be assigned to the profiles. This is the case,
for example, if the users are members of a social network whose online
marketing technology we use and the network links the profiles of the users in
the aforementioned data. Please note that users may enter into additional
agreements with the social network providers or other service providers, e.g.
by consenting as part of a registration process.
As a matter of principle, we only gain access to summarised information about
the performance of our advertisements. However, within the framework of
so-called conversion measurement, we can check which of our online marketing
processes have led to a so-called conversion, i.e. to the conclusion of a
contract with us. The conversion measurement is used alone for the performance
analysis of our marketing activities.
Unless otherwise stated, we kindly ask you to consider that cookies used will
be stored for a period of two years.
Notes on revocation and objection:
We refer to the privacy policies of the respective service providers and the
possibilities for objection (so-called "opt-out"). If no explicit opt-out
option has been specified, it is possible to deactivate cookies in the
settings of your browser. However, this may restrict the functions of our
online offer. We therefore recommend the following additional opt-out options,
which are offered collectively for each area:
a) Europe:
https://www.youronlinechoices.eu.
b) Canada:
https://www.youradchoices.ca/choices.
c) USA:
https://www.aboutads.info/choices.
d) Cross-regional:
https://optout.aboutads.info.
-
Processed data types:Content data (e.g. textual or
pictorial messages and contributions, as well as information pertaining to
them, such as details of authorship or the time of creation.); Usage data
(e.g. page views and duration of visit, click paths, intensity and frequency
of use, types of devices and operating systems used, interactions with
content and features); Meta, communication and process data (e.g. IP
addresses, timestamps, identification numbers, involved parties); Event Data
(Facebook) ("Event Data" is data that can be transmitted from us to
Facebook, e.g. via Facebook pixels (via apps or other means) and relates to
persons or their actions; the data includes, for example, information about
visits to websites, interactions with content, functions, installations of
apps, purchases of products, etc.; Event data is processed for the purpose
of creating target groups for content and advertising information (Custom
Audiences); Event Data does not include the actual content (such as written
comments), login information, and Contact Information (such as names, email
addresses, and phone numbers). Event Data is deleted by Facebook after a
maximum of two years, the Custom Audiences created from them with the
deletion of our Facebook account); Contact Information (Facebook) ("Contact
Information" is data that (clearly) identifies data subjects, such as names,
email addresses and phone numbers, that can be transmitted to Facebook, e.g.
via Facebook pixels or uploads for matching purposes to form Custom
Audiences. After the matching to create target groups, the Contact
Information is deleted).
-
Data subjects:Users (e.g. website visitors, users of online
services).
-
Purposes of processing:Web Analytics (e.g. access
statistics, recognition of returning visitors); Targeting (e.g. profiling
based on interests and behaviour, use of cookies); Conversion tracking
(Measurement of the effectiveness of marketing activities); Affiliate
Tracking; Marketing; Profiles with user-related information (Creating user
profiles); Provision of our online services and usability; Remarketing.
Clicktracking.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion". Storage of cookies for up to 2 years (Unless otherwise
stated, cookies and similar storage methods may be stored on users' devices
for a period of two years.).
-
Security measures:IP Masking (Pseudonymization of the IP
address).
-
Legal Basis:Consent (Article 6 (1) (a) GDPR). Legitimate
Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
Meta Pixel and Custom Audiences (Custom Audiences): With
the help of the Meta-Pixel (or equivalent functions, to transfer Event-Data
or Contact Information via interfaces or other software in apps), Meta is on
the one hand able to determine the visitors of our online services as a
target group for the presentation of ads (so-called "Meta ads").
Accordingly, we use Meta-Pixels to display Meta ads placed by us only to
Meta users and within the services of partners cooperating with Meta
(so-called "audience network"
https://www.facebook.com/audiencenetwork/) who have shown an interest in our online services or who have certain
characteristics (e.g. interests in certain topics or products that are
determined on the basis of the websites visited) that we transmit to Meta
(so-called "custom audiences"). With the help of Meta-Pixels, we also want
to ensure that our Meta ads correspond to the potential interest of users
and do not appear annoying. The Meta-Pixel also enables us to track the
effectiveness of Meta ads for statistical and market research purposes by
showing whether users were referred to our website after clicking on a Meta
ad (known as "conversion tracking"); Service provider: Meta
Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
Legal Basis:Consent (Article 6 (1) (a) GDPR);
Website:
https://www.facebook.com; Privacy Policy:
https://www.facebook.com/privacy/policy/; Data Processing Agreement:
https://www.facebook.com/legal/terms/dataprocessing; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
Further Information:User event data, i.e. behavioral and interest data, is processed for the
purposes of targeted advertising and audience building on the basis of the
joint controllership agreement ("Controller Addendum",
https://www.facebook.com/legal/controller_addendum). The joint controllership is limited to the collection and transfer of
the data to Meta Platforms Ireland Limited, a company located in the EU.
Further processing of the data is the sole responsibility of Meta Platforms
Ireland Limited, which concerns in particular the transfer of the data to
the parent company Meta Platforms, Inc. in the USA (on the basis of standard
contractual clauses concluded between Meta Platforms Ireland Limited and
Meta Platforms, Inc.).
-
Advanced matching for the Meta-Pixel: In addition to the
processing of Event Data in the context of the use of the Meta-Pixel (or
equivalent functions, e.g. in apps), Contact Information (data identifying
individual persons, names, email addresses and telephone numbers) is also
collected by Meta within our online offer or transmitted to Meta. The
processing of contact information serves to form target groups (so-called "
Custom Audiences") for the display of content and advertising information
based on the presumed interests of users. The collection, or transmission
and matching with data available on Meta is not in plain text, but as
so-called "hash values", i.e. mathematical representations of the data (this
method is used, for example, in the storage of passwords). After the
matching to create target groups, the Contact Information is deleted;
Legal Basis:Consent (Article 6 (1) (a) GDPR);
Privacy Policy:Meta Platforms Ireland Limited,
Merrion Road, Dublin 4, D04 X2K5, Ireland;
Data Processing Agreement:
https://www.facebook.com/legal/terms/dataprocessing; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Data Privacy Framework (DPF).
Further Information:
https://www.facebook.com/legal/terms/data_security_terms.
-
Meta - Custom Audiences from File: Creation of target
groups for marketing purposes - We submit Contact Information (names, email
addresses and phone numbers) to Meta in list form for the purpose of
creating Custom Audiences for content and advertising information based on
the presumed interests of users. The transmission and matching with data
available on Meta is not in plain text, but as so-called "hash values", i.e.
mathematical representations of the data (this method is used, for example,
in the storage of passwords). After the matching to create target groups,
the Contact Information is deleted; Service provider: Meta
Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
Legal Basis:Consent (Article 6 (1) (a) GDPR);
Website:
https://www.facebook.com; Privacy Policy:
https://www.facebook.com/privacy/policy/; Data Processing Agreement:
https://www.facebook.com/legal/terms/dataprocessing. Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
-
Facebook Ads: Placement of ads within the Facebook platform
and analysis of ad results; Service provider: Meta
Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
Legal Basis:Consent (Article 6 (1) (a) GDPR);
Website:
https://www.facebook.com; Privacy Policy:
https://www.facebook.com/privacy/policy/; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland);
Opt-Out:We refer to the privacy and advertising settings in the users' profiles on
the Facebook platforms, as well as to Facebook's consent procedures and
contact options for exercising access and other data subject rights, as
described in Facebook's privacy policy.
Further Information:User event data, i.e. behavioral and
interest data, is processed for the purposes of targeted advertising and
audience building on the basis of the joint controllership agreement
("Controller Addendum",
https://www.facebook.com/legal/controller_addendum). The joint controllership is limited to the collection and transfer of
the data to Meta Platforms Ireland Limited, a company located in the EU.
Further processing of the data is the sole responsibility of Meta Platforms
Ireland Limited, which concerns in particular the transfer of the data to
the parent company Meta Platforms, Inc. in the USA (on the basis of standard
contractual clauses concluded between Meta Platforms Ireland Limited and
Meta Platforms, Inc.).
-
Google Ad Manager: We use the service "Google Ad Manager"
to place ads in the Google advertising network (e.g. in search results,
videos, websites, etc.). The Google Ad Manager stands out because ads are
displayed in real time based on users' presumed interests. This allows us to
display ads for our online offering to users who may have a potential
interest in our offering or who have previously shown interest, and measure
the success of the ads; Service provider: Google Ireland
Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://marketingplatform.google.com; Privacy Policy:
https://policies.google.com/privacy; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland);
Further Information:Types of processing and data processed:
https://business.safety.google/adsservices/; Google Ads Controller-Controller Data Protection Terms and standard
contractual clauses for data transfers to third countries:
https://business.safety.google/adscontrollerterms. where Google acts as processor, Data Processing Conditions for Google
Advertising Products and standard contractual clauses for data transfers to
third countries:
https://business.safety.google/adsprocessorterms
apply.
-
Google Ads and Conversion Tracking: Online marketing
process for purposes of placing content and advertisements within the
provider's advertising network (e.g., in search results, in videos, on web
pages, etc.) so that they are displayed to users who have a presumed
interest in the ads. Furthermore, we measure the conversion of the ads, i.e.
whether the users took them as a reason to interact with the ads and make
use of the advertised offers (so-called conversion). However, we only
receive anonymous information and no personal information about individual
users; Service provider: Google Ireland Limited, Gordon
House, Barrow Street, Dublin 4, Ireland;
Legal Basis:Consent (Article 6 (1) (a) GDPR), Legitimate
Interests (Article 6 (1) (f) GDPR);
Website:
https://marketingplatform.google.com; Privacy Policy:
https://policies.google.com/privacy; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland);
Further Information:Types of processing and data processed:
https://business.safety.google/adsservices/. Google Ads Controller-Controller Data Protection Terms and standard
contractual clauses for data transfers to third countries:
https://business.safety.google/adscontrollerterms.
-
Google Ads Remarketing: Google Remarketing, also known as
retargeting, is a technology that adds users who use an online service to a
pseudonymous remarketing list so that users can be shown ads on other online
services based on their visit to the online service
;Service provider: Google Ireland Limited, Gordon
House, Barrow Street, Dublin 4, Ireland;
Legal Basis:Consent (Article 6 (1) (a) GDPR);
Website:
https://marketingplatform.google.com; Privacy Policy:
https://policies.google.com/privacy; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland);
Further Information:Types of processing and data processed:
https://business.safety.google/adsservices/. Google Ads Controller-Controller Data Protection Terms and standard
contractual clauses for data transfers to third countries:
https://business.safety.google/adscontrollerterms.
-
Enhanced Conversions for Google Ads: When users click on
our Google ads and subsequently use the advertised service (so-called
"conversion"), the data entered by the user, such as email address, name,
residential address or telephone number, may be transmitted to Google. The
hash values are then matched with existing Google accounts of the users to
better evaluate and improve their interaction with the ads (e.g., clicks or
views) and thus their performance;
Legal Basis:Consent (Article 6 (1) (a) GDPR).
Website:
https://support.google.com/google-ads/answer/9888656.
-
Google Adsense with personalized ads: We integrate the
service Google Adsense, which enables the placement of personalized
advertisements within our online offering. Google Adsense analyzes user
behavior and uses this data to deliver targeted advertising that is aligned
with the interests of our visitors. We receive financial compensation for
each advertisement placement or other types of usage of these ads;
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Legal Basis:Consent (Article 6 (1) (a) GDPR);
Website:
https://marketingplatform.google.com; Privacy Policy:
https://policies.google.com/privacy; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland);
Further Information:Types of processing and data processed:
https://business.safety.google/adsservices/. Google Ads Controller-Controller Data Protection Terms and standard
contractual clauses for data transfers to third countries:
https://business.safety.google/adscontrollerterms.
-
Google Adsense with non-personalized ads: We use the
service Google Adsense to display non-personalised advertisements in our
online offering. These advertisements are not based on individual user
behaviour but are selected based on general characteristics such as the
content of the page or your approximate geographical location. We receive a
fee for the display or other use of these advertisements;
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Legal Basis:Consent (Article 6 (1) (a) GDPR);
Website:
https://marketingplatform.google.com; Privacy Policy:
https://policies.google.com/privacy; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland);
Further Information:Types of processing and data processed:
https://business.safety.google/adsservices/. Google Ads Controller-Controller Data Protection Terms and standard
contractual clauses for data transfers to third countries:
https://business.safety.google/adscontrollerterms.
-
Instagram Ads: Placement of ads within the Instagram
platform and analysis of ad results; Service provider: Meta
Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
Legal Basis:Consent (Article 6 (1) (a) GDPR);
Website:
https://www.instagram.com; Privacy Policy:
https://privacycenter.instagram.com/policy/; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland);
Opt-Out:We refer to the data protection and advertising settings in the user's
profile on the Instagram platform as well as Instagram's consent procedure
and Instagram's contact options for exercising information and other data
subject rights in Instagram's privacy policy.
Further Information:User event data, i.e. behavioral and
interest data, is processed for the purposes of targeted advertising and
audience building on the basis of the joint controllership agreement
("Controller Addendum",
https://www.facebook.com/legal/controller_addendum). The joint controllership is limited to the collection and transfer of
the data to Meta Platforms Ireland Limited, a company located in the EU.
Further processing of the data is the sole responsibility of Meta Platforms
Ireland Limited, which concerns in particular the transfer of the data to
the parent company Meta Platforms, Inc. in the USA (on the basis of standard
contractual clauses concluded between Meta Platforms Ireland Limited and
Meta Platforms, Inc.).
-
UTM Parameter: Analysis of sources and user actions based
on an extension of web addresses referring to us with an additional
parameter, the "UTM" parameter. For example, a UTM parameter
"utm_source=platformX &utm_medium=video" can tell us that a person clicked
the link on platform X within a video. The UTM parameters provide
information about the source of the link, the medium used (e.g. social
media, website, newsletter), the type of campaign or the content of the
campaign (e.g. posting, link, image and video). With the help of this
information, we can, for example, check our visibility on the Internet or
the effectiveness of our campaigns;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR).
Affiliate-Programms und Affiliate-Links
Within our online services, we include so-called affiliate links or other
references (which for example may include search forms, widgets or discount
codes) to the offers and services of third parties (collectively referred to
as "affiliate links"). When users follow affiliate links or subsequently take
advantage of offers, we may receive commission or other benefits (collectively
referred to as "commission") from these third parties.
In order to be able to track whether the users have followed the offers of an
affiliate link used by us, it is necessary for the respective third party to
know that the users have followed an affiliate link used within our online
services. The assignment of affiliate links to the respective business
transactions or other actions (e.g., purchases) serves the sole purpose of
commission settlement and is removed as soon as it is no longer required for
this purpose.
For the purposes of the aforementioned affiliate link assignment, the
affiliate links may be supplemented by certain values that may be a component
of the link or otherwise stored, for example, in a cookie. The values may
include in particular the source website (referrer), time, an online
identifier of the operator of the website on which the affiliate link was
located, an online identifier of the respective offer, the type of link used,
the type of offer and an online identifier of the user.
Information on legal basis:If we ask the users for their
consent to the use of third party providers, the legal basis of the processing
is consent. Otherwise, user data will be processed on the basis of our
legitimate interests (i.e. interest in efficient, economic and recipient
friendly services). In this context, we would also like to refer you to the
information on the use of cookies in this privacy policy.
-
Processed data types:Contract data (e.g. contract object,
duration, customer category); Usage data (e.g. page views and duration of
visit, click paths, intensity and frequency of use, types of devices and
operating systems used, interactions with content and features). Meta,
communication and process data (e.g. IP addresses, timestamps,
identification numbers, involved parties).
-
Data subjects:Prospective customers. Users (e.g. website
visitors, users of online services).
-
Purposes of processing:Affiliate Tracking.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Consent (Article 6 (1) (a) GDPR). Legitimate
Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
AWIN Affiliate Program (formerly Zanox and Affilinet):
Affiliate marketing partner program; Service provider: AWIN AG, Eichhornstr. 3, 10785 Berlin, Germany;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.awin.com;
Privacy Policy:
https://www.awin.com/gb/legal/privacy-policy-gb. Basis for third-country transfers:Switzerland - Adequacy
decision (Germany).
Affiliate Program
We offer an affiliate program, i.e. we offer commissions or other benefits
(collectively referred to as "Commission") to users (collectively referred to
as "Affiliates") who refer to our offers and services. The reference is made
through a link associated with the Affiliate or other methods (e.g., discount
codes) that allow us to recognize that the use of our services was based on
the reference (collectively referred to as "Affiliate Links").
In order to track whether users have perceived our services based on affiliate
links used by affiliates, it is necessary for us to know that users have
followed an affiliate link. The assignment of affiliate links to the
respective business transactions or other use of our services serves solely
the purpose of Commission billing and will be cancelled as soon as it is no
longer necessary for the purpose.
For the purposes of the aforementioned affiliate link assignment, the
affiliate links may be supplemented by certain values that may be a component
of the link or otherwise stored, for example, in a cookie. The values may
include in particular the source website (referrer), time, an online
identifier of the operator of the website on which the affiliate link was
located, an online identifier of the respective service, the type of link
used, the type of service and an online identifier of the user.
Information on legal basis:The processing of the data of our
partners is carried out for the provision of our (pre)contractual services.
The users' data is processed on the basis of their consent.
-
Processed data types:Contract data (e.g. contract object,
duration, customer category); Usage data (e.g. page views and duration of
visit, click paths, intensity and frequency of use, types of devices and
operating systems used, interactions with content and features). Log data
(e.g. log files concerning logins or data retrieval or access times.).
-
Data subjects:Users (e.g. website visitors, users of online
services). Business and contractual partners.
-
Purposes of processing:Provision of contractual services
and fulfillment of contractual obligations. Affiliate Tracking.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR).
Customer Reviews and Ratings
We participate in review and rating procedures to evaluate, optimise and
advertise our performance. If users rate us via the participating rating
platforms or methods or otherwise provide feedback, the General Terms and
Conditions of Business or Use and the data protection information of the
providers also apply. As a rule, the rating also requires registration with
the respective provider.
In order to ensure that the evaluators have actually made use of our services,
we transmit, with the consent of the customer, the necessary data relating to
the customer and the service or products used to the respective rating
platform (this includes the name, e-mail address, order number or article
number). This data is used solely to verify the authenticity of the user.
-
Processed data types:Contract data (e.g. contract object,
duration, customer category); Usage data (e.g. page views and duration of
visit, click paths, intensity and frequency of use, types of devices and
operating systems used, interactions with content and features). Meta,
communication and process data (e.g. IP addresses, timestamps,
identification numbers, involved parties).
-
Data subjects:Service recipients and clients. Users (e.g.
website visitors, users of online services).
-
Purposes of processing:Feedback (e.g. collecting feedback
via online form). Marketing.
-
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
Rating Widget: We include so-called " rating widgets " in
our online services. A widget is a functional and content element integrated
within our online services that displays variable information (e.g. a widget
can be displayed in the form of a seal or a badge). Although the
corresponding content of the widget is displayed within our online services,
it is retrieved from the servers of the respective widget provider at this
moment. This is the only way to always show the current content, especially
the current rating. For this purpose, a data connection must be established
from the website accessed within our online service to the widget provider's
server and the widget provider receives certain technical data (access data,
including the IP address) that is necessary for the content of the widget to
be delivered to the user's browser.
In addition, the widget provider receives information that users have
visited our online services. This information may be stored in a cookie and
used by the widget provider to identify which online offerings participating
in the rating process have been visited by the user. The information can be
stored in a user profile and used for advertising or market research
purposes;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR).
Profiles in Social Networks (Social Media)
We maintain online presences within social networks and process user data in
this context in order to communicate with the users active there or to offer
information about us.
We would like to point out that user data may be processed outside the
European Union. This may entail risks for users, e.g. by making it more
difficult to enforce users' rights.
In addition, user data is usually processed within social networks for market
research and advertising purposes. For example, user profiles can be created
on the basis of user behaviour and the associated interests of users. The user
profiles can then be used, for example, to place advertisements within and
outside the networks which are presumed to correspond to the interests of the
users. For these purposes, cookies are usually stored on the user's computer,
in which the user's usage behaviour and interests are stored. Furthermore,
data can be stored in the user profiles independently of the devices used by
the users (especially if the users are members of the respective networks or
will become members later on).
For a detailed description of the respective processing operations and the
opt-out options, please refer to the respective data protection declarations
and information provided by the providers of the respective networks.
Also in the case of requests for information and the exercise of rights of
data subjects, we point out that these can be most effectively pursued with
the providers. Only the providers have access to the data of the users and can
directly take appropriate measures and provide information. If you still need
help, please do not hesitate to contact us.
-
Processed data types:Contact data (e.g. postal and email
addresses or phone numbers); Content data (e.g. textual or pictorial
messages and contributions, as well as information pertaining to them, such
as details of authorship or the time of creation.); Usage data (e.g. page
views and duration of visit, click paths, intensity and frequency of use,
types of devices and operating systems used, interactions with content and
features). Meta, communication and process data (e.g. IP addresses,
timestamps, identification numbers, involved parties).
-
Data subjects:Users (e.g. website visitors, users of online
services).
-
Purposes of processing:Communication; Feedback (e.g.
collecting feedback via online form). Public relations.
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR).
Consent (Article 6 (1) (a) GDPR).
Further information on processing methods, procedures and services used:
-
Instagram: Social network, allows the sharing of photos and
videos, commenting on and favouriting posts, messaging, subscribing to
profiles and pages; Service provider: Meta Platforms
Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.instagram.com; Privacy Policy:
https://privacycenter.instagram.com/policy/. Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
-
Facebook Pages: Profiles within the social network Facebook
- We are jointly responsible (so called "joint controller") with Meta
Platforms Ireland Limited for the collection (but not the further
processing) of data of visitors to our Facebook page. This data includes
information about the types of content users view or interact with, or the
actions they take (see "Things that you and others do and provide" in the
Facebook Data Policy:
https://www.facebook.com/privacy/policy/), and information about the devices used by users (e.g., IP addresses,
operating system, browser type, language settings, cookie information; see
"Device Information" in the Facebook Data Policy:
https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under "How we use this
information?" Facebook also collects and uses information to provide
analytics services, known as "page insights," to site operators to help them
understand how people interact with their pages and with content associated
with them. We have concluded a special agreement with Facebook ("Information
about Page-Insights",
https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular the security measures that Facebook must
observe and in which Facebook has agreed to fulfill the rights of the
persons concerned (i.e. users can send information access or deletion
requests directly to Facebook). The rights of users (in particular to access
to information, erasure, objection and complaint to the competent
supervisory authority) are not restricted by the agreements with Facebook.
Further information can be found in the "Information about Page Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data). The joint controllership is limited to the collection and transfer of
the data to Meta Platforms Ireland Limited, a company located in the EU.
Further processing of the data is the sole responsibility of Meta Platforms
Ireland Limited; Service provider: Meta Platforms Ireland
Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.facebook.com; Privacy Policy:
https://www.facebook.com/privacy/policy/. Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
-
Facebook-Groups: We use the "Groups" function of the
Facebook platform to create interest groups within which Facebook users can
contact each other or us and exchange information. In doing so, we process
personal data of the users of our groups as far as this is necessary for the
purpose of the group use as well as its moderation. These data include
information on first and last names, as well as published or privately
shared content, as well as values on the status of group membership or
group-related activities, such as entry or exit, as well as the time
information on the aforementioned data. Our guidelines within the groups may
contain further specifications and information on the use of the respective
group. Furthermore, we would like to point out the processing of data of the
users by Facebook itself. This data includes information about the types of
content users view or interact with, or the actions they take (see under
"Things You and Others Do and Provide" in the Facebook Data Policy:
https://www.facebook.com/privacy/policy/), as well as information about the devices users use (e.g., IP addresses,
operating system, browser type, language settings, cookie data; see under
"Device Information" in the Facebook Data Policy:
https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under "How do we use this
information?", Facebook also collects and uses information to provide
analytics services, called "Insights," to group operators to provide them
with insights about how people interact with their groups and with content
associated with them; Service provider: Meta Platforms
Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.facebook.com; Privacy Policy:
https://www.facebook.com/privacy/policy/. Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
-
LinkedIn: Social network - We are jointly responsible with
LinkedIn Ireland Unlimited Company for the collection (but not the further
processing) of visitor data, which is used to create "Page Insights"
(statistics) for our LinkedIn profiles. This data includes information about
the types of content users view or interact with, as well as the actions
they take. It also includes details about the devices used, such as IP
addresses, operating systems, browser types, language settings, and cookie
data, as well as profile details of users, such as job function, country,
industry, seniority, company size, and employment status. Privacy
information regarding the processing of user data by LinkedIn can be found
in LinkedIn's privacy policy:
https://www.linkedin.com/legal/privacy-policy.
We have entered into a special agreement with LinkedIn Ireland ("Page
Insights Joint Controller Addendum,"
https://legal.linkedin.com/pages-joint-controller-addendum), which specifically regulates the security measures LinkedIn must comply
with and in which LinkedIn has agreed to fulfill the rights of data subjects
(i.e., users can, for example, direct requests for information or deletion
directly to LinkedIn). The rights of users (particularly the right to
information, deletion, objection, and to lodge a complaint with the
competent supervisory authority) are not restricted by our agreements with
LinkedIn. The joint responsibility is limited to the collection of data and
its transmission to LinkedIn Ireland Unlimited Company, a company based in
the EU. Further processing of the data is the sole responsibility of
LinkedIn Ireland Unlimited Company, particularly concerning the transfer of
data to the parent company LinkedIn Corporation in the USA;
Service provider: LinkedIn Ireland Unlimited Company,
Wilton Place, Dublin 2, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://www.linkedin.com; Privacy Policy:
https://www.linkedin.com/legal/privacy-policy; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
Opt-Out:
https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
-
TikTok: Social network, allows the sharing of photos and
videos, commenting on and favouriting posts, messaging, subscribing to
accounts; Service provider: TikTok Technology Limited, 10
Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information
Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United
Kingdom, EC1A 9HP;
Legal Basis:Consent (Article 6 (1) (a) GDPR);
Website:
https://www.tiktok.com;
Privacy Policy:
https://www.tiktok.com/de/privacy-policy. Basis for third-country transfers:EEA - Standard
Contractual Clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms), Switzerland - Standard Contractual Clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).
-
X: Social network; Service provider:
Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2
D02 AX07, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://x.com;Privacy Policy:
https://x.com/privacy.Basis for third-country transfers:Switzerland - Adequacy
decision (Ireland).
-
YouTube: Social network and video platform;
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Privacy Policy:
https://policies.google.com/privacy; Basis for third-country transfers:EEA - Data Privacy
Framework (DPF), Switzerland - Adequacy decision (Ireland).
Opt-Out:
https://myadcenter.google.com/personalizationoff.
Management, Organization and Utilities
We use services, platforms and software from other providers (hereinafter
referred to as " third-party providers") for the purposes of organizing,
administering, planning and providing our services. When selecting third-party
providers and their services, we comply with the legal requirements.
Within this context, personal data may be processed and stored on the servers
of third-party providers. This may include various data that we process in
accordance with this privacy policy. This data may include in particular
master data and contact data of users, data on processes, contracts, other
processes and their contents.
If users are referred to the third-party providers or their software or
platforms in the context of communication, business or other relationships
with us, the third-party provider processing may process usage data and
metadata that can be processed by them for security purposes, service
optimisation or marketing purposes. We therefore ask you to read the data
protection notices of the respective third party providers.
-
Processed data types:Content data (e.g. textual or
pictorial messages and contributions, as well as information pertaining to
them, such as details of authorship or the time of creation.); Usage data
(e.g. page views and duration of visit, click paths, intensity and frequency
of use, types of devices and operating systems used, interactions with
content and features). Meta, communication and process data (e.g. IP
addresses, timestamps, identification numbers, involved parties).
-
Data subjects:Communication partner (Recipients of e-mails,
letters, etc.); Users (e.g. website visitors, users of online services).
Third parties.
-
Purposes of processing:Provision of contractual services
and fulfillment of contractual obligations; Office and organisational
procedures. Artificial Intelligence (AI).
-
Retention and deletion:Deletion in accordance with the
information provided in the section "General Information on Data Retention
and Deletion".
-
Legal Basis:Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
-
AI software (on own server): Use of "artificial
intelligence" in the applicable legal sense of the term, i.e., software that
is primarily based on specific logic and is essentially autonomous in its
ability to understand and produce natural language or other input, output,
and data, analyze information, and make predictions;
Service provider: Executed on servers and/or computers under our controllership;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR).
-
ChatGPT: AI-based service designed to understand and
generate natural language and related input and data, analyze information,
and make predictions ("AI", meaning "Artificial Intelligence" shall be
construed in the applicable legal sense of the term);
Service provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1,
Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://openai.com/product; Privacy Policy:
https://openai.com/de/policies/eu-privacy-policy; Basis for third-country transfers:Switzerland - Adequacy
decision (Ireland). Opt-Out:
https://docs.google.com/forms/d/e/1FAIpQLSevgtKyiSWIOj6CV6XWBHl1daPZSOcIWzcUYUXQ1xttjBgDpA/viewform.
-
DALL-E: AI-based image processing service designed to
understand and generate natural language and related input and data, analyze
information, and make predictions ("AI", meaning "Artificial Intelligence"
shall be construed in the applicable legal sense of the term);
Service provider: OpenAI OpCo, LLC, 3180 18th St., San Francisco, CA 94110 USA;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://openai.com/product; Privacy Policy:
https://openai.com/policies/privacy-policy. Opt-Out:
https://docs.google.com/forms/d/e/1FAIpQLSevgtKyiSWIOj6CV6XWBHl1daPZSOcIWzcUYUXQ1xttjBgDpA/viewform.
-
OpenAI API: Interface access (so-called "API") to AI-based
services designed to understand and generate natural language and related
inputs, analyze information, and make predictions ("AI", i.e., "Artificial
Intelligence", is to be understood in the legal sense of the term as
applicable). The provision of AI services includes the processing (including
collection, storage, organization, and structuring) of personal data as part
of a machine learning process based on natural language; conducting
activities to verify or maintain the quality of the services; identifying
and correcting errors that impair the existing intended functionality, as
well as supporting efforts to ensure the security and integrity of the AI
services; Service provider: OpenAI Ireland Ltd, 117-126
Sheriff Street Upper, D01 YC43 Dublin 1, Ireland;
Legal Basis:Legitimate Interests (Article 6 (1) (f)
GDPR);
Website:
https://openai.com/product; Privacy Policy:
https://openai.com/de/policies/eu-privacy-policy; Data Processing Agreement:
https://openai.com/policies/data-processing-addendum; Basis for third-country transfers:EEA - Standard
Contractual Clauses (https://openai.com/policies/data-processing-addendum), Switzerland - Adequacy decision (Ireland). Opt-Out:
https://docs.google.com/forms/d/e/1FAIpQLSevgtKyiSWIOj6CV6XWBHl1daPZSOcIWzcUYUXQ1xttjBgDpA/viewform.
Processing of data in the context of employment relationships
In the context of employment relationships, the processing of personal data
aims to effectively manage the establishment, execution, and termination of
such relationships. This data processing supports various operational and
administrative functions necessary for managing employee relations.
The data processing covers various aspects ranging from contract initiation to
termination. Included are the organization and management of daily working
hours, management of access rights and permissions, as well as handling
personnel development measures and staff appraisals. The processing also
serves payroll accounting and management of wage and salary payments, which
represent critical aspects of contract execution.
Additionally, the data processing considers legitimate interests of the
responsible employer, such as ensuring workplace safety or capturing
performance data for evaluating and optimizing operational processes.
Moreover, the data processing includes disclosing employee data in external
communication and publication processes where necessary for operational or
legal purposes.
The processing of this data always takes place with due regard for the
applicable legal frameworks, aiming always to create and maintain a fair and
efficient working environment. This also includes considering the privacy of
affected employees, anonymizing or deleting data after fulfilling the
processing purpose or according to legal retention periods.
-
Processed data types:Employee Data (Information about
employees and other individuals in an employment relationship).
-
Data subjects:Employees (e.g. employees, job applicants,
temporary workers, and other personnel.).
-
Purposes of processing:Establishment and execution of
employment relationships (Processing of employee data in the context of the
establishment and execution of employment relationships). Business processes
and management procedures.
-
Legal Basis:Performance of a contract and prior requests
(Article 6 (1) (b) GDPR); Compliance with a legal obligation (Article 6 (1)
(c) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR). Healthcare,
occupational and social security processing of special categories of
personal data (Article 9 (2)(h) GDPR).
Further information on processing methods, procedures and services used:
-
Deletion of Employee Data: Employee data in Switzerland is
deleted when it is no longer required for the purpose for which it was
collected, unless it must be retained or archived due to legal obligations
or due to the interests of the employer. The following retention and
archiving obligations are observed:
-
10 years - Retention period for ledgers and records, annual accounts,
inventories, management reports, opening balances, accounting vouchers,
and invoices, as well as all required work instructions and other
organisational documents (Art. 958f of the Swiss Code of Obligations
(OR)).
-
10 years - Data necessary for considering potential claims for damages
or similar contractual claims and rights, as well as for processing
associated inquiries, based on past business experiences and usual
industry practices, are stored for the statutory limitation period of
ten years, unless a shorter period of five years is applicable, which is
relevant in certain cases (Art. 127, 130 OR). Claims expire after five
years for rental, lease and capital interest payments, and other
periodic services, from the supply of food, for catering and innkeeper
debts, as well as from craftsmanship, retail sale of goods, medical
care, professional work of lawyers, legal agents, solicitors, and
notaries, and from the employment relationship of employees (Art. 128
OR).
.
-
10 years - Mandatory retention period for finance-related accounting
documents and corresponding business correspondence as per the Business
Recordkeeping Ordinance (GeBüV), specifically pertaining to financial
documents of employees (e.g., payroll, social insurance) and clients
(e.g., accounts receivable management, pension contracts).
-
5 years - Mandatory retention period for employment-related documents as
per Art. 73 of Ordinance 1 on the Labour Law (ArGV1), specifically for
documents relating to personal details, type of employment, entry/exit,
work/break/rest periods, salary supplements, and medical evaluations.
Changes and Updates
We kindly ask you to inform yourself regularly about the contents of our data
protection declaration. We will adjust the privacy policy as changes in our
data processing practices make this necessary. We will inform you as soon as
the changes require your cooperation (e.g. consent) or other individual
notification.
If we provide addresses and contact information of companies and organizations
in this privacy policy, we ask you to note that addresses may change over time
and to verify the information before contacting us.
Terminology and Definitions
In this section, you will find an overview of the terminology used in this
privacy policy. Where the terminology is legally defined, their legal
definitions apply. The following explanations, however, are primarily intended
to aid understanding.
-
Affiliate Tracking:Affiliate tracking logs links that the
linking websites use to refer users to websites with products or other
offers. The owners of the respective linked websites can receive a
commission if users follow these so-called "affiliate links" and
subsequently take advantage of the offers (e.g. buy goods or use services).
To this end, it is necessary for providers to be able to track whether users
who are interested in certain offers subsequently follow the affiliate
links. It is therefore necessary for the functionality of affiliate links
that they are supplemented by certain values that become part of the link or
are otherwise stored, e.g. in a cookie. The values include in particular the
source website (referrer), time, an online identification of the owner of
the website on which the affiliate link was located, an online
identification of the respective offer, an online identifier of the user, as
well as tracking specific values such as advertising media ID, partner ID
and categorizations
-
Artificial Intelligence (AI):The purpose of processing data
through Artificial Intelligence (AI) includes the automated analysis and
processing of user data to identify patterns, make predictions, and improve
the efficiency and quality of our services. This involves the collection,
cleansing, and structuring of data, training and applying AI models, as well
as the continuous review and optimisation of results, and is carried out
exclusively with users' consent or based on legal authorisation grounds.
-
Clicktracking:Clicktracking allows users to keep track of
their movements within an entire website. Since the results of these tests
are more accurate if the interaction of the users can be followed over a
certain period of time (e.g. if a user likes to return), cookies are usually
stored on the computers of the users for these test purposes.
-
Contact data:Contact details are essential information that
enables communication with individuals or organizations. They include, among
others, phone numbers, postal addresses, and email addresses, as well as
means of communication like social media handles and instant messaging
identifiers.
-
Content Delivery Network (CDN):A "Content Delivery Network"
(CDN) is a service with whose help contents of our online services, in
particular large media files, such as graphics or scripts, can be delivered
faster and more securely with the help of regionally distributed servers
connected via the Internet.
-
Content data:Content data comprise information generated in
the process of creating, editing, and publishing content of all types. This
category of data may include texts, images, videos, audio files, and other
multimedia content published across various platforms and media. Content
data are not limited to the content itself but also include metadata
providing information about the content, such as tags, descriptions,
authorship details, and publication dates.
-
Contract data:Contract data are specific details pertaining
to the formalisation of an agreement between two or more parties. They
document the terms under which services or products are provided, exchanged,
or sold. This category of data is essential for managing and fulfilling
contractual obligations and includes both the identification of the
contracting parties and the specific terms and conditions of the agreement.
Contract data may encompass the start and end dates of the contract, the
nature of the agreed-upon services or products, pricing arrangements,
payment terms, termination rights, extension options, and special conditions
or clauses. They serve as the legal foundation for the relationship between
the parties and are crucial for clarifying rights and duties, enforcing
claims, and resolving disputes.
-
Controller:"Controller" means the natural or legal person,
public authority, agency or other body which, alone or jointly with others,
determines the purposes and means of the processing of personal data.
-
Conversion tracking:Conversion tracking is a method used to
evaluate the effectiveness of marketing measures. For this purpose, a cookie
is usually stored on the devices of the users within the websites on which
the marketing measures take place and then called up again on the target
website (e.g. we can thus trace whether the advertisements placed by us on
other websites were successful).
-
Employees:As employees, individuals are those who are
engaged in an employment relationship, whether as staff, employees, or in
similar positions. Employment refers to a legal relationship between an
employer and an employee, established through an employment contract or
agreement. It entails the obligation of the employer to pay the employee
remuneration while the employee performs their work. The employment
relationship encompasses various stages, including establishment, where the
employment contract is concluded, execution, where the employee carries out
their work activities, and termination, when the employment relationship
ends, whether through termination, mutual agreement, or otherwise. Employee
data encompasses all information pertaining to these individuals within the
context of their employment. This includes aspects such as personal
identification details, identification numbers, salary and banking
information, working hours, holiday entitlements, health data, and
performance assessments.
-
Inventory data:Inventory data encompass essential
information required for the identification and management of contractual
partners, user accounts, profiles, and similar assignments. These data may
include, among others, personal and demographic details such as names,
contact information (addresses, phone numbers, email addresses), birth
dates, and specific identifiers (user IDs). Inventory data form the
foundation for any formal interaction between individuals and services,
facilities, or systems, by enabling unique assignment and communication.
-
Location data:Location data is created when a mobile device
(or another device with the technical requirements for a location
determination) connects to a radio cell, a WLAN or similar technical means
and functions of location determination. Location data serve to indicate the
geographically determinable position of the earth at which the respective
device is located. Location data can be used, for example, to display map
functions or other information dependent on a location.
-
Log data:Protocol data, or log data, refer to information
regarding events or activities that have been logged within a system or
network. These data typically include details such as timestamps, IP
addresses, user actions, error messages, and other specifics about the usage
or operation of a system. Protocol data is often used for analyzing system
issues, monitoring security, or generating performance reports.
-
Meta, communication and process data:Meta-, communication,
and procedural data are categories that contain information about how data
is processed, transmitted, and managed. Meta-data, also known as data about
data, include information that describes the context, origin, and structure
of other data. They can include details about file size, creation date, the
author of a document, and modification histories. Communication data capture
the exchange of information between users across various channels, such as
email traffic, call logs, messages in social networks, and chat histories,
including the involved parties, timestamps, and transmission paths.
Procedural data describe the processes and operations within systems or
organisations, including workflow documentations, logs of transactions and
activities, and audit logs used for tracking and verifying procedures.
-
Payment Data:Payment data comprise all information
necessary for processing payment transactions between buyers and sellers.
This data is crucial for e-commerce, online banking, and any other form of
financial transaction. It includes details such as credit card numbers, bank
account information, payment amounts, transaction dates, verification
numbers, and billing information. Payment data may also contain information
on payment status, chargebacks, authorizations, and fees.
-
Personal Data:"personal data" means any information
relating to an identified or identifiable natural person ("data subject");
an identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person.
-
Processing:The term "processing" covers a wide range and
practically every handling of data, be it collection, evaluation, storage,
transmission or erasure.
-
Profiles with user-related information:The processing of
"profiles with user-related information", or "profiles" for short, includes
any kind of automated processing of personal data that consists of using
these personal data to analyse, evaluate or predict certain personal aspects
relating to a natural person (depending on the type of profiling, this may
include different information concerning demographics, behaviour and
interests, such as interaction with websites and their content, etc.) (e.g.
interests in certain content or products, click behaviour on a website or
location). Cookies and web beacons are often used for profiling purposes.
-
Remarketing:Remarketing" or "retargeting" is the term used,
for example, to indicate for advertising purposes which products a user is
interested in on a website in order to remind the user of these products on
other websites, e.g. in advertisements.
-
Targeting:"Tracking" is the term used when the behaviour of
users can be traced across several websites. As a rule, behavior and
interest information with regard to the websites used is stored in cookies
or on the servers of the tracking technology providers (so-called
profiling). This information can then be used, for example, to display
advertisements to users presumably corresponding to their interests.
-
Usage data:Usage data refer to information that captures
how users interact with digital products, services, or platforms. These data
encompass a wide range of information that demonstrates how users utilise
applications, which features they prefer, how long they spend on specific
pages, and through what paths they navigate an application. Usage data can
also include the frequency of use, timestamps of activities, IP addresses,
device information, and location data. They are particularly valuable for
analysing user behaviour, optimising user experiences, personalising
content, and improving products or services. Furthermore, usage data play a
crucial role in identifying trends, preferences, and potential problem areas
within digital offerings
-
Web Analytics:Web Analytics serves the evaluation of
visitor traffic of online services and can determine their behavior or
interests in certain information, such as content of websites. With the help
of web analytics, website owners, for example, can recognize at what time
visitors visit their website and what content they are interested in. This
enables them, for example, to better adapt the content of their websites to
the needs of their visitors. For the purposes of web analytics ,
pseudonymous cookies and web beacons are often used to recognize returning
visitors and thus obtain more precise analyses of the use of an online
service.