Privacy Policy

Status: 8 December 2020

I. Introduction

With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as „data“) we process for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both as part of the provision of our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as „online offering“).

The terms used are not gender-specific.

II. Controller

LegalTegrity GmbH
Unity Square 2
60327 Frankfurt

Authorised representatives: Pia Michel, Dr Thomas Altenbach

Email address: contact@legaltegrity.com

Legal Notice: https://legaltegrity.com/impressum/

III. Overview of processing operations

The following overview summarises the types of data processed and the purposes of their processing, referencing the data subjects concerned.

1. Types of data processed

  • Master data (e.g. names, addresses).
  • Applicant data (e.g. personal details, postal and contact addresses, documents belonging to the application and the information contained therein, such as cover letter, résumé, certificates, as well as other information about the applicant's person or qualifications provided in relation to a specific position or voluntarily by applicants).
  • Content data (e.g. entries in online forms).
  • Contact details (e.g., email, phone numbers).
  • Meta/communication data (e.g. device information, IP addresses).
  • Usage data (e.g. websites visited, interest in content, times of access).
  • Location data (information relating to the geographical position of a device or a person).
  • Contractual data (e.g. contract subject, term, customer category).
  • Payment data (e.g. bank details, invoices, payment history).
 

2. Categories of affected persons

  • Employees (e.g. staff, applicants, former employees).
  • Applicant.
  • Business and contractual partners.
  • Interested parties.
  • Contact person.
  • Customers.
  • Users (e.g. website visitors, online service users).
 

3. Purposes of processing

  • Affiliate tracking.
  • Provision of our online offering and user-friendliness.
  • Conversion measurement (measuring the effectiveness of marketing activities).
  • Recruitment procedure (reasons for, and any subsequent implementation of, the recruitment process, as well as the possible subsequent termination of the employment relationship).
  • Office and organisational procedures.
  • Cross-device tracking (the processing of user data across devices for marketing purposes).
  • Direct marketing (e.g. by email or post).
  • Target group identification.
  • Interest-based and behavioural marketing.
  • Enquiries and communication.
  • Profiling (creating user profiles).
  • Remarketing.
  • Audience measurement (e.g. traffic statistics, identification of returning visitors).
  • Safety measures.
  • Tracking (e.g. interest-based or behavioural profiling, use of cookies).
  • Surveys and questionnaires (e.g. surveys with text fields, multiple-choice questions).
  • Provision of contractual services and customer service.
  • Managing and responding to enquiries.
  • Target audience identification (identifying target audiences relevant for marketing purposes or other forms of content distribution).

IV. Relevant legal bases

Below, we outline the legal bases of the General Data Protection Regulation (GDPR) on the basis of which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations in your or our country of residence and domicile may apply. Furthermore, should more specific legal bases be relevant in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6(1)(a) GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR) – The processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures taken at the data subject’s request.
  • Legal obligation (Article 6(1), first sentence, point (c) of the GDPR) – The processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Protection of public interests (Article 6(1), first sentence, point (e) of the GDPR) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
  • The recruitment process as a pre-contractual or contractual relationship (Article 9(2)(b) of the GDPR) – Where, as part of the recruitment process, special categories of personal data within the meaning of Article 9(1) of the GDPR (e.g. health data, such as severe disability status or ethnic origin) are requested from applicants, so that the controller or the data subject may exercise their rights and fulfil their obligations arising from labour law and the law on social security and social protection, such processing is carried out in accordance with Article 9(2)(b) GDPR; in the case of the protection of the vital interests of applicants or other individuals pursuant to Article 9(2)(c) of the GDPR; or for the purposes of preventive healthcare or occupational medicine, for the assessment of an employee’s fitness for work, for medical diagnosis, care or treatment in the health or social care sector, or for the administration of systems and services in the health or social care sector, in accordance with Article 9(2)(h) of the GDPR. Where the provision of special categories of data is based on voluntary consent, such data shall be processed on the basis of Article 9(2)(a) of the GDPR.
  • Performance of contracts and pre-contractual enquiries (EKD) (Section 6(5) DSG-EKD) – The processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures taken at the data subject’s request.
 

National data protection regulations in Germany: In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on the Protection against the Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). In particular, the BDSG contains specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and the transfer of data, as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for the purposes of the employment relationship (Section 26 BDSG), in particular with regard to the establishment, performance or termination of employment relationships, as well as the consent of employees. In addition, state data protection laws of the individual federal states may apply.

V. Safety Precautions

In accordance with the statutory requirements, and taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of threats to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures in order to ensure a level of protection appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access to, input of, disclosure of, and safeguarding of the availability of the data, and ensuring its segregation. Furthermore, we have established procedures to ensure that data subjects’ rights are upheld, that data is deleted and that appropriate action is taken in the event of a data breach. Furthermore, we take the protection of personal data into account right from the development and selection of hardware, software and procedures, in accordance with the principle of data protection by design and through privacy-friendly default settings.

IP address shortening: Where it is possible for us to do so, or where storage of the IP address is not required, we shorten your IP address or have it shortened. In the case of IP address shortening, also known as „IP masking“, the last octet, i.e., the last two numbers of an IP address, is deleted (the IP address is, in this context, an identifier assigned to an internet connection by the online access provider). The shortening of the IP address is intended to prevent or significantly hinder the identification of a person by means of their IP address.

SSL encryption (https): To protect the data you submit via our online service, we use SSL encryption. You can recognise such encrypted connections by the „https://“ prefix in your browser's address bar.

VI. Transfer and disclosure of personal data

In the course of processing personal data, it may be necessary to transfer or disclose data to other bodies, companies, legally independent organisational units, or individuals. Recipients of this data may include, for example, payment institutions in the context of payment transactions, service providers tasked with IT functions, or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to protect your data.

Data transfer within the organisation: We may disclose personal data to, or grant access to it to, other entities within our organisation. Where such disclosure is for administrative purposes, the disclosure of data is based on our legitimate corporate and business interests, or takes place where it is necessary for the performance of our contractual obligations, where the data subject's consent has been obtained, or where it is permitted by law.

VII. Data Processing in Third Countries

Where we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or where the processing takes place as part of the use of third-party services or the disclosure or transmission of data to other persons, bodies or companies, this shall only be done in accordance with the statutory provisions.

Subject to explicit consent or if transfer is contractually or legally required, we will only process or have data processed in third countries with an acknowledged level of data protection, contractual obligations through so-called EU Commission Standard Contractual Clauses, or where certifications or binding corporate rules are in place (Art. 44 to 49 GDPR, EU Commission Information Page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de ).

VIII. Use of Cookies

Cookies are text files that contain data from visited websites or domains and are stored by a browser on the user's computer. A cookie primarily serves to store information about a user during or after their visit to an online service. The stored information can include, for example, language settings on a website, login status, a shopping basket, or the point at which a video was watched. We also include other technologies under the term „cookies“ that perform the same functions as cookies (e.g., when user data is stored using pseudonymous online identifiers, also referred to as "user IDs").

The following cookie types and functions are distinguished:

  • Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest once a user leaves an online service and closes their browser.
  • Persistent cookies: Persistent cookies remain stored even after the browser is closed. This allows, for example, the login status to be saved or preferred content to be displayed directly when a user revisits a website. Similarly, user interests, used for reach measurement or marketing purposes, can be stored in such a cookie.
  • First-Party Cookies: First-party cookies are set by us.
  • Third-party cookies (also known as cookies from third parties): Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
  • Necessary (also: essential or strictly required) cookies: Cookies may be absolutely essential for the operation of a website (e.g. to save logins or other user inputs, or for security reasons).
  • Statistics, marketing and personalisation cookies: Cookies are also generally used for reach measurement, as well as when a user's interests or behaviour (e.g. viewing certain content, using functions, etc.) are stored in a user profile on individual websites. Such profiles are used to display content to users that corresponds to their potential interests, for example. This process is also referred to as „tracking“, i.e. monitoring the potential interests of users. Where we use cookies or „tracking“ technologies, we will inform you separately in our privacy policy or when seeking consent.
 

Notes on Legal Basis: The legal basis on which we process your personal data with the help of cookies depends on whether we ask for your consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is the consent given. Otherwise, the data processed with the help of cookies will be processed on the basis of our legitimate interests (e.g. in the efficient operation of our online services and their improvement) or, if the use of cookies is necessary, to fulfil our contractual obligations.

Retention period: Unless we explicitly inform you about the storage duration of permanent cookies (e.g. as part of a „cookie opt-in“), please assume that the storage duration may be up to two years.

General information on revocation and objection (opt-out): Depending on whether processing is based on consent or a legal basis, you have the option at any time to withdraw consent or object to the processing of your data through cookie technologies (collectively referred to as „opt-out“). You can initially declare your objection through your browser settings, e.g., by deactivating the use of cookies (although this may also restrict the functionality of our online offer). An objection to the use of cookies for online marketing purposes can also be declared through a variety of services, especially in the case of tracking, via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you can receive further objection notices within the scope of the information on the service providers and cookies used.

Processing of cookie data based on consent: Before processing or having data processed in the context of using cookies, we ask users for their consent, which can be withdrawn at any time. Before consent has been given, only cookies that are absolutely essential for the operation of our online offering will be used, if at all.

Cookie settings/opt-out options

Processed data types: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Affected persons: Users (e.g. website visitors, online service users).

Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

IX. Commercial and Business Services

We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as „contractual partners“) within the scope of contractual and comparable legal relationships as well as related measures and in the context of communication with the contractual partners (or pre-contractually), e.g. to answer enquiries.

We process this data for the fulfilment of our contractual obligations, the safeguarding of our rights and for the purposes of the associated administrative tasks and entrepreneurial organisation. We only pass on the data of contractual partners to third parties within the scope of applicable law, insofar as this is necessary for the aforementioned purposes or for the fulfilment of legal obligations, or if the affected persons have given their consent (e.g. to telecommunications, transport and other services involved, as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Contractual partners will be informed about further forms of processing, e.g. for marketing purposes, within the scope of this data protection declaration.

We will inform contractual partners about the data required for the aforementioned purposes before or during data collection, for example, in online forms, by special marking (e.g. colours) or symbols (e.g. asterisks or similar), or personally.

We delete data upon expiry of statutory warranty and comparable obligations, meaning generally after 4 years, unless the data is stored in a customer account, e.g., as long as it must be retained for statutory archiving purposes (e.g., for tax purposes, typically 10 years). Data disclosed to us within the scope of an order by the contracting partner will be deleted in accordance with the order's specifications, generally after the end of the order.

Where we use third-party providers or platforms to render our services, the terms and conditions and data protection notices of the respective third-party providers or platforms shall apply to the relationship between users and the providers.

Customer account: Contractual partners can create an account within our online service (e.g., a customer or user account, hereinafter „customer account“). If the registration of a customer account is required, contractual partners will be informed of this, as well as of the details required for registration. The customer accounts are not public and cannot be indexed by search engines. As part of the registration process, as well as subsequent logins and uses of the customer account, we store the IP addresses of customers along with the access times in order to prove the registration and to prevent any misuse of the customer account.

When customers have terminated their customer accounts, the data pertaining to the customer account will be deleted, subject to the requirement that storage is necessary for legal reasons. It is incumbent upon customers to secure their data once their customer account has been terminated.

Shop and e-commerce: We process our customers' data to enable them to select, acquire, or order the chosen products, goods, and associated services, as well as their payment and delivery or fulfilment. If required for the fulfilment of an order, we use service providers, in particular postal, freight forwarding, and shipping companies, to carry out the delivery or fulfilment to our customers. For the processing of payment transactions, we use the services of banks and payment service providers. The necessary details are marked as such during the ordering or comparable purchase process and include the information needed for delivery or provision and billing, as well as contact information for any necessary consultations.

Processed data types: Data relating to files (e.g. names, addresses), payment details (e.g. bank details, invoices, payment history), contact details (e.g. email, phone numbers), contract data (e.g. subject of contract, term, customer category), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Affected persons: Interested parties, business and contract partners, customers.

Purposes of processing: Provision of contractual services and customer service, contact requests and communication, office and organisational procedures, administration and answering of enquiries, security measures.

Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR), Legal obligation (Art. 6(1) sentence 1 lit. c GDPR), Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

X. Payment Service Provider

In the context of contractual and other legal relationships, due to statutory obligations, or otherwise on the basis of our legitimate interests, we offer affected individuals efficient and secure payment options and use payment service providers, including banks and credit institutions, for this purpose (collectively, „Payment Service Providers“).

The data processed by payment service providers includes inventory data, such as name and address, bank details, such as account numbers or credit card numbers, passwords, TANs and check digits, as well as contract, sum, and recipient-related details. The details are required to carry out the transactions. However, the entered data is only processed and stored by the payment service providers. This means that we do not receive any account or credit card-related information, but merely information confirming or denying the payment. In certain circumstances, the data may be transmitted by the payment service providers to credit bureaus. This transmission is for the purpose of identity and credit checks. We refer to the terms and conditions and data protection information of the payment service providers in this regard.

The terms and conditions and data protection notices of the respective payment service providers, which can be accessed on their respective websites or transaction applications, also apply to payment transactions. We refer to these also for further information and for the assertion of cancellation, information and other data subject rights.

Processed data types: File data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contract data (e.g. contract subject, term, customer category), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Affected persons: Customers, prospects.

Purposes of processing: Provision of contractual services and customer service, contact enquiries and communication, affiliate tracking.

Legal basis: Performance of a contract and pre-contractual inquiries (Article 6(1)(b) GDPR), Legitimate interests (Article 6(1)(f) GDPR).

XI. Provision of the online service and web hosting

To provide our online services securely and efficiently, we use the services of one or more web hosting providers, from whose servers (or servers managed by them) the online services can be accessed. For these purposes, we can utilise infrastructure and platform services, computing capacity, storage space, database services, as well as security and technical maintenance services.

The data processed in connection with the provision of the hosting service may include all details concerning users of our online service that are generated during use and communication. This regularly includes the IP address, which is necessary to deliver the content of online services to browsers, and all entries made within our online service or on websites.

Collection of access data and log files: We ourselves (or rather our web hosting provider) collect data on every access to the server (so-called server log files). Server log files can include the address and name of the accessed websites and files, date and time of access, data transfer volumes, notification of successful retrieval, browser type and version, the user's operating system, referring URL (the previously visited page), and usually IP addresses and the requesting provider.

The server log files can be used for security purposes, for example, to prevent server overload (particularly in the case of abusive attacks, so-called DDoS attacks), and also to ensure server utilisation and stability.

Processed data types: Content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Affected persons: Users (e.g. website visitors, online service users).

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

XII. Registration, Logging in and User Account

Users can create a user account. During registration, users will be informed of the necessary mandatory details, which will be processed for the purpose of providing the user account as part of contractual performance. Processed data includes, in particular, login information (name, password, and an email address). The data entered during registration will be used for the purposes of using the user account and its function.

Users can be informed by email about events relevant to their user account, such as technical changes. If users have terminated their user account, their data relating to the user account will be deleted, subject to any statutory retention obligations. It is the responsibility of users to back up their data before the end of the contract if they have terminated it. We are entitled to irrevocably delete all data stored by the user during the contract period.

As part of the use of our registration and login functions, as well as the use of the user account, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as those of the users in protection against misuse and other unauthorised use. This data is not generally passed on to third parties, unless it is necessary for the assertion of our claims or there is a legal obligation to do so.

Processed data types: File data (e.g. names, addresses), contact data (e.g. email, phone numbers), content data (e.g. entries in online forms), meta/communication data (e.g. device information, IP addresses).

Affected persons: Users (e.g. website visitors, online service users).

Purposes of processing: Provision of contractual services and customer service, security measures, administration and handling of enquiries.

Legal basis: Consent (Art. 6(1)(a) GDPR), fulfillment of contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).

XIII. Blogs and Publishing Media

We use blogs or similar online communication and publication channels (hereinafter referred to as „publication media“). Reader data will only be processed for the purposes of the publication media to the extent necessary for its presentation and communication between authors and readers, or for security reasons. Otherwise, we refer to the information on the processing of visitors to our publication media within the scope of this privacy policy.

Processed data types: File data (e.g. names, addresses), contact data (e.g. email, phone numbers), content data (e.g. online form inputs), usage data (e.g. visited websites, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Affected persons: Users (e.g. website visitors, online service users).

Purposes of processing: Provision of contractual services and customer service, feedback (e.g. collecting feedback via online form).

Legal basis: Performance of a contract and pre-contractual inquiries (Article 6(1)(b) GDPR), Legitimate interests (Article 6(1)(f) GDPR).

XIV. Getting in Touch

When you contact us (e.g. via contact form, email, telephone or social media), the details of the enquirers will be processed to the extent necessary to answer contact requests and any requested actions.

Responding to contact requests within the framework of contractual or pre-contractual relationships is for the purpose of fulfilling our contractual obligations or responding to (pre-)contractual inquiries, and furthermore, it is based on legitimate interests in responding to the inquiries.

Processed data types: File data (e.g. names, addresses), contact data (e.g. email, phone numbers), content data (e.g. online form entries), payment data (e.g. bank details, invoices, payment history), contract data (e.g. contract subject, term, customer category), meta/communication data (e.g. device information, IP addresses).

Affected persons: Communication partners, customers, users (e.g. website visitors, users of online services).

Purposes of processing: Contact requests and communication, management and answering of enquiries, feedback (e.g. collecting feedback via online form), surveys and questionnaires (e.g. surveys with input options, multiple-choice questions).

Legal basis: Fulfilment of contract and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR), Performance of tasks carried out in the public interest (Art. 6(1)(e) GDPR).

Services and service providers used:

  • HubSpot: Customer care and service software (management of customer requests from various channels), ticketing system, feedback, satisfaction and other surveys; Service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; Website: https://www.hubspot.de; Privacy Policy: https://legal.hubspot.com/de/privacy-policy.

XV. Communication via Messenger

We use messengers for communication purposes and therefore ask you to observe the following information regarding the functionality of the messengers, encryption, the use of communication metadata, and your options for objecting.

You can also contact us via alternative methods, for example, by phone or email. Please use the contact options provided to you or the contact options listed within our online services.

In the case of end-to-end encryption of content (i.e., the content of your message and attachments), we point out that the communication content (i.e., the content of the message and attached images) is end-to-end encrypted. This means that the content of the messages cannot be viewed, not even by the messenger providers themselves. You should always use an up-to-date version of the messenger with encryption enabled to ensure the encryption of message content.

However, we also inform our communication partners that while the messenger providers cannot view the content, they can find out that and when communication partners communicate with us, and that technical information about the device used by the communication partners and, depending on their device's settings, location information (so-called metadata) are processed.

Notes on Legal Basis: If we ask communication partners for permission before communicating with them via messenger, the legal basis for processing their data is their consent. Otherwise, if we do not ask for consent and they contact us on their own initiative, for example, we use messengers in relation to our contractual partners and in the context of contract initiation as a contractual measure, and in the case of other interested parties and communication partners, on the basis of our legitimate interests in fast and efficient communication and meeting the needs of our communication partners for communication via messenger. Furthermore, we would like to point out that we do not transmit the contact details provided to us to the messengers for the first time without your consent.

Revocation, objection, and deletion: You can revoke your consent at any time, and you can object to communication with us via messenger at any time. In the case of communication via messenger, we will delete the messages in accordance with our general deletion policies (i.e., for example, as described above, after the termination of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that we have answered any requests from communication partners, if no reference to a previous conversation is to be expected and no statutory retention obligations prevent deletion.

Subject to referral to other communication channels: To conclude, we would like to point out that for your safety, we reserve the right not to respond to requests via messenger. This is the case, for example, if contractual details require special confidentiality or if a response via messenger does not meet formal requirements. In such cases, we will refer you to more adequate communication channels.

Processed data types: Contact details (e.g. email, phone numbers), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), content data (e.g. entries in online forms).

Affected persons: Contact person.

Purposes of processing: Contact requests and communication, direct marketing (e.g. by email or post).

Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Services and service providers used:

XVI. Chatbots and Chat Functions

We offer online chats and chatbot functionalities as communication options (collectively referred to as „chat services“). A chat is an online conversation conducted with some immediacy. A chatbot is software that answers user questions or informs them via messages. When you use our chat functionalities, we may process your personal data.

If you use our chat services within an online platform, your identification number within that platform will also be stored. We may also collect information about which users interact with our chat services and when. Furthermore, we store the content of your conversations via the chat services and log registration and consent processes in order to be able to prove them according to legal requirements.

We wish to inform users that the respective platform provider may ascertain that and when users communicate with our chat services, as well as collect technical information about the device used by the users and, depending on their device settings, also location information (so-called metadata) for the purpose of optimising the respective services and for security purposes. Similarly, the metadata of communication via chat services (i.e., for example, the information of who communicated with whom) may be used by the respective platform providers in accordance with their terms and conditions, to which we refer for further information, for marketing purposes or for displaying user-tailored advertising.

If users agree to have a chatbot send them information via regular messages, they always have the option to unsubscribe from the information for the future. The chatbot will inform users how and with what terms they can unsubscribe from the messages. By unsubscribing from chatbot messages, user data will be deleted from the list of message recipients.

We use the above-mentioned details to operate our chat services, e.g., to address users personally, to answer their queries, to send any requested content, and also to improve our chat services (e.g., to „teach“ chatbots answers to frequently asked questions or to identify unanswered queries).

Notes on Legal Basis: We use chat services based on consent when we have previously obtained users' permission to process their data within the scope of our chat services (this applies to cases where users are asked for consent, e.g., for a chatbot to send them regular messages). Where we use chat services to answer users' enquiries about our services or our company, this is done for contractual and pre-contractual communication. Furthermore, we use chat services based on our legitimate interests in optimising chat services, their economic efficiency, and enhancing the positive user experience.

Revocation, objection, and deletion: You can revoke your consent at any time or object to the processing of your data within our chat services.

Processed data types: Contact details (e.g. email, phone numbers), content data (e.g. entries in online forms), usage data (e.g. visited websites, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Affected persons: Contact person.

Purposes of processing: Contact requests and communication, direct marketing (e.g. by email or post).

Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Services and service providers used:

XVII. Video conferences, online meetings, webinars and screen sharing

We use third-party platforms and applications (hereinafter referred to as „third parties“) for the purposes of conducting video and audio conferences, webinars, and other types of video and audio meetings. We comply with legal requirements when selecting third parties and their services.

Within this framework, data from the communication participants are processed and stored on the third-party providers' servers, provided they are part of communication processes with us. These data may include, in particular, login and contact details, visual and vocal contributions, as well as chat inputs and shared screen content.

Should users be referred to third parties, or their software or platforms, within the scope of communication, business, or other relationships with us, the third parties may process usage data and metadata for security, service optimisation, or marketing purposes. We therefore ask that you observe the respective third parties' data protection notices.

Notes on Legal Basis: If we ask users for their consent to the use of third parties or specific functions (e.g. consent to record conversations), the legal basis for processing is consent. Furthermore, their use may be part of our (pre)contractual services, provided that the use of third parties has been agreed upon within this framework. Otherwise, user data will be processed on the basis of our legitimate interests in efficient and secure communication with our communication partners. In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

Processed data types: File data (e.g. names, addresses), contact data (e.g. email, phone numbers), content data (e.g. online form inputs), usage data (e.g. visited websites, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Affected persons: Communication partner, user (e.g. website visitor, online service user).

Purposes of processing: Provision of contractual services and customer service, contact inquiries and communication, office and organisational procedures, direct marketing (e.g. by email or post).

Legal basis: Consent (Art. 6(1)(a) GDPR), fulfillment of contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).

Services and service providers used:

XVIII. Application Procedure

The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the details provided there.

In principle, the required information includes personal details such as name, address, contact details, and proof of the qualifications necessary for a position. We are also happy to provide information on specific requirements upon request.

Where available, applicants can submit their applications to us using an online form. The data will be transmitted to us encrypted, using state-of-the-art technology. Applicants can also submit their applications to us via e-mail. However, we would like to point out that e-mails are generally not sent encrypted over the internet. As a rule, e-mails are encrypted during transit, but not on the servers from which they are sent and received. We therefore cannot accept responsibility for the transmission route of the application between the sender and receipt on our server.

For the purposes of candidate search, application submission, and candidate selection, we may use applicant management or recruitment software, and third-party platforms and services, in compliance with legal requirements.

Applicants are welcome to contact us regarding the method of submitting their application or to send the application to us by post.

Processing of special categories of data: Where special categories of personal data within the meaning of Art. 9(1) GDPR (e.g. health data, such as disability status or ethnic origin) are requested from applicants within the scope of the application process, so that the controller or the data subject can exercise the rights and fulfil the obligations incumbent upon him or her under employment law and social security and social protection law, their processing will take place in accordance with Art. 9(2)(b) GDPR, in the case of the protection of vital interests of the applicant or another person pursuant to Art. 9(2)(c) GDPR, or for purposes of preventative medicine or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, for care or treatment in the health or social security sector, or for the management of systems and services in the health or social security sector pursuant to Art. 9(2)(h) GDPR. In the case of special categories of data being disclosed on the basis of voluntary consent, their processing will take place on the basis of Art. 9(2)(a) GDPR.

Data deletion: The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job offer is unsuccessful, the applicant's data will be deleted. The applicant's data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Deletion will take place, subject to a legitimate withdrawal by the applicant, at the latest after a period of six months, so that we can answer any follow-up questions regarding the application and fulfil our obligations to provide evidence from the regulations on equal treatment of applicants. Invoices for any travel expense reimbursement will be archived in accordance with tax regulations.

Included in an applicant pool: Inclusion in an applicant pool, where offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no bearing on the ongoing application process, and that they can withdraw their consent at any time for the future.

Processed data types: Applicant data (e.g. personal details, postal and contact addresses, documents belonging to the application and the information contained therein, such as cover letter, résumé, certificates, as well as other information about the applicant's person or qualifications provided in relation to a specific position or voluntarily by applicants).

Affected persons: Applicant.

Purposes of processing: Recruitment procedure (reasons for, and any subsequent implementation of, the recruitment process, as well as the possible subsequent termination of the employment relationship).

Legal basis: Application procedure as a pre-contractual or contractual relationship (Art. 9(2)(b) GDPR).

Services and service providers used:

XIX. Cloud Services

We use software services accessible via the internet and run on our providers' servers (so-called „cloud services“, also referred to as „Software as a Service“) for the following purposes: document storage and management, calendar management, sending emails, spreadsheets and presentations, exchanging documents, content and information with specific recipients or publishing websites, forms or other content and information, as well as chats and participation in audio and video conferences.

Within this framework, personal data may be processed and stored on the providers' servers, provided that they are part of communication processes with us or are otherwise processed by us, as set out in this privacy policy. This data may include, in particular, master data and contact details of users, data relating to processes, contracts, other processes and their contents. The providers of the cloud services also process usage data and metadata, which they use for security purposes and for service optimisation.

If we provide forms or other documents and content to other users or publicly accessible websites using cloud services, providers may store cookies on users' devices for web analysis purposes or to remember user settings (e.g. in the case of media control).

Notes on Legal Basis: If we request consent for the use of cloud services, the legal basis for processing is consent. Furthermore, their use may form part of our (pre)contractual services, provided that the use of cloud services has been agreed upon within this framework. Otherwise, user data will be processed on the basis of our legitimate interests (i.e., interest in efficient and secure administrative and collaboration processes).

Processed data types: File data (e.g. names, addresses), contact data (e.g. email, phone numbers), content data (e.g. online form inputs), usage data (e.g. visited websites, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Affected persons: Customers, employees (e.g. staff, applicants, former employees), prospects, communication partners.

Purposes of processing: Office and organisational procedures.

Legal basis: Consent (Art. 6(1)(a) GDPR), fulfillment of contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).

Services and service providers used:

XX. Newsletters and Electronic Notifications

We send out newsletters, emails, and other electronic notifications (hereinafter referred to as „newsletters“) only with the consent of the recipients or a legal permission. If the contents of the newsletter are specifically described within the scope of registration, they are decisive for the consent of the users. Furthermore, our newsletters contain information about our services and us.

To sign up for our newsletters, it is generally sufficient to provide your email address. However, we may ask you to provide a name for personalised salutations in the newsletter, or further details if they are necessary for the purposes of the newsletter.

Double opt-in procedure: Registration for our newsletter is generally carried out using a so-called double opt-in procedure. This means that after registering, you will receive an email asking you to confirm your registration. This confirmation is necessary so that no one can register with another person's email address. Newsletter registrations are logged to be able to prove the registration process in accordance with legal requirements. This includes storing the time of registration and confirmation, as well as the IP address. Changes to your data stored with the shipping service provider are also logged.

Erasure and restriction of processing: We can store the processed email addresses for up to three years based on our legitimate interests before deleting them, in order to prove consent that was previously given. The processing of this data will be limited to the purpose of potentially defending against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist.

The logging of the login procedure is carried out on the basis of our legitimate interests for the purposes of proving its proper execution. Where we commission a service provider with sending emails, this is done on the basis of our legitimate interests in an efficient and secure delivery system.

Notes on Legal Basis: Newsletters are sent based on the consent of the recipients or, where consent is not required, based on our legitimate interests in direct marketing, insofar as this is permitted by law, e.g. in the case of existing customer advertising. Where we commission a service provider with the dispatch of emails, this is done on the basis of our legitimate interests. The registration process is recorded based on our legitimate interests in order to demonstrate that it was carried out in accordance with the law.

Contents: Information about us, our services, promotions and offers.

Analysis and performance measurement: The newsletters contain a so-called „web beacon“, meaning a pixel-sized file that is retrieved from our server, or if we use a dispatch service provider, from their server, when the newsletter is opened. As part of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of retrieval, is collected.

This information is used for the technical improvement of our newsletter based on technical data or target groups and their reading behaviour, based on their retrieval locations (which can be determined with the help of the IP address) or access times. This analysis also includes determining whether the newsletters are opened, when they are opened, and which links are clicked. While this information can be assigned to individual newsletter recipients for technical reasons, it is neither our intention nor, if used, that of the shipping service provider, to monitor individual users. Rather, the evaluations serve us to recognise the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.

The evaluation of the newsletter and the measurement of its success are carried out, subject to the express consent of the users, based on our legitimate interests for the purpose of using a user-friendly and secure newsletter system, which serves both our business interests and meets the expectations of users.

Unfortunately, a separate revocation of the success measurement is not possible; in this case, the entire newsletter subscription must be cancelled or objected to.

Processed data types: File data (e.g. names, addresses), contact details (e.g. email, phone numbers), meta/communication data (e.g. device information, IP addresses), usage data (e.g. websites visited, interest in content, access times).

Affected persons: Contact person.

Purposes of processing: Direct marketing (e.g. by email or post).

Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Option to object (Opt-out): You can cancel the receipt of our newsletter at any time, i.e. withdraw your consent or object to further receipt. A link to cancel the newsletter can be found at the end of each newsletter, or you can use one of the contact options provided above, preferably email, for this purpose.

Services and service providers used:

XXI. Commercial communication via e-mail, post, fax or telephone

We process personal data for the purposes of advertising communication, which may be carried out through various channels, such as email, telephone, post or fax, in accordance with legal requirements.

The recipients have the right to withdraw given consents or object to advertising communications at any time.

Following withdrawal or objection, we may store the data required to prove consent for up to three years based on our legitimate interests before deleting it. The processing of this data will be limited to the purpose of defending against potential claims. An individual request for deletion is possible at any time, provided that the previous existence of consent is simultaneously confirmed.

Processed data types: File data (e.g. names, addresses), contact details (e.g. email, phone numbers).

Affected persons: Contact person.

Purposes of processing: Direct marketing (e.g. by email or post).

Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

XXII. Web Analysis, Monitoring and Optimisation

Web analysis (also referred to as „reach measurement“) serves to evaluate the visitor traffic of our online offering and can include insights into visitor behaviour, interests, or demographic information, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for instance, determine at what times our online offering, its features, or content are most frequently used or invite reuse. Likewise, we can understand which areas require optimisation.

In addition to web analytics, we can also use testing procedures to, for example, test and optimise different versions of our online offering or its components.

For these purposes, so-called user profiles can be created and stored in a file (so-called „cookie“) or similar procedures with the same purpose can be used. This information may include, for example, content viewed, websites visited and elements used there, and technical details such as the browser used, the computer system used, and information on usage times. If users have consented to the collection of their location data, this may also be processed depending on the provider.

IP addresses of users are also stored. However, we use an IP masking process (i.e., pseudonymisation by truncating the IP address) to protect users. Generally, clear data of users (such as email addresses or names) are not stored for web analysis, A/B testing and optimisation purposes, but rather pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, only the information stored in their profiles for the purposes of the respective procedures.

Notes on Legal Basis: If we ask users for their consent to use third parties, the legal basis for data processing is consent. Otherwise, user data will be processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Processed data types: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Affected persons: Users (e.g. website visitors, online service users).

Purposes of processing: Reach measurement (e.g. access statistics, detection of repeat visitors), Tracking (e.g. interest/behaviour-based profiling, use of cookies), Conversion measurement (measurement of the effectiveness of marketing measures), Profiling (creation of user profiles).

Safety measures: IP Masking (Pseudonymisation of the IP address).

Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Services and service providers used:

  • Google Analytics: Reach measurement and web analytics; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy Policy: https://policies.google.com/privacy.
  • Statify: This website uses the web analytics service Statify to analyse and regularly improve the use of our website. The legal basis for the use of Statify is Art. 6(1)(1)(f) GDPR. Statify only counts page views and not visitors. The plugin does not process or store any personal data, such as IP addresses. The plugin is an open-source project. Further information from the third-party provider on data protection can be found at https://de.wordpress.org/plugins/statify/.

  • Hotjar: We use Hotjar to better understand the needs of our users and to optimise this service and their experience. Hotjar is a technology service that helps us to get a better feel for our users' experience and what they might be interested in (e.g. how much time they spend on which pages, which links they choose to click, what users like and dislike, etc.) and this allows us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users' behaviour and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information in a pseudonymised user profile under our instruction. Hotjar is contractually obliged not to sell any of the data collected on our behalf. For further details, see the „About Hotjar“ section on the Hotjar Support Page.

XXIII. Online Marketing

We process personal data for online marketing purposes, which can include in particular the marketing of advertising space or the display of advertising and other content (collectively referred to as „content“) based on users' potential interests, as well as the measurement of their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (a „cookie“) or similar methods are used, by which information relevant to the user for the display of the aforementioned content is stored. This information may include, for example, content viewed, websites visited, online networks used, as well as communication partners and technical details such as the browser used, the computer system used, and information on usage times. If users have consented to the collection of their location data, this may also be processed.

The IP addresses of users are also saved. However, we use available IP masking methods (i.e., pseudonymisation by shortening the IP address) to protect users. Generally, no clear user data (such as email addresses or names) is saved within the scope of the online marketing process; instead, pseudonyms are used. This means that neither we nor the providers of the online marketing methods know the actual identity of the users, but only the information stored in their profiles.

The details in the profiles are usually stored in cookies or by means of similar procedures. These cookies can subsequently be read out on other websites that use the same online marketing procedure and analysed for the purpose of displaying content, as well as supplemented with further data and stored on the server of the online marketing procedure provider.

In exceptional cases, clear data can be assigned to profiles. This is the case, for example, when users are members of a social network for which we use online marketing procedures and the network links the users' profiles with the aforementioned details. Please note that users may make additional agreements with the providers, for instance, through consent during registration.

We generally only receive access to summarised information about the success of our advertisements. However, within the scope of so-called conversion tracking, we can check which of our online marketing methods have led to a so-called conversion, i.e., for example, to the conclusion of a contract with us. Conversion tracking is used solely for the analysis of the success of our marketing measures.

Unless otherwise stated, please assume that cookies used will be stored for a period of two years.

Notes on Legal Basis: If we ask users for their consent to use third parties, the legal basis for data processing is consent. Otherwise, user data will be processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Google Universal Analytics: We use Google Analytics in the form of Universal Analytics (https://support.google.com/analytics/answer/2790010?hl=de&ref_topic=6010376). „Universal Analytics“ refers to a method used by Google Analytics, where user analysis is based on a pseudonymous user ID, thereby creating a pseudonymous user profile with information from the use of different devices (so-called „cross-device tracking“).

Processed data types: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), location data (information on the geographical position of a device or person).

Affected persons: Users (e.g. website visitors, users of online services), prospects.

Purposes of processing: Tracking (e.g. interest-based/behaviour-based profiling, use of cookies), remarketing, conversion measurement (measuring the effectiveness of marketing measures), interest-based and behaviour-based marketing, profiling (creation of user profiles), reach measurement (e.g. access statistics, detection of returning visitors), cross-device tracking (cross-device processing of user data for marketing purposes).

Safety measures: IP Masking (Pseudonymisation of the IP address).

Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Option to object (Opt-out): We refer to the respective providers' data protection notices and the opt-out possibilities indicated for the providers. If no explicit opt-out possibility has been indicated, it is possible for you to disable cookies in your browser settings, although this may restrict the functionality of our online services. Therefore, we also recommend the following opt-out possibilities, which are offered as a summary directed at the respective areas:

Services and service providers used:

XXIV. Affiliate Programme Offer

We offer an affiliate programme, meaning commissions or other benefits (collectively referred to as „commission“) for users (referred to as „affiliates“) who refer to our offerings and services. The referral is made via a link assigned to the respective affiliate or other methods (e.g. discount codes) that allow us to recognise that the utilisation of our services was based on the referral (collectively referred to as „affiliate links“).

In order to track whether users have availed themselves of our services via affiliate links used by affiliates, it is necessary for us to know that users have followed an affiliate link. The assignment of affiliate links to respective business transactions or other use of our services serves solely the purpose of commission settlement and will be deleted as soon as it is no longer required for that purpose.

For the purposes of the aforementioned assignment of affiliate links, the affiliate links may be supplemented with certain values, which are part of the link or can otherwise be stored, for example, in a cookie. The values may include, in particular, the referring website (referrer), the time, an online identifier of the operator of the website on which the affiliate link was located, an online identifier of the respective offer, the type of link used, the type of offer, and an online identifier of the user.

Notes on Legal Basis: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Furthermore, their use can be part of our (pre)contractual services, provided that the use of third-party providers has been agreed upon in this context. Otherwise, user data will be processed on the basis of our legitimate interests (i.e., interest in efficient, economical and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this data protection declaration.

Processed data types: Contractual data (e.g. contract subject matter, term, customer category), usage data (e.g. websites visited, interest in content, access times).

Affected persons: Users (e.g. website visitors, users of online services), business and contract partners.

Purposes of processing: Provision of contractual services and customer service, affiliate tracking.

Legal basis: Consent (Art. 6(1)(a) GDPR), fulfillment of contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).

XXV. Presences on Social Media

We maintain online presences within social networks and process user data in this context to communicate with users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This may create risks for users, as a result of which, for example, the enforcement of users' rights could be made more difficult.

Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on user behaviour and resulting interests. These usage profiles can, in turn, be used to display advertising within and outside the networks that presumably matches the users' interests. For these purposes, cookies are usually stored on users' computers, which store their usage behaviour and interests. Furthermore, data independent of the devices used by the users can also be stored in the usage profiles (especially if the users are members of the respective platforms and are logged in).

For a detailed description of the respective processing methods and the possibilities of objection (opt-out), please refer to the privacy policies and information provided by the operators of the respective networks.

In the case of information requests and the assertion of data subject rights, we would also like to point out that these can be most effectively asserted with the providers. Only the providers have access to the user data in each case and can take corresponding measures and provide information directly. Should you still require assistance, you can contact us.

Processed data types: Master data (e.g. names, addresses), contact data (e.g. email, phone numbers), content data (e.g. online form inputs), usage data (e.g. visited websites, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Affected persons: Users (e.g. website visitors, online service users).

Purposes of processing: Contact inquiries and communication, tracking (e.g. interest/behaviour-related profiling, use of cookies), remarketing, reach measurement (e.g. access statistics, recognition of returning visitors).

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Services and service providers used:

XXVI. Plugins and embedded functions as well as content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as „third-party providers“). These may include, for example, graphics, videos, or social media buttons, as well as contributions (hereinafter collectively referred to as „content“).

Embedding always requires that third-party providers of these contents process users' IP addresses, as they cannot send the contents to their browsers without the IP address. The IP address is therefore necessary for the display of these contents or functions. We endeavour to use only those contents whose respective providers merely use the IP address for the delivery of the contents. Third-party providers may also use so-called „pixel tags“ (invisible graphics, also known as „web beacons“) for statistical or marketing purposes. Through the „pixel tags“, information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information can also be stored in cookies on the users' devices and may include technical information about the browser and operating system, referring websites, time of visit, and other details about the use of our online offering, as well as be linked to such information from other sources.

Notes on Legal Basis: If we ask users for their consent to use third parties, the legal basis for data processing is consent. Otherwise, user data will be processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Processed data types: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Affected persons: Users (e.g. website visitors, online service users).

Purposes of processing: Provision of our online offering and user-friendliness.

Services and service providers used:

XXVII. Planning, Organisation and Tools

We use services, platforms and software from other providers (hereinafter referred to as „third-party providers“) for the purposes of organising, administering, planning and providing our services. We observe the statutory requirements when selecting third-party providers and their services.

Within this framework, personal data can be processed and stored on third-party servers. This may involve various types of data, which we process in accordance with this privacy policy. These data may include, in particular, master data and contact details of users, data on transactions, contracts, other processes, and their content.

If users are referred to third-party providers or their software or platforms within the scope of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimisation or marketing purposes. We therefore ask you to note the privacy notices of the respective third-party providers.

Notes on Legal Basis: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Furthermore, their use can be part of our (pre)contractual services, provided that the use of third-party providers has been agreed upon in this context. Otherwise, user data will be processed on the basis of our legitimate interests (i.e., interest in efficient, economical and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this data protection declaration.

Processed data types: Master data (e.g. names, addresses), contact data (e.g. email, phone numbers), content data (e.g. online form inputs), usage data (e.g. visited websites, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Affected persons: Communication partners, users (e.g. website visitors, online service users), customers.

Purposes of processing: Office and organisational procedures, contact requests and communication, reach measurement (e.g. access statistics, identification of returning visitors), tracking (e.g. interest-based/behaviour-based profiling, use of cookies), conversion measurement (measurement of the effectiveness of marketing measures), management and processing of requests, feedback (e.g. collecting feedback via online form), audience segmentation (determination of target groups relevant for marketing purposes or other content delivery).

Legal basis: Consent (Art. 6(1)(a) GDPR), contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR), contract performance and pre-contractual inquiries (EKD) (§ 6 No. 5 DSG-EKD).

Services and service providers used:

XXVIII. Deletion of Data

The data we process will be deleted in accordance with legal requirements as soon as the consents permitting their processing are revoked, or other permissions cease to apply (e.g., if the purpose of processing this data is no longer applicable or they are no longer necessary for the purpose).

If the data is not deleted because it is necessary for other legitimate purposes, its processing will be restricted to those purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons, or whose storage is necessary for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person.

Further details on the deletion of personal data may also be provided within the individual data protection notices of this privacy policy.

XXIX. Amendment and Update of the Privacy Policy

We ask you to regularly consult the content of our privacy policy. We adjust the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an action on your part (e.g., consent) or any other individual notification.

If we provide addresses and contact information for companies and organisations in this privacy policy, please note that addresses may change over time and we ask that you check the details before making contact.

XXX. Rights of Data Subjects

As a data subject, you have various rights under the GDPR, particularly arising from Articles 15 to 21 of the GDPR:

  • Right of objection: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions. If personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, including profiling, to the extent that it is related to such direct marketing.
  • Right of withdrawal for consents: You have the right to withdraw any consents you have given at any time.
  • Right to information: You have the right to request confirmation as to whether or not personal data concerning you are being processed, and to request information about these data, as well as further information and a copy of the data, in accordance with the statutory requirements.
  • Right of rectification: In accordance with the statutory provisions, you have the right to demand the completion of data concerning you or the correction of inaccurate data concerning you.
  • Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to demand that data concerning you be immediately deleted, or alternatively, in accordance with legal requirements, to demand a restriction on the processing of the data.
  • Right to data portability: You have the right, in accordance with statutory provisions, to receive the personal data concerning you that you have provided to us in a structured, common, and machine-readable format, or to request its transfer to another controller.
  • Complaint to supervisory authority: You also have the right, in accordance with the legal provisions, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR.

XXXI. Definitions

In this section, you will find an overview of the terms used in this privacy policy. Many of the terms are taken from the law and are defined primarily in Art. 4 GDPR. The legal definitions are binding. The explanations below are intended to aid understanding. The terms are listed in alphabetical order.

  • Affiliate Tracking: Links used in affiliate tracking log referrals from linking websites to websites featuring product or other offers. The operators of the linking websites can receive a commission if users follow these so-called affiliate links and subsequently take up the offers (e.g., purchase goods or use services). For this to work, providers must be able to track whether users who are interested in specific offers subsequently take them up as a result of the affiliate links. Therefore, for affiliate links to function, they must be supplemented with certain values that become part of the link or are stored elsewhere, for example, in a cookie. These values include, in particular, the source website (referrer), the time, an online identifier for the operators of the website on which the affiliate link was located, an online identifier for the respective offer, an online identifier for the user, as well as tracking-specific values, such as the advertising material ID, partner ID, and categorisations.
  • Cross-Device Tracking: Cross-device tracking is a form of tracking where user behavioural and interest information is collected across devices in so-called profiles by assigning an online identifier to users. This allows user information to be analysed, usually for marketing purposes, independently of the browsers or devices used (e.g. mobile phones or desktop computers). For most providers, the online identifier is not linked to clear data, such as names, postal addresses or email addresses.
  • IP-Masking: „IP masking“ refers to a method where the last octet, meaning the last two digits of an IP address, is deleted so that the IP address can no longer be used for the unique identification of an individual. Therefore, IP masking is a means of pseudonymising processing operations, particularly in online marketing.
  • Interest-based and behavioural marketing: Interest-based and/or behavioural marketing refers to the precise pre-determination of potential user interests in advertisements and other content. This is done using information about their previous behaviour (e.g. visiting specific websites and dwelling on them, purchasing behaviour, or interacting with other users), which is stored in a profile. Cookies are usually used for these purposes.
  • Conversion measurement: Conversion measurement (also known as „visit action evaluation“) is a method used to determine the effectiveness of marketing measures. This typically involves storing a cookie on users' devices within the websites where the marketing measures are implemented, and then retrieving it again on the target website. For example, this allows us to track whether the advertisements we placed on other websites were successful.
  • Personal data: „Personal data“ means any information relating to an identified or identifiable natural person (hereinafter referred to as the „data subject“); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Profiling: „Profiling“ refers to any automated processing of personal data which consists of using that personal data to evaluate certain personal aspects relating to a natural person (depending on the type of profiling, this includes information concerning age, gender, location data and movement data, interaction with websites and their content, purchasing behaviour, social interactions with other people) in order to analyse, assess or predict them (e.g. interests in certain content or products, click behaviour on a website or location). Cookies and web beacons are often used for profiling purposes.
  • Reach measurement: Website analytics (also referred to as „Web Analytics“) is used for evaluating the visitor traffic of an online service and can include the behaviour or interests of visitors in specific information, such as website content. With the help of reach analysis, website owners can, for example, recognise at what times visitors access their website and which content they are interested in. This allows them to better adapt the website's content to their visitors' needs, for example. For reach analysis purposes, pseudonymous cookies and web beacons are frequently used to recognise returning visitors and thus obtain more accurate analyses of the use of an online service.
  • Remarketing: „Remarketing“ or „retargeting“ is when, for advertising purposes, it is noted which products a user has shown interest in on a website, in order to remind the user of these products on other websites, for example through advertisements.
  • Location data: Location data is generated when a mobile device (or another device with the technical prerequisites for location determination) connects to a mobile cell, a Wi-Fi network, or similar technical means and functions for location determination. Location data is used to indicate the geographically determinable position on Earth where the respective device is located. Location data can be used, for example, to display map functions or other location-dependent information.
  • Tracking: „Tracking“ refers to the ability to follow user behaviour across multiple online services. As a rule, behavioural and interest information relating to the online services used is stored in cookies or on the servers of the tracking technology providers (so-called „profiling“). This information can then be used, for example, to show users advertisements that are likely to match their interests.
  • Controller: The „controller“ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: „Processing“ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers practically any handling of data, whether it be collection, analysis, storage, transmission or deletion.
  • Target group formation: „Custom Audiences“ refers to the determination of target groups for advertising purposes, such as the display of advertisements. For example, based on a user's interest in certain products or topics on the internet, it can be inferred that this user is interested in advertisements for similar products or for the online shop where they viewed the products. „Lookalike Audiences“ (or similar target groups) are then used to display content deemed suitable to users whose profiles or interests are presumed to match those of the users for whom the profiles were created. Cookies and web beacons are typically used to create Custom Audiences and Lookalike Audiences.