Preamble
With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to in short as “data”) that we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and especially on our websites, in mobile applications as well as within external online presences, such as our mobile applications or social media profiles (hereinafter summarily referred to as “online offering”).
The terms used are not gender-specific.
As of: April 19, 2024
Table of Contents
- Preamble
- Controller
- Contact Data Protection Officer
- Overview of Processing
- Relevant Legal Bases
- Security Measures
- Transmission of Personal Data
- International Data Transfers
- Storage and Deletion of Data
- Rights of Data Subjects
- Provision of Online Offering and Web Hosting
- Use of Cookies
- Newsletter and Electronic Notifications
- Web Analysis, Monitoring, and Optimization
- Presence in Social Networks (Social Media)
- Plug-ins and Embedded Functions as well as Contents
- Change and Update of Privacy Policy
- Definitions
Controller
Party Compass
Julius, Hartmann
Zeiseweg 39
22765, Hamburg, Germany
Email: [email protected]
Imprint: party-compass.com/imprint
Contact Data Protection Officer
Overview of Processing
The following overview summarizes the types of processed data and the purposes of their processing and refers to the data subjects.
Types of Processed Data
- Inventory Data.
- Contact Data.
- Content Data.
- Usage Data.
- Meta, Communication, and Process Data.
Categories of Data Subjects
- Communication Partners.
- Users.
Purposes of Processing
- Contact Inquiries and Communication.
- Security Measures.
- Direct Marketing.
- Reach Measurement.
- Management and Response to Inquiries.
- Feedback.
- Marketing.
- Profiles with User-Related Information.
- Provision of Our Online Offering and User-Friendliness.
- Information Technology Infrastructure.
Relevant Legal Bases
Relevant Legal Bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Furthermore, should more specific legal bases be relevant in individual cases, we will inform you about them in the privacy policy.
- Consent (Art. 6 para. 1 p. 1 lit. a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Legitimate Interests (Art. 6 para. 1 p. 1 lit. f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National Data Protection Regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains special regulations, in particular, regarding the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases including profiling. Furthermore, data protection laws of the individual federal states may apply.
Security Measures
In accordance with legal requirements and taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihood and severity of the threat to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as the access, input, transmission, security of availability, and separation thereof. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data threats. We also consider the protection of personal data during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by privacy-friendly default settings.
Securing online connections through TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we rely on TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL, serving as an indicator to users that their data is being transmitted securely and encrypted.
Transmission of Personal Data
As part of our processing of personal data, it may occur that such data is transferred to other entities, companies, legally independent organizational units, or persons or disclosed to them. The recipients of this data may include, for example, IT service providers entrusted with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and in particular conclude appropriate contracts or agreements with the recipients of your data, which serve to protect your data.
International Data Transfers
Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if processing takes place as part of the use of third-party services or the disclosure or transmission of data to other individuals, entities, or companies, this only occurs in accordance with legal requirements. If the level of data protection in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for data transfer. Otherwise, data transfers only take place if the level of data protection is otherwise ensured, in particular through standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), explicit consent, or in the case of contractual or legally required transfers (Art. 49 para. 1 GDPR). Furthermore, we inform you about the basis of the third-country transfer with each provider from the third country, with adequacy decisions taking precedence as the basis. Information on third-country transfers and existing adequacy decisions can be found in the information provided by the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.
EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called “Data Privacy Framework” (DPF), the European Commission has also recognized the level of data protection for certain companies from the USA as safe within the framework of the adequacy decision of 10.07.2023. The list of certified companies as well as further information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). We will inform you within the data protection notices which of the service providers we use are certified under the Data Privacy Framework.
Storage and Deletion of Data
We delete personal data that we process in accordance with legal provisions as soon as the underlying consents are revoked or there are no further legal grounds for processing. This applies to cases where the original purpose of processing ceases to exist or the data is no longer needed. Exceptions to this rule exist when legal obligations or special interests require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.
Our privacy notices contain additional information on the storage and deletion of data that specifically applies to certain processing processes. If there are multiple indications of the retention period or deletion deadlines of a piece of data, the longest period is always decisive. If a deadline does not explicitly start on a specific date and lasts at least one year, it automatically starts at the end of the calendar year in which the triggering event occurred.
We process data that is retained not for the originally intended purpose but due to legal requirements or other reasons exclusively for the reasons that justify its retention.
Rights of Data Subjects
Rights of data subjects under the GDPR: You have various rights as data subjects under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:
- Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Right to Withdraw Consent: You have the right to withdraw consent you have given at any time.
- Right of Access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and other information.
- Right to Rectification: You have the right to obtain the rectification of inaccurate personal data concerning you or to have incomplete personal data completed.
- Right to Erasure and Restriction of Processing: You have the right, under certain conditions, to obtain the erasure of personal data concerning you without undue delay or to obtain the restriction of processing of your data.
- Right to Data Portability: You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format or to request the transmission of that data to another controller.
- Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
Provision of Online Offerings and Web Hosting
We process user data to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.
- Processed Data Types: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, involved individuals).
- Concerned Individuals: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures.
- Legal Basis: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).
Further Notes on Processing Processes, Procedures, and Services:
- Provision of Online Offerings on Rented Storage Space: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also known as “web hoster”); Legal Basis: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).
- Collection of Access Data and Log Files: Access to our online offering is logged in the form of so-called “server log files.” Server log files may include the address and name of the accessed websites and files, date and time of access, data volumes transferred, message about successful access, browser type and version, user’s operating system, referrer URL (previously visited page), and usually IP addresses and the requesting provider. The server log files can be used, on the one hand, for security purposes, e.g., to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks), and on the other hand, to ensure the utilization and stability of the servers; Legal Basis: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR). Deletion of Data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is necessary for evidence purposes is excluded from deletion until the final clarification of the respective incident.
Use of Cookies
Cookies are small text files or other storage mechanisms that store information on end devices and retrieve it from them. They are used, for example, to store the login status in a user account, the contents of a shopping cart in an e-shop, the accessed content, or the features used in an online offering. Cookies can also be used for various purposes, such as functionality, security, and comfort of online offerings, as well as for analyzing visitor flows.
Consent Information: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users unless it is not required by law. Permission is particularly not necessary if storing and retrieving information, including cookies, is absolutely necessary to provide users with a telemedia service (i.e., our online offering) expressly requested by them. The revocable consent is clearly communicated to them and contains information about the respective cookie usage.
Information on legal bases for data protection: The legal basis on which we process users’ personal data using cookies depends on whether we ask for consent. If users accept, the legal basis for processing their data is the declared consent. Otherwise, the data is processed using cookies on the basis of our legitimate interests (e.g., in the economic operation of our online offering and the improvement of its usability) or, if the use of cookies is necessary to fulfill our contractual obligations, as part of fulfilling those obligations. We will clarify the purposes for which cookies are used as part of this privacy policy or in the context of our consent and processing processes.
Storage period: With regard to the storage period, the following types of cookies are distinguished:
- Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their end device (e.g., browser or mobile application).
- Persistent cookies: Persistent cookies remain stored even after the end device has been closed. For example, the login status can be saved and preferred content can be displayed directly when the user visits a website again. Likewise, user data collected using cookies can be used for reach measurement. If we do not provide specific information about the type and storage period of cookies (e.g., as part of obtaining consent), users should assume that they are persistent and that the storage period can be up to two years.
General information on revocation and objection (opt-out): Users can revoke their consent given at any time and also object to processing in accordance with legal requirements, including using the privacy settings of their browser.
- Legal bases: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR). Consent (Art. 6 para. 1 p. 1 lit. a) GDPR).
Further information on processing processes, procedures, and services:
- Processing of cookie data based on consent: We use a consent management solution where users’ consent to the use of cookies or to the procedures and providers mentioned within the consent management solution is obtained. This process is used to obtain, log, manage, and revoke consents, particularly regarding the use of cookies and similar technologies used to store, retrieve, and process information on users’ end devices. As part of this process, users’ consent for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management process, is obtained. Users also have the option to manage and revoke their consent. The consent declarations are stored to avoid repeated queries and to be able to provide evidence of consent in accordance with legal requirements. Storage takes place server-side and/or in a cookie (so-called opt-in cookie) or using similar technologies to assign consent to a specific user or their device. If there are no specific details about providers of consent management services, the following general information applies: The duration of consent storage is up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, information about the scope of consent (e.g., relevant categories of cookies and/or service providers), and information about the browser, system, and device used; Legal bases: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR).
Newsletter and Electronic Notifications
We send newsletters, emails, and other electronic notifications (hereinafter referred to as “newsletter”) only with the consent of the recipients or based on legal permission. If the contents of the newsletter are specified as part of registration for the newsletter, these contents are decisive for users’ consent. Usually, providing your email address is sufficient for registering for our newsletter. However, to offer you a personalized service, we may ask for your name for personal addressing in the newsletter or for further information if this is necessary for the purpose of the newsletter.
Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to be able to prove previously given consent. The processing of this data is limited to the purpose of potential defense against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist.
The logging of the registration process is based on our legitimate interests for the purpose of proving its proper course. If we commission a service provider to send emails, this is based on our legitimate interests in an efficient and secure delivery system.
Contents:
Information about us, our services, and new features of our app.
- Processed data types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Meta, communication, and procedure data (e.g., IP addresses, time data, identification numbers, persons involved). Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
- Affected individuals: Communication partners.
- Purposes of processing: Direct marketing (e.g., by email or post).
- Legal bases: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR).
- Objection option (Opt-Out): Users can cancel their subscription to our newsletter at any time, i.e., revoke their consent, or object to further receipt. A link to unsubscribe from the newsletter can be found either at the end of each newsletter or users can use one of the contact options provided above, preferably email, for this purpose.
Further information on processing processes, procedures, and services:
- Measurement of opening and click rates: The newsletters contain a so-called “web beacon,” i.e., a pixel-sized file that is retrieved from our server or, if we use a dispatch service provider, from its server when the newsletter is opened. As part of this retrieval, technical information such as information about the browser and your system, as well as your IP address and the time of retrieval, is initially collected. This information is used for the technical improvement of our newsletter based on the technical data, or based on the target groups and their reading behavior as indicated by their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether and when the newsletters are opened and which links are clicked. The information is assigned to the individual newsletter recipients and stored in their profiles until deleted. The evaluations are used to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. Measurement of opening and click rates as well as storage of the measurement results in the user profiles; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Web analysis, monitoring, and optimization
Web analysis (also referred to as “reach measurement”) is used to evaluate the visitor traffic to our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the reach analysis, for example, we can determine at what time our online offering or its functions or contents are most frequently used or invite reuse. Likewise, it is possible for us to understand which areas need optimization.
In addition to web analysis, we may also use test procedures to test and optimize different versions of our online offering or its components.
Unless otherwise stated below, profiles, i.e., data summarized for a usage process, may be created for these purposes and information may be stored and then read in a browser or on an end device. The information collected includes, in particular, visited websites and elements used there, as well as technical information such as the browser used, the operating system used, and information about usage times. If users have consented to us or to the providers of the services we use collecting their location data, the processing of location data is also possible.
In addition, users’ IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, no plain-text data of users (such as email addresses or names) is stored in the context of web analysis, A/B testing, and optimization, only pseudonyms. This means that we and the providers of the software used do not know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures.
Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we would also like to point out the information on the use of cookies in this privacy policy.
- Processed data types: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, types of devices used, and operating systems, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Affected individuals: Users (e.g., website visitors, users of online services).
- Purposes of processing: Reach measurement (e.g., access statistics, recognition of recurring visitors); Profiles with user-related information (creation of user profiles). Provision of our online offering and user-friendliness.
- Security measures: IP masking (pseudonymization of the IP address).
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
- Google Analytics: We use Google Analytics to measure and analyze the usage of our online offering based on a pseudonymous user identification number. This identification number does not contain unique data such as names or email addresses. It is used to assign analysis information to an end device in order to recognize which content users have accessed within one or more usage processes, which search terms they have used, whether they have accessed these again, or whether they have interacted with our online offering. The time of use and its duration are also stored, as well as the sources of users who refer to our online offering and technical aspects of their devices and browsers.
For this purpose, pseudonymous profiles of users are created with information from the use of different devices, whereby cookies can be used. Google Analytics does not log and store individual IP addresses for EU users. However, Analytics provides rough geographic location data by deriving the following metadata from IP addresses: city (and derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is used exclusively for this derivation of geolocation data before being immediately deleted. They are not logged, not accessible, and not used for further purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://policies.google.com/privacy; Data Processing Terms: https://business.safety.google/adsprocessorterms/; Basis for Third Country Transfers: Data Privacy Framework (DPF); Opt-Out: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Display Ad Settings: https://myadcenter.google.com/personalizationoff. Additional Information: https://business.safety.google/adsservices/ (Types of processing and processed data).
- Processed data types: Contact details (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or pictorial messages and contributions as well as the information concerning them, such as authorship details or time of creation); Usage data (e.g., page views and length of stay, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, times, identification numbers, persons involved).
- Affected individuals: Users (e.g., website visitors, users of online services).
- Purposes of processing: Contact inquiries and communication; Feedback (e.g., collecting feedback via online form). Marketing.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Instagram: Social network; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy. Basis for Third Country Transfers: Data Privacy Framework (DPF).
- TikTok: Social network / Video platform; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.tiktok.com. Privacy Policy: https://www.tiktok.com/de/privacy-policy.
- YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Privacy Policy: https://policies.google.com/privacy; Basis for Third Country Transfers: Data Privacy Framework (DPF). Opt-Out: https://myadcenter.google.com/personalizationoff.
- Processed data types: Usage data (e.g., page views and length of stay, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, times, identification numbers, persons involved); Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact details (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or pictorial messages and contributions as well as the information concerning them, such as authorship details or time of creation).
- Affected individuals: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of our online offering and user-friendliness; Marketing. Profiles with user-related information (creation of user profiles).
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Google Fonts (Sourced from Google Server): Procurement of fonts (and symbols) for the purpose of technically secure, maintenance-free, and efficient use of fonts and symbols in terms of topicality and loading times, their uniform presentation, and consideration of possible license restrictions. The provider of the fonts is informed of the user’s IP address so that the fonts can be made available in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) are transmitted, which are necessary for the provision of the fonts depending on the devices used and the technical environment. This data may be processed on a server of the font provider in the USA – When visiting our online offering, users’ browsers send their browser HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) of Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the Internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the User-Agent, which describes the browser and operating system versions of the website visitors, as well as the referring URL (i.e., the webpage on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers, and they are not analyzed. The Google Fonts Web API logs details of HTTP requests (requested URL, User-Agent, and referring URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families that the user wants to load fonts for. This data is logged so that Google can determine how often a particular font family is requested. The Google Fonts Web API needs the User-Agent in order to adapt the font that is generated for the respective browser type. The User-Agent is primarily logged for debugging and used to generate aggregated usage statistics to measure the popularity of font families. These aggregated usage statistics are published on the “Analytics” page of Google Fonts. Finally, the referring URL is logged so that the data can be used for production maintenance and an aggregated report on top integrations based on the number of font requests can be generated. According to Google’s own information, Google does not use any of the information collected by Google Fonts to create profiles of end users or to display targeted ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://fonts.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis for Third Country Transfers: Data Privacy Framework (DPF).
Further information on processing operations, procedures, and services:
Presence in Social Networks (Social Media)
We maintain online presences within social networks and process user data in this context to communicate with active users there or to provide information about us.
We would like to point out that user data can be processed outside the European Union in this context. This may entail risks for users because, for example, enforcing user rights could be made more difficult.
Furthermore, the data of users within social networks is usually processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and resulting interests of the users. The latter may in turn be used, for example, to display advertisements within and outside the networks that presumably correspond to the interests of the users. Therefore, cookies are usually stored on the users’ computers, in which the users’ usage behavior and interests are stored. In addition, data can also be stored in the usage profiles independently of the devices used by the users (especially if they are members of the respective platforms and logged in there).
For a detailed presentation of the respective processing methods and the possibilities of objection (opt-out), we refer to the data protection declarations and information provided by the operators of the respective networks.
Even in the case of requests for information and the assertion of data subject rights, we would like to point out that these can be most effectively asserted with the providers. Only the latter have access to the user data and can directly take appropriate measures and provide information. However, if you still need assistance, you can contact us.
Further information on processing operations, procedures, and services:
Plug-ins and Embedded Functions as well as Content
We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos, or maps (hereinafter uniformly referred to as “content”).
The integration always presupposes that the third-party providers of this content process the IP address of the users, since they could not send the content to their browser without the IP address. The IP address is thus necessary for the presentation of this content or functions. We endeavor to use only content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Through the “pixel tags”, information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, visit time, as well as other information about the use of our online offering, but may also be linked to such information from other sources.
Notes on legal bases: If we ask users for their consent to use third-party services, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
Further information on processing operations, procedures, and services:
- Instagram plugins and content: This may include content such as images, videos, or text and buttons through which users can share content from this online offering within Instagram. – We, together with Meta Platforms Ireland Limited, are jointly responsible for the collection or receipt in the context of transmission (but not the further processing) of “event data” that Facebook collects through Instagram functions (e.g., embedding functions for content) executed on our online offering or receives for the following purposes: a) Display of content and advertising information that corresponds to the presumed interests of users; b) Delivery of commercial and transaction-related messages (e.g., addressing users via Facebook Messenger); c) Improving ad delivery and personalizing features and content (e.g., improving recognition of which content or advertising information presumably corresponds to the interests of users). We have entered into a specific agreement with Facebook (“Addendum for Controllers”, https://www.facebook.com/legal/controller_addendum), which regulates in particular the security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to fulfill the rights of data subjects (i.e., users can, for example, address requests for information or deletion directly to Facebook).
Note: If Facebook provides us with measurements, analyses, and reports (which are aggregated, i.e., do not contain information about individual users and are anonymous to us), this processing does not occur within the joint responsibility, but based on a data processing agreement (“Data Processing Terms”, https://www.facebook.com/legal/terms/dataprocessing), the “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_terms), and with regard to processing in the USA based on standard contractual clauses (“Facebook-EU Data Transfer Addendum,” https://www.facebook.com/legal/EU_data_transfer_addendum). The rights of users (especially with regard to information, deletion, objection, and complaint to the competent supervisory authority) are not limited by the agreements with Facebook; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com. Privacy Policy: https://instagram.com/about/legal/privacy/.
- YouTube videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third Country Transfers: Data Privacy Framework (DPF). Opt-Out Possibility: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Settings for Displaying Ads: https://myadcenter.google.com/personalizationoff.
Change and Update of the Privacy Policy
We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and please check the information before contacting us.
Definition of Terms
In this section, you will find an overview of the terminology used in this privacy policy. Where the terms are legally defined, their legal definitions apply. The following explanations are intended primarily to aid understanding.
- Inventory Data: Inventory data includes essential information necessary for the identification and management of contractual partners, user accounts, profiles, and similar assignments. These data may include personal and demographic information such as names, contact information (addresses, phone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between individuals and services, institutions, or systems by enabling clear identification and communication.
- Content Data: Content data includes information generated during the creation, editing, and publication of content of all kinds. This category of data may include texts, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the actual content but also includes metadata providing information about the content itself, such as tags, descriptions, author information, and publication dates.
- Contact Data: Contact data are essential information that enables communication with individuals or organizations. They include, among other things, phone numbers, postal addresses, and email addresses, as well as communication means such as social media handles and instant messaging identifiers.
- Meta-, Communication, and Process Data: Meta-, communication, and process data are categories containing information about how data is processed, transmitted, and managed. Metadata, also known as data about data, includes information describing the context, origin, and structure of other data. It may include details such as file size, creation date, document author, and revision history. Communication data captures the exchange of information between users across various channels, such as email traffic, call logs, messages on social networks, and chat logs, including the parties involved, timestamps, and transmission paths. Process data describes the processes and procedures within systems or organizations, including workflow documentation, transaction and activity logs, as well as audit logs used for tracking and verifying operations.
- Usage Data: Usage data refers to information that captures how users interact with digital products, services, or platforms. These data include a wide range of information that shows how users use applications, which features they prefer, how long they stay on particular pages, and the paths they navigate through an application. Usage data may also include usage frequency, activity timestamps, IP addresses, device information, and location data. They are particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. Additionally, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.
- Personal Data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Profiles with User-related Information: The processing of “profiles with user-related information,” or simply “profiles,” includes any type of automated processing of personal data involving the use of such personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information regarding demographics, behavior, and interests, such as interaction with websites and their content, etc.). For profiling purposes, cookies and web beacons are often used.
- Reach Measurement: Reach measurement (also known as web analytics) serves to evaluate the visitor flows of an online offering and may include the behavior or interests of visitors in certain information, such as content of websites. With the help of reach analysis, operators of online offerings, for example, can recognize when users visit their websites and what content interests them. This enables them, for example, to better tailor the content of the websites to the needs of their visitors. Pseudonymous cookies and web beacons are often used for reach analysis purposes to recognize returning visitors and obtain more precise analyses of the use of an online offering.
- Controller: The “controller” is the natural or legal person, authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data.
- Processing: “Processing” means any operation or set of operations which is performed upon personal data, whether or not by automatic means. The term is broad and includes virtually any handling of data, whether it is collecting, analyzing, storing, transmitting, or deleting.