Privacy Policy

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

• Inventory data.
• Contact data.
• Content data.
• Usage data.
• Meta, communication and procedural data.
• Protocol data.

Categories of data subjects

• Communication partners.
• Users.

Purposes of processing

• Communication.
• Security measures.
• Organizational and administrative procedures.
• Feedback.
• Provision of our online offering and user-friendliness.
• Information technology infrastructure.

Relevant legal bases according to the GDPR: Below you will find an overview of the legal bases of the GDPR, on the basis of which we process personal data. Please note that in addition to the regulations of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. If more specific legal bases apply in individual cases, we will inform you about these in the data protection declaration.

• Consent (Art. 6 Para. 1 S. 1 lit. a) GDPR) - The data subject has their consent to the processing of personal data concerning them given a specific purpose or several specific purposes.
• Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR) - The processing is for the fulfillment of a contract to which the data subject is a party , or necessary to carry out pre-contractual measures at the request of the data subject.
• Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR) - the processing is necessary to protect the legitimate interests of the person responsible or a third party, provided that that the interests, fundamental rights and freedoms of the data subject, which require the protection of personal data, do not outweigh this.

Third country (outside the EU and Switzerland): The data protection regulations in the country of residence of the person responsible apply in addition to or in addition to the data protection regulations of the GDPR. These regulations may contain specific provisions that go beyond or deviate from the requirements of the GDPR. These include, among other things, regulations to protect against misuse of personal data, regulations on access and deletion rights, rights of objection, processing of special categories of personal data, processing for other purposes, transfer and automated decision-making including profiling.

We take appropriate technical measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons and organizational measures to ensure a level of protection appropriate to the risk.

The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, disclosure, securing availability and related data their separation. We have also set up procedures to ensure that the rights of those affected are exercised, data are deleted and responses are made to data threats. We also take the protection of personal data into account when developing or selecting hardware, software and procedures in accordance with the principle of data protection, through technology design and through data protection-friendly default settings.

Securing online connections using TLS/SSL encryption technology (HTTPS): In order to protect user data transmitted via our online services from unauthorized access, we rely on TLS. /SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the advanced and more secure version of SSL, ensures that all data transfers meet the highest security standards. If a website is secured by an SSL/TLS certificate, this is signaled by displaying HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and encrypted.

As part of our processing of personal data, it may happen that these are transmitted to or disclosed to other bodies, companies, legally independent organizational units or persons. The recipients of this data can include:  B. include service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if the processing takes place as part of the use of third-party services or the disclosure or transfer of data to other persons, entities, or companies, this will only occur in accordance with legal requirements. If the data protection level in the third country has been recognized through an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers will only take place if the data protection level is ensured in another way, particularly through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or in the case of contractual or legally required transfer (Art. 49(1) GDPR). Additionally, we will inform you of the basis for third-country transfers for each provider from the third country, with adequacy decisions serving as the primary basis. Information on third-country transfers and existing adequacy decisions can be found in the information provided by the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de. As part of the so-called "Data Privacy Framework" (DPF), the European Commission also recognized the data protection level for certain companies from the USA as secure within the framework of the adequacy decision dated 10.07.2023. The list of certified companies and further information on the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English). We will inform you in our privacy notices which service providers we use are certified under the Data Privacy Framework.

We delete personal data that we process in accordance with legal regulations as soon as the underlying consent is revoked or there are no further legal bases for the processing. This applies to cases in which the original purpose of processing no longer applies or the data is no longer needed. Exceptions to this rule exist if legal obligations or special interests require longer storage or archiving of the data.

In particular, data that must be stored for commercial or tax reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.

Our data protection notice contains additional information on the retention and deletion of data that applies specifically to certain processing processes.

If there is multiple information about the retention period or deletion period for a date, the longest period always applies.

If a deadline does not explicitly start on a specific date and is at least one year, it starts automatically at the end of the calendar year in which the event triggering the deadline occurred. In the case of ongoing contractual relationships in which data is stored, the event that triggers the deadline is the time when the termination or other termination of the legal relationship comes into effect.

We process data that is no longer stored for the originally intended purpose but due to legal requirements or other reasons only for the reasons that justify its storage.

Rights of the data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

• Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is carried out on the basis of Article 6 (1) (e) or (f) of the GDPR; This also applies to profiling based on these provisions. If your personal data is processed for the purpose of direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; This also applies to profiling insofar as it is connected to such direct advertising.
• Right to revoke consent: You have the right to revoke your consent at any time.
• Right to information: You have the right to request confirmation as to whether the data in question is being processed and to request information about this data as well as further information and a copy of the data in accordance with legal requirements .
• Right to correction: In accordance with legal requirements, you have the right to request that the data concerning you be completed or that incorrect data concerning you be corrected.
• Right to deletion and restriction of processing: In accordance with the legal requirements, you have the right to request that data concerning you be deleted immediately, or alternatively in accordance with the legal requirements Requirements to request a restriction on the processing of the data.
• Right to data portability: You have the right to receive or receive data concerning you that you have provided to us in a structured, common and machine-readable format in accordance with legal requirements to request transmission to another person responsible.
• Complaint to a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of your usual place of residence, your place of work or the place of the alleged Violation if you believe that the processing of your personal data violates the requirements of the GDPR.

We process user data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

• Processed data types: Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, types of devices used and operating systems, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons). Log data (e.g., log files related to logins, data retrievals, or access times).
• Data subjects: Users (e.g., website visitors, users of online services).
• Purposes of processing: Provision of our online services and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices, such as computers, servers, etc.); Security measures.
• Retention and deletion: Deletion according to the information provided in the section "General Information on Data Storage and Deletion".
• Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).

Further information on processing procedures, methods, and services:

• Provision of online services on rented storage space: To provide our online services, we use storage space, computing power, and software that we rent or otherwise obtain from a server provider (also referred to as a "web host"); Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).
• Collection of access data and log files: Access to our online services is logged in the form of so-called "server log files." Server log files may include the address and name of the accessed web pages and files, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and typically IP addresses and the requesting provider. Server log files may be used for security purposes, for example, to prevent server overload (especially in cases of abusive attacks, such as DDoS attacks), as well as to ensure server load and stability; Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidence purposes is excluded from deletion until the respective incident is fully resolved.

Cookies are small text files or other storage notes that store information on end devices and read it from them. For example, to save the log-in status in a user account, the contents of a shopping cart in an e-shop, the content accessed or the functions used in an online offer. Cookies can also be used for various purposes, such as the functionality, security and convenience of online offerings and the creation of analyzes of visitor flows.

Notes on consent:We use cookies in accordance with legal regulations. We therefore obtain prior consent from users unless it is not required by law. In particular, permission is not necessary if the storage and reading of the information, including cookies, is absolutely necessary in order to provide users with a telemedia service they have expressly requested (i.e. our online offering). The revocable consent will be clearly communicated to you and contains information on the respective cookie use.

Notes on data protection legal bases:  On which data protection basis we process users' personal data using cookies depends on whether we ask them for consent. If users accept, the legal basis for the use of their data is their declared consent. Otherwise, the data used using cookies will be processed on the basis of our legitimate interests (e.g. in operating our online offering and improving its usability) or, if this is within the scope of fulfilling our contractual obligations, if the use of cookies is necessary is to fulfill our contractual obligations. We will explain the purposes for which we use cookies in the course of this data protection declaration or as part of our consent and processing processes.

Storage period:With regard to the storage period, a distinction is made between the following types of cookies:

• Temporary cookies (also: session or Session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their device (e.g. browser or mobile application).
• Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, the log-in status can be saved and preferred content can be displayed directly when the user visits a website again. The user data collected using cookies can also be used to measure reach. Unless we provide users with explicit information about the type and storage period of cookies (e.g. as part of obtaining consent), they should assume that they are permanent and that the storage period can be up to two years.

General information on revocation and objection (opt-out): Users can revoke the consent they have given at any time and can also object to the processing in accordance with the legal requirements , also using the privacy settings of your browser.

• Types of data processed: Meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, people involved) .
• Affected persons: Users (e.g. website visitors, users of online services).
• Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR). Consent (Art. 6 Para. 1 Sentence 1 Letter a) GDPR).

Further information on processing processes, procedures and services:

• Processing of cookies -Data based on consent: We use a consent management solution in which users' consent to the use of cookies or to the procedures and providers mentioned as part of the consent management solution is obtained. This procedure is used to obtain, record, manage and revoke consent, particularly with regard to the use of cookies and similar technologies that are used to store, read and process information on users' end devices. As part of this procedure, users' consents are obtained for the use of cookies and the related processing of information, including the specific processing and providers mentioned in the consent management procedure. Users also have the option to manage and revoke their consent. The declarations of consent are stored in order to avoid repeated queries and to be able to provide proof of consent in accordance with legal requirements. The storage takes place on the server side and/or in a cookie (so-called opt-in cookie) or using comparable technologies in order to be able to assign the consent to a specific user or their device. If there is no specific information about the providers of consent management services, the following general information applies: The duration of the storage of consent is up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, information on the scope of consent (e.g. relevant categories of cookies and/or service providers) and information about the browser, the system and the device used becomes; Legal basis: Consent (Art. 6 Para. 1 S. 1 lit. a) GDPR).

When contacting us (e.g., by mail, contact form, email, phone, or via social media) as well as within the context of existing user and business relationships, the information provided by the inquiring individuals will be processed to the extent necessary to respond to the contact requests and any requested actions.

• Processed data types: Master data (e.g., full name, home address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or image messages and posts as well as related information, such as author details or time of creation); Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, types of devices used and operating systems, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
• Data subjects: Communication partners.
• Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online form); provision of our online services and user-friendliness.
• Retention and deletion: Deletion according to the information provided in the section "General Information on Data Storage and Deletion".
• Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR); Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR).

Further information on processing procedures, methods, and services:

• Contact form: When contacting us via our contact form, email, or other communication channels, we process the personal data provided to respond to and handle the respective inquiry. This typically includes information such as name, contact details, and, if applicable, other information shared with us that is necessary for appropriate processing. We use this data solely for the stated purpose of contact and communication; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR); Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).

We ask you to regularly inform yourself about the content of our data protection declaration. We will adapt the data protection declaration as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

If we provide addresses and contact information for companies and organizations in this data protection declaration, please note that the addresses may change over time and we ask you to check the information before contacting us.

In this section you will find an overview of the terms used in this data protection declaration. To the extent that the terms are defined by law, their legal definitions apply. The following explanations, on the other hand, are intended primarily to provide understanding.

• Inventory data: Inventory data includes essential information that is necessary for the identification and management of contractual partners, user accounts, profiles and similar assignments. This information may include, but is not limited to, personal and demographic information such as names, contact information (addresses, phone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between people and services, facilities or systems by enabling clear attribution and communication.
• Content data: Content data includes information that is generated in the course of creating, editing and publishing all types of content. This category of data may include text, images, videos, audio files and other multimedia content published on various platforms and media. Content data is not only limited to the actual content, but also includes metadata that provides information about the content itself, such as tags, descriptions, author information and publication dates
• Contact details: Contact details are essential Information that enables communication with people or organizations. They include, among other things, telephone numbers, postal addresses and email addresses, as well as means of communication such as social media handles and instant messaging identifiers.
• Meta, communication and procedural data: Meta, communication and procedural data are categories that contain information about the way data is processed, transmitted and managed. Metadata, also known as data about data, includes information that describes the context, provenance, and structure of other data. They can include information about file size, creation date, author of a document and change histories. Communication data records the exchange of information between users across various channels, such as email traffic, call logs, social network messages and chat histories, including the people involved, timestamps and transmission routes. Procedural data describes the processes and operations within systems or organizations, including workflow documentation, logs of transactions and activities, and audit logs used to track and review operations.
• Usage Data: Usage data refers to information that captures how users interact with digital products, services or platforms. This data includes a wide range of information that shows how users use applications, what features they prefer, how long they spend on certain pages, and the paths they take to navigate through an application. Usage data may also include frequency of use, timestamps of activities, IP addresses, device information and location data. They are particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. In addition, usage data plays a crucial role in identifying trends, preferences and potential problem areas within digital offerings
• Personal data: "Personal data" refers to any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• Log data: Log data refers to information about events or activities that have been recorded in a system or network. This data typically includes information such as timestamps, IP addresses, user actions, error messages, and other details about the use or operation of a system. Log data is often used to analyze system issues, monitor security, or generate performance reports.
• Controller: The "controller" is the natural or legal person, authority, institution, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processing: "Processing" refers to any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and includes virtually any handling of data, whether it involves collection, evaluation, storage, transmission, or deletion.