Privacy policy

Introduction

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also briefly referred to as "data") we process for which purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and especially on our websites, in mobile applications, as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").

The terms used are not gender-specific.

As of: November 21, 2019

Introduction
Responsible person
Overview of Processing
Binding Legal Bases
Transmission and Disclosure of Personal Data
Data processing in third countries
Use of Cookies
Commercial and business services
Use of Online Marketplaces for E-Commerce
Payment Service Provider
Registration and Login
Blogs and Publication Media
Contact
Communication via Messenger
Online conferences, meetings, and webinars
Chatbots
Surveys and Questionnaires
Provision of the online service and web hosting
Application Process
Cloud Services
Newsletter and Mass Communication
Advertising communication via mail, fax, or telephone
Giveaways and Contests
Web Analysis and Optimization
Online Marketing
Offer of an Affiliate Program
Review Platforms
Presence on social networks
Plugins and embedded functions as well as content
Planning, Organization, and Auxiliary Tools
Deletion of Data
Change and Update of the Privacy Policy
Rights of the data subjects
Definitions of Terms

Responsible person

HALM Straws GmbH
Thaerstraße 19
10249 Berlin

Authorized RepresentativesSebastian Müller

Email address: contact@halm.co

Imprint: https://www.halm.co/policies/legal-notice

Overview of Processing

The following overview summarizes the types of processed data and the purposes of their processing, and refers to the affected individuals.

Types of Processed Data

Inventory data (e.g., names, addresses).
Applicant data (e.g., personal information, postal and contact addresses, application documents and the information contained therein, such as cover letters, resumes, certificates, as well as other information voluntarily provided by applicants regarding a specific position or their personal details or qualifications).
Content data (e.g., text entries, photographs, videos).
Contact details (e.g. email, phone numbers).
Meta/communication data (e.g., device information, IP addresses).
Usage data (e.g., visited websites, interest in content, access times).
Social data (data subject to social confidentiality (§ 35 SGB I) and processed, for example, by social insurance institutions, social welfare agencies, or pension authorities).
Location data (data that indicates the location of an end user's device).
Contract data (e.g., contract subject, duration, customer category).
Payment data (e.g., bank details, invoices, payment history).

Purposes of processing

Affiliate Tracking.
Provision of our online offer and user-friendliness.
Visitor campaign evaluation.
Application process (justification and possible later implementation as well as possible later termination of the employment relationship).
Office and organizational procedures.
Click tracking.
Cross-device tracking (cross-device processing of user data for marketing purposes).
Direct marketing (e.g., via email or postal mail).
Conducting sweepstakes and competitions.
Feedback (e.g., collecting feedback via online form).
Interest-based and behavioral marketing.
Contact requests and communication.
Conversion tracking (measurement of the effectiveness of marketing activities).
Profiling (Creating user profiles).
Remarketing.
Reach measurement (e.g., access statistics, recognition of returning visitors).
Safety measures.
Tracking (e.g., interest-/behavior-based profiling, use of cookies).
Contractual Services and Support.
Management and response to inquiries.
Target group formation (determination of target groups relevant for marketing purposes or other distribution of content).

Binding Legal Bases

Below we share the legal bases of the General Data Protection Regulation (GDPR) on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations in your or our country of residence and domicile may also apply.

Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) - The data subject has given their consent to the processing of their personal data for one or more specific purposes.
Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR) - The processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures taken at the request of the data subject.
Legal obligation (Art. 6 para. 1 sentence 1 lit. c. GDPR) - The processing is necessary to fulfill a legal obligation to which the controller is subject.
Protection of vital interests (Art. 6 para. 1 sentence 1 lit. d. GDPR) - The processing is necessary to protect the vital interests of the data subject or another natural person.
Authorized interests (Art. 6 para. 1 sentence 1 lit. f. GDPR) - The processing is necessary to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail.
Art. 9 para. 1 sentence 1 lit. b GDPR (Application procedure as a pre-contractual or contractual relationship) (If special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g. health data, such as severe disability status or ethnic origin) are requested from applicants in the context of the application procedure, so that the controller or the data subject can exercise the rights arising from labor law and social security and social protection law and fulfill his or her related obligations, their processing takes place in accordance with Art. 9 para. 2 lit. b GDPR, in the case of the protection of vital interests of the applicants or other persons pursuant to Art. 9 para. 2 lit. c GDPR or for purposes of health care or occupational medicine, for the assessment of the employee's ability to work, for medical diagnosis, care or treatment in the health or social sector or for the management of systems and services in the health or social sector pursuant to Art. 9 para. 2 lit. h GDPR. In the case of a voluntary consent-based disclosure of special categories of data, their processing is carried out on the basis of Art. 9 para. 2 lit. a GDPR.) - .

National data protection regulations in Germany : In addition to the data protection regulations of the General Data Protection Regulation, national data protection regulations apply in Germany. This includes, in particular, the Act to Protect Against the Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains, in particular, special provisions regarding the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and the transfer as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for employment purposes (§ 26 BDSG), especially with regard to the establishment, execution, or termination of employment relationships as well as the consent of employees. In addition, state data protection laws of the individual federal states may also apply.

Transmission and Disclosure of Personal Data

As part of our processing of personal data, it may happen that the data is transmitted to other entities, companies, legally independent organizational units, or persons, or disclosed to them. Recipients of this data can include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks, or providers of services and content embedded in a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to protect your data.

Data transmission within the organization: We may transfer personal data to other entities within our organization or grant them access to this data. If this transfer is for administrative purposes, it is based on our legitimate business and commercial interests, or it occurs if it is necessary to fulfill our contractual obligations, or if consent from the data subjects or a legal authorization is present.

Data processing in third countries

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of using third-party services or the disclosure or transfer of data to other persons, entities, or companies, this is done only in accordance with legal requirements.

Subject to explicit consent or contractually or legally required transmission, we process or have the data processed only in third countries with a recognized level of data protection, which include US processors certified under the "Privacy Shield," or on the basis of special guarantees, such as contractual obligations through so-called standard contractual clauses of the EU Commission, the existence of certifications, or binding internal data protection regulations, (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en ).

Use of Cookies

Cookies are text files that contain data from visited websites or domains and are stored by a browser on the user's computer. A cookie primarily serves to store information about a user during or after their visit within an online offering. The stored information can include, for example, language settings on a website, login status, a shopping cart, or the point at which a video was watched. The term cookies also includes other technologies that perform the same functions as cookies (e.g., when user data is stored using pseudonymous online identifiers, also referred to as "user IDs").

The following types of cookies and functions are distinguished:

Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their browser.
Permanent cookies: Permanent cookies remain stored even after closing the browser. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Similarly, the interests of users, which are used for reach measurement or marketing purposes, can be stored in such a cookie.
First-party cookies: First-party cookies are set by us ourselves.
Third-party cookies (also: third-party cookies) : Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
Necessary (also: essential or strictly required) cookies: Cookies can be absolutely necessary for the operation of a website (e.g., to save logins or other user inputs or for security reasons).
Statistical, marketing, and personalization cookies Furthermore, cookies are generally used for reach measurement as well as when a user's interests or behavior (e.g., viewing certain content, using functions, etc.) on individual websites are stored in a user profile. Such profiles serve to display content to users that corresponds to their potential interests. This process is also referred to as "tracking," i.e., tracking the potential interests of users. To the extent that we use cookies or "tracking" technologies, we inform you separately in our privacy policy or when obtaining consent.

Notes on Legal Bases: The legal basis on which we process your personal data using cookies depends on whether we ask for your consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is the declared consent. Otherwise, the data processed using cookies is processed based on our legitimate interests (e.g., in the economic operation of our online offer and its improvement) or, if the use of cookies is necessary to fulfill our contractual obligations.

General information on revocation and objection (opt-out): Depending on whether the processing is based on consent or legal permission, you have the option at any time to revoke a given consent or to object to the processing of your data through cookie technologies (collectively referred to as "opt-out"). You can initially express your objection through your browser settings, for example, by disabling the use of cookies (which may also restrict the functionality of our online offer). An objection to the use of cookies for online marketing purposes can also be made through a variety of services, especially in the case of tracking, via the websites http://optout.aboutads.info and http://www.youronlinechoices.com/ can be explained. In addition, you can receive further objection notices as part of the information on the service providers and cookies used.

Processing of cookie data based on consent: Before we process or have data processed in the context of using cookies, we ask users for consent that can be revoked at any time. Until consent is given, only cookies that are necessary for the operation of our online offer may be used. Their use is based on our interest and the users' interest in the expected functionality of our online offer.

Processed data types: Usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
Affected persons: Users (e.g., website visitors, users of online services).
Legal basis:Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Commercial and business services

We process data of our contractual and business partners, e.g., customers and prospects (collectively referred to as "contractual partners") within the scope of contractual and comparable legal relationships as well as related measures and in the context of communication with the contractual partners (or pre-contractually), e.g., to respond to inquiries.

We process this data to fulfill our contractual obligations, to secure our rights, and for purposes related to the administrative tasks and business organization associated with this information. We only share the data of contracting parties with third parties within the scope of applicable law to the extent necessary for the aforementioned purposes or to fulfill legal obligations, or with the consent of the contracting parties (e.g., with involved telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Contracting parties are informed about other forms of processing, e.g., for marketing purposes, within the scope of this privacy policy.

Which data is required for the aforementioned purposes will be communicated to the contractual partners before or during data collection, e.g., in online forms, through special markings (e.g., colors) or symbols (e.g., asterisks or similar), or personally.

We delete the data after the expiration of statutory warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., as long as they must be retained for legal archiving reasons (e.g., usually 10 years for tax purposes). Data disclosed to us by the contracting party in the context of an order will be deleted in accordance with the order's specifications, generally after the end of the order.

As far as we use third-party providers or platforms to provide our services, the terms and conditions and privacy notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.

Customer Account Contracting parties can create an account within our online offer (e.g., customer or user account, hereinafter "customer account"). If the registration of a customer account is required, contracting parties will be informed accordingly, as well as about the information required for registration. Customer accounts are not public and cannot be indexed by search engines. As part of the registration process and subsequent logins and use of the customer account, we store the customers' IP addresses along with the access times in order to verify the registration and prevent any misuse of the customer account.

When customers have canceled their customer account, the data related to the customer account will be deleted, unless their retention is required by law. It is the responsibility of the customers to secure their data upon cancellation of the customer account.

Economic analyses and market research: For business reasons and to be able to recognize market trends, as well as the wishes of contracting parties and users, we analyze the data available to us regarding business transactions, contracts, inquiries, etc., whereby the group of affected persons may include contracting parties, prospects, customers, visitors, and users of our online offer.

The analyses are carried out for the purpose of business management evaluations, marketing, and market research (e.g., to identify customer groups with different characteristics). In doing so, we may consider the profiles of registered users along with their information, such as services used, if available. The analyses are for our use only and are not disclosed externally, unless they are anonymous analyses with aggregated, i.e., anonymized data. Furthermore, we respect the privacy of users and process the data for analysis purposes as pseudonymously as possible and, where feasible, anonymously (e.g., as aggregated data).

Shop and E-Commerce: We process our customers' data to enable them to select, purchase, or order the chosen products, goods, and related services, as well as their payment and delivery or execution.

The required information is marked as such within the scope of the order or comparable acquisition process and includes the details needed for delivery, provision, and billing, as well as contact information to enable any necessary communication.

Publication activity: We process the data of our contact partners, interviewees, as well as other individuals who are the subject of our publishing, editorial, journalistic, and related activities. In this context, we refer to the applicability of the protection provisions of freedom of opinion and press according to Art. 85 GDPR in conjunction with the respective national laws. The processing serves the fulfillment of our commissioned activities and is otherwise carried out primarily on the basis of the public's interest in information and media offerings.

Processed data types: Inventory data (e.g., names, addresses), payment data (e.g., bank details, invoices, payment history), contact data (e.g., email, phone numbers), contract data (e.g., contract subject, duration, customer category), usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
Affected persons: Prospects, business and contractual partners, customers.
Purposes of processing:Contractual services and service, contact inquiries and communication, office and organizational procedures, management and response to inquiries, security measures, visit action evaluation, interest-based and behavioral marketing, profiling (creating user profiles).
Legal basis:Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c. GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Use of Online Marketplaces for E-Commerce

We offer our services on online platforms operated by other service providers. In this context, in addition to our privacy policy, the privacy policies of the respective platforms apply. This is especially true with regard to the procedures used on the platforms for reach measurement and interest-based marketing.

Processed data types: Inventory data (e.g., names, addresses), payment data (e.g., bank details, invoices, payment history), contact data (e.g., email, phone numbers), contract data (e.g., contract subject, duration, customer category), usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
Affected persons:Customers.
Purposes of processing:Contractual Services and Support.
Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Used services and service providers:

Alibaba.com:Online marketplace for e-commerce; service provider: Alibaba (China) Co., Ltd, 969 West Wen Yi Road, Yu Hang District, Hangzhou 311121, China; website:https://www.alibaba.com; Privacy Policy: https://rule.alibaba.com/rule/detail/2034.htm?spm=a2700.8293689.0.0.ef1765aaqDK7qq.
Amazon: Online marketplace for e-commerce; Service providers: Amazon Europe Core S.à.r.l., Amazon EU S.à.r.l., Amazon Services Europe S.à.r.l., and Amazon Media EU S.à.r.l., all four located at 38, avenue John F. Kennedy, L-1855 Luxembourg, as well as Amazon Instant Video Germany GmbH, Domagkstr. 28, 80807 Munich (together "Amazon Europe"), parent company: Amazon.com, Inc., 2021 Seventh Ave, Seattle, Washington 98121, USA; Website: https://www.amazon.de/; Privacy Policy: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4&status=Active.
avocadostore: Online marketplace for e-commerce; Service provider: Avocado Store GmbH, Cremon 32, 20457 Hamburg, Germany; Website: https://www.avocadostore.de/; Privacy Policy: https://www.avocadostore.de/privacy.
eBay:Online marketplace for e-commerce; service provider: eBay Marketplaces GmbH, Helvetiastrasse 15/17, 3005 Bern, Switzerland; website: https://www.ebay.de/; Privacy Policy: https://www.ebay.de/help/policies/member-behavior-policies/datenschutzerklrung?id=4260.
Etsy:Online marketplace for e-commerce; service provider: Etsy, Inc., 55 Washington Street, Suite 712, Brooklyn, NY 11201, USA; website: https://www.etsy.com/de; Privacy Policy: https://www.etsy.com/de/legal/privacy/?ref=ftr.
Lieferando: Delivery service platform for gastronomy services; Service provider: yd. yourdelivery GmbH, Am Karlsbad 16, D-10785 Berlin, Germany; Website: https://www.lieferando.de; Privacy Policy: https://www.lieferando.de/privacy-statement.
shopify:E-commerce platform and cloud services; service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; website: https://www.shopify.de; Privacy Policy: https://www.shopify.de/legal/datenschutz.

Payment Service Provider

Within the scope of contractual and other legal relationships, due to legal obligations or otherwise based on our legitimate interests, we offer the affected persons efficient and secure payment options and use, in addition to banks and credit institutions, other payment service providers (collectively "payment service providers").

The data processed by the payment service providers includes master data, such as name and address, bank data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract-, amount-, and recipient-related information. This information is necessary to carry out the transactions. However, the entered data is only processed and stored by the payment service providers. That means we do not receive any account- or credit card-related information, but only information confirming or denying the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit agencies. This transmission is intended for identity and creditworthiness verification. For this purpose, we refer to the terms and conditions and the privacy notices of the payment service providers.

The terms and conditions and privacy notices of the respective payment service providers, which can be accessed within the respective websites or transaction applications, apply to payment transactions. We also refer to these for further information and for asserting rights of withdrawal, information, and other data subject rights.

Processed data types: Inventory data (e.g., names, addresses), payment data (e.g., bank details, invoices, payment history), contract data (e.g., contract subject, duration, customer category), usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses), contact data (e.g., email, phone numbers).
Affected persons:Customers, prospects.
Purposes of processing:Contractual services and service, contact inquiries and communication, affiliate tracking.
Legal basis:Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Used services and service providers:

Amazon Payments:Payment services; Service provider: Amazon Payments Europe S.C.A. 38 avenue J.F. Kennedy, L-1855 Luxembourg; Website: https://pay.amazon.com/de; Privacy Policy: https://pay.amazon.com/de/help/201212490.
Apple Pay:Payment services; Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Website: https://www.apple.com/de/apple-pay/; Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.
Google Pay: Payment services; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://pay.google.com/intl/en_us/about/; Privacy Policy: https://policies.google.com/privacy.
Klarna / Instant Bank Transfer: Payment services; Service provider: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden; Website: https://www.klarna.com/de; Privacy Policy: https://www.klarna.com/de/datenschutz.
Mastercard: Payment services; Service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; Website: https://www.mastercard.de/de-de.html; Privacy Policy: https://www.mastercard.de/de-de/datenschutz.html.
PayPal: Payment services and solutions (e.g., PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Website: https://www.paypal.com/de; Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
Stripe: Payment services; Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Website: https://stripe.com/de; Privacy Policy: https://stripe.com/de/privacy.
Visa: Payment services; Service provider: Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, GB; Website: https://www.visa.de; Privacy Policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html.

Registration and Login

Users can create a user account. As part of the registration process, users are informed of the required mandatory information, which is processed for the purpose of providing the user account based on contractual obligation fulfillment. The data processed includes, in particular, the login information (name, password, and an email address). The data entered during registration is used for the purposes of using the user account and its intended purpose.

Users can be informed by email about processes relevant to their user account, such as technical changes. If users have terminated their user account, their data related to the user account will be deleted, subject to any legal retention obligations. It is the users' responsibility to secure their data before the contract ends after termination. We are entitled to irreversibly delete all data stored during the contract period.

As part of using our registration and login functions as well as the use of the user account, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as those of the users in protection against abuse and other unauthorized use. These data are generally not passed on to third parties, unless it is necessary to pursue our claims or there is a legal obligation to do so.

Online Forum Participation in the forum requires registration, during which, unless otherwise specified in the registration form, one or your name, a password, and the email address to which the access data will be sent must be provided. For security reasons, the password should meet the current state of technology, meaning it should be complex (users will be informed of this during registration if necessary) and not used elsewhere. Posts in the forum are visible to the public unless their visibility is restricted to certain members or member groups. The posts of the authors are stored with their names, if registered or provided, the time, and the content of the entry. Additionally, IP addresses of users are stored during registration and when writing posts, in case the posts contain impermissible content and the IP addresses could serve legal prosecution. The responsible party reserves the right to delete registrations and posts based on a proper assessment.

Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., text entries, photographs, videos), meta/communication data (e.g., device information, IP addresses), usage data (e.g., visited websites, interest in content, access times).
Affected persons: Users (e.g., website visitors, users of online services).
Purposes of processing:Contractual services and service, security measures, administration and response to inquiries.
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Blogs and Publication Media

We use blogs or comparable means of online communication and publication (hereinafter "publication medium"). The data of the readers are processed for the purposes of the publication medium only to the extent necessary for its presentation and the communication between authors and readers or for security reasons. Otherwise, we refer to the information on the processing of visitors to our publication medium within the scope of this privacy policy.

Comments and Posts If users leave comments or other contributions, their IP addresses may be stored based on our legitimate interests. This is done for our security in case someone posts unlawful content in comments and contributions (insults, prohibited political propaganda, etc.). In such cases, we ourselves can be held liable for the comment or contribution and are therefore interested in the identity of the author.

Furthermore, we reserve the right to process user data for the purpose of spam detection based on our legitimate interests.

On the same legal basis, we reserve the right to store users' IP addresses for the duration of surveys and to use cookies to prevent multiple votes.

The information about the person provided in the comments and posts, any contact and website information, as well as the content details, will be stored by us permanently until the users object.

Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., text entries, photographs, videos), usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
Affected persons: Users (e.g., website visitors, users of online services).
Purposes of processing: Contractual services and support, feedback (e.g., collecting feedback via online form), security measures, management and response to inquiries.
Legal basis: Performance of contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR), consent (Art. 6 para. 1 sentence 1 lit. a GDPR), protection of vital interests (Art. 6 para. 1 sentence 1 lit. d. GDPR).

Contact

When contacting us (e.g., via contact form, email, phone, or social media), the information provided by the inquiring persons is processed to the extent necessary to respond to the contact inquiries and any requested actions.

The response to contact inquiries within the scope of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to answer (pre-)contractual inquiries and otherwise based on the legitimate interests in responding to the inquiries.

Chat function : For the purposes of communication and responding to inquiries, we offer a chat function within our online service. The inputs from users within the chat are processed for the purpose of answering their inquiries.

Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., text entries, photographs, videos), usage data (e.g., visited websites, interest in content, access times), meta-/communication data (e.g., device information, IP addresses).
Affected persons:Communication partners, interested parties.
Purposes of processing:Contact requests and communication, management and response to inquiries.
Legal basis:Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Communication via Messenger

We use messenger services for communication purposes and therefore ask you to take note of the following information regarding the functionality of the messengers, encryption, the use of communication metadata, and your options to object.

You can also contact us through alternative means, e.g., by phone or email. Please use the contact options provided to you or the contact options listed within our online offer.

In the case of end-to-end encryption of content (i.e., the content of your message and attachments), we point out that the communication content (i.e., the content of the message and attached images) is encrypted end-to-end. This means that the content of the messages is not accessible, not even by the messenger providers themselves. You should always use an up-to-date version of the messenger with encryption enabled to ensure the encryption of the message content.

However, we also inform our communication partners that the providers of the messengers do not view the content but can find out whether and when communication partners communicate with us, as well as process technical information about the communication partners' device and, depending on the settings of their device, also location information (so-called metadata).

Notes on Legal Bases: If we ask communication partners for permission before communicating with them via messenger, the legal basis for our processing of their data is their consent. Otherwise, if we do not ask for consent and, for example, they contact us on their own initiative, we use messengers in relation to our contractual partners as well as in the context of contract initiation as a contractual measure, and in the case of other interested parties and communication partners on the basis of our legitimate interests in quick and efficient communication and meeting the needs of our communication partners for communication via messengers. Furthermore, we point out that we do not transmit the contact details provided to us to the messengers for the first time without your consent.

Revocation, Objection, and Deletion: You can revoke any given consent at any time and object to communication with us via Messenger at any time. In the case of communication via Messenger, we delete the messages in accordance with our general deletion policies (i.e., for example, as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that any inquiries from communication partners have been answered, when no reference to a previous conversation is expected, and no legal retention obligations prevent deletion.

Reservation of reference to other communication channels: In conclusion, we would like to point out that, for your security, we reserve the right not to respond to inquiries via messenger. This applies, for example, when contract details require special confidentiality or when a response via messenger does not meet formal requirements. In such cases, we will refer you to more appropriate communication channels.

Processed data types: Contact details (e.g. email, phone numbers), usage data (e.g. visited websites, interest in content, access times), meta/communication data (e.g. device information, IP addresses), content data (e.g. text entries, photographs, videos).
Affected persons:Communication partner.
Purposes of processing:Contact inquiries and communication, direct marketing (e.g., via email or postal mail).
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Used services and service providers:

Facebook Messenger: Facebook Messenger with end-to-end encryption (the end-to-end encryption of Facebook Messenger requires activation unless it is enabled by default); service provider: https://www.facebook.com, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Parent Company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website:https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active; Possibility to object (Opt-Out): https://www.facebook.com/settings?tab=ads.
Slack: Slack Messenger without end-to-end encryption; Service provider: Slack Technologies, Inc., 500 Howard Street, San Francisco, CA 94105, USA; Website: https://slack.com/intl/en-gb/; Privacy Policy: https://slack.com/intl/en-gb/legal; Privacy Shield (Guarantee of data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000GnMBAA0&status=Active.
Klaviyo:E-mail marketing platform; service provider: "Klaviyo" - 125 Summer St, Floor 6, Boston; MA02111, USA; website:https://www.klaviyo.com/; Privacy Policy:https://www.klaviyo.com/legal/privacy-notice; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active.

Online conferences, meetings, and webinars

We use platforms and applications from other providers (hereinafter referred to as "third parties") for the purposes of conducting video and audio conferences, webinars, and other types of video and audio meetings. When selecting third parties and their services, we comply with legal requirements.

In this context, data of the communication participants are processed and stored on the servers of third-party providers, insofar as they are part of communication processes with us. This data may include, in particular, registration and contact details, visual as well as voice contributions, inputs in chats, and shared screen contents.

If users are referred to third-party providers or their software or platforms in the context of communication, business, or other relationships with us, the third-party providers may process usage data and metadata, which they process for security purposes, service optimization, or marketing purposes. We therefore ask you to observe the privacy notices of the respective third-party providers.

Notes on Legal Bases: If we ask users for their consent to the use of third-party providers, the legal basis for processing is the consent. Furthermore, their use may be part of our (pre)contractual services, provided that the use of third-party providers has been agreed upon in this context. Otherwise, the users' data is processed based on our legitimate interests (i.e., interest in efficiency). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., text entries, photographs, videos), usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
Affected persons: Communication partners, users (e.g., website visitors, users of online services).
Purposes of processing:Contractual services and service, contact inquiries and communication, office and organizational procedures.
Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Used services and service providers:

Google Hangouts:Messenger and conference software; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://hangouts.google.com/; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Slack:Messenger and conference software; service provider: Slack Technologies, Inc., 500 Howard Street, San Francisco, CA 94105, USA; website: https://slack.com/intl/en-gb/; Privacy Policy: https://slack.com/intl/en-gb/legal; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt0000000GnMBAA0&status=Active.
TeamViewer: Conference software; Service provider: TeamViewer GmbH, Jahnstr. 30, 73037 Göppingen, Germany; Website: https://www.teamviewer.com/en; Privacy Policy: https://www.teamviewer.com/en/privacy-policy/.

Chatbots

We offer a communication option called a "chatbot." A chatbot is software that answers users' questions or informs them via messages. When you interact with our chatbot, we may process your personal data.

If you communicate with the chatbot within an online platform, your identification number within the respective platform will also be stored. We may also collect information about which users interact with our chatbot and when. Furthermore, we store the content of your conversations with the chatbot and log registration and consent processes in order to be able to demonstrate them in accordance with legal requirements.

Please note that the respective platform provider may be able to determine if and when users communicate with our chatbot, as well as collect technical information about the device used by the users and, depending on the settings of their device, also location information (so-called metadata) for the purposes of optimizing the respective services and for security purposes. Additionally, the metadata of the communication via chatbot (i.e., for example, the information about who communicated with whom) may be used by the respective platform providers in accordance with their terms, to which we refer for further information, for marketing purposes or to display user-tailored advertising.

If users agree to activate information through regular messages with the chatbot, they can unsubscribe from the information at any time for the future. The chatbot informs users how and with which terms they can unsubscribe from the messages. When unsubscribing from the chatbot messages, the users' data is deleted from the directory of message recipients.

The aforementioned information is used by us to operate our chatbot, for example, to address users personally, to respond to their inquiries to the chatbot, to transmit any requested content, and also to improve our chatbot (e.g., to "teach" it answers to frequently asked questions or to identify unanswered inquiries).

Notes on Legal Bases: We use the chatbot based on consent when we have previously obtained permission from users to process their data through the chatbot (this applies in cases where users are asked for consent, e.g., so that the chatbot can regularly send them messages). If we use the chatbot to respond to users' inquiries about our services or our company, this is done for contractual and pre-contractual communication. Otherwise, we use the chatbot based on our legitimate interests in optimizing the chatbot, its economic efficiency, and enhancing the positive user experience.

Revocation, Objection, and Deletion: You can revoke any given consent at any time or object to the processing of your data within the scope of our chatbot usage.

Processed data types: Contact data (e.g. email, phone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. visited websites, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
Affected persons: Communication partners, users (e.g., website visitors, users of online services).
Purposes of processing:Contact inquiries and communication, direct marketing (e.g., via email or postal mail), reach measurement (e.g., access statistics, recognition of returning visitors), tracking (e.g., interest-/behavior-based profiling, use of cookies), remarketing, visit action evaluation, profiling (creating user profiles), conversion measurement (measuring the effectiveness of marketing measures).
Legal basis:Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Used services and service providers:

HubSpot:Chatbot and assistant software as well as related services; service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; website: https://www.hubspot.de; Privacy Policy: https://legal.hubspot.com/de/privacy-policy.

Surveys and Questionnaires

The surveys and questionnaires conducted by us (hereinafter referred to as "surveys") are evaluated anonymously. The processing of personal data only takes place to the extent necessary for the provision and technical implementation of the surveys (e.g., processing the IP address to display the survey in the user's browser or using a temporary cookie (session cookie) to allow resuming the survey) or if users have given their consent.

Notes on Legal Bases: If we ask participants for consent to process their data, this is the legal basis for the processing; otherwise, the processing of participants' data is based on our legitimate interests in conducting an objective survey.

Processed data types: Contact data (e.g. email, phone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. visited websites, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
Affected persons: Communication partners, users (e.g., website visitors, users of online services).
Purposes of processing:Contact inquiries and communication, direct marketing (e.g., via email or postal mail), tracking (e.g., interest-/behavior-based profiling, use of cookies), feedback (e.g., collecting feedback via online form).
Legal basis:Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Used services and service providers:

Google Form: Google Cloud Forms; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://firebase.google.com; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; Possibility to object (Opt-Out): Opt-Out plugin: http://tools.google.com/dlpage/gaoptout?hl=en , settings for the display of advertisements: https://adssettings.google.com/authenticated.

Provision of the online service and web hosting

In order to provide our online services securely and efficiently, we use the services of one or more web hosting providers, whose servers (or servers managed by them) can be used to access the online services. For these purposes, we may utilize infrastructure and platform services, computing capacity, storage space, and database services, as well as security services and technical maintenance services.

The data processed in the context of providing the hosting service may include all information relating to the users of our online service that arises during usage and communication. This regularly includes the IP address, which is necessary to deliver the content of online services to browsers, and all inputs made within our online service or on websites.

Email Sending and Hosting The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, the addresses of the recipients and senders, as well as other information related to the email transmission (e.g., the involved providers) and the contents of the respective emails, are processed. The aforementioned data may also be processed for the purpose of detecting SPAM. Please note that emails are generally not sent encrypted over the internet. As a rule, emails are encrypted during transmission, but (unless an end-to-end encryption method is used) not on the servers from which they are sent and received. Therefore, we cannot assume any responsibility for the transmission path of emails between the sender and the reception on our server.

Collection of access data and log files We ourselves (or our web hosting provider) collect data for every access to the server (so-called server log files). The server log files may include the address and name of the accessed web pages and files, date and time of access, amount of data transferred, message about successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider.

The server log files can be used for security purposes, for example, to prevent server overload (especially in the case of abusive attacks, so-called DDoS attacks) and, on the other hand, to ensure the server load and their stability.

Processed data types: Content data (e.g. text entries, photographs, videos), usage data (e.g. visited websites, interest in content, access times), meta-/communication data (e.g. device information, IP addresses).
Affected persons: Users (e.g., website visitors, users of online services).
Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Application Process

The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required is specified in the job description or, in the case of online forms, in the information provided there.

Basically, the required information includes personal details such as name, address, a contact option, as well as proof of the qualifications necessary for a position. Upon request, we are also happy to inform you about which information is needed.

If available, applicants can submit their applications to us via an online form. The data is transmitted to us encrypted according to the state of the art. Applicants can also send us their applications via email. However, please note that emails are generally not sent encrypted over the internet. As a rule, emails are encrypted during transmission, but not on the servers from which they are sent and received. Therefore, we cannot assume any responsibility for the transmission path of the application between the sender and the reception on our server.

For the purposes of applicant search, submission of applications, and selection of candidates, we may use applicant management or recruitment software and platforms, as well as services from third-party providers, in compliance with legal requirements.

Applicants are welcome to contact us regarding the method of submitting their application or to send their application to us by mail.

Processing of special categories of data: Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g., health data, such as severe disability status or ethnic origin) are requested from applicants within the scope of the application process, so that the controller or the data subject can exercise the rights arising from labor law and social security and social protection law and fulfill their related obligations, their processing takes place pursuant to Art. 9 para. 2 lit. b. GDPR, in the case of protecting the vital interests of the applicants or other persons pursuant to Art. 9 para. 2 lit. c. GDPR, or for purposes of health care or occupational medicine, for assessing the employee's ability to work, for medical diagnosis, for care or treatment in the health or social sector, or for the management of systems and services in the health or social sector pursuant to Art. 9 para. 2 lit. h. GDPR. In the case of a voluntary consent-based disclosure of special categories of data, their processing is based on Art. 9 para. 2 lit. a. GDPR.

Deletion of data: The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job offer is unsuccessful, the applicants' data will be deleted. The applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Deletion will take place, subject to a legitimate revocation by the applicants, no later than six months after the expiration of a period, so that we can answer any follow-up questions regarding the application and fulfill our documentation obligations under the regulations on equal treatment of applicants. Invoices for any travel expense reimbursements will be archived in accordance with tax regulations.

Enrollment in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, does not affect the ongoing application process, and that they can revoke their consent at any time for the future.

Processed data types: Applicant data (e.g., personal information, postal and contact addresses, application documents and the information contained therein, such as cover letters, resumes, certificates, as well as additional information voluntarily provided by applicants regarding a specific position or their personal details or qualifications).
Affected persons:Applicant.
Purposes of processing: Application procedure (justification and possible later implementation as well as possible later termination of the employment relationship).
Legal basis: Art. 9 para. 1 sentence 1 lit. b GDPR (application procedure as a pre-contractual or contractual relationship) (If special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g. health data, such as severe disability status or ethnic origin) are requested from applicants in the context of the application procedure, so that the controller or the data subject can exercise the rights arising from labor law and social security and social protection law and fulfill their related obligations, their processing takes place according to Art. 9 para. 2 lit. b GDPR, in the case of the protection of vital interests of the applicants or other persons according to Art. 9 para. 2 lit. c GDPR or for purposes of health care or occupational medicine, for the assessment of the employee's ability to work, for medical diagnosis, care or treatment in the health or social sector or for the management of systems and services in the health or social sector according to Art. 9 para. 2 lit. h GDPR. In the case of a voluntary consent-based disclosure of special categories of data, their processing is carried out on the basis of Art. 9 para. 2 lit. a GDPR.).

Cloud Services

We use software services accessible via the internet and executed on the servers of their providers (so-called "cloud services," also referred to as "Software as a Service") for the following purposes: document storage and management, calendar management, email sending, spreadsheets and presentations, exchange of documents, content and information with specific recipients or publication of websites, forms or other content and information, as well as chats and participation in audio and video conferences.

In this context, personal data may be processed and stored on the providers' servers, insofar as they are part of communication processes with us or are otherwise processed by us as set out in this privacy policy. These data may include, in particular, master data and contact details of the users, data related to transactions, contracts, other processes, and their contents. The providers of the cloud services also process usage data and metadata, which they use for security purposes and service optimization.

If we provide forms or other documents and content for other users or publicly accessible websites using cloud services, the providers may store cookies on the users' devices for the purposes of web analysis or to remember user settings (e.g., in the case of media control).

Notes on Legal Bases: If we request consent for the use of cloud services, the legal basis for processing is the consent. Furthermore, their use may be part of our (pre)contractual services, provided that the use of cloud services has been agreed upon within this framework. Otherwise, the users' data is processed based on our legitimate interests (i.e., interest in efficient and secure administrative and collaboration processes).

Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., text entries, photographs, videos), usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
Affected persons:Customers, employees (e.g. staff, applicants, former employees), prospects, communication partners.
Purposes of processing:Office and organizational procedures.
Legal basis:Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Used services and service providers:

Google Cloud Services: Cloud storage services; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://cloud.google.com/; Privacy Policy: https://www.google.com/policies/privacy , Safety instructions: https://cloud.google.com/security/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt0000000000001L5AAI&status=Active; Standard Contractual Clauses (Warranty of Data Protection Level in Processing in Third Countries): https://cloud.google.com/terms/data-processing-terms; Additional notes on data protection: https://cloud.google.com/terms/data-processing-terms.

Newsletter and Mass Communication

We send newsletters, emails, and other electronic notifications (hereinafter "newsletter") only with the consent of the recipients or a legal permission. If the content of the newsletter is specifically described as part of a newsletter registration, it is decisive for the users' consent. Otherwise, our newsletters contain information about our services and us.

To subscribe to our newsletters, it is generally sufficient to provide your email address. However, we may ask you to provide a name for personal addressing in the newsletter or additional information if it is necessary for the purposes of the newsletter.

Double Opt-In Procedure: Registration for our newsletter is generally done through a so-called double opt-in process. This means that after registering, you will receive an email asking you to confirm your registration. This confirmation is necessary to ensure that no one can register using someone else's email address. Newsletter registrations are logged in order to be able to demonstrate the registration process in accordance with legal requirements. This includes storing the registration and confirmation timestamps as well as the IP address. Changes to your data stored with the mailing service provider are also logged.

Deletion and restriction of processing: We can store the unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of a possible defense against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist (so-called "blacklist").

The logging of the login process is carried out based on our legitimate interests for the purpose of proving its proper execution. Insofar as we commission a service provider with the sending of emails, this is done on the basis of our legitimate interests in an efficient and secure delivery system.

Notes on Legal Bases: The sending of newsletters is based on the consent of the recipients or, if consent is not required, on the basis of our legitimate interests in direct marketing, provided and to the extent that this is legally permitted, e.g., in the case of advertising to existing customers. If we commission a service provider to send emails, this is done on the basis of our legitimate interests. The registration process is recorded on the basis of our legitimate interests to prove that it was carried out in accordance with the law.

Contents: Information about us, our services, promotions, and offers.

Success Measurement: The newsletters contain a so-called "web beacon," i.e., a pixel-sized file that is retrieved from our server, or, if we use a shipping service provider, from their server when the newsletter is opened. As part of this retrieval, technical information such as information about the browser and your system, as well as your IP address and the time of the retrieval, are initially collected.

This information is used to technically improve our newsletter based on technical data or the target groups and their reading behavior according to their access locations (which can be determined using the IP address) or access times. This analysis also includes determining whether the newsletters are opened, when they are opened, and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our intention nor, if applicable, that of the sending service provider to monitor individual users. Rather, the evaluations serve to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.

The evaluation of the newsletter and the measurement of its success are carried out, subject to the explicit consent of the users, based on our legitimate interests for the purpose of using a user-friendly and secure newsletter system, which serves both our business interests and meets the expectations of the users.

A separate revocation of success measurement is unfortunately not possible; in this case, the entire newsletter subscription must be canceled or objected to.

Prerequisite for the use of free services Consent to the sending of mailings can be made a prerequisite for the use of free services (e.g., access to certain content or participation in certain promotions). If users wish to use the free service without subscribing to the newsletter, we ask you to contact us.

Shipping via SMS: Our communications are also sent via SMS text messages.

Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), meta/communication data (e.g., device information, IP addresses), usage data (e.g., visited websites, interest in content, access times).
Affected persons: Communication partners, users (e.g., website visitors, users of online services).
Purposes of processing: Direct marketing (e.g., via email or postal mail), contractual services and support, contact inquiries and communication.
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Opt-out option: You can unsubscribe from our newsletter at any time, i.e., revoke your consent or object to further receipt. A link to unsubscribe from the newsletter can be found either at the end of each newsletter or you can use one of the contact options listed above, preferably email, for this purpose.

Used services and service providers:

HubSpot: E-mail marketing platform; service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; website: https://www.hubspot.de; Privacy Policy: https://legal.hubspot.com/de/privacy-policy.
Mailchimp: E-mail marketing platform; service provider: "Mailchimp" - Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA; website: https://mailchimp.com; Privacy Policy: https://mailchimp.com/legal/privacy/; Privacy Shield (Guarantee of data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active.
WhatsApp Broadcasts:WhatsApp Broadcasts - Messenger with end-to-end encryption; Service provider: WhatsApp Inc. WhatsApp Legal 1601 Willow Road Menlo Park, California 94025, USA; Website: https://www.whatsapp.com/; Privacy Policy: https://www.whatsapp.com/legal; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt0000000TSnwAAG&status=Active.
Zapier: Import of email addresses to the shipping service providers used from other platforms or other sources; Service provider: Zapier, Inc., 548 Market St #62411, San Francisco, California 94104, USA; Website: https://zapier.com; Privacy Policy: https://zapier.com/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000TNk2AAG&status=Active.

Promotional communication via mail, fax, or telephone

We process personal data for the purposes of advertising communication, which can take place through various channels, such as e-mail, telephone, mail, or fax. In this context, we comply with legal requirements and obtain the necessary consents, unless the communication is legally permitted.

Recipients have the right to revoke given consents at any time or to object to advertising communication at any time.

After revocation or objection, we may store the data required to prove consent for up to three years based on our legitimate interests before deleting it. The processing of this data is limited to the purpose of a possible defense against claims. An individual deletion request is possible at any time, provided that the former existence of consent is simultaneously confirmed.

Processed data types: Inventory data (e.g., names, addresses), contact details (e.g., email, phone numbers).
Affected persons:Communication partner.
Purposes of processing: Direct marketing (e.g., via email or postal mail).
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Giveaways and Contests

We process personal data of participants in sweepstakes and competitions only in compliance with the applicable data protection regulations, insofar as the processing is contractually necessary for the provision, execution, and handling of the sweepstakes, the participants have consented to the processing, or the processing serves our legitimate interests (e.g., the security of the sweepstakes or the protection of our interests against misuse through possible collection of IP addresses when submitting sweepstakes entries).

If entries from participants are published as part of the contests (e.g., in the context of a vote or presentation of contest entries or winners or reporting on the contest), we point out that the names of the participants may also be published in this context. Participants can object to this at any time.

If the contest takes place within an online platform or a social network (e.g., Facebook or Instagram, hereinafter referred to as "online platform"), the terms of use and privacy policies of the respective platforms also apply. In these cases, we point out that we are responsible for the information provided by participants in connection with the contest and that inquiries regarding the contest should be directed to us.

The participants' data will be deleted as soon as the sweepstakes or competition has ended and the data is no longer required to inform the winners or because inquiries regarding the sweepstakes are expected. As a rule, the participants' data will be deleted no later than 6 months after the end of the sweepstakes. Winners' data may be retained longer in order to, for example, answer inquiries about the prizes or fulfill the prize services; in this case, the retention period depends on the type of prize and is, for example, up to three years for goods or services, in order to handle warranty cases, for instance. Furthermore, participants' data may be stored longer, for example, in the form of reporting on the sweepstakes in online and offline media.

If data has also been collected for other purposes in the context of the competition, their processing and retention period are governed by the privacy notices related to that use (e.g., in the case of signing up for the newsletter as part of a competition).

Processed data types: Inventory data (e.g., names, addresses), content data (e.g., text entries, photographs, videos).
Affected persons:Giveaway and contest participants.
Purposes of processing: Conducting sweepstakes and competitions.
Legal basis:Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR).

Web Analysis and Optimization

Web analysis (also referred to as "reach measurement") is used to evaluate the visitor flows of our online offering and can include behavior, interests, or demographic information about the visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, determine at what times our online offering or its functions or content are most frequently used or invite reuse. Likewise, we can identify which areas require optimization.

In addition to web analytics, we can also use testing methods to, for example, test and optimize different versions of our online offer or its components.

For these purposes, so-called user profiles can be created and stored in a file (so-called "cookie") or similar methods with the same purpose can be used. These details can include, for example, viewed content, visited websites and elements used there, as well as technical information such as the browser used, the computer system used, and information about usage times. If users have consented to the collection of their location data, these may also be processed depending on the provider.

The IP addresses of users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear data of users (such as email addresses or names) are stored in the context of web analysis, A/B testing, and optimization, but pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

Notes on Legal Bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is the consent. Otherwise, the users' data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Processed data types: Usage data (e.g., visited websites, interest in content, access times).
Affected persons: Users (e.g., website visitors, users of online services).
Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors), tracking (e.g., interest-/behavior-based profiling, use of cookies), visit action evaluation, profiling (creating user profiles), interest-based and behavior-based marketing.
Safety measures:IP masking (pseudonymization of the IP address).
Legal basis:Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Used services and service providers:

Google Optimize: Use of Google Analytics data for the purpose of improving areas of our online offering and better targeting our marketing measures to potential user interests; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://optimize.google.com; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; Possibility to object (Opt-Out): Opt-Out plugin: http://tools.google.com/dlpage/gaoptout?hl=en , settings for the display of advertisements: https://adssettings.google.com/authenticated.

Online Marketing

We process personal data for the purposes of online marketing, which particularly includes the marketing of advertising spaces or the display of advertising and other content (collectively referred to as "content") based on the potential interests of users, as well as measuring their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (so-called "cookie") or similar methods are used, by means of which the information relevant for the display of the aforementioned content is stored about the user. This information can include, for example, viewed content, visited websites, used online networks, but also communication partners and technical information such as the browser used, the computer system used, as well as information about usage times. If users have consented to the collection of their location data, this data may also be processed.

The IP addresses of users are also stored. However, we use available IP masking methods (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear data of users (such as email addresses or names) are stored within the scope of online marketing procedures, but pseudonyms. This means that neither we nor the providers of the online marketing procedures know the actual identity of the users, but only the information stored in their profiles.

The information in the profiles is usually stored in cookies or by similar methods. These cookies can later generally also be read on other websites that use the same online marketing procedure, analyzed for the purpose of content presentation, supplemented with additional data, and stored on the server of the online marketing procedure provider.

Exceptionally, clear data can be assigned to profiles. This is the case, for example, when users are members of a social network whose online marketing procedures we use and the network links the users' profiles with the aforementioned information. Please note that users can make additional agreements with the providers, e.g., by giving consent during registration.

We generally only receive access to aggregated information about the success of our advertisements. However, within the scope of so-called conversion measurements, we can check which of our online marketing methods have led to a so-called conversion, i.e., for example, to a contract conclusion with us. The conversion measurement is used solely for analyzing the success of our marketing measures.

Unless otherwise specified, please assume that the cookies used are stored for a period of two years.

Target Group Formation with Google Analytics We use Google Analytics to display ads served within Google's advertising services and its partners only to users who have shown an interest in our online offerings or who exhibit certain characteristics (e.g., interests in specific topics or products determined based on the websites visited) that we transmit to Google (so-called "Remarketing" or "Google Analytics Audiences"). With the help of Remarketing Audiences, we also want to ensure that our ads correspond to the potential interests of the users.

Google Universal Analytics We use Google Analytics in the form of Universal Analytics ( https://support.google.com/analytics/answer/2790010?hl=en&ref_topic=6010376) "Universal Analytics" refers to a method by Google Analytics in which user analysis is based on a pseudonymous user ID, thereby creating a pseudonymous profile of the user with information from the use of various devices (so-called "cross-device tracking").

Facebook Pixel: With the help of the Facebook Pixel, Facebook is able, on the one hand, to identify the visitors of our online offer as a target group for displaying advertisements (so-called "Facebook Ads"). Accordingly, we use the Facebook Pixel to show the Facebook Ads placed by us only to such users on Facebook and within the services of partners cooperating with Facebook (the so-called "Audience Network").https://www.facebook.com/audiencenetwork/ ) to display to users who have also shown an interest in our online offer or who exhibit certain characteristics (e.g., interest in specific topics or products, which can be inferred from the websites visited) that we transmit to Facebook (so-called "Custom Audiences"). With the help of the Facebook Pixel, we also want to ensure that our Facebook ads correspond to the potential interests of users and do not appear intrusive. Furthermore, the Facebook Pixel allows us to track the effectiveness of Facebook advertisements for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called "conversion tracking").

Extended Matching for the Facebook Pixel: When using the Facebook Pixel, the additional feature "advanced matching" is employed. In this context, data such as email addresses or Facebook IDs of users are transmitted to Facebook (encrypted) for the purpose of creating target audiences.

Facebook - Audience Creation via Data Upload : Uploading data, such as phone numbers, email addresses, or Facebook IDs to the Facebook platform. The data is encrypted in this process. The upload process is solely intended to display advertisements to the owners of the data or to persons whose user profiles correspond to the user profiles of the data owners on Facebook. We want to ensure that the ads are only shown to users who have an interest in our information and services.

Processed data types: Usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses), location data (data indicating the location of an end user's device), social data (data subject to social confidentiality (§ 35 SGB I) and, for example, processed by social insurance carriers, social welfare agencies, or supply authorities).
Affected persons: Users (e.g., website visitors, users of online services), prospects, customers, employees (e.g., staff, applicants, former employees), communication partners.
Purposes of processing: Tracking (e.g., interest-/behavior-based profiling, use of cookies), remarketing, visit action analysis, interest-based and behavior-based marketing, profiling (creating user profiles), conversion measurement (measuring the effectiveness of marketing measures), reach measurement (e.g., access statistics, recognition of returning visitors), cross-device tracking (cross-device processing of user data for marketing purposes), audience formation (determining target groups relevant for marketing purposes or other content delivery), click tracking, direct marketing (e.g., via email or postal mail).
Safety measures:IP masking (pseudonymization of the IP address).
Legal basis:Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Opt-out option: We refer to the privacy notices of the respective providers and the objection options (so-called "opt-out") provided by the providers. If no explicit opt-out option is specified, you can disable cookies in your browser settings. However, this may restrict the functionality of our online offer. Therefore, we additionally recommend the following opt-out options, which are offered collectively for the respective regions: a) Europe: https://www.youronlinechoices.eu . b) Canada: https://www.youradchoices.ca/choices . c) USA: https://www.aboutads.info/choices . d) Cross-regional: http://optout.aboutads.info.

Used services and service providers:

Google Tag Manager: Google Tag Manager is a solution that allows us to manage so-called website tags through an interface (and thus integrate, for example, Google Analytics as well as other Google marketing services into our online offering). The Tag Manager itself (which implements the tags) does not process any personal data of the users. With regard to the processing of users' personal data, reference is made to the following information about the Google services. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Google Analytics:Online marketing and web analysis; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com/intl/en/about/analytics/; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; Possibility to object (Opt-Out): Opt-Out plugin: http://tools.google.com/dlpage/gaoptout?hl=en , settings for the display of advertisements: https://adssettings.google.com/authenticated.
Google Ads and Conversion Tracking: We use the online marketing method "Google Ads" to place ads in the Google advertising network (e.g., in search results, in videos, on websites, etc.) so that they are shown to users who are likely interested in the ads. Furthermore, we measure the conversion of the ads. However, we only learn the anonymous total number of users who clicked on our ad and were redirected to a page equipped with a so-called "conversion tracking tag." We ourselves do not receive any information that would allow users to be identified. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Google Ad Manager: We use the "Google Marketing Platform" (and services such as "Google Ad Manager") to place ads in the Google advertising network (e.g., in search results, in videos, on websites, etc.). The Google Marketing Platform is characterized by displaying ads in real time based on the presumed interests of users. This allows us to display ads more targeted for and within our online offering, presenting users only with ads that potentially match their interests. If, for example, a user is shown ads for products they have shown interest in on other online platforms, this is referred to as "remarketing." Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Google Signals: Additional marketing options that only apply to users who have enabled personalized ads on Google ( https://support.google.com/ads/answer/2662856) and include device-specific as well as cross-device data processing; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website:https://support.google.com/analytics/answer/7532985?hl=en; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; Possibility to object (Opt-Out): Opt-Out plugin: http://tools.google.com/dlpage/gaoptout?hl=en , settings for the display of advertisements: https://adssettings.google.com/authenticated.
Facebook Pixel:Facebook Pixel; Service provider:https://www.facebook.com, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active; Possibility to object (Opt-Out): https://www.facebook.com/settings?tab=ads.
Amazon: Marketing of advertising materials and advertising space; Service providers: Amazon Europe Core S.à.r.l., Amazon EU S.à.r.l., Amazon Services Europe S.à.r.l., and Amazon Media EU S.à.r.l., all four located at 38, avenue John F. Kennedy, L-1855 Luxembourg, as well as Amazon Instant Video Germany GmbH, Domagkstr. 28, 80807 Munich (together "Amazon Europe"), parent company: Amazon.com, Inc., 2021 Seventh Ave, Seattle, Washington 98121, USA; Website: https://www.amazon.de; Privacy Policy: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010; Privacy Shield (Guarantee of data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4&status=Active.
LinkedIn: Insights Tag / Conversion Measurement; Service Provider: LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA; Website: https://www.linkedin.com; Security measures: IP masking (pseudonymization of the IP address); Privacy policy: https://www.linkedin.com/legal/privacy-policyCookie Policy: https://www.linkedin.com/legal/cookie_policy; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active; Possibility to object (Opt-Out):https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Microsoft Advertising:Microsoft Advertising; Service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Website: https://about.ads.microsoft.com/; Privacy Policy: https://privacy.microsoft.com/en-us/privacystatement; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt0000000KzNaAAK&status=Active; Possibility to object (Opt-Out): http://choice.microsoft.com/en-US/opt-out.
Outbrain: Display of personalized advertisements; Service provider: Outbrain Inc, 39 West 13th Street, 3rd floor, New York, NY 10011, USA; Website: https://www.outbrain.com; Privacy Policy: https://www.outbrain.com/legal/privacy; Standard Contractual Clauses (Warranty of Data Protection Level in Processing in Third Countries): Used in contracts with Outbrain service providers; Data Deletion: The stored personal data will be deleted or anonymized after 13 months.
Pinterest Web Analytics: Online marketing and web analysis; Service provider: Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA; Website: https://analytics.pinterest.com/; Privacy Policy: https://about.pinterest.com/de/privacy-policy.

Offer of an Affiliate Program

We offer an affiliate program, i.e., commissions or other benefits (collectively referred to as "Commission") for users (referred to as "Affiliates") who refer to our offers and services. The referral is made using a link assigned to the respective affiliate or other methods (e.g., discount codes) that allow us to recognize that the use of our services was based on the referral (collectively referred to as "Affiliate Links").

To be able to track whether users have utilized our services through the affiliate links used by the affiliates, it is necessary for us to know that the users have followed an affiliate link. The assignment of affiliate links to the respective business transactions or other use of our services serves solely the purpose of commission accounting and is deleted as soon as it is no longer required for this purpose.

For the purposes of the aforementioned assignment of affiliate links, the affiliate links can be supplemented with certain values that are part of the link or can be stored otherwise, e.g., in a cookie. These values can include, in particular, the originating website (referrer), the time, an online identifier of the operators of the website where the affiliate link was located, an online identifier of the respective offer, the type of link used, the type of offer, and an online identifier of the user.

Notes on Legal Bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is the consent. Furthermore, their use may be part of our (pre)contractual services, provided that the use of third-party providers has been agreed upon within this framework. Otherwise, users' data is processed based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Processed data types: Contract data (e.g., contract subject, duration, customer category), usage data (e.g., visited websites, interest in content, access times).
Affected persons: Users (e.g., website visitors, users of online services), business and contractual partners.
Purposes of processing:Contractual services and service, affiliate tracking.
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Review Platforms

We participate in evaluation procedures to assess, optimize, and promote our services. When users rate us through the involved review platforms or procedures or provide feedback in other ways, the general terms and conditions or terms of use and the privacy policies of the providers also apply. As a rule, the review also requires registration with the respective providers.

To ensure that the reviewers have actually used our services, we transmit the necessary data regarding the customer and the service used to the respective review platform (including name, email address, and order number or item number) with the customer's consent. This data is used solely to verify the authenticity of the user.

Review Widget We integrate so-called "review widgets" into our online offering. A widget is a functional and content element embedded in our online offering that displays variable information. It can be presented, for example, in the form of a seal or a comparable element, sometimes also called a "badge." The corresponding content of the widget is displayed within our online offering, but at that moment it is retrieved from the servers of the respective widget provider. This is the only way to always show the current content, especially the current rating. For this purpose, a data connection must be established from the webpage accessed within our online offering to the server of the widget provider, and the widget provider receives certain technical data (access data, including IP address) necessary to deliver the widget content to the user's browser.

Furthermore, the widget provider receives information that users have visited our online offer. This information can be stored in a cookie and used by the widget provider to identify which online offers participating in the review process have been visited by the user. The information can be stored in a user profile and used for advertising or market research purposes.

Processed data types: Contract data (e.g., contract subject, duration, customer category), usage data (e.g., visited websites, interest in content, access times), meta-/communication data (e.g., device information, IP addresses).
Affected persons:Customers, users (e.g., website visitors, users of online services).
Purposes of processing: Feedback (e.g., collecting feedback via online form), reach measurement (e.g., access statistics, recognition of returning visitors), visit action evaluation, interest-based and behavior-based marketing, profiling (creating user profiles).
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Presence on social networks

We maintain online presences within social networks to communicate with the users active there or to provide information about us.

We point out that user data may be processed outside the territory of the European Union. This may pose risks for users, as, for example, the enforcement of users' rights could be made more difficult. With regard to US providers certified under the Privacy Shield or offering comparable guarantees of a secure level of data protection, we point out that they commit to complying with EU data protection standards.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, usage profiles can be created based on user behavior and the resulting interests. These usage profiles can, in turn, be used to display advertisements within and outside the networks that presumably match the users' interests. For these purposes, cookies are usually stored on users' computers, in which the usage behavior and interests of the users are saved. Additionally, data can also be stored in the usage profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in).

For a detailed description of the respective processing methods and the options to object (opt-out), please refer to the privacy policies and information provided by the operators of the respective networks.

Also in the case of information requests and the assertion of data subject rights, we point out that these can be most effectively asserted with the providers. Only the providers have access to the users' data and can directly take appropriate measures and provide information. If you still need assistance, you can contact us.

Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., text entries, photographs, videos), usage data (e.g., visited websites, interest in content, access times), meta-/communication data (e.g., device information, IP addresses).
Affected persons: Users (e.g., website visitors, users of online services).
Purposes of processing:Contact inquiries and communication, tracking (e.g., interest-/behavior-based profiling, use of cookies), remarketing, reach measurement (e.g., access statistics, recognition of returning visitors).
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Used services and service providers:

Instagram :Social network; Service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Website: https://www.instagram.com; Privacy Policy: http://instagram.com/about/legal/privacy.
Facebook:Social network; service provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active; Option to object (Opt-Out): Settings for advertisements: https://www.facebook.com/settings?tab=ads; Additional notes on data protection: Agreement on joint processing of personal data on Facebook pages: https://www.facebook.com/legal/terms/page_controller_addendum , Privacy Policy for Facebook Pages: https://www.facebook.com/legal/terms/information_about_page_insights_data.
LinkedIn: Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active; Possibility to object (Opt-Out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Pinterest: Social network; Service provider: Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA; Website: https://www.pinterest.com; Privacy Policy: https://about.pinterest.com/en/privacy-policy; Possibility to object (Opt-Out): https://about.pinterest.com/en/privacy-policy.
Twitter:Social network; Service provider: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Privacy Policy:https://twitter.com/de/privacy(Settings)https://twitter.com/personalization; Privacy Shield (Guarantee of data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.
YouTube: Social network; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Privacy policy: https://policies.google.com/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; Possibility to object (Opt-Out): https://adssettings.google.com/authenticated.
Xing: Social network; Service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; Website: https://www.xing.de; Privacy Policy: https://privacy.xing.com/en/privacy-policy.

Plugins and embedded functions as well as content

We integrate functional and content elements into our online offering that are sourced from the servers of their respective providers (hereinafter referred to as "third parties"). These may include, for example, graphics, videos, or social media buttons as well as posts (hereinafter collectively referred to as "content").

Embedding always assumes that the third-party providers of this content process the users' IP addresses, as they could not send the content to their browsers without the IP address. The IP address is therefore necessary for the display of this content or functions. We strive to use only such content whose respective providers use the IP address solely for delivering the content. Third parties may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Through the "pixel tags," information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information can also be stored in cookies on the users' devices and may include, among other things, technical information about the browser and operating system, referring websites, visit time, as well as other details about the use of our online offer, and can be linked with such information from other sources.

Processed data types: Usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses), contact data (e.g., email, phone numbers), content data (e.g., text entries, photographs, videos), inventory data (e.g., names, addresses).
Affected persons: Users (e.g., website visitors, users of online services), communication partners.
Purposes of processing: Provision of our online services and user-friendliness, contractual services and support, contact inquiries and communication, direct marketing (e.g., via email or postal mail), tracking (e.g., interest-/behavior-based profiling, use of cookies), interest-based and behavior-based marketing, profiling (creating user profiles), security measures, management and response to inquiries.
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR).

Used services and service providers:

Facebook Social Plugins: Facebook Social Plugins - These can include content such as images, videos, or text and buttons that allow users to share content from this online offering within Facebook. The list and appearance of the Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/; Service provider: https://www.facebook.com, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active; Option to object (Opt-Out): Settings for advertisements: https://www.facebook.com/settings?tab=ads.
Google Fonts: We embed the fonts ("Google Fonts") from the provider Google, whereby the users' data is used solely for the purpose of displaying the fonts in the users' browsers. The integration is based on our legitimate interests in a technically secure, maintenance-free, and efficient use of fonts, their uniform display, and taking into account possible licensing restrictions for their integration. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://fonts.google.com/; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt0000000TRkEAAW&status=Active.
Google Maps: We embed the maps of the service "Google Maps" provided by Google. The data processed may include, in particular, IP addresses and location data of users, which, however, are not collected without their consent (usually given within the settings of their mobile devices). Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://maps.google.de; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000TRkEAAW&status=Active; Possibility to object (Opt-Out): Opt-Out plugin: http://tools.google.com/dlpage/gaoptout?hl=en , settings for the display of advertisements: https://adssettings.google.com/authenticated.
Instagram plugins and buttons: Instagram plugins and buttons - These can include content such as images, videos, or texts and buttons that allow users to share content from this online offer within Instagram. Service provider: https://www.instagram.com , Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Website: https://www.instagram.com; Privacy Policy: http://instagram.com/about/legal/privacy.
LinkedIn plugins and buttons: LinkedIn plugins and buttons - These can include content such as images, videos, or texts and buttons that allow users to share content from this online offer within LinkedIn. Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: https://www.instagram.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Privacy Shield (Guarantee of data protection level when processing data in the USA):https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active; Possibility to object (Opt-Out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Pinterest plugins and buttons: Pinterest plugins and buttons - These can include content such as images, videos, or texts and buttons that allow users to share content from this online offer within Pinterest. Service provider: Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA; Website: https://www.pinterest.com; Privacy Policy: https://about.pinterest.com/en/privacy-policy.
ReCaptcha: We integrate the "ReCaptcha" function to detect bots, e.g., during inputs in online forms. The behavioral data of users (e.g., mouse movements or queries) are evaluated to distinguish humans from bots. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://www.google.com/recaptcha/; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000TRkEAAW&status=Active; Possibility to object (Opt-Out): Opt-Out plugin: http://tools.google.com/dlpage/gaoptout?hl=en , settings for the display of advertisements: https://adssettings.google.com/authenticated.
Twitter plugins and buttons: Twitter plugins and buttons - These can include content such as images, videos, or texts and buttons that allow users to share content from this online offer within Twitter. Service provider: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Website: https://twitter.com/de; Privacy Policy: https://twitter.com/de/privacy.
YouTube: Videos; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (Guarantee of data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; Possibility to object (Opt-Out): Opt-Out plugin: http://tools.google.com/dlpage/gaoptout?hl=en , settings for the display of advertisements: https://adssettings.google.com/authenticated.
Vimeo: Video platform; service provider: Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA; website: https://vimeo.com; Privacy Policy: https://vimeo.com/privacy; Possibility to object (Opt-Out): We point out that Vimeo may use Google Analytics and refer to the privacy policy for this purpose (https://policies.google.com/privacy) as well as the opt-out options for Google Analytics (http://tools.google.com/dlpage/gaoptout?hl=en) or the settings of Google for data usage for marketing purposes (https://adssettings.google.com/).

Planning, Organization, and Auxiliary Tools

We use services, platforms, and software from other providers (hereinafter referred to as "third parties") for the purposes of organizing, managing, planning, and delivering our services. When selecting third parties and their services, we comply with legal requirements.

In this context, personal data may be processed and stored on the servers of third-party providers. Various data may be affected by this, which we process in accordance with this privacy policy. This data may include, in particular, master data and contact details of the users, data related to transactions, contracts, other processes, and their contents.

If users are referred to third-party providers or their software or platforms in the context of communication, business, or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization, or marketing purposes. We therefore ask that you observe the privacy notices of the respective third-party providers.

Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., text entries, photographs, videos), usage data (e.g., visited websites, interest in content, access times), meta-/communication data (e.g., device information, IP addresses).
Affected persons:Communication partners, users (e.g., website visitors, users of online services).
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Deletion of Data

The data we process is deleted in accordance with legal requirements as soon as the consents permitting their processing are revoked or other permissions cease to apply (e.g., if the purpose of processing this data no longer exists or if it is not necessary for the purpose).

Unless the data is deleted because it is required for other legally permissible purposes, its processing will be limited to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for asserting, exercising, or defending legal claims or for protecting the rights of another natural or legal person.

Further information regarding the deletion of personal data may also be provided within the individual data protection notices of this privacy policy.

Change and Update of the Privacy Policy

We ask you to regularly inform yourself about the content of our privacy policy. We adjust the privacy policy as soon as changes in the data processing we carry out make this necessary. We will inform you as soon as the changes require an action on your part (e.g., consent) or any other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and we ask you to verify the information before making contact.

Rights of the data subjects

As a data subject, you have various rights under the GDPR, particularly arising from Articles 15 to 18 and 21 of the GDPR:

Right to object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you that is carried out pursuant to Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such advertising; this also applies to profiling insofar as it is related to such direct marketing.
Right of withdrawal for consents: You have the right to revoke given consents at any time.
Right of information: You have the right to request confirmation as to whether the relevant data is being processed and to access this data as well as further information and a copy of the data in accordance with legal requirements.
Right to rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the correction of incorrect data concerning you.
Right to deletion and restriction of processing: You have the right, in accordance with legal provisions, to request that data concerning you be deleted without delay, or alternatively, to request a restriction of the processing of the data in accordance with legal provisions.
Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format in accordance with legal requirements, or to request the transfer of such data to another controller.
Complaint to the supervisory authority: You also have the right, in accordance with the statutory provisions, to lodge a complaint with a supervisory authority, particularly in the member state of your habitual residence, place of work, or the location of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.

Definitions of Terms

This section provides an overview of the terms used in this privacy policy. Many of the terms are taken from the law and are primarily defined in Art. 4 GDPR. The legal definitions are binding. The following explanations are intended primarily to aid understanding. The terms are sorted alphabetically.

Affiliate Tracking: As part of affiliate tracking, links that allow the linking websites to refer users to websites with product or other offers are logged. The operators of the respective linking websites can receive a commission if users follow these so-called affiliate links and subsequently take advantage of the offers (e.g., purchase goods or use services). For this purpose, it is necessary for the providers to be able to track whether users interested in certain offers subsequently take advantage of them due to the affiliate links. Therefore, for the functionality of affiliate links, it is necessary that they are supplemented with certain values that become part of the link or are otherwise stored, e.g., in a cookie. These values include, in particular, the originating website (referrer), the time, an online identifier of the operators of the website where the affiliate link was located, an online identifier of the respective offer, an online identifier of the user, as well as tracking-specific values such as advertising media ID, partner ID, and categorizations.
Visitor campaign evaluation:"Visit action evaluation" (English "Conversion Tracking") refers to a method used to determine the effectiveness of marketing measures. Typically, a cookie is stored on the users' devices within the websites where the marketing measures take place and then retrieved again on the target website. For example, this allows us to track whether the ads we placed on other websites were successful.
Cross-Device Tracking: Cross-device tracking is a form of tracking in which user behavior and interest information is collected across devices in so-called profiles by assigning users an online identifier. This allows user information to be analyzed for marketing purposes regardless of the browsers or devices used (e.g., mobile phones or desktop computers). For most providers, the online identifier is not linked to clear data such as names, postal addresses, or email addresses.
IP Masking: "IP masking" refers to a method in which the last octet, i.e., the last two numbers of an IP address, are deleted so that the IP address can no longer be used to uniquely identify a person. Therefore, IP masking is a means of pseudonymizing processing procedures, especially in online marketing.
Interest-based and behavioral marketing: Interest-based and/or behavioral marketing refers to the practice of predicting potential user interests in ads and other content as accurately as possible. This is done based on information about their previous behavior (e.g., visiting certain websites and staying on them, purchasing behavior, or interaction with other users), which is stored in a so-called profile. For these purposes, cookies are usually used.
Click Tracking: Click tracking allows for monitoring the movements of users within an entire online offering. Since the results of these tests are more accurate when user interaction can be tracked over a certain period of time (e.g., so we can find out if a user likes to return), cookies are usually stored on users' computers for these testing purposes.
Conversion Tracking: Conversion tracking is a method used to determine the effectiveness of marketing measures. Typically, a cookie is stored on the users' devices within the websites where the marketing measures take place and then retrieved again on the target website. For example, this allows us to track whether the ads we placed on other websites were successful.
Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Profiling: "Profiling" refers to any type of automated processing of personal data that involves using this personal data to analyze, evaluate, or predict certain personal aspects related to a natural person (depending on the type of profiling, this includes information regarding age, gender, location data and movement data, interaction with websites and their content, shopping behavior, social interactions with other people). For profiling purposes, cookies and web beacons are often used.
Range measurement: Reach measurement (also referred to as web analytics) is used to evaluate the visitor flows of an online offering and can include the behavior or interests of visitors in certain information, such as the content of websites. With the help of reach analysis, website owners can, for example, determine at what times visitors access their website and which content they are interested in. This allows them to better tailor the website content to the needs of their visitors. For the purposes of reach analysis, pseudonymous cookies and web beacons are often used to recognize returning visitors and thus obtain more accurate analyses of the use of an online offering.
Remarketing: "Remarketing" or "Retargeting" refers to the practice of noting which products a user has shown interest in on a website for advertising purposes, in order to remind the user of these products on other websites, for example through advertisements.
Tracking: "Tracking" refers to the ability to trace user behavior across multiple online services. Typically, behavioral and interest information related to the online services used is stored in cookies or on the servers of the providers of the tracking technologies (so-called profiling). This information can then be used, for example, to display advertisements to users that are likely to match their interests.
Responsible: The term "controller" refers to the natural or legal person, authority, institution, or other body that alone or jointly with others determines the purposes and means of processing personal data.
Processing:"Processing" means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and practically covers any handling of data, such as collecting, evaluating, storing, transmitting, or deleting.
Target group formation: Target group formation (or "Custom Audiences") refers to the process of defining target groups for advertising purposes, such as displaying advertisements. For example, based on a user's interest in certain products or topics on the internet, it can be inferred that this user is interested in ads for similar products or the online shop where they viewed the products. "Lookalike Audiences" (or similar target groups) refer to users who are shown content deemed suitable because their profiles or interests presumably match those of the users for whom the profiles were created. For the purpose of creating Custom Audiences and Lookalike Audiences, cookies and web beacons are typically used.

Language

Privacy policy

Introduction

Table of Contents

Responsible person

Overview of Processing

Types of Processed Data

Categories of affected persons

Purposes of processing

Binding Legal Bases

Transmission and Disclosure of Personal Data

Data processing in third countries

Use of Cookies

Commercial and business services

Use of Online Marketplaces for E-Commerce

Payment Service Provider

Registration and Login

Blogs and Publication Media

Contact

Communication via Messenger

Online conferences, meetings, and webinars

Chatbots

Surveys and Questionnaires

Provision of the online service and web hosting

Application Process

Cloud Services

Newsletter and Mass Communication

Promotional communication via mail, fax, or telephone

Giveaways and Contests

Web Analysis and Optimization

Online Marketing

Offer of an Affiliate Program

Review Platforms

Presence on social networks

Plugins and embedded functions as well as content

Planning, Organization, and Auxiliary Tools

Deletion of Data

Change and Update of the Privacy Policy

Rights of the data subjects

Definitions of Terms

Language