Privacy Policy
Preamble
With this privacy policy, we aim to inform you about the types of your personal data (hereinafter also referred to as “Data”) that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and particularly on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “Online Offering”).
The terms used are not gender-specific.
As of: August 16, 2023
Legal text by Dr. Schwenke – for further information, please click here.
Table of Contents
Preamble
Controller
Overview of Processing Activities
Relevant Legal Bases
Security Measures
Transmission of Personal Data
International Data Transfers
Rights of Data Subjects
Use of Cookies
Business Services
Payment Processing
Provision of the Online Offering and Web Hosting
Registration, Login, and User Account
Contact and Inquiry Management
Communication via Messengers
Application Procedures
Cloud Services
Newsletters and Electronic Notifications
Advertising Communication via Email, Post, Fax, or Telephone
Contests and Competitions
Web Analysis, Monitoring, and Optimization
Online Marketing
Customer Reviews and Rating Processes
Presence on Social Networks (Social Media)
Plugins and Embedded Functions and Content
Management, Organization, and Tools
Controller
Johanna Glaser
Kirchplatz 2
9210 Pörtschach
Email address:
marketing@sandwirth.at
imprint: https://sandwirth.at/en/imprint/
Relevant Legal Bases
Relevant legal bases according to the GDPR: The following is an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the GDPR, national data protection regulations may apply in your or our country of residence or domicile. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.
Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
Performance of a Contract and Pre-contractual Inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
Legal Obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
Legitimate Interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Application Procedures as a Pre-contractual or Contractual Relationship (Art. 6(1)(b) GDPR) – To the extent that special categories of personal data within the meaning of Art. 9(1) GDPR (e.g., health data, such as information about disability status or ethnic origin) are requested from applicants as part of the application procedure, the processing of such data will occur pursuant to Art. 9(2)(b) GDPR if it relates to carrying out obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law. If the data subject provides explicit consent, the processing will be based on Art. 9(2)(a) GDPR.
Processing of Special Categories of Personal Data for Healthcare, Profession, and Social Security (Art. 9(2)(h) GDPR).
Consent to the Processing of Special Categories of Personal Data (Art. 9(2)(a) GDPR).
Processing of Special Categories of Personal Data to Protect Vital Interests (Art. 9(2)(c) GDPR).
National Data Protection Regulations in Austria: In addition to the GDPR, national data protection regulations apply in Austria. These include the Data Protection Act (Datenschutzgesetz – DSG). The Data Protection Act contains special provisions on the right to information, the right to rectification or erasure, the processing of special categories of personal data, processing for other purposes, and transmission, as well as automated individual decision-making.
Relevant Legal Bases under the Swiss Data Protection Act: If you are located in Switzerland, we process your data based on the Federal Act on Data Protection (short “Swiss DPA,” effective from September 1, 2023). This also applies if our data processing affects you in Switzerland and you are affected by the processing. The Swiss DPA generally does not require (unlike the GDPR) that a legal basis be cited for the processing of personal data. We process personal data only if the processing is lawful, carried out in good faith, and proportionate (Art. 6(1) and (2) Swiss DPA). Furthermore, we only collect and process personal data for specific and identifiable purposes and ensure that it is compatible with these purposes (Art. 6(3) Swiss DPA).
Reference to the Applicability of GDPR and Swiss DPA: These data protection notices serve both to provide information in accordance with the Swiss Federal Data Protection Act (Swiss DPA) and the General Data Protection Regulation (GDPR). For the sake of broader spatial application and understandability, we use the terms of the GDPR. In particular, the terms “processing” of “personal data,” “legitimate interest,” and “special categories of data” used in the GDPR are used instead of the terms used in the Swiss DPA, such as “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data.” However, the legal meaning of the terms continues to be determined by the Swiss DPA within the scope of the applicability of the Swiss DPA.
Overview of Processing Activities
The following overview summarizes the types of data processed and the purposes of their processing, referring to the affected individuals.
Types of Processed Data
Inventory Data.
Payment Data.
Location Data.
Contact Data.
Content Data.
Contract Data.
Usage Data.
Meta, Communication, and Process Data.
Applicant Data.
Image and/or Video Recordings.
Event Data (Facebook).
Special Categories of Data
Health Data.
Religious or Philosophical Beliefs.
Categories of Affected Persons
Customers.
Employees.
Prospects.
Communication Partners.
Users.
Applicants.
Contest and Competition Participants.
Business and Contractual Partners.
Processing Purposes
Provision of contractual services and fulfillment of contractual obligations.
Contact inquiries and communication.
Security measures.
Direct marketing.
Reach measurement.
Tracking.
Office and organizational procedures.
Remarketing.
Conversion measurement.
Audience targeting.
Management and response to inquiries.
Application procedures.
Conducting contests and competitions.
Feedback.
Marketing.
Profiles with user-related information.
Provision of our online offering and user-friendliness.
Information technology infrastructure.
Security Measures
In accordance with legal requirements and taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihoods and the extent of the threat to the rights and freedoms of natural persons, we implement suitable technical and organizational measures to ensure a level of protection appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as the access, input, disclosure, availability, and separation of them. Furthermore, we have established procedures to ensure the exercise of data subject rights, the erasure of data, and responses to data threats. We also consider the protection of personal data during the development or selection of hardware, software, and procedures in accordance with the principle of data protection, through technology design, and through privacy-friendly default settings.
IP Address Shortening: If IP addresses are processed by us or the service providers and technologies used, and the processing of a full IP address is not required, the IP address is shortened (also known as “IP masking”). Hereby, the last two digits, or the last part of the IP address after a dot, are removed or replaced with placeholders. IP address shortening is intended to prevent or significantly hinder the identification of a person based on their IP address.
TLS Encryption (https): To protect the data transmitted via our online offering, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
Transmission of Personal Data
In the context of our processing of personal data, it may happen that the data is transferred to other entities, companies, legally independent organizational units, or individuals or disclosed to them. Recipients of this data may include service providers assigned with IT tasks or providers of services and content embedded in a website. In such cases, we comply with legal requirements and conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.
Transmission of data within the corporate group: We may transfer personal data to other companies within our corporate group or grant them access to this data. If this transfer is for administrative purposes, the transfer of data is based on our legitimate business and economic interests or is carried out if necessary for the fulfillment of our contractual obligations or if there is consent from the data subjects or a legal permission.
Transmission of data within the organization: We may transfer personal data to other units within our organization or grant them access to this data. If this transfer is for administrative purposes, the transfer of data is based on our legitimate business and economic interests or is carried out if necessary for the fulfillment of our contractual obligations or if there is consent from the data subjects or a legal permission.
International Data Transfers
Data Processing in Third Countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if processing occurs within the scope of using third-party services or the disclosure or transmission of data to other individuals, entities, or companies, this is done in compliance with legal requirements.
Subject to explicit consent or contractually or legally required transmission (see Art. 49 GDPR), we process or allow data processing only in third countries with an acknowledged level of data protection (Art. 45 GDPR), where compliance with contractual obligations is ensured through EU Commission’s standard data protection clauses (Art. 46 GDPR), or where certifications or binding corporate rules are in place (see Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).
EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the level of data protection as safe for certain companies from the USA, based on the adequacy decision dated July 10, 2023. The list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/. We will inform you in our privacy policy which service providers we use are certified under the Data Privacy Framework.
Disclosure of Personal Data Abroad: According to the Swiss Data Protection Act (DPA), we only disclose personal data abroad if adequate protection of the affected individuals is guaranteed (Art. 16 Swiss DPA). If the Federal Council does not determine adequate protection, we implement alternative security measures. These may include international agreements, specific guarantees, data protection clauses in contracts, standard data protection clauses approved by the Federal Data Protection and Information Commissioner (FDPIC), or internally binding data protection regulations recognized in advance by the FDPIC or a competent data protection authority of another country.
According to Art. 16 of the Swiss DPA, exceptions for the disclosure of data abroad may be allowed if certain conditions are met, including the consent of the data subject, contract fulfillment, public interest, protection of life or physical integrity, publicly available data, or data from a legally established register. These disclosures always comply with legal requirements.
Rights of Data Subjects
Rights of Data Subjects under the GDPR: As data subjects, you have various rights under the GDPR, especially arising from Art. 15 to 21 GDPR:
Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. If personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this includes profiling to the extent that it is related to such direct marketing.
Right to Withdraw Consent: You have the right to withdraw consent you have given at any time.
Right to Information: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and certain additional information in accordance with legal requirements.
Right to Rectification: You have the right to obtain the rectification of inaccurate personal data concerning you according to legal requirements.
Right to Erasure and Restriction of Processing: You have the right to obtain the erasure of personal data concerning you without undue delay or to obtain the restriction of processing according to legal requirements.
Right to Data Portability: You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, or you have the right to have that data transmitted to another controller, in accordance with legal requirements.
Complaint to Supervisory Authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.
Rights of Data Subjects under Swiss DPA:
As data subjects under the Swiss DPA, you have the following rights:
Right to Information: You have the right to request confirmation as to whether personal data concerning you is being processed and to receive the information necessary to assert your rights under this law and to ensure transparent data processing.
Right to Disclosure or Transmission of Data: You have the right to request the disclosure of your personal data that you have provided to us in a commonly used electronic format.
Right to Rectification: You have the right to request the rectification of incorrect personal data concerning you.
Right to Object, Erasure, and Destruction: You have the right to object to the processing of your data and to request the erasure or destruction of personal data concerning you.
Use of Cookies
Cookies are small text files or other storage records that store information on end devices and retrieve information from end devices. For example, to store login status in a user account, shopping cart contents in an online shop, accessed content, or used functions of an online offering. Cookies can also be used for various purposes, such as functionality, security, and convenience of online offerings, as well as for analyzing visitor flows.
Notes on Consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, unless this is not legally required. Consent is not necessary, in particular, if the storage and retrieval of information, including cookies, is absolutely necessary to provide users with a telemedia service (i.e., our online offering) explicitly requested by them. Typically, essential cookies include cookies with functions that serve the display and functionality of the online offering, load balancing, security, storage of user preferences and choices, or similar purposes related to the provision of the main and ancillary functions of the requested online offering. The revocable consent is clearly communicated to users and includes information about the respective cookie use.
Notes on Data Protection Legal Bases: The legal basis on which we process users’ personal data using cookies depends on whether we ask users for consent. If users consent, the legal basis for processing your data is the declared consent. Otherwise, the data processed using cookies are based on our legitimate interests (e.g., in a business operation of our online offering and improving its usability) or, if the use of cookies is necessary to fulfill our contractual obligations, to fulfill our contractual obligations. We will clarify the purposes for which we process cookies in the course of this privacy policy or as part of our consent and processing processes.
Storage Period: The following types of cookies are distinguished with regard to the storage period:
Temporary Cookies (also known as Session Cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g., browser or mobile application).
Persistent Cookies: Persistent cookies remain stored even after the user has closed their device. For example, the login status can be saved, or preferred content can be displayed directly when the user revisits a website. Likewise, data collected through cookies can be used for measuring reach. If we do not provide users with explicit information about the type and storage duration of cookies (e.g., within the context of obtaining consent), users should assume that cookies are persistent and the storage duration can last up to two years.
General Notes on Revocation and Objection (Opt-Out): Users can revoke their given consent at any time and object to processing in accordance with legal requirements. To do so, users can restrict the use of cookies in their browser settings (which may also restrict the functionality of our online offering). Objection to the use of cookies for online marketing purposes can also be declared through the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).
Additional Notes on Processing Processes, Procedures, and Services:
Processing of Cookie Data based on Consent: We utilize a procedure for cookie consent management in which user consents for the use of cookies, as well as the processing and providers mentioned within the framework of the cookie consent management procedure, can be obtained, managed, and revoked by users. The consent declaration is stored to avoid repeated inquiries and to be able to provide evidence of consent in accordance with legal obligations. Storage can occur on the server side and/or in a cookie (so-called opt-in cookie or using comparable technologies) to associate the consent with a user or their device. Subject to individual information regarding providers of cookie management services, the following notes apply: The duration of consent storage can be up to two years. For this purpose, a pseudonymous user identifier is generated, along with the time of consent, information on the scope of consent (e.g., which categories of cookies and/or service providers), and the browser, system, and device used. Legal Bases: Consent (Art. 6(1)(a) GDPR).
BorlabsCookie: Cookie consent management; Service provider: Hosted locally on our server, no data sharing with third parties; Website: https://de.borlabs.io/borlabs-cookie/. Further information: An individual user ID, language, types of consent, and the time of consent are stored on the server side and in the cookie on the user’s device.
Business Services:
We process data of our contractual and business partners, such as customers and interested parties (collectively referred to as “contractual partners”), within the scope of contractual and similar legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractual), e.g., to respond to inquiries.
We process this data to fulfill our contractual obligations. This includes, in particular, the obligations to provide the agreed-upon services, any required updates, and remediation of warranty and other performance disruptions. Furthermore, we process the data to safeguard our rights and for the purpose of the administrative tasks associated with these obligations, as well as corporate organization. In addition, we process the data based on our legitimate interests in proper and efficient business management and security measures to protect our contractual partners and our business operations from misuse, threats to their data, secrets, information, and rights (e.g., to involve telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Insofar as required by law, we disclose the data of contractual partners to third parties only to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about other forms of processing, such as for marketing purposes, as part of this privacy policy.
The data necessary for the aforementioned purposes are communicated to contractual partners before or in the course of data collection, e.g., in online forms, through special marking (e.g., colors) or symbols (e.g., asterisks), or personally.
We delete the data after the expiry of legal warranty and comparable obligations, i.e., as a matter of principle after 4 years, unless the data are stored in a customer account, e.g., as long as they must be kept for legal reasons of archiving. The statutory retention period is 10 years for tax-relevant documents and for commercial books, inventories, opening balance sheets, annual financial statements, working instructions necessary for understanding these documents, and other organizational documents and tax-related documents and records, and 6 years for received commercial and business letters and documents required to be kept, in accordance with Section 257(1) of the German Commercial Code (HGB), and Section 147(1) of the German Tax Code (AO). The retention period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual financial statement, the management report, the commercial or business letter was received or sent, or the document was created, or the record was made, or the documents were otherwise produced.
To the extent that we use third-party providers or platforms to provide our services, the terms and conditions and privacy policies of the respective third-party providers or platforms apply in the relationship between the users and the providers.
Processed data types: Inventory data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email addresses, phone numbers); Contract data (e.g., contract subject, duration, customer category); Usage data (e.g., visited websites, interest in content, access times). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
Special categories of personal data: Health data. Religious or philosophical beliefs.
Affected individuals: Customers; Prospects. Business and contract partners.
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Security measures; Contact inquiries and communication; Office and organizational procedures; Management and response to inquiries; Conversion measurement (measurement of the effectiveness of marketing measures). Profiling with user-related information (creation of user profiles).
Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Additional notes on processing processes, procedures, and services:
Customer account: Customers can create an account within our online offering (e.g., customer or user account, abbreviated as “customer account”). If the registration of a customer account is required, customers will be informed about this as well as the necessary information for registration. The customer accounts are not public and cannot be indexed by search engines. In the context of registration as well as subsequent logins and use of the customer account, we store the customers’ IP addresses along with the access times to provide evidence of registration and prevent potential abuse of the customer account. If the customer account is terminated, the data of the customer account will be deleted after the termination date, unless they need to be retained for purposes other than providing the customer account or for legal reasons (e.g., internal storage of customer data, order processes, or invoices). It is the responsibility of customers to secure their data upon termination of the customer account; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Wishlist: Customers can create a product/wishlist. In this case, the products will be stored as part of the fulfillment of our contractual obligations until the account is deleted, unless the product list entries are removed by the customer or we explicitly inform the customer about different storage periods; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Customer loyalty program/customer card: We process customer data as part of our customer loyalty program to fulfill the services provided to participating customers within the framework of the customer loyalty program. For this purpose, customer data collected and, if necessary, marked as such will be stored in a customer profile. The profile also contains information about the use of the customer loyalty program and the use of associated services and benefits, and, only if necessary for the aforementioned purposes, will be shared with third parties (e.g., executing service providers). Customer profiles will be deleted after participation ends and will only be archived with the respective data to the extent necessary for legal retention purposes or for the fulfillment of legal (up to 11 years for tax-related documents from the end of the year of their creation) or contractual claims (up to three years from the end of the year of termination); Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Economic analyses and market research: For business reasons and to identify market trends, preferences of contract partners, and users, we analyze the data available to us on business transactions, contracts, inquiries, etc., where contract partners, prospects, customers, visitors, and users of our online offering may fall into the group of affected individuals. The analyses are carried out for the purpose of business evaluations, marketing, and market research (e.g., determining customer groups with different characteristics). If available, we may consider the profiles of registered users, including their information about used services. The analyses are for our use only and will not be disclosed externally, unless they are anonymous analyses with summarized, i.e., anonymized values. We also respect users’ privacy and process data for analysis purposes as pseudonymous as possible and, if feasible, anonymous (e.g., as summarized data); Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Shop and e-commerce: We process our customers’ data to enable them to select, purchase, or order chosen products, goods, and related services, as well as their payment and delivery or execution. If necessary for the execution of an order, we use service providers, especially postal, shipping, and logistics companies, to perform delivery or execution to our customers. We use the services of banks and payment service providers to handle payment transactions. The necessary information is marked as such within the scope of the order or similar acquisition process and includes the information required for delivery or provision and billing as well as contact information for possible inquiries; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Hotel and accommodation services: We process the information of our guests, visitors, and prospects (collectively referred to as “guests”) to provide accommodation and related services of a tourist or gastronomic nature, as well as to invoice the services provided. In the course of our services, it may be necessary for us to process special categories of data within the meaning of Art. 9 para. 1 GDPR, especially information about a person’s health or information related to their religious beliefs. Processing is carried out to protect the health interests of visitors (e.g., in the case of allergy information) or otherwise to meet their physical or mental needs at their request and with their consent.
If necessary for contract fulfillment or required by law, with guests’ consent, or based on our legitimate interests, we disclose or transmit guests’ data, e.g., to service providers involved in providing our services or to authorities, billing agencies, as well as in the field of IT, office, or similar services; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Events and Activities: We process the data of participants of events, gatherings, and similar activities offered or hosted by us (hereinafter collectively referred to as “participants” and “events”) to enable their participation in the events and the utilization of associated services or actions related to participation. In cases where we process health-related data, religious, political, or other special categories of data, such processing is carried out within the scope of manifest necessity (e.g., in the case of thematically focused events or for health precautions, security, or with the consent of the individuals involved).
The necessary information is indicated as such during the order, booking, or similar contractual agreement, and includes the information required for service provision and billing, as well as contact information to facilitate communication. To the extent that we have access to information about end customers, employees, or other individuals, we process this information in accordance with legal and contractual requirements. Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Rental Services: We process the data of our tenants and rental applicants in accordance with the underlying lease agreement. Additionally, we may process information about the characteristics and circumstances of individuals or their belongings when necessary for the rental relationship. This may include information about personal life circumstances, movable or immovable property, financial situation, as well as the use of ancillary services (such as water or energy supply). In the context of our engagement, it may be necessary for us to process special categories of data as defined in Article 9(1) GDPR, particularly health-related information. Processing is carried out to protect the tenants’ health interests and otherwise only with the tenants’ consent.
If required for contract fulfillment, legal obligations, with tenants’ consent, or based on our legitimate interests, we may disclose or transmit tenant data for purposes such as inquiries, contract closures, and contract settlements, e.g., to financial service providers, credit institutions, utilities (e.g., electricity), or authorities.
Furthermore, we process tenant data if necessary to fulfill legal obligations (e.g., information obligations related to ancillary services and utility costs). Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Payment Procedures: In the context of contractual and other legal relationships, due to legal obligations, or based on our legitimate interests, we offer affected individuals efficient and secure payment options. For this purpose, we use additional service providers alongside banks and credit institutions (collectively referred to as “payment service providers”).
Data processed by payment service providers include inventory data, such as name and address, banking information, such as account numbers or credit card numbers, passwords, TANs, checksums, as well as contract-related, sum-related, and recipient-related information. This information is necessary to carry out transactions. However, the input data is processed and stored only by the payment service providers. This means that we do not receive account or credit card-related information, only confirmation or negative information about the payment. Under certain circumstances, payment service providers may transmit data to credit reporting agencies for identity and credit checks. We refer to the terms and privacy policies of the payment service providers for this purpose.
For payment transactions, the terms and conditions as well as the privacy policies of the respective payment service providers apply, which can be accessed on their respective websites or transaction applications. We also refer to these for further information and the exercise of revocation, information, and other data subject rights.
Processed Data Types: Inventory data (e.g., names, addresses), payment data (e.g., bank details, invoices, payment history), contract data (e.g., contract subject, duration, customer category), usage data (e.g., visited websites, interest in content, access times), meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status), contact data (e.g., email, phone numbers).
Affected Individuals: Customers, prospective customers.
Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations.
Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Additional Notes on Processing Procedures, Processes, and Services:
American Express: Payment services (technical integration of online payment methods); Service provider: American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.americanexpress.com/de. Privacy Policy: https://www.americanexpress.com/de/legal/online-datenschutzerklarung.html.
Apple Pay: Payment services (technical integration of online payment methods); Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.apple.com/de/apple-pay/. Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.
Mastercard: Payment services (technical integration of online payment methods); Service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.mastercard.de/de-de.html. Privacy Policy: https://www.mastercard.de/de-de/datenschutz.html.
Mollie: Payment services (technical integration of online payment methods); Service provider: Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.mollie.com/de. Privacy Policy: https://www.mollie.com/de/privacy.
PayPal: Payment services (technical integration of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.paypal.com/de. Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
Visa: Payment services (technical integration of online payment methods); Service provider: Visa Europe Services Inc., Branch London, 1 Sheldon Square, London W2 6TT, GB; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.visa.de. Privacy Policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html.
Provision of the Online Offer and Web Hosting
We process user data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.
Processed Data Types: Usage data (e.g., visited websites, interest in content, access times). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
Affected Individuals: Users (e.g., website visitors, users of online services).
Purposes of Processing: Provision of our online offer and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices, such as computers, servers, etc.); Security measures.
Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
Additional Notes on Processing Procedures, Processes, and Services:
Provision of Online Offer on Rented Storage Space: For the provision of our online offer, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also referred to as “web hoster”); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Service provider: The hosting provider is Lanaprinzip Publishing e.U.
Collection of Access Data and Log Files: Access to our online offer is logged in the form of so-called “server log files.” Server log files may include the address and name of the accessed websites and files, date and time of access, transferred data volumes, message about successful access, browser type and version, user’s operating system, referrer URL (previously visited page), and typically IP addresses and the requesting provider. Server log files can be used, on the one hand, for security purposes, e.g., to prevent server overload (especially in the case of abusive attacks, so-called DDoS attacks), and, on the other hand, to ensure server load and stability; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Data Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is necessary for evidence purposes is excluded from deletion until the respective incident is finally clarified.
Registration, Sign-In, and User Account
Users can create a user account. As part of the registration process, users are provided with the necessary mandatory information and processed on the basis of contractual performance to provide the user account. The processed data include, in particular, login information (username, password, and email address).
As part of using our registration and sign-in features, as well as using the user account, we store the IP address and the time of the respective user action. Storage is based on our legitimate interests as well as those of the users in protection against misuse and other unauthorized use. Generally, this data is not disclosed to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.
Users can be informed via email about activities relevant to their user account, such as technical changes.
Processed Data Types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., inputs in online forms). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
Affected Individuals: Users (e.g., website visitors, users of online services).
Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Security measures; Administration and response to inquiries; Provision of our online offer and user-friendliness.
Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Additional Notes on Processing Procedures, Processes, and Services:
Registration with Pseudonyms: Users are allowed to use pseudonyms instead of real names as usernames; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).
User Profiles are Not Public: User profiles are not publicly visible or accessible.
Data Deletion after Termination: If users have terminated their user account, their data related to the user account will be deleted, subject to legal permission, obligation, or consent of the users; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).
No Obligation to Retain Data: Users are responsible for securing their data before the end of the contract upon termination. We are entitled to irrevocably delete all data stored during the contract period of the user; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Contact and Inquiry Management
When contacting us (e.g., by mail, contact form, email, telephone, or via social media) as well as within existing user and business relationships, the information provided by the inquiring individuals is processed to the extent necessary to respond to contact inquiries and any requested actions.
Processed Data Types: Contact details (e.g., email, phone numbers), content data (e.g., entries in online forms), usage data (e.g., visited websites, interest in content, access times). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
Affected Individuals: Communication partners.
Purposes of Processing: Contact inquiries and communication; Management and response to inquiries; Feedback (e.g., collecting feedback via online form); Provision of our online offer and user-friendliness.
Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Additional Notes on Processing Procedures, Processes, and Services:
Contact Form: When users contact us via our contact form, email, or other communication methods, we process the data communicated to us in this context to address the conveyed issue; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).
Communication via Messenger
For the purpose of communication, we use messengers and therefore ask you to consider the following information on the functionality of messengers, encryption, use of metadata in communication, and your objection options.
You can also contact us through alternative means, such as via telephone or email. Please use the contact information provided to you or the contact information provided within our online offer.
In the case of end-to-end encryption of content (i.e., the content of your message and attachments), we would like to point out that communication content (i.e., the content of the message and attached images) is encrypted end-to-end. This means that the content of messages is not viewable, not even by the messenger providers themselves. You should always use an up-to-date version of the messenger with encryption enabled to ensure the encryption of message content.
However, we also inform our communication partners that the messenger providers may not see the content but can determine if and when communication partners communicate with us, as well as technical information about the communication partner’s device and, depending on their device settings, location information (so-called metadata) is processed.
Notes on Legal Basis: If we ask communication partners for permission before communicating with them via messenger, the legal basis for processing their data is their consent. Otherwise, if we do not request consent and they contact us, for example, on their own initiative, we use messengers with our contractual partners and as part of contract initiation as a contractual measure, and in the case of other interested parties and communication partners, based on our legitimate interests in rapid and efficient communication and fulfilling the needs of our communication partners for communication via messengers. Furthermore, we would like to point out that we do not transmit the contact details provided to us to messengers without your consent.
Revocation, Objection, and Deletion: You can revoke your consent at any time and object to communication with us via messengers at any time. In the case of communication via messengers, we delete the messages in accordance with our general deletion guidelines (i.e., e.g., after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that any inquiries from communication partners have been answered, if there is no reference back to a previous conversation to be expected, and deletion is not opposed by legal retention obligations.
Reservation of Reference to Other Communication Channels: Finally, we would like to point out, for reasons of your security, that we reserve the right not to answer inquiries via messengers. This is the case, for example, when contract-specific details require special confidentiality or a response via messenger does not meet formal requirements. In such cases, we refer you to more suitable communication channels.
Processed Data Types: Contact details (e.g., email, phone numbers), usage data (e.g., visited websites, interest in content, access times). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
Affected Individuals: Communication partners.
Purposes of Processing: Contact inquiries and communication. Direct marketing (e.g., via email or postal mail).
Legal Basis: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further Notes on Processing Procedures, Procedures, and Services:
Instagram: Sending messages via the social network Instagram; Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy.
Facebook Messenger: Facebook Messenger with end-to-end encryption (end-to-end encryption of the Facebook Messenger requires activation unless it is already enabled by default); Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Data Processing Addendum: https://www.facebook.com/legal/terms/dataprocessing; Basis for Transfer to Third Countries: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
WhatsApp: WhatsApp Messenger with end-to-end encryption; Service Provider: WhatsApp Ireland Limited, 4 Grand Canal Quay, Dublin 2, D02 KH28, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.whatsapp.com/; Privacy Policy: https://www.whatsapp.com/legal; Basis for Transfer to Third Countries: EU-US Data Privacy Framework (DPF).
Application Process
The application process requires applicants to provide us with the data necessary for their assessment and selection. The required information can be found in the job description or in the case of online forms, in the provided details.
In general, the required information includes personal information such as name, address, contact details, and evidence of qualifications necessary for the position. Upon request, we can also inform applicants about the required information.
If provided, applicants can submit their applications via an online form. The data is transmitted to us in an encrypted form using state-of-the-art technology. Applicants can also submit their applications via email. However, please note that emails on the Internet are generally not encrypted. While emails are usually encrypted during transport, they are not encrypted on the servers from which they are sent and received. Therefore, we cannot assume responsibility for the transmission path of the application between the sender and receipt on our server.
For the purpose of applicant search, application submission, and applicant selection, we may use applicant management or recruitment software and platforms and services from third-party providers in compliance with legal requirements.
Applicants are welcome to contact us to inquire about the method of submitting applications or send applications to us by postal mail.
Processing of Special Categories of Data: If special categories of personal data (Art. 9(1) GDPR, e.g., health data such as disability status or ethnic origin) are requested from applicants as part of the application process, their processing is carried out so that the data controller or the data subject can exercise their rights arising from labor law and social security law and fulfill their obligations in this regard, in the case of protecting vital interests of the applicants or other individuals, or for the purposes of preventive medicine, occupational medicine, assessing the employee’s ability to work, medical diagnosis, healthcare or social care, or for managing systems and services in healthcare or social care.
Deletion of Data: In the event of a successful application, the data provided by applicants can be further processed for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicant’s data will be deleted. The applicant’s data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Deletion will occur, subject to a legitimate withdrawal by the applicant, no later than six months after the end of the application process, allowing us to answer any follow-up questions regarding the application and fulfill our obligations under the regulations for the equal treatment of applicants. Invoices for travel expense reimbursement will be archived in accordance with tax regulations.
Inclusion in an Applicant Pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to inclusion in the talent pool is voluntary, has no influence on the ongoing application process, and can be revoked at any time for the future.
Processed Data Types: Master data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., entries in online forms), applicant data (e.g., personal details, postal and contact addresses, application-related documents and information contained therein, such as cover letters, CVs, certificates, as well as other information voluntarily provided by applicants about their person or qualifications).
Affected Individuals: Applicants.
Purposes of Processing: Application process (establishment and possible subsequent implementation and termination of the employment relationship).
Legal Basis: Application process as a pre-contractual or contractual relationship (Art. 6(1)(b) GDPR); Processing of special categories of personal data relating to health, professional and social security (Art. 9(2)(h) GDPR); Consent to processing of special categories of personal data (Art. 9(2)(a) GDPR); Processing of special categories of personal data to protect vital interests (Art. 9(2)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further Notes on Processing Procedures, Procedures, and Services:
Stepstone: Services related to employee recruitment (search for employees, communication, application process, contract negotiations); Service Provider: StepStone Deutschland GmbH, Völklinger Straße 1, 40219 Düsseldorf, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.stepstone.de; Privacy Policy: https://www.stepstone.de/Ueber-StepStone/Rechtliche-Hinweise/datenschutzerklaerung/.
Cloud Services
We use software services accessible via the internet and executed on the servers of their providers (so-called “cloud services,” also referred to as “Software as a Service”) for the storage and management of content (e.g., document storage and management, document exchange, sharing of documents, content, and information with specific recipients, or publication of content and information).
In this context, personal data may be processed and stored on the servers of the providers to the extent that they are part of communication processes with us or are otherwise processed by us, as described in this Privacy Policy. This data may include, in particular, master data and contact details of users, data about processes, contracts, and other procedures and their contents. The providers of cloud services also process usage data and metadata that are used by them for security purposes and service optimization.
If we use cloud services to provide forms or other documents and content to other users or publicly accessible websites, the providers may store cookies on users’ devices for the purposes of web analysis or to remember user settings (e.g., in the case of media controls).
Processed Data Types: Master data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., entries in online forms), usage data (e.g., visited websites, interest in content, access times), metadata, communication data, procedure data, identification numbers, consent status, image and/or video recordings.
Affected Individuals: Customers; Employees (e.g., staff, applicants, former employees); Prospects; Communication partners; Users (e.g., website visitors, users of online services).
Purposes of Processing: Office and organizational procedures; Information technology infrastructure (operation and provision of information systems and technical equipment, such as computers, servers, etc.); Provision of contractual services and fulfillment of contractual obligations.
Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further Notes on Processing Procedures, Procedures, and Services:
Adobe Creative Cloud: Applications and cloud storage for photo editing, video editing, graphic design, and web development; Service Provider: Adobe Systems Software Ireland Companies, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.adobe.com/de/creativecloud.html; Privacy Policy: https://www.adobe.com/de/privacy.html; Data Processing Agreement: Provided by the service provider; Basis for Transfer to Third Countries: Standard Contractual Clauses (Provided by the service provider).
Apple iCloud: Cloud storage service; Service Provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.apple.com/de/; Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.
Dropbox: Cloud storage service; Service Provider: Dropbox, Inc., 333 Brannan Street, San Francisco, California 94107, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.dropbox.com/de; Privacy Policy: https://www.dropbox.com/privacy; Data Processing Agreement: https://assets.dropbox.com/documents/en/legal/dfb-data-processing-agreement.pdf; Basis for Transfer to Third Countries: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://assets.dropbox.com/documents/en/legal/dfb-data-processing-agreement.pdf).
Google Cloud Services: Cloud infrastructure services and cloud-based application software; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://cloud.google.com/; Privacy Policy: https://policies.google.com/privacy; Data Processing Addendum: https://cloud.google.com/terms/data-processing-addendum; Basis for Transfer to Third Countries: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://cloud.google.com/terms/eu-model-contract-clause); Additional Information: https://cloud.google.com/privacy.
Google Cloud Storage: Cloud storage, cloud infrastructure services, and cloud-based application software; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://cloud.google.com/; Privacy Policy: https://policies.google.com/privacy; Data Processing Addendum: https://cloud.google.com/terms/data-processing-addendum; Basis for Transfer to Third Countries: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://cloud.google.com/terms/eu-model-contract-clause); Additional Information: https://cloud.google.com/privacy.
Google Workspace: Cloud-based application software (e.g., word processing and spreadsheet editing, calendar and contact management), cloud storage, and cloud infrastructure services; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://workspace.google.com/; Privacy Policy: https://policies.google.com/privacy; Data Processing Addendum: https://cloud.google.com/terms/data-processing-addendum; Basis for Transfer to Third Countries: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://cloud.google.com/terms/eu-model-contract-clause); Additional Information: https://cloud.google.com/privacy.
Newsletter and Electronic Notifications
We only send newsletters, emails, and other electronic notifications (hereinafter referred to as “Newsletters”) with the consent of the recipients or a legal permission. If the contents of the newsletter are specifically described during the subscription process, they are relevant for obtaining users’ consent. In addition, our newsletters contain information about our services and us.
To subscribe to our newsletters, it is generally sufficient to provide your email address. However, we may ask you to provide a name for personalized addressing in the newsletter or additional information if necessary for the purposes of the newsletter.
Double-Opt-In Procedure: The subscription to our newsletter generally takes place in a so-called double-opt-in procedure. This means that after registering, you will receive an email in which you will be asked to confirm your subscription. This confirmation is necessary to prevent anyone from registering with other people’s email addresses. Newsletter subscriptions are logged to be able to provide evidence of the registration process in accordance with legal requirements. This includes storing the registration and confirmation time as well as the IP address. Changes to the data stored with the email service provider are also logged.
Deletion and Restriction of Processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them in order to prove a previously given consent. The processing of this data is limited to the purpose of potential legal defense. An individual request for deletion is possible at any time, provided that the previous existence of consent is confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist.
The logging of the registration process is based on our legitimate interests for the purpose of proving its proper course. If we commission a service provider to send emails, this is done based on our legitimate interests in an efficient and secure delivery system.
Contents:
Information about us, our services, promotions, and offers.
Processed Data Types: Master data (e.g., names, addresses), contact data (e.g., email, phone numbers), metadata, communication data, procedure data, identification numbers, consent status, usage data (e.g., visited websites, interest in content, access times).
Affected Individuals: Communication partners; Users (e.g., website visitors, users of online services).
Purposes of Processing: Direct marketing (e.g., by email or postal mail); Provision of contractual services and fulfillment of contractual obligations.
Legal Basis: Consent (Art. 6(1)(a) GDPR).
Option to Withdraw Consent (Opt-Out): You can cancel the receipt of our newsletter at any time, i.e., revoke your consent, or object to further receipt. A link to cancel the newsletter subscription can be found either at the end of each newsletter or you can use one of the contact options provided above, preferably via email.
Further Notes on Processing Procedures, Procedures, and Services:
Measurement of Open and Click Rates: The newsletters contain a so-called “web beacon,” i.e., a pixel-sized file that is retrieved from our server when the newsletter is opened or, if we use a shipping service provider, from their server. During this retrieval, technical information such as browser information and your system, as well as your IP address and the time of retrieval, are collected. This information is used for the technical improvement of our newsletter based on technical data or target group data and their reading behavior, determined based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether the newsletters are opened, when they are opened, and which links are clicked. This information is assigned to individual newsletter recipients and stored in their profiles until deleted. The evaluations are used to recognize the reading habits of our users and to tailor our content to them or to send different content according to the interests of our users.
The measurement of open rates and click rates and the storage of the measurement results in the profiles of users and their further processing are based on consent from the users.
Prerequisite for Using Free Services: Consenting to receive mailings may be a prerequisite for using free services (e.g., access to specific content or participation in certain promotions). If users would like to avail of the free service without subscribing to the newsletter, we ask them to get in touch.
Reminder Emails for the Order Process: If users do not complete an order process, we can remind them by email and send them a link to continue the process. This function can be useful, for example, if the purchase process could not be continued due to a browser crash, an accident, or forgetfulness. Sending these emails is based on consent, which users can revoke at any time.
Promotional Communication via Email, Mail, Fax, or Phone
We process personal data for the purposes of promotional communication, which can be conducted through various channels, such as email, phone, mail, or fax, in accordance with legal requirements.
Recipients have the right to revoke granted consents at any time or to object to promotional communication at any time.
After revocation or objection, we store the data necessary to prove the previous authorization for contact or sending until three years after the end of the year of revocation or objection based on our legitimate interests. The processing of this data is limited to the purpose of potential legal defense. Based on the legitimate interest of permanently considering the users’ revocation or objection, we also store the data necessary to prevent future contact (e.g., depending on the communication channel, the email address, phone number, name).
Processed Data Types: Master data (e.g., names, addresses); contact data (e.g., email, phone numbers).
Affected Individuals: Communication partners.
Purposes of Processing: Direct marketing (e.g., by email or postal mail).
Legal Basis: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Contests and Competitions
We process personal data of participants in contests and competitions only in compliance with relevant data protection regulations. This processing may be necessary for the provision, execution, and handling of the contest, based on a contractual requirement, consent of the participants, or our legitimate interests (e.g., ensuring the security of the contest or protecting our interests against misuse by potential collection of IP addresses when submitting contest entries).
If participants’ contributions are published as part of the contests (e.g., in the context of voting or presentation of contest entries or winners, or in contest-related reporting), we note that participants’ names may also be published in this context. Participants can object to this at any time.
If the contest takes place on an online platform or a social network (e.g., Facebook or Instagram, hereinafter referred to as “online platform”), the usage and data protection regulations of the respective platforms also apply. In such cases, we inform that we are responsible for the information provided by participants as part of the contest and inquiries related to the contest should be directed to us.
The participants’ data will be deleted as soon as the contest or competition is over and the data is no longer needed to inform the winners or due to potential inquiries related to the contest. In principle, participants’ data will be deleted no later than 6 months after the contest ends. Data of winners can be retained for a longer period, for example, to answer questions about the prizes or fulfill prize obligations; in this case, the retention period depends on the nature of the prize and can be up to three years for goods or services, for example, to handle warranty cases. Furthermore, participants’ data can be stored longer, for example, in the form of reporting on the contest in online and offline media.
If data was collected for other purposes as part of the contest, their processing and retention duration are determined by the privacy information for that use (e.g., in the case of subscribing to a newsletter as part of a contest).
Processed Data Types: Master data (e.g., names, addresses); content data (e.g., entries in online forms); metadata, communication data, procedure data, identification numbers.
Affected Individuals: Participants in contests and competitions.
Purposes of Processing: Execution of contests and competitions.
Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Web Analysis, Monitoring, and Optimization
Web analysis (also referred to as “reach measurement”) is used to evaluate the visitor flows of our online offering and can include pseudonymous values of behavior, interests, or demographic information about visitors, such as age or gender. Through reach analysis, we can determine, for example, the times when our online offering or its features or content are most frequently used or invite reuse. Similarly, we can determine which areas require optimization.
In addition to web analysis, we can also use testing procedures to test and optimize different versions of our online offering or its components.
Unless otherwise specified below, for these purposes, profiles, i.e., data summarized for a usage process, can be created and information can be stored and read in a browser or end device. The collected information includes, in particular, visited websites and elements used there, as well as technical information such as the browser used, the computer system used, and information about usage times. If users have consented to us or the providers of the services we use, their location data may also be processed.
IP addresses of users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by truncating the IP address) for user protection. In general, within the scope of web analysis, A/B testing, and optimization, no clear data of users (such as email addresses or names) are stored, but pseudonyms are used. This means that neither we nor the providers of the employed software know the actual identity of users, only the information stored in their profiles for the purposes of the respective procedures.
Processed Data Types: Usage data (e.g., visited websites, interests in content, access times); meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).
Affected Individuals: Users (e.g., website visitors, users of online services).
Purposes of Processing: Remarketing; Audience targeting; Reach measurement (e.g., access statistics, identification of recurring visitors); Profiling with user-related information (creation of user profiles); Provision of our online offering and user-friendliness.
Security Measures: IP masking (pseudonymization of the IP address).
Legal Basis: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further Information on Processing Procedures, Methods, and Services:
Google Analytics 4: We use Google Analytics for measuring and analyzing the usage of our online offering based on a pseudonymous user identification number. This identification number does not contain unique data such as names or email addresses. It serves to associate analysis information with an end device in order to recognize which content users accessed within one or multiple usage processes, which search terms they used, accessed again, or interacted with our online offering. Likewise, the time of usage and its duration are stored, as well as sources of users referring to our online offering and technical aspects of their end devices and browsers. Pseudonymous user profiles are created from information of usage across different devices, where cookies may be used. Google Analytics does not log and store individual IP addresses for EU users. However, for EU traffic, IP address data is used exclusively for deriving geolocation data before being immediately deleted. They are not logged, not accessible, and not used for further purposes. When Google Analytics collects measurement data, all IP queries are carried out on EU-based servers before being forwarded for processing to Analytics servers; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://marketingplatform.google.com/intl/en/about/analytics/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Opt-Out Option: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Settings for Displaying Advertisements: https://adssettings.google.com/authenticated. Further Information: https://privacy.google.com/businesses/adsservices (Types of Processing and Processed Data).
Google Signals (Google Analytics Feature): Google Signals are session data from websites and apps that Google associates with users who are signed in to their Google accounts and have enabled personalized advertising. This assignment of data to these signed-in users is used for cross-device reports, cross-device remarketing, and cross-device conversion measurement. This includes: Cross-device reports – linking data across devices and activities from different sessions using your user ID or Google Signals data, enabling an understanding of user behavior at every step of the conversion process, from the first contact to conversion and beyond; Remarketing with Google Analytics – creating remarketing audiences from Google Analytics data and sharing these audiences with linked advertising accounts; Demographics and Interests – Google Analytics collects additional information about demographic data and interests of users who are signed in to their Google accounts and have enabled personalized advertising; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://support.google.com/analytics/answer/7532985?hl=en; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms). Further Information: https://privacy.google.com/businesses/adsservices (Types of Processing and Processed Data).
Audience Targeting with Google Analytics: We use Google Analytics to display advertisements within Google’s advertising services and those of its partners only to users who have shown interest in our online offering or who exhibit certain characteristics (e.g., interests in specific topics or products determined based on visited websites) that we transmit to Google (so-called “remarketing” or “Google Analytics audiences”). Using the remarketing audiences, we also want to ensure that our ads correspond to users’ potential interests; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Legal Basis: https://business.safety.google/adsprocessorterms/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF); Further Information: Types of Processing and Processed Data: https://privacy.google.com/businesses/adsservices. Data Processing Terms for Google Advertising Products and Standard Contractual Clauses for Third-Country Data Transfers: https://business.safety.google/adsprocessorterms.
Google Analytics in Consent Mode: In consent mode, Google processes personal data of users for measuring and advertising purposes, depending on user consent. The consent is obtained from users within the scope of our online services. If user consent is completely missing, data is processed only on an aggregated (i.e., not assigned to individual users and summarized) level. If consent only covers statistical measurement, no personal user data is processed for displaying ads or measuring advertising success (so-called “conversion”); Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://support.google.com/analytics/answer/9976101?hl=en.
Google Tag Manager: Google Tag Manager is a solution that allows us to manage so-called website tags through an interface and integrate other services into our online offering (for more information, refer to additional details in this privacy policy). With the Tag Manager itself (which implements the tags), user profiles are not created or cookies stored. Google only obtains the user’s IP address, which is necessary to execute the Google Tag Manager; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms).
Online Marketing: We process personal data for the purpose of online marketing, which includes, in particular, the marketing of advertising space or the display of advertising and other content (referred to collectively as “content”) based on potential user interests, as well as measuring their effectiveness.
For these purposes, so-called user profiles are created and stored in a file (so-called “cookie”) or similar methods are used to store information relevant to the user for displaying the aforementioned content. This information may include viewed content, visited websites, used online networks, as well as communication partners and technical details such as the used browser, the used computer system, and information about usage times and utilized functions. If users have consented to the collection of their location data, this data may also be processed.
IP addresses of users are also stored. However, we use available IP masking procedures (i.e., pseudonymization by truncating the IP address) to protect users. In general, clear user data (such as email addresses or names) is not stored as part of online marketing processes, but pseudonyms are used. This means that neither we nor the providers of online marketing processes know the actual identity of users, only the information stored in their profiles.
The information in the profiles is usually stored in cookies or similar methods. These cookies can also be read on other websites that use the same online marketing processes, and can be analyzed for the purpose of displaying content, as well as supplemented with additional data and stored on the server of the online marketing process provider.
In exceptional cases, clear data can be assigned to profiles. This is the case, for example, when users are members of a social network whose online marketing processes we use and the network connects the users’ profiles with the aforementioned information. Please note that users may enter additional agreements with the providers, for example, through consent during registration.
In general, we only have access to aggregated information about the success of our advertisements. However, we can check, within the framework of so-called conversion measurements, which of our online marketing processes led to a so-called conversion, e.g., a contract conclusion with us. The conversion measurement is used solely for analyzing the success of our marketing measures.
Unless otherwise stated, please assume that the cookies used will be stored for a period of two years.
Processed Data Types: Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status); Event data (Facebook) (“Event data” are data that can be transmitted to Facebook by us via Facebook Pixel (via apps or other means) and relate to individuals or their actions; the data may include information about website visits, interactions with content, functions, app installations, product purchases, etc.; event data is processed for the purpose of creating target groups for content and advertising information (custom audiences). Event data does not include the actual content (such as posted comments), login information, or contact information (i.e., no names, email addresses, and phone numbers). Facebook deletes event data after a maximum of two years, and target groups formed from them are deleted with the deletion of our Facebook account).
Affected individuals: Users (e.g., website visitors, users of online services).
Processing purposes: Reach measurement (e.g., access statistics, recognition of recurring visitors); Tracking (e.g., interest/behavior-based profiling, use of cookies); Conversion measurement (measurement of the effectiveness of marketing measures); Audience targeting; Marketing; Profiles with user-related information (creation of user profiles); Provision of our online offering and user-friendliness. Remarketing.
Security measures: IP masking (pseudonymization of the IP address).
Legal bases: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Opt-out options: We refer to the privacy notices of the respective providers and the opt-out options (so-called “Opt-Out”) provided for each provider. If no explicit opt-out option has been provided, you have the option to disable cookies in your browser settings. However, this may restrict the functionality of our online offering. Therefore, we also recommend the following opt-out options, which are offered in summarized form for respective regions: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-regional: https://optout.aboutads.info.
Further information on processing processes, procedures, and services:
Meta Pixel and Audience Targeting (Custom Audiences): With the help of the Meta Pixel (or comparable functions for transmitting event data or contact information through interfaces in apps), Meta Platforms is able to define the visitors of our online offering as an audience for displaying ads (so-called “Meta Ads”). Accordingly, we use the Meta Pixel to display the Meta Ads we have placed to users on Meta platforms and within the services of cooperating partners of Meta (known as the “Audience Network” https://www.facebook.com/audiencenetwork/ ) who have shown an interest in our online offering or exhibit certain characteristics (e.g., interest in specific topics or products based on visited websites) that we transmit to Meta (so-called “Custom Audiences”). With the Meta Pixel, we also aim to ensure that our Meta Ads correspond to users’ potential interests and do not appear intrusive. Using the Meta Pixel, we can also track the effectiveness of the Meta Ads for statistical and market research purposes by determining whether users were redirected to our website after clicking on a Meta Ad (so-called “Conversion Measurement”); Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Further information: Event data of users, i.e., behavioral and interest data, is processed for the purposes of targeted advertising and audience targeting based on the Joint Controller Agreement (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, especially with regard to the transfer of data to the parent company Meta Platforms, Inc. in the USA (based on the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
Facebook Advertisements: Display of advertisements within the Facebook platform and evaluation of advertisement results; Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF); Opt-out options: We refer to the privacy and advertising settings in the user’s profile on the Facebook platform, as well as within Facebook’s consent procedure and Facebook’s contact options for exercising information and other data subjects’ rights in Facebook’s Privacy Policy. Further information: Event data of users, i.e., behavioral and interest data, is processed for the purposes of targeted advertising and audience targeting based on the Joint Controller Agreement (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, especially with regard to the transfer of data to the parent company Meta Platforms, Inc. in the USA (based on the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
Google Ads and Conversion Measurement: Online marketing procedures for the purpose of placing content and ads within the service provider’s advertising network (e.g., in search results, in videos, on websites, etc.), so that they are displayed to users who have a presumed interest in the ads. In addition, we measure the conversion of the ads, i.e., whether users have interacted with the ads and used the advertised offers as a result (so-called “Conversion”). However, we only receive anonymous information and no personal information about individual users; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF); Further information: Types of processing and types of processed data: https://privacy.google.com/businesses/adsservices. Data processing terms between controllers and Standard Contractual Clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.
Google Ads Remarketing: Google Remarketing, also known as retargeting, is a technology that allows users who utilize an online service to be included in a pseudonymous remarketing list. This enables users to be shown ads on other online offerings based on their interactions with the online service. Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF); Further Information: Types of processing and processed data: https://privacy.google.com/businesses/adsservices. Data Processing Terms between controllers and Standard Contractual Clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
Advanced Conversions for Google Ads: When customers click on our Google ads and subsequently use the advertised service (so-called “conversion”), user-entered data such as email address, name, residential address, or telephone number may be transmitted to Google. Hash values are then matched with existing Google accounts of users to better evaluate and improve users’ interactions with the ads (e.g., clicks or views); Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://support.google.com/google-ads/answer/9888656.
Google Adsense with Personalized Ads: We use the Google Adsense service with personalized ads to display ads within our online offering and receive compensation for their display or other usage; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF); Further Information: Types of processing and processed data: https://privacy.google.com/businesses/adsservices. Data Processing Terms for Google advertising products: Information about services, Data Processing Terms between controllers, and Standard Contractual Clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
Google Adsense with Non-Personalized Ads: We use the Google Adsense service with non-personalized ads to display ads within our online offering and receive compensation for their display or other usage; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF); Further Information: Types of processing and processed data: https://privacy.google.com/businesses/adsservices. Google Ads Controller-Controller Data Protection Terms and Standard Contractual Clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
Instagram Advertisements: Display of advertisements within the Instagram platform and evaluation of advertisement results; Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF); Opt-out options: We refer to the privacy and advertising settings in the user’s profile on the Instagram platform, as well as within Instagram’s consent procedure and Instagram’s contact options for exercising information and other data subjects’ rights in Instagram’s Privacy Policy. Further Information: Event data of users, i.e., behavioral and interest data, is processed for the purposes of targeted advertising and audience targeting based on the Joint Controller Agreement (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, especially with regard to the transfer of data to the parent company Meta Platforms, Inc. in the USA (based on the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
Customer Reviews and Rating Processes: We participate in review and rating processes to evaluate, optimize, and promote our services. When users rate us or provide feedback through the involved review platforms or processes, the general terms and conditions and privacy notices of the providers also apply. In most cases, providing a rating requires registration with the respective providers.
To ensure that the reviewing individuals have actually used our services, we, with the consent of the customers, transmit the necessary data related to the customer and the service used to the respective review platform (including name, email address, and order number or item number). These data are solely used for verifying the authenticity of the user.
Processed Data Types: Contract data (e.g., subject of the contract, duration, customer category); Usage data (e.g., visited web pages, interest in content, access times); Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
Data Subjects: Customers, users (e.g., website visitors, users of online services).
Processing Purposes: Feedback (e.g., collecting feedback via online forms), marketing.
Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR), consent (Art. 6(1)(a) GDPR).
Further Notes on Processing Procedures, Processes, and Services:
Review Widget: We integrate so-called “review widgets” into our online offering. A widget is a functional and content element embedded in our online offering that displays changing information. It can be presented in the form of a seal or a similar element, sometimes also referred to as a “badge.” The corresponding content of the widget is displayed within our online offering but is retrieved from the servers of the respective widget provider at that moment. This is necessary to always show the current content, especially the current rating. For this purpose, a data connection must be established from the webpage accessed within our online offering to the widget provider’s server, and the widget provider receives certain technical data (access data, including IP address) required to deliver the widget’s content to the user’s browser. Additionally, the widget provider receives information that users have visited our online offering. This information can be stored in a cookie and used by the widget provider to recognize which online offerings participating in the review process have been visited by the user. The information can be stored in a user profile and used for advertising or market research purposes; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
Google Customer Reviews: Service for obtaining and/or displaying customer satisfaction and opinions; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Terms and Conditions: https://support.google.com/merchants/topic/7259129?hl=en&ref_topic=7257954; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF); Further Information: As part of obtaining customer reviews, an identification number and the time of the transaction being reviewed, the customer’s email address in the case of review requests sent directly to customers, the customer’s country of residence, and the review details are processed; Additional information on processing types and processed data: https://privacy.google.com/businesses/adsservices. Data Processing Terms for Google advertising products: Information about services, Data Processing Terms between controllers, and Standard Contractual Clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
kununu: Review platform; Service Provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.kununu.com/en; Privacy Policy: https://privacy.xing.com/en/privacy-policy.
Trusted Shops (Trustedbadge): Review platform – Regarding data protection matters and the exercise of your rights, please preferably contact Trusted Shops using the contact information provided in the privacy information due to the joint responsibility existing between us and Trusted Shops. Regardless, you can always contact the responsible party of your choice. Your request will then be forwarded to the other responsible party, if necessary. The Trustbadge is provided by a US-based Content Delivery Network (CDN) provider. An adequate level of data protection is ensured by standard data protection clauses and further contractual measures.
When the Trustbadge is called up, the web server automatically stores a so-called server log file, which also includes your IP address, the date and time of the access, the amount of data transferred, and the requesting provider (access data) and documents the access. The IP address is anonymized immediately after collection, so the stored data cannot be attributed to your person. The anonymized data is used particularly for statistical purposes and error analysis.
If you have given your consent, the Trustbadge will access order information stored in your end device (order amount, order number, purchased product, if applicable) after the order is placed, and your email address will be hashed using cryptographic one-way function. The hash value is then transmitted to Trusted Shops along with the order information according to Art. 6(1)(a) GDPR. This is used to verify whether you are already registered for Trusted Shops services. If this is the case, further processing is carried out in accordance with the contractual agreement between you and Trusted Shops. If you have not registered for the services yet or do not provide consent for automatic recognition through the Trustbadge, you will have the opportunity to manually register for the services or complete the protection as part of your possibly existing user agreement.
The Trustbadge accesses the following information stored in your end device upon completing your order for the purpose of providing you with buyer protection: order amount, order number, and email address. This is necessary in order for us to offer you buyer protection. Data will only be transmitted to Trusted Shops when you actively decide to conclude buyer protection by clicking on the appropriately labeled button in the so-called Trustcard. If you choose to use the services, further processing will be based on the contractual agreement with Trusted Shops according to Art. 6(1)(b) GDPR, in order to finalize your registration for buyer protection, secure the order, and, if applicable, send you review invitations via email.
Trusted Shops uses service providers for hosting, monitoring, and logging purposes. The legal basis is Art. 6(1)(f) GDPR for the purpose of ensuring smooth operation. Processing may take place in third countries (USA and Israel). An adequate level of data protection is ensured in the case of the USA through standard data protection clauses and further contractual measures, and in the case of Israel through an adequacy decision.
Service Provider: Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany; Legal Bases: Consent (Art. 6(1)(a) GDPR), Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.trustedshops.com; Privacy Policy: https://www.trustedshops.com/imprint/#data-protection.
Social Media Presences
We maintain online presences within social networks and process user data within this context to communicate with users active on those networks or to provide information about us.
We would like to point out that user data can be processed outside the European Union, which can pose risks to users, as enforcing users’ rights could be more challenging in these cases.
Furthermore, user data within social networks is typically processed for market research and advertising purposes. For instance, usage profiles can be created based on user behavior and resulting interests. These usage profiles can then be used to display advertisements both within and outside the networks that are likely to correspond to users’ interests. Cookies are usually stored on users’ computers for these purposes, storing users’ usage behavior and interests. Moreover, data can be stored in usage profiles regardless of the devices users use (especially if users are members of the respective platforms and are logged in).
For a detailed description of the respective processing methods and opt-out options, please refer to the privacy policies and information provided by the operators of the respective networks.
Even in the case of information requests and the exercise of data subjects’ rights, we would like to point out that these are most effectively exercised with the providers. Only the providers have access to users’ data and can directly take corresponding measures and provide information. If you still need assistance, you can contact us.
Processed Data Types: Contact data (e.g., email, phone numbers), content data (e.g., input in online forms), usage data (e.g., visited web pages, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
Data Subjects: Users (e.g., website visitors, users of online services).
Processing Purposes: Contact requests and communication, feedback (e.g., collecting feedback via online forms), marketing.
Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further Notes on Processing Procedures, Processes, and Services:
Instagram: Social network; Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy.
Facebook Pages: Profiles within the Facebook social network – We are jointly responsible with Meta Platforms Ireland Limited for collecting (but not further processing) data of visitors to our Facebook page (so-called “Fanpage”). This data includes information about the types of content users view or interact with, or actions they take (see “Things You and Others Do and Provide” in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices users use (e.g., IP addresses, operating systems, browser types, language settings, cookie data; see “Device Information” in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under “How Do We Use This Information?”, Facebook also collects and uses information to provide analysis services, so-called “Page Insights,” to page operators, to provide them with insights into how individuals interact with their pages and associated content. We have concluded a special agreement with Facebook (“Information About Page Insights,” https://www.facebook.com/legal/terms/page_controller_addendum), which particularly regulates the security measures Facebook must observe and in which Facebook has committed to fulfilling data subjects’ rights (i.e., users can direct requests for information or deletion directly to Facebook). The rights of users (especially the right to information, deletion, objection, and complaints to the competent supervisory authority) are not limited by the agreements with Facebook. Further information can be found in the “Information About Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Further Information: Agreement on Joint Responsibility: https://www.facebook.com/legal/terms/information_about_page_insights_data. The joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, particularly concerning the transmission of data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
Facebook Groups: Interest groups within the Facebook social network – We use the “Groups” feature of the Facebook platform to create interest groups where Facebook users can interact with each other and with us, as well as exchange information. In doing so, we process personal data of users in our groups to the extent necessary for the purpose of group usage and moderation. Our guidelines within the groups may contain additional requirements and information regarding the use of the respective group. This data includes information such as first and last names, as well as publicly posted or privately shared content, as well as values related to group membership status or group-related activities, such as joining or leaving, as well as timestamps for the aforementioned data. Furthermore, we refer to the processing of user data by Facebook itself. This includes information about the types of content users view or interact with, or actions they take (see “Things You and Others Do and Provide” in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices users use (e.g., IP addresses, operating systems, browser types, language settings, cookie data; see “Device Information” in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under “How Do We Use This Information?”, Facebook also collects and uses information to provide analysis services, so-called “Insights,” for group operators, so they can gain insights into how people interact with their groups and associated content; Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy. Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF).
Facebook Events: Event profiles within the Facebook social network – We use the “Events” feature of the Facebook platform to promote events and dates, as well as to interact with users (participants and interested parties) and exchange information. In doing so, we process personal data of users on our event pages to the extent necessary for the purpose of the event page and its moderation. This data includes information such as first and last names, as well as publicly posted or privately shared content, as well as values related to participation status and timestamps for the aforementioned data. Furthermore, we refer to the processing of user data by Facebook itself. This includes information about the types of content users view or interact with, or actions they take (see “Things You and Others Do and Provide” in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices users use (e.g., IP addresses, operating systems, browser types, language settings, cookie data; see “Device Information” in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under “How Do We Use This Information?”, Facebook also collects and uses information to provide analysis services, so-called “Insights,” for event providers, so they can gain insights into how people interact with their event pages and associated content; Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy. Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF).
YouTube: Social network and video platform; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF). Opt-Out: https://adssettings.google.com/authenticated.
Plugins and Embedded Features, as well as Content: We incorporate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). This may include graphics, videos, or maps (hereinafter collectively referred to as “content”). The incorporation always requires that the third-party providers of this content process the IP address of the user, as they could not send the content to the user’s browser without the IP address. The IP address is therefore necessary for the display of this content or functions. We make every effort to use only content whose respective providers use the IP address solely for the purpose of delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic to the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain technical information about the browser and operating system, referring websites, visiting time, as well as other information about the use of our online offering, and may also be linked to such information from other sources.
Processed Data Types: Usage data (e.g., visited web pages, interest in content, access times), meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status), location data (information about the geographical position of a device or person).
Data Subjects: Users (e.g., website visitors, users of online services).
Processing Purposes: Providing our online offering and user-friendliness.
Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR).
Further Information on Processing Processes, Procedures, and Services:
Integration of Third-Party Software, Scripts, or Frameworks (e.g., jQuery): We integrate software into our online offering that we retrieve from servers of other providers (e.g., functional libraries that we use for the presentation or user-friendliness of our online offering). In this process, the respective providers collect the IP address of users and may process it for the purpose of transmitting the software to the users’ browsers, as well as for security, evaluation, and optimization of their offerings. – We integrate software into our online offering that we retrieve from servers of other providers (e.g., functional libraries that we use for the presentation or user-friendliness of our online offering). In this process, the respective providers collect the IP address of users and may process it for the purpose of transmitting the software to the users’ browsers, as well as for security, evaluation, and optimization of their offerings; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
Google Fonts (Hosting on Our Own Server): Provision of font files for a user-friendly display of our online offering; Service Provider: Google Fonts are hosted on our server, no data is transmitted to Google; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
Google Maps: We integrate the maps of the “Google Maps” service provided by Google. Processed data may include IP addresses and user location data; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy. Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF).
Management, Organization, and Tools:
We use services, platforms, and software of other providers (hereinafter referred to as “third-party providers”) for the purpose of organization, administration, planning, and provision of our services. When selecting third-party providers and their services, we comply with legal requirements.
In this context, personal data may be processed and stored on the servers of third-party providers. Various data may be affected, which we process in accordance with this privacy policy. This data may include, in particular, master and contact data of users, data related to transactions, contracts, and other processes, as well as their contents.
If users are referred to third-party providers or their software or platforms as part of communication, business, or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization, or marketing purposes. We therefore kindly ask you to observe the data protection notices of the respective third-party providers.
Processed Data Types: Content data (e.g., entries in online forms), usage data (e.g., visited web pages, interest in content, access times), meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
Data Subjects: Communication partners, users (e.g., website visitors, users of online services).
Processing Purposes: Contact inquiries and communication, provision of contractual services and fulfillment of contractual obligations, office and organizational procedures.
Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR).
Further Information on Processing Processes, Procedures, and Services:
ChatGPT: AI-based service designed to understand and generate natural language and related inputs and data, analyze information, and make predictions (“AI” means “Artificial Intelligence” in the current legal sense of the term); Service Provider: OpenAI OpCo, LLC, 3180 18th St., San Francisco, CA 94110 USA; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://openai.com/product; Privacy Policy: https://openai.com/policies/privacy-policy. Opt-Out: https://docs.google.com/forms/d/e/1FAIpQLSevgtKyiSWIOj6CV6XWBHl1daPZSOcIWzcUYUXQ1xttjBgDpA/viewform.
Trello: Project management tool; Service Provider: Trello Inc., 55 Broadway New York, NY 10006, USA, Parent Company: Atlassian Inc. (San Francisco, Harrison Street Location), 1098 Harrison Street, San Francisco, California 94103, USA; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://trello.com/; Privacy Policy: https://trello.com/privacy; Basis for Third-Country Transfers: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (provided by the service provider). Further Information: Data Transfer Impact Assessment: https://www.atlassian.com/legal/data-transfer-impact-assessment.
WeTransfer: File transfer over the internet; Service Provider: WeTransfer BV, Oostelijke Handelskade 751, Amsterdam, 1019 BW, Netherlands; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://wetransfer.com; Privacy Policy: https://wetransfer.com/legal/privacy.