xolaro - Privacy Policy

Data privacy statement

Introduction

With the following data privacy statement, we would like to inform you about which types of your personal data (hereinafter also referred to in brief as “data”) we process for which purposes and to what extent. The data privacy statement applies for all processing of personal data carried out by us, both within the framework of the provision of our services as well as in particular on our websites, in mobile applications and within external online presences such as our social media profiles (hereinafter referred to collectively as “online offering”).

The terms used are not gender-specific.

Status: 30 April 2020

Table of contents

  • Introduction
  • Controller
  • Overview of processing
  • Relevant legal bases
  • Security measures
  • Transfer and disclosure of personal data
  • Data processing in third countries
  • Use of cookies
  • Commercial and business services
  • Use of online marketplaces for e-commerce
  • Payment service providers
  • Provision of the online offering and web hosting
  • Contact
  • Communication via Messenger
  • Video conferences, online meetings, webinars and screen sharing
  • Cloud services
  • Newsletters and mass communication
  • Advertising communication via e-mail, post, fax or telephone
  • Sweepstakes and competitions
  • Polls and surveys
  • Web analysis and optimisation
  • HubSpot
  • Online marketing
  • Review platforms
  • Presence in social networks
  • Plug-ins and embedded functions as well as content
  • Deletion of data
  • Amendment and updating of the data privacy statement
  • Rights of the data subjects
  • Definitions of terms

Controller

Xolaro e.U.
Dorfplatz 4/1
8302 Nestelbach bei Graz Österreich

Persons authorised to represent the company: Franz Seelaus
E-mail address: office@xolaro.com
Telephone: +43 677 61250012
Company details: https://www.xolaro.com/impressum

Overview of processing

The following overview summarises the types of data processed and the purposes of their processing and makes reference to the data subjects.

Types of data processed

  • User data (e.g. names, addresses).
  • Content data (e.g. text entries, photographs, videos).
  • Contact details (e.g. e-mail, telephone numbers).
  • Meta/communication data (e.g. device information, IP addresses).
  • Usage data (e.g. websites visited, interest in content, access times).
  • Social data (data that is subject to social secrecy [Section 35 of the Social Code I] and is processed e.g. by social insurance organisations, social welfare organisations or care authorities).
  • Location data (data that indicate the location of the terminal of an end user).
  • Contract data (e.g. subject of contract, term, customer category).
  • Payment data (e.g. bank details, invoices, payment history).

Categories of data subjects

  • Employees (e.g. staff, applicants, former employees).
  • Business and contractual partners.
  • Prospective customers.
  • Communication partners.
  • Customers.
  • Users (e.g. website visitors, users of online services).
  • Participants in sweepstakes and competitions.

Purposes of the processing

  • Provision of our online offering and user-friendliness.
  • Conversion tracking.
  • Office and organisational procedures.
  • Click tracking.
  • Cross-device tracking (cross-device processing of user data for marketing purposes).
  • Direct marketing (e.g. by e-mail or by post).
  • Conducting of sweepstakes and competitions.
  • Feedback (e.g. collection of feedback via online form).
  • Interest-based and behavioural marketing.
  • Contact requests and communication.
  • Conversion measurement (measurement of the effectiveness of marketing measures).
  • Profiling (creation of user profiles).
  • Remarketing.
  • Measurement of reach (e.g. access statistics, recognition of returning visitors).
  • Security measures.
  • Tracking (e.g. interest-based/behavioural profiling, usage of cookies).
  • Contractual performance and service.
  • Administration and answering of requests.
  • Target group formation (determination of target groups relevant for marketing purposes or other content output).

Relevant legal bases

In the following, we give notification about the legal bases of the General Data Protection Regulation (GDPR) on the basis of which we process the personal data. Please note that in addition to the regulations of the GDPR the national data privacy specifications in your or our place of residence or domicile may apply. If in addition more specific legal bases should be relevant in individual cases, we will inform you of this in the data privacy statement

  • Consent (Art. 6 Para. 1 Clause 1 Letter a GDPR) – The data subject has given their consent to the processing of the personal data relating to them for a specific purpose or several specific purposes.
  • Contract fulfilment and pre-contractual requests (Art. 6 Para. 1 Clause 1 Letter b. GDPR) – The processing is necessary for the fulfilment of a contract to which the data subject is a contractual party, or for the implementation of pre-contractual measures that are done at the data subject’s request.
  • Legal obligation (Art. 6 Para. 1 Clause 1 Letter c. GDPR) – The processing is necessary for the fulfilment of a legal obligation by the controller.
  • Legitimate interests (Art. 6 Para. 1 Clause 1 Letter f. GDPR) – The processing is necessary to safeguard the legitimate interests of the controller or a third party unless the interests or basic rights or basic freedoms of the data subject that require the protection of personal data outweigh them.

National data privacy regulations in Austria: In addition to the data privacy regulations of the General Data Protection Regulation, national regulations on data privacy also apply in Austria. This includes in particular the Federal Act on the Protection of Private Individuals in the Processing of Personal Data (Data Protection Act – DSG). The Data Protection Act contains in particular special regulations regarding the right to information, the right to rectification or erasure, to the processing of special categories of personal data, to the processing for other purposes and for the transmission and for the automated decision making in individual cases.

Security measures

In accordance with the statutory specifications and taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing and the different probabilities of occurrence and the extent of the threat to the rights and freedoms of private individuals, we take suitable technical and organisational measures in order to guarantee a level of protection appropriate to the risk.

The measures include in particular the safeguarding of the confidentiality, integrity and availability of data through the checking of the physical and electronic access to the data as well as the access relating to them, the input, the transfer, the safeguarding of the availability and their separation. In addition, we have set up procedures that guarantee the safeguarding of data subject rights, the deletion of data and responses to risks to the data. We also already take the protection of personal data into account in the development or selection of hardware, software and procedures in accordance with the principle of data privacy, through technology design and through data privacy-friendly default settings.

Shortening of the IP address:
Where it is possible for us or a saving of the IP address is not necessary, we will shorten your IP address or have it shortened. In the event of the IP address being shortened, also called “IP masking”, the last octet, i.e. the last two numbers in an IP address, is deleted (in this context, the IP address is an identifier individually assigned to an Internet connection by the online access provider. With the shortening of the IP address, the identification of a person based on their IP address is to be prevented or made substantially more difficult.

SSL encryption (https): We use an SSL encryption to protect your data transmitted via our online offering. You can recognise connections encrypted in this way by the prefix https:// in the address line of your browser.

Transfer and disclosure of personal data

During our processing of personal data, it may be the case that the data are transmitted to other organisations, companies, legally independent organisational units or persons or disclosed to them. The recipients of these data can include e.g. payment institutions within the framework of payment transactions, service providers commissioned with IT tasks, or providers of services and content that are integrated into a website. In such a case, we comply with the statutory provisions and conclude in particular corresponding contracts or agreements that serve to protect your data with the recipients of your data.

Data processing in third countries

If we process data in a third country (i.e. outside of the European Union [EU] or of the European Economic Area [EEA]) or the processing takes place within the framework of the use of services of third parties or the disclosure or transfer of data to other persons, organisations or companies, this is only done in compliance with the statutory provisions.

Subject to explicit consent or transfer required by contract or the law, we process the data or have it processed only in third countries with a recognised level of data privacy which include the US processors certified under the Privacy Shield, or on the basis of special guarantees, such as the contractual obligation by so-called standard contractual clauses of the EU Commission, the existence of certifications or binding internal data privacy provisions (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Use of cookies

Cookies are text files that contain data of websites or domains visited and are saved by a browser on the user’s computer. A cookie primarily serves to save the information about a user during or after his/her visit within an online offering. The saved information can include e.g. the language settings on a website, the login status, a shopping cart or the place at which a video is watched. We also include under the term “cookies”, other technologies that have the same functions as cookies (e.g. if information of the users is saved based on pseudonymous online identifiers, also called “user IDs”.

The following types and functions of cookies are differentiated:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offering and closed his/her browser.
  • Permanent cookies: Permanent cookies remain saved even after the browser has been closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. The interests of users that are used to measure reach or for marketing purposes can also be saved in such a cookie.
  • First-Party cookies: First-party cookies are set by us ourselves.
  • Third-party cookies (also: third-party provider cookies): Third-party provider cookies are primarily used by advertisers (so-called third parties) to process user information.
  • Required (also essential or absolutely necessary) cookies: Cookies can firstly be absolutely necessary for the operation of a website (e.g. in order to save logins or other user entries or for reasons of security).
  • Statistics, marketing and personalisation cookies: In addition, cookies are usually also used within the framework of reach measurement and when the interests of a user or his/her behaviour (e.g. viewing of certain content, usage of functions, etc.) are saved on individual web pages in a user profile. Such profiles are used to display e.g. content to the users that corresponds to their potential interests. This procedure is also called “tracking”, i.e. tracing of the potential interests of the users. If we use cookies or tracking technologies, we will inform you of this separately in our data privacy statement or when we obtain your consent.

Notes on legal bases: The legal basis on which we process your personal data with the aid of cookies depends on whether we ask for your consent. If this applies and you agree to the usage of cookies, the legal basis for the processing of your data is the declared consent. Otherwise, the data processed with the aid of cookies will be processed on the basis of our legitimate interests (e.g. in an economic running of our online offering and its processing) or, if the use of cookies is necessary, in order to meet our contractual obligations.

General information about revocation and objection (opt-out): Depending on whether the processing is done on the basis of consent or statutory authorisation, you have the option at any time to revoke consent that has been given or to object to the processing of your data by cookie technologies (in summary referred to as “opt-out”). You can initially declare your objection using the settings of your browser, e.g. by deactivating the usage of cookies (whereby the functionality of our online offering can also be restricted as a result). An objection to the use of cookies for the purposes of online marketing can also be declared by means of a large number of services, particularly in the case of tracking, via the websites https://optout.aboutads.info und https://www.youronlinechoices.com/. In addition, you can also get additional information about objecting to the use of cookies as part of the information provided on the service providers used and cookies.

Processing of cookie data on the basis of consent: Before we process data within the framework of the usage of cookies, or have such data processed, we ask the users for their consent and this consent can be revoked at any time. Before the consent is declared, cookies may be set that are necessary to run our online offering. Their use is done on the basis of our interest and the interest of the users in the expected functionality of our online offering.

  • Types of data processed: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Legal bases: Consent (Art. 6 Para. 1 Clause 1 Letter a GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 Letter f. GDPR).

Error: The domain is not authorized to show the cookie declaration. Please add it in the cookie manager to authorize the domain.

This website uses cookies. We use cookies to personalise content and ads, to be able to offer functions for social media and to analyse access to our website. We also forward information on your use of our website to our partners for social media, advertising and analyses. Our partners may merge this information with other data that you have provided to them or that they have collected within the framework of your usage of the services. You consent to our cookies if you continue to use our website.

Cookies are small text files that are used by websites to make the user experience more efficient.

You may change or revoke your consent at any time by using the cookie declaration on our website.

Find out more in our data privacy policy who we are, how you can contact us and how we process personal data.

Please enter your consent ID and the date when you contacted us with regard to your consent.

Your consent applies to the following domains: www.xolaro.com

Commercial and business services

We process data of our contractual and business partners, e.g. existing and prospective customers (referred to jointly as “contractual partners”) within the framework of contractual and comparable legal relationships and associated measures and within the framework of the communication with the contractual partners (or in pre-contractual form), e.g. to answer requests.

We process this data to fulfil our contractual obligations, to safeguard our rights and for the purposes of administrative tasks associated with this information and for the corporate organisation. We only pass on the data of the contractual partners within the framework of applicable law if this is necessary for the aforementioned purposes or to fulfil statutory obligations or is done with the consent of the contractual partners (e.g. to participating telecommunications, transport and other auxiliary services and to subcontractors, banks, tax and legal advisers, payment service providers or tax authorities). The contractual partners will be informed about other forms of processing, e.g. for purposes of marketing, within the framework of this data privacy statement.

We will notify the contractual partners of which data is necessary for the aforementioned purposes before or within the framework of the data collection, e.g. in online forms, by special marking (e.g. colours) or symbols (e.g. asterisk etc.) or in person.

We delete the data after the expiry of the statutory warranty and comparable obligations, i.e. fundamentally after the expiry of 4 years unless the data is saved in a customer account, e.g. as long as they have to be retained for statutory archiving reasons (e.g. for tax purposes usually for 10 years). Data that has been disclosed to us within the framework of an order by the contractual partner is deleted in accordance with the specifications of the order, fundamentally after the end of the order.
If we use third-party providers or platforms to provide our services, the terms and conditions of business and the data privacy information of the respective third-party providers or platforms apply in the relationship between the users and the providers.

Customer account: Contractual partners can create an account within our online offering (e.g. customer or user account, in brief “customer account”). If the registration of a customer account is necessary, this will also be pointed out to contract partners, as will the information necessary for registration. The customer accounts are not public and cannot be indexed by search engines. During registration and the subsequent logins and usage of the customer account, we save the IP addresses of the customers in addition to the times of access in order to be able to provide proof of the registration and to prevent any misuse of the customer account.

If customers have terminated their customer account, the data relating to the customer account will be deleted unless its retention is necessary for statutory reasons. It is the customer’s responsibility to back up their data when they have terminated the customer account.

Economic analyses and market research: For business reasons and in order to be able to detect market tendencies, wishes of the contractual partners and users, we analyse the data available to us regarding business transactions, contracts, requests, etc. whereby the group of the data subjects can include contractual partners, prospective customers, customers, visitors and users to our online presence.

The analyses are done for the purpose of business analyses, marketing and market research (e.g. to determine customer groups with different characteristics). In the process, we can, if available, take the profiles of registered users and their information, e.g. services used, into account. The analyses are solely for our own purposes and will not be disclosed externally if they are not anonymous analyses with summarised, i.e. anonymised data. We also take into account the users’ privacy and, where possible, process the data for the analysis purposes in pseudonymous form and, if feasible, in anonymous form (e.g. as consolidated data).

Shop and e-commerce: We process the data of our customers in order to make it possible for them to select, acquire or order the selected products, goods and associated services, as well as to facilitate their payment, delivery and implementation.

The required information is marked as such within the framework of the order or comparable purchase transaction and includes the information necessary for delivery, provision and billing as well as contact information if consultation is necessary.

  • Types of data processed: User data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact details (e.g. e-mail, telephone numbers), contract data (e.g. subject of contract, term, customer category), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Prospective customers, business and contractual partners, customers.
  • Purposes of the processing: Contractual performance and service, contact requests and communication, office and organisational procedures, administration and answering of requests, security measures, conversion tracking, interest-based and behavioural marketing, profiling (creation of user profiles).
  • Legal bases: Contract fulfilment and pre-contractual requests (Art. 6 Para. 1 Clause 1 Letter b. GDPR), legal obligation (Art. 6 Para. 1 Clause 1 Letter c. GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 Letter f. GDPR).

Use of online marketplaces for e-commerce

We offer our services on online platforms that are operated by other service providers. In this context, the data privacy information of the respective platforms applies in addition to our data privacy information. This applies in particular with regard to the procedures used on the platforms for reach measurement and for interest-based marketing.

  • Types of data processed: User data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact details (e.g. e-mail, telephone numbers), contract data (e.g. subject of contract, term, customer category), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Customers.
  • Purposes of the processing: Contractual performance and service.
  • Legal bases: Contract fulfilment and pre-contractual requests (Art. 6 Para. 1 Clause 1 Letter b. GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 Letter f. GDPR).

Payment service providers

Within contractual and other legal relationships, as the result of statutory obligations or otherwise on the basis of our legitimate interests, we offer the data subjects efficient and secure payment options and for this purpose, in addition to banks and credit institutions, use other payment service providers (collectively referred to as “payment service providers”).

The data processed by the payment service providers includes user data such as name and address, bank data such as account numbers or credit card numbers, passwords, TANs and checksums as well as the contract amounts and recipient-related information. The information is necessary to carry out the transactions. However, the data entered is only processed by the payment service providers and stored at these companies. In other words, we do not receive any account or credit card-related information but only information with a confirmation or negative notification with regard to the payment. Under certain circumstances, the data may be transferred to credit agencies by the payment service providers. This transmission aims to check the identity and creditworthiness of the user. In this regard, we refer to the general terms and conditions of business and the data privacy information of the payment service providers.

For the payment transactions, the terms and conditions of business and the data privacy information of the respective payment service providers that can be retrieved within the respective websites or transaction applications apply. We also make reference to them for the purpose of further information and the filing of revocation, information and other data subject rights.

  • Types of data processed: User data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contract data (e.g. subject of contract, term, customer category), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Existing and prospective customers.

Provision of the online offering and web hosting

So that we can provide our online offering in a secure and efficient way, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the online offering is retrieved. For these purposes, we can use infrastructure and platform services, computing capacity, memory space and database services as well as security services and technical maintenance services.

The data processed within the framework of the provision of the hosting offering can include all information relating to the users of our online offering which is incurred during the usage and the communication. This regularly includes the IP address that is necessary in order to be able to deliver the content of online offerings to browsers and all entries made within our online offering or from websites.

Collection of access data and log files: We ourselves (or our web hosting provider) collect data about every access to the server (so-called server log files). The server log files can include the address and name of the retrieved websites and files, data and time of the retrieval, transmitted data volumes, report on successful retrieval, browser type in addition to version, the operating system of the user, referral URL (the page visited beforehand) and usually IP addresses and the requesting provider.

The server log files can firstly be used for purposes of security, e.g. to avoid an overload of the servers (in particular in the case of improper attacks, so-called DDoS attacks) and secondly in order to ensure utilisation of the servers and their stability.

  • Types of data processed: Content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Legal bases: Legitimate interests (Art. 6 Para. 1 Clause 1 Letter f GDPR).

Contact

When contacting us (e.g. by contact form, e-mail, telephone or via social media), the information from the requesting persons is processed if this is necessary to answer the contact requests and for any requested measures.

The answering of the contact requests within the framework of contractual or pre-contractual relationships is only done to meet our contractual obligations or to answer (pre-)contractual requests and for the rest on the basis of the legitimate interests in the answering of the requests.

  • Types of data processed: User data (e.g. names, addresses), contact details (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos).
  • Data subjects: Communication partners.
  • Purposes of the processing: Contact requests and communication.
  • Legal bases: Contract fulfilment and pre-contractual requests (Art. 6 Para. 1 Clause 1 Letter b. GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 Letter f. GDPR).

Communication via Messenger

For purposes of communication, we use Messenger and therefore ask that the following information regarding the functionality of Messenger, encryption, usage of meta data of the communication, and your possibilities to object to the communication is noted.

You can also contact us via alternative means, e.g. via telephone or e-mail. Please use the contact options notified to you or the contact options indicated within our online offering.

In the event of an end-to-end encryption of content (i.e. the content of your message and attachments), we point out that the communication content (i.e. the content of the messages and attached images) is encrypted from end to end. This means that the content of the messages is not visible, not even to the Messenger providers themselves. You should always use a current version of Messenger so that the encryption of the message content is ensured.

However, we also point out to our communication partners that the providers of Messenger cannot see the content but can find out that and when communication partners are communicating with us and technical information about the device used by the communication partners and depending on the settings of their device according to their location information (so-called meta data) is being processed.

Notes on legal bases: If we ask communication partners for consent before communicating with them via Messenger, the legal basis for our processing of their data is their consent. For the rest, if we do not ask them for their consent and they contact us, e.g. on their own initiative, we use Messenger in the relationship with our contractual partners and within the framework of the contract preparation as a contractual measure and in the event of other prospective customers and communication partners on the basis of our legitimate interests in a prompt and efficient communication and fulfilment of the requirements of our communication partners with regard to communication via Messenger. We also point out to you that we do not first transmit the contact details notified to us to Messenger without your consent.

Revocation, objection and deletion:
You may revoke consent that you have given us at any time and object to the communication with us via Messenger at any time. In the case of communication via Messenger, we delete the messages in accordance with our general deletion guidelines (i.e. e.g. as described above, after the end of the contractual relationships, in the context of archiving specifications, etc.) and otherwise as soon as we can assume that we have answered any information requests from the communication partners if no reference to a previous conversation is to be expected and the deletion does not conflict with any statutory retention obligations.

Reservation of referral to other means of communication:
To conclude, we would like to point out that we reserve the right, for reasons of your security, not to answer requests via Messenger. This is the case when e.g. contract details require special confidentiality or an answer via Messenger does not meet the formal requirements. In such cases, we refer you to more appropriate communication routes.

  • Types of data processed: Contact details (e.g. e-mail, telephone numbers), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Communication partners.
  • Purposes of the processing: Contact requests and communication, direct marketing (e.g. by e-mail or by post).
  • Legal bases: Consent (Art. 6 Para. 1 Clause 1 Letter a GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 Letter f. GDPR).

Services and service providers used:

  • Facebook Messenger: Facebook Messenger with end-to-end encryption (the end-to-end encryption of the Facebook Messenger requires activation if it is not activated by default); service provider: https://www.facebook.com, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; website: https://www.facebook.com; data privacy statement: https://www.facebook.com/about/privacy; Privacy Shield (guarantee of data privacy level in the event of data processing in the US): https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status =Active; opportunity to opt out: https://www.facebook.com/settings?tab=ads.
  • WhatsApp: WhatsApp Messenger with end-to-end encryption; service provider: WhatsApp Inc. WhatsApp Legal 1601 Willow Road Menlo Park, California 94025, USA; website: https://www.whatsapp.com/; data privacy statement: https://www.whatsapp.com/legal; Privacy Shield (guarantee of data privacy level in the event of data processing in the US): https://www.privacyshield.gov/participant?id=a2zt0000000TSnwAAG&status =Active.

Video conferences, online meetings, webinars and screen sharing

We use platforms and applications of other providers (hereinafter referred to as “third-party providers”) for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings. We comply with the statutory specifications when selecting the third-party providers and their services.

Within this framework, data of the communication participants is processed and saved on the services of the third-party providers if this is part of communication processes with us. This data can in particular include registration and contact details, visual and vocal contributions as well as input to chats and shared screen content.

If users are referred to the third-party providers or their software or platforms during the communication, business or other relationships with us, the third-party providers can process usage data and meta data for security purposes, service optimisation or marketing purposes. We therefore request that they note the data privacy information of the respective third-party providers.

Notes on legal bases: If we ask the users for their consent to the use of the third-party providers or of certain functions (e.g. consent with a recording of conversations), the legal basis for the processing is the consent. In addition, their use can be a component of our (pre-)contractual services if the use of the third-party providers has been agreed in this framework. Otherwise, the data of the users is processed on the basis of our legitimate interests in an efficient and secure communication with our communication partners. In this context, we would also like to refer you to the information regarding the use of cookies in this data privacy statement.

  • Types of data processed: User data (e.g. names, addresses), contact details (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Communication partners, users (e.g. website visitors, users of online services).
  • Purposes of the processing: Contractual performance and service, contact requests and communication, office and organisational procedures.
  • Legal bases: Consent (Art. 6 Para. 1 Clause 1 letter a GDPR), contract fulfilment and pre-contractual requests (Art. 6 Para. 1 Clause 1 Letter b. GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 Letter f. GDPR).

Services and service providers used:

  • Skype: Messenger and conference software; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; website: https://www.skype.com/de/; data privacy statement: https://privacy.microsoft.com/de-de/privacystatement, Security information: https://www.microsoft.com/de-de/trustcenter; Privacy Shield (guarantee of data privacy level in the event of data processing in the US): https://www.privacyshield.gov/participant?id=a2zt0000000KzNaAAK&status =Active.

Cloud services

We use software services accessible via the Internet and carried out on the services of their providers (so-called “cloud services”, also referred to as “Software as a Service”) for the following purposes: saving of documents and administration, calendar administration, sending of e-mails, spreadsheet calculations and presentations, exchange of documents, content and information with certain recipients or publication of websites, forms or other content and information as well as chats and participation in audio and video conferences.

Within this framework, personal data can be processed and saved on the servers of the providers if this is a component of communication processes with us or is processed by us otherwise, as shown within the framework of this data privacy statement. This data can include in particular master data and contact details of the users, data on transactions, contracts, other processes and their content. The providers of the cloud services also process usage data and meta data that are used by them for security purposes and to optimise their service.

If we provide website forms or other documents and content with the aid of the cloud services and these forms, documents or content are accessible for other users or the general public, the providers can save cookies on the devices of the users for purposes of web analysis or in order to note settings by the users (e.g. in the event of media control).

Notes on legal bases: If we request consent to the use of cloud services, the legal basis for the processing is your consent. In addition, their use can be a component of our (pre-)contractual services if the use of the cloud services has been agreed in this framework. Otherwise, the data of the users is processed on the basis of our legitimate interests (i.e. interest in efficient and secure administration and collaboration processes).

  • Types of data processed: User data (e.g. names, addresses), contact details (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Existing customers, employees (e.g. staff, applicants, former employees), prospective customers, communication partners.
  • Purposes of the processing: Office and organisational procedures.
  • Legal bases: Consent (Art. 6 Para. 1 Clause 1 letter a GDPR), contract fulfilment and pre-contractual requests (Art. 6 Para. 1 Clause 1 Letter b. GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 Letter f. GDPR).

Services and service providers used:

  • Dropbox: Cloud storage services; service provider: Dropbox, Inc., 333 Brannan Street, San Francisco, California 94107, USA; website: https://www.dropbox.com/de; data privacy statement: https://www.dropbox.com/privacy; Privacy Shield (guarantee of data privacy level in the event of data processing in the US): https://www.privacyshield.gov/participant?id=a2zt0000000GnCLAA0&status =Active; standard contractual clauses (guaranteeing data privacy level in the event of processing in third countries): https://www.dropbox.com/terms/business-agreement-2016.

Newsletters and mass communication

We send out newsletters, e-mails and other electronic notifications (hereinafter “newsletters”) only with the consent from the recipients or a statutory authorisation. If, during the registration for a newsletter, its content has been specifically described, it is fundamental for the consent by the users. For the rest, our newsletters contain information about our services and us.

To register for your newsletters, it is fundamentally sufficient if you provide your e-mail address. However, we may ask you to provide a name so that we can address you in person in the newsletter, or further information if this is necessary for the purposes of the newsletter.

Double opt-in procedure: The registration for our newsletter is fundamentally done in a so-called double opt-in procedure. In other words, after registering, you will receive an e-mail in which you are asked to confirm your registration. This confirmation is necessary to prevent anybody registering with third-party e-mail addresses. The registrations for the newsletter are logged so that the registration process can be proved in accordance with the legal requirements. This includes the saving of the time of registration and of confirmation as well as the IP address. The changes to your data saved at your shipping service provider are logged.

Deletion and restriction of the processing: We can save the deregistered e-mail addresses for up to three years on the basis of our legitimate interests before we delete them in order to be able to prove any consent given in the past. The processing of this data is restricted to the purpose of averting possible claims. An individual application for deletion is possible at any time if the former existence of consent is confirmed at the same time. In the event of obligations to permanently take objections into account, we reserve the right to save the e-mail address solely for this purpose in a so-called blacklist.

The logging of the registration procedure is done on the basis of our legitimate interests for the purposes of proving its orderly procedure. If we commission a service provider with dispatching e-mails, this is done on the basis of our legitimate interest in an efficient and secure mailing system.

Notes on legal bases: The newsletter is dispatched on the basis of consent from the recipients or, if consent is not required, on the basis of our legitimate interests in direct marketing if and to the extent that this is permitted by law, e.g. in the case of advertising for existing customers. If we commission a service provider with the dispatching of e-mails, this is done on the basis of our legitimate interests. The registration procedure is recorded on the basis of our legitimate interests in order to prove that it was carried out in compliance with the law.

Content: Information about us, our services, promotions and offers.

Analysis and performance measurement: The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is called up when the newsletter is opened from our server or if we use a mailing service provider, from the latter’s server. Within the framework of this retrieval, firstly technical information such as information about the browser and your system as well as your IP address and the time of the retrieval is collected.

This information is used for the technical improvement of our newsletter based on the technical data or the target groups and their reading behaviour on the basis of their retrieval locations (that can be determined with the aid of the IP address) or the access times. This analysis also includes the establishment as to whether the newsletters are opened, when they are opened and which links are clicked on. This information can be assigned to the individual newsletter recipients for technical reasons. However, it is not our aim to monitor individual users or, if used, the shipping service provider. Rather, the analysis helps us to recognise the reading habits of our users and to adapt our content to them or to send different content in accordance with the interests of our users.

The analysis of the newsletter and the performance measurement are done, subject to explicit consent from the users, on the basis of our legitimate interests for the purpose of using a user-friendly and secure newsletter system that corresponds both to our business interests as well as the expectations of the users.

A separate revocation of the performance measurement is unfortunately not possible; in this case, the entire newsletter subscription has to be terminated or an objection raised to it.

  • Types of data processed: User data (e.g. names, addresses), contact details (e.g. e-mail, telephone numbers), meta/communication data (e.g. device information, IP addresses), usage data (e.g. websites visited, interest in content, access times).
  • Data subjects: Communication partners.
  • Purposes of the processing: Direct marketing (e.g. by e-mail or by post).
  • Legal bases: Consent (Art. 6 Para. 1 Clause 1 Letter a GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 Letter f. GDPR).
  • Opportunity to opt out: You can terminate the receipt of our newsletter at any time, i.e. revoke your consent or object to receiving it further. You will find a link to terminate the newsletter either at the end of each newsletter or can otherwise use one of the aforementioned contact options, preferably e-mail, for this purpose.

Services and service providers used:

  • Newsletter2Go: E-mail marketing platform; service provider: Newsletter2Go GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; website: https://www.newsletter2go.com; data privacy statement: https://www.newsletter2go.de/datenschutz/.

Advertising communication via e-mail, post, fax or telephone

We process personal data for purposes of advertising communication that can be done via various channels, e.g. e-mail, telephone, post or fax, in accordance with the statutory provisions.

The recipients have the right to revoke consent given at any time or to object to advertising communication at any time.

After revocation or objection, we can retain the data necessary to prove consent for up to three years on the basis of our legitimate interests before we delete it. The processing of this data is restricted to the purpose of averting possible claims. An individual application for deletion is possible at any time if the former existence of consent is confirmed at the same time.

  • Types of data processed: User data (e.g. names, addresses), contact details (e.g. e-mail, telephone numbers).
  • Data subjects: Communication partners.
  • Purposes of the processing: Direct marketing (e.g. by e-mail or by post).
  • Legal bases: Consent (Art. 6 Para. 1 Clause 1 Letter a GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 Letter f. GDPR).

Sweepstakes and competitions

We process personal data of the participants in sweepstakes and competitions only in compliance with the relevant data privacy provisions if the processing is necessary to provide, implement and handle the competition, the participants have consented to the processing or the processing serves our legitimate interests (e.g. in the security of the competition or the protection of our interests against misuse through possible recording of IP addresses when competition entries are submitted).

If entries from the participants are published during the competitions (e.g. within the framework of voting or presentation of the competition entries or of the winners or of the reporting on the competition), we point out that the names of the participants may also be published in this context. The participants can object to this at any time.

If the competition takes place within an online platform or a social network (e.g. Facebook or Instagram, hereinafter referred to as “online platform”), the terms and conditions of usage and data privacy of the respective platforms also apply. In these cases, we point that we are responsible for the information about the participants notified within the framework of the competition and enquires with regard to the competition are to be addressed to us.

The participants’ data will be deleted as soon as the sweepstake or the competition has ended and the data is no longer required in order to inform the winners or because queries regarding the competition are to be expected. As a fundamental rule, the participants’ data will be deleted at the latest 6 months after the end of the competition. The winners’ data may be retained for a longer period of time in order to be able to e.g. answer queries regarding the prizes or to fulfil the prizes; in this case, the duration of retention is oriented to the type of prize and is up to three years e.g. with items or services in order to be able to handle warranty cases. In addition, the data of the participants can be saved for a longer period of time, e.g. in the form of reporting on the competition in online and offline media.

If data has been collected within the framework of the competition also for other purposes, its processing and the duration of retention will be oriented to the data privacy information regarding this usage (e.g. in the event of a registration for the newsletter within the framework of a competition).

  • Types of data processed: User data (e.g. names, addresses), content data (e.g. text entries, photographs, videos).
  • Data subjects: Participants in sweepstakes and competitions.
  • Purposes of the processing: Conducting of sweepstakes and competitions.
  • Legal bases: Contract fulfilment and pre-contractual requests (Art. 6 Para. 1 Clause 1 Letter b. GDPR).

Polls and surveys

The polls and surveys conducted by us (hereinafter “surveys”) are analysed in anonymous form. There will only be a processing of personal data to the extent that this is necessary for the provision and technical implementation of the surveys (e.g. processing of the IP address in order to display the survey in the user’s browser or to facilitate a resumption of the survey with the aid of a temporary cookie (session cookie) or users have given their consent.

Notes on legal bases: If we ask the participants for their consent to the processing of their data, this is the legal basis for the processing; otherwise, the processing of the participants’ data will be done on the basis of our legitimate interest in the conducting of an objective survey.

  • Types of data processed: Contact details (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Communication partners, users (e.g. website visitors, users of online services).
  • Purposes of the processing: Contact requests and communication, direct marketing (e.g. by e-mail or by post), tracking (e.g. interest-based/behavioural profiling, usage of cookies), feedback (e.g. collection of feedback via online form).
  • Legal bases: Consent (Art. 6 Para. 1 Clause 1 Letter a GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 Letter f. GDPR).

Web analysis and optimisation

The web analysis (also called “reach measurement”) serves to analyse the visitor streams to our online offering and can incorporate behaviour, interests or demographic interests about the visitors such as the age or the gender, as pseudonymous data. With the help of the reach analysis, we can e.g. recognise in which period of time our online offering or its functions or content are used most often or invite visitors to use them again. We can also trace which areas need optimising.

In addition to the web analysis, we can also use test procedures in order to e.g. test and optimise different versions of our online offering or its components.

For these purposes, so-called user profiles can be created and saved in a file (so-called “cookie”) or similar procedures used with the same purpose. This information can include e.g. content viewed, websites visited and elements used there and technical information regarding the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, this can be processed too, depending on the provider.

The IP addresses of the users are also saved. However, we use an IP masking procedure (i.e. pseudonymisation through shortening of the IP address) to protect the users. In general, no plain data of the users (such as e-mail addresses or names) but rather pseudonyms are saved during the web analysis, A/B testing and optimisation. In other words, we as well as the providers of the software used do not know the actual identity of the users but only the information saved in their profiles for the purposes of the respective procedures.

Notes on legal bases:
If we ask the users for their consent to the use of the third-party providers, the legal basis for the processing of data is the consent. Otherwise, the data of the users will be processed on the basis of our legitimate interests (i.e. interest in efficient, economic and recipient-friendly services). In this context, we would also like to refer you to the information regarding the use of cookies in this data privacy statement.

  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of the processing: Reach measurement (e.g. access statistics, recognition of returning visitors), tracking (e.g. Interest-based/behavioural profiling, usage of cookies), conversion tracking, profiling (creation of user profiles).
  • Security measures: IP masking (pseudonymisation of the IP address).
  • Legal bases: Consent (Art. 6 Para. 1 Clause 1 Letter a GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 Letter f. GDPR).

HubSpot

We use HubSpot for our online marketing activities. This is an integrated software solution with which we cover various aspects of our online marketing.

These include, among others:

  • E-mail marketing (newsletters and automated mailings, e.g. to provide downloads).
  • Social media publishing & reporting Reporting (e.g. sources of traffic, access, etc. …).
  • Contact management (e.g. user segmentation & CRM).
  • Landing pages and contact forms.

Our website makes it possible for visitors to find out more about our company, to download content and to provide their contact details and other information.

This information and the content of our website are saved on servers of HubSpot. It can be used by us to contact visitors to our website and in order to determine which services of our company are interesting for them.

All information recorded by us is subject to this data privacy provision. We use all the information recorded solely to optimise our marketing.

HubSpot is a software company from the US with a brand in Ireland. Contact details: Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland, Tel.: +353 1 5187500

HubSpot is certified under the Privacy Shield agreement and thus offers a guarantee of compliance with European data privacy law (https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active). More information on the data privacy provisions of HubSpot (https://legal.hubspot.com/de/privacy-policy).

Online marketing

We process personal data for the purposes of online marketing, which can include in particular the marketing of advertising spaces or the presentation of advertising and other content (referred to collectively as “content”) based on potential interests of the users, and the measurement of their effectiveness.

For these purposes, so-called user profiles are created and saved in a file (so-called “cookie”) or similar procedures used by means of which the information regarding the user and relevant for the presentation of the aforementioned content is saved. This information can include e.g. content viewed, websites visited, online networks used, but also communication partners and technical information regarding the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, this can be processed too.

The IP addresses of the users are also saved. However, we use available IP masking procedures (i.e. pseudonymisation through shortening of the IP address) to protect the users. In general, no plain data of the users (such as e-mail addresses or names) but rather pseudonyms are saved during the online marketing procedures. In other words, we as well as the providers of the online marketing procedures do not know the actual identity of the users but only the information saved in their profiles.

The information in the profiles is usually saved in the cookies or by means of similar procedures. These cookies can subsequently generally also be used in the same online marketing procedure on other websites, read and analysed for purposes of presenting content and also supplemented with further data and saved on the server of the online marketing procedure provider.

In exceptional cases, plain data can be assigned to the profiles. This is the case when the users e.g. are members of a social network whose online marketing procedure is used by us and the network connects the profiles of the users with the aforementioned information. We ask that it be noted that users can make additional agreements with the providers, e.g. through consent within the framework of the registration.

We fundamentally only have access to consolidated information regarding the success of our advertisements. However, within the framework of so-called conversion measurements, we can check which of our online marketing procedures have resulted in a so-called conversion, i.e. e.g. in the conclusion of a contract with us. The conversion measurement is used solely to analyse the success of our marketing measures.

Unless otherwise indicated, we ask you to assume that cookies used are saved for a period of two years.

Notes on legal bases: If we ask the users for their consent to the use of the third-party providers, the legal basis for the processing of data is the consent. Otherwise, the data of the users will be processed on the basis of our legitimate interests (i.e. interest in efficient, economic and recipient-friendly services). In this context, we would also like to refer you to the information regarding the use of cookies in this data privacy statement.

Target group formation with Google Analytics: We use Google Analytics in order to only show advertisements placed within the advertising services of Google and its partners to users who have also shown an interest in our online offering or who have certain characteristics (e.g. interest in certain topics or products that are determined based on the websites visited) which we communicate to Google (so-called “remarketing” or “Google Analytics Audiences”). With the help of the remarketing audiences, we would also like to ensure that our ads correspond to the potential interest of the users.

Facebook-Pixel: With the aid of the Facebook pixel, Facebook is firstly able to determine visitors to our online offering as a target group for the presentation of advertisements (so-called “Facebook ads”). Accordingly, we use the Facebook pixel in order to display the Facebook ads placed by us only to those users of Facebook and within the services of the partners cooperating with Facebook (so-called “Audience Network” https://www.facebook.com/audiencenetwork/) who have also shown an interest in our online offering or who have certain characteristics (e.g. interest in certain topics or products that are discernible based on the websites visited) which we communicate to Facebook (so-called “Custom Audiences”). With the help of the Facebook pixel, we would also like to ensure that our Facebook ads correspond to the potential interest of the users and do not appear annoying. With the aid of the Facebook pixel, we can also trace the effectiveness of the Facebook advertisements for statistical and market research purposes by seeing whether users have been forwarded to our website after clicking on a Facebook ad (so-called “conversion measurement”).

Advanced matching for the Facebook pixel: The additional function “Advanced matching” is used when the Facebook pixel is used. In this context, data such as e-mail addresses or Facebook IDs of the users are transmitted to Facebook for the formation of target groups (in encrypted form).

Facebook – Target group formation via data upload: Uploading of data such as telephone numbers, e-mail addresses or Facebook IDs to the Facebook platform. The data is encrypted during this process. The upload process is only used to display ads to the owners of the data or persons whose user profiles correspond to any user profiles of the owners of the data at Facebook. We would thus like to ensure that the ads are only displayed to users who have an interest in our information and services.

  • Types of data processed: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), location data (data that indicates the location of the terminal of an end user), social data (data that is subject to social secrecy [Section 35 of the Social Code (SGB) I] and is processed by e.g. social insurance organisations, social welfare organisations or care authorities.).
  • Data subjects: Users (e.g. website visitors, users of online services), prospective customers, existing customers, employees (e.g. staff, applicants, former employees), communication partners.
  • Purposes of the processing: Tracking (e.g. interest-based/behavioural profiling, usage of cookies), remarketing, conversion tracking, interest-based and behavioural marketing, profiling (creation of user profiles), conversion measurement (measurement of the effectiveness of marketing measures), reach measurement (e.g. access statistics, recognition of returning visitors), target group formation (determination of target groups relevant for marketing purposes or other output of content), cross-device tracking (cross-device processing of user data for marketing purposes), click tracking.
  • Security measures: IP masking (pseudonymisation of the IP address).
  • Legal bases: Consent (Art. 6 Para. 1 Clause 1 Letter a GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 Letter f. GDPR).
  • We refer to the data privacy information of the respective providers and the opt-out possibilities indicated for the providers. If no explicit opt-out possibility has been indicated, there is firstly the possibility that you switch off cookies in the settings of your browser. However, this can restrict the functions of our online offering. We therefore also recommend the following opt-out possibilities that are offered in consolidated form for the respective regions: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Multi-territory: https://optout.aboutads.info.

Services and service providers used:

  • Google Analytics: Online marketing and web analysis; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://marketingplatform.google.com/intl/de/about/analytics/; data privacy statement: https://policies.google.com/privacy; Privacy Shield (guarantee of data privacy level in the event of data processing in the US): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status= Active; opportunity to opt out: Opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the presentation of ads: https://adssettings.google.com/authenticated.
  • Google Ads and conversion measurement: We use the online marketing procedure “Google Ads” in order to place ads in the Google advertising network (e.g. in search results, in videos, on websites, etc.) so that they are displayed to users who have a presumed interest in the ads. We also measure the conversion of the ads. However, we only learn of the anonymous overall number of users who have clicked on our ad and have been forwarded to a site with a so-called ”conversion tracking tag”. But we ourselves do not receive any information with which users can be identified. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://marketingplatform.google.com; data privacy statement: https://policies.google.com/privacy; Privacy Shield (guarantee of data privacy level in the event of data processing in the US): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status= Active.
  • • Facebook pixel: Service provider: https://www.facebook.com, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; website: https://www.facebook.com; data privacy statement: https://www.facebook.com/about/privacy; Privacy Shield (guarantee of data privacy level in the event of data processing in the US): https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status =Active; opportunity to opt out: https://www.facebook.com/settings?tab=ads.

Review platforms

We participate in review procedures in order to evaluate, optimise and advertise our services. When users give us a review via the participating review platforms or procedures or provide feedback otherwise, the General Terms and Conditions of Business or Usage and the data privacy information of the providers apply in addition. Normally, the review also requires registration with the respective providers.

In order to ensure that the reviewing persons have actually used our services, with the consent from the customers, we send the data required for this with regard to the customer and the service used to the respective review platform (including name, e-mail address and order number / product number respectively). This data is only used to verify the user’s authenticity.

Review widget: We integrate so-called “review widgets” in our online offering. A widget is a functional and content element that is integrated into our online offering and that displays variable content. It can be displayed e.g. in the form of a seal or a comparable element, in places also called “badge”. In the process, the corresponding content of the widget is shown within our online offering but retrieved at this moment from the servers of the respective widget provider. Only in this way can the current content be shown, above all the current review in each case. For this, a data connection must be established from the website retrieved within our online offering to the server of the widget provider and the widget provider receives certain technical details (access details, including IP address) that are necessary so that the content of the widget can be delivered to the user’s browser.

In addition, the widget provider receives information that users have visited our online offering. This information can be saved in a cookie and used by the widget provider in order to recognise which online offerings that participate in the review procedure have been visited by the user. The information can be saved in a user profile and used for advertising or market research purposes.

  • Types of data processed: Contract data (e.g. subject of contract, term, customer category), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Customers, users (e.g. website visitors, users of online services).
  • Purposes of the processing: Feedback (e.g. collection of feedback via online form), reach measurement (e.g. access statistics, recognition of returning visitors), conversion tracking, interest-based and behavioural marketing, profiling (creation of user profiles).
  • Legal bases: Consent (Art. 6 Para. 1 Clause 1 Letter a GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 Letter f. GDPR).

Presence in social networks

We maintain online presences within social networks and process, within this framework, data of the users in order to communicate with the users active there or to offer information about us. We point out that data of the users may be processed outside the area of the European Union. As a result, risks can arise for the users because e.g. the assertion of the users’ rights could be made more difficult. With regard to US providers who are certified under the Privacy Shield or offer comparable guarantees of a secure level of data privacy, we point that they thus undertake to comply with the data privacy standards of the EU.

In addition, the users’ data is normally processed within social networks for market research and advertising purposes. In this way, usage profiles can be created e.g. based on the usage behaviour and the resulting interests of the users. The usage profiles can in turn be used in order to place ads within and outside of the networks that are presumed to correspond to the users’ interests. For these purposes, cookies are usually saved on the users’ computers and the usage behaviour and the interests of the users are saved in them. In addition, data can also be saved in the usage profiles irrespective of the devices used by the users (in particular if the users are members of the respective platforms and are logged onto them).

For a detailed presentation of the respective forms of processing and the possibilities to object to the processing (opt-out), we refer to the data privacy statements and information of the operators of the respective networks.

Also in the case of requests for information and the filing of data subjects’ rights, we point out that they can be filed most effectively with the providers. Only the providers have access in each case to the users’ data and can take corresponding measures and provide information directly. If you should nevertheless require help, you can contact us.

  • Types of data processed: User data (e.g. names, addresses), contact details (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of the processing: Contact requests and communication, tracking (e.g. interest-based/behavioural profiling, usage of cookies), remarketing, reach measurement (e.g. access statistics, recognition of returning visitors).
  • Legal bases: Legitimate interests (Art. 6 Para. 1 Clause 1 Letter f GDPR).

Services and service providers used:

  • Instagram: Social network; service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; website: https://www.instagram.com; data privacy statement: https://instagram.com/about/legal/privacy.
  • Facebook: Social network; service provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; website: https://www.facebook.com; data privacy statement: https://www.facebook.com/about/privacy; Privacy Shield (guarantee of data privacy level in the event of data processing in the US): https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status =Active; opportunity to opt out: Settings for advertisements: https://www.facebook.com/settings?tab=ads; additional information on data privacy: Agreement on joint processing of personal data on Facebook pages: https://www.facebook.com/legal/terms/page_controller_addendum, data privacy information for Facebook pages: https://www.facebook.com/legal/terms/information_about_page_insights_data.
  • Pinterest: Social network; service provider: Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA,; website: https://www.pinterest.com; data privacy statement: https://about.pinterest.com/de/privacy-policy; opportunity to opt out: https://about.pinterest.com/de/privacy-policy.
  • YouTube: Social network; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; data privacy statement: https://policies.google.com/privacy; Privacy Shield (guarantee of data privacy level in the event of data processing in the US): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status= Active; opportunity to opt out: https://adssettings.google.com/authenticated.

Plug-ins and embedded functions as well as content

We integrate function and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party” providers). In the process, these can be, for instance, graphics, videos or social media buttons as well as posts (hereinafter referred to uniformly as “content”).

The integration always requires that the third-party providers of this content process the IP address of the users as they could not send the content to their browsers without the IP address. The IP address is thus necessary for the presentation of this content or these functions. We will strive to only use such content whose respective providers only use the IP address to deliver the content. Third-party providers can also use so-called pixel tags (invisible graphics, also called “web beacons”) for statistical or marketing purposes. Through the pixel tags, information such as the visitor traffic on the pages of this website can be analysed. The pseudonymous information can also be saved in cookies on the users’ devices and, among others, contain technical information about the browser and the operating system, referral websites, the time of visit and other information about the usage of our online offering as well as be linked with such information from other sources.

Notes on legal bases: If we ask the users for their consent to the use of the third-party providers, the legal basis for the processing of data is the consent. Otherwise, the data of the users will be processed on the basis of our legitimate interests (i.e. interest in efficient, economic and recipient-friendly services). In this context, we would also like to refer you to the information regarding the use of cookies in this data privacy statement.

  • Types of data processed: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), location data (data that indicates the location of the terminal of an end user), user data (e.g. names, addresses), contact details (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of the processing: Provision of our online offering and user-friendliness, contractual performance and service, security measures, administration and answering of requests.
  • Legal bases: Legitimate interests (Art. 6 Para. 1 Clause 1 Letter f. GDPR), consent (Art. 6 Para. 1 Clause 1 Letter a GDPR), contract fulfilment and pre-contractual requests (Art. 6 Para. 1 Clause 1 Letter b. GDPR).

Services and service providers used:

  • Google Fonts: We integrate the fonts (“Google Fonts”) of the provider Google, whereby the data of the users are only used for purposes of depicting the fonts in the browser of the users. The integration is done on the basis of our legitimate interests in a technically secure, maintenance-free and efficient usage of fonts, their uniform presentation and taking into account possible restrictions for their integration under licence law. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://fonts.google.com/; data privacy statement: https://policies.google.com/privacy; Privacy Shield (guarantee of data privacy level in the event of data processing in the US): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status= Active.
  • Google Maps: We integrate the maps of the “Google Maps” service of the provider Google. The data processed can include in particular IP addresses and location data of the users that, however, may not be collected without their consent (usually carried out within the framework of the settings of their mobile devices); service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://cloud.google.com/maps-platform; data privacy statement: https://policies.google.com/privacy; Privacy Shield (guarantee of data privacy level in the event of data processing in the US): https://www.privacyshield.gov/participant?id=a2zt0000000TRkEAAW&status =Active; opportunity to opt out: Opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the presentation of ads: https://adssettings.google.com/authenticated.
  • YouTube videos: Video content; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://www.youtube.com; data privacy statement: https://policies.google.com/privacy; Privacy Shield (guarantee of data privacy level in the event of data processing in the US): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status= Active; opportunity to opt out: Opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the presentation of ads: https://adssettings.google.com/authenticated.

Deletion of data

The data processed by us will be deleted pursuant to the statutory provisions as soon as its permitted consents for the processing are revoked or other authorisations lapse (e.g. if the purpose of the processing 34 of this data has lapsed or if they are not necessary for the purpose).

If the data is not deleted because it is necessary for other purposes permitted by law, its processing will be restricted to these purposes. In other words, the data will be blocked and not processed for other purposes. This applies e.g. for data that has to be retained for commercial or tax law or whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural person or legal entity.

Further information on the deletion of personal data can also be found within the framework of the individual data privacy information of this data privacy statement.

Amendment and updating of the data privacy statement

We ask you to regularly inform yourself about the content of our data privacy statement. We adapt the data privacy statement as soon as the changes to the data processing carried out by us so require. We will inform you as soon as collaboration on your part (e.g. consent) or other individual notification becomes necessary as a result of the changes.

If we provide addresses and contact information of companies and organisations in this data privacy statement, please note that the addresses can change over time and we ask you to check the details before contacting such companies or organisations.

Rights of the data subjects

As a data subject pursuant to the GDPR, you are entitled to various rights that arise in particular from Art. 15 to 18 and 21 GDPR:

  • Right to object: You have the right to object at any time to the processing of personal data relating to you that is done on the basis of Art. 6 Para. 1 Letter e or f GDPR for reasons that result from your special situation; this also applies for a profiling based on these provisions. If the personal data relating to you are processed in order to conduct direct advertising, you have the right to object at any time to the processing of the personal data relating to you for the purpose of such advertising; this also applies for profiling if it is associated with such direct advertising.
  • Right to object in the case of consent: You have the right to revoke consent that you have given at any time.
  • Right of access: You have the right to request a confirmation about whether respective data is processed and to information about this data and to further information and a copy of the data in accordance with the statutory provisions.
  • Right to rectification: In accordance with the statutory provisions, you have the right to demand the completion of the data relating to you or the rectification of the incorrect data relating to you.
  • Right to erasure and restriction of the processing: Pursuant to the statutory provisions, you have the right to demand that data relating to you is erased immediately or, alternatively, pursuant to the statutory provisions, to demand a restriction in the processing of the data.
  • Right to data portability: You have the right to receive data relating to you and that you have provided to us, pursuant to the statutory provisions, in a structured, conventional and machine-readable form or to demand their transmission to another control.
  • Complaint to a supervisory authority: In addition, pursuant to the statutory provisions, you have the right to complaint to a supervisory authority, in particular in the Member States of your usual domicile, your place of work or the place of the alleged breach if you are of the opinion that the processing of the personal data relating to you breaches the GDPR.

Definitions of terms

In this section, you gain an overview of the terms used in this data privacy statement. Many of the terms are taken from law and defined above all in Art. 4 GDPR. The statutory definitions are binding. The following explanations, however, aim to above all aid understanding. The terms are sorted alphabetically.

  • Conversion tracking: Conversion tracking is a procedure with which the effectiveness of marketing measures can be established. For this purpose, a cookie is usually saved on the users’ devices within the websites on which the marketing measures are carried out and then retrieved again on the target website. For example, we can thus trace whether the ads placed by us on other websites were successful.
  • Cross-device tracking: Cross-device tracking is a form of tracking in which behavioural and interest information of the users is recorded in cross-device form in so-called profiles by assigning an online identifier to the users. As a result, the user information can be analysed, normally for marketing purposes, irrespective of the browsers or devices used (e.g. mobile phones or desktop computers). With most providers, the online identifier is not linked to plain data such as names, postal addresses or e-mail addresses.
  • IP masking: “IP masking” denotes a method in which the last octet, i.e. the last two figures of an IP address is deleted so that the IP address can no longer be used for the clear identification of a person. That is why IP masking is a means to pseudonymise processing procedures, in particular in online marketing.
  • Interest-based and behavioural marketing: Interest-based and behavioural marketing is when potential interest of users in ads and other content is pre-determined as precisely as possible. This is done based on information regarding their prior behaviour (e.g. searching for certain websites and spending time on them, purchasing behaviour or interaction with other users) that is saved in a so-called profile. Cookies are normally used for these purposes.
  • Click tracking: Click tracking makes it possible to oversee the movements of the users within an entire online offering. As the results of these tests are more precise if the interaction of the users can be followed over a certain period of time (e.g. so that we can find out whether a user likes to return), cookies are usually saved on the users’ computers for these test purposes. Conversion measurement: Conversion measurement is a procedure with which the effectiveness of marketing measures can be established. For this purpose, a cookie is usually saved on the users’ devices within the websites on which the marketing measures are carried out and then retrieved again on the target website. For example, we can thus trace whether the ads placed by us on other websites were successful.
  • Personal data: “Personal data” is all information that relates to an identified or identifiable natural person (hereinafter referred to as “data subject”); a natural person is viewed as identifiable who can be identified directly or indirectly, in particular by means of assignment to an identifier such as a name, a code number, location data, an online ID (e.g. cookie) or to one or several particular characteristics that are an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
  • Profiling: “Profiling” denotes any type of automated processing of personal data that consists of this personal data being used to analyse or obtain certain personal aspects that relate to a natural person (depending on the type of profiling, these include information regarding the age, gender, location data and movement data, interaction with websites and their content, purchasing behaviour, social interactions with other people), or to predict such aspects (e.g. interests in particular content or products, the click behaviour on a website or the place of residence). Cookies and web beacons are frequently used for profiling purposes.
  • Reach measurement: Reach measurement (also called web analytics) serves to analyse the visitor streams of an online offering and can incorporate the behaviour or interests of the visitors in certain information, such as the content of websites. With the aid of the reach analysis, website owners, for instance, can recognise at what time visitors visit their website and which content they are interested in. They can thus adapt, for instance, the content of the website to the requirements of their visitors better. Pseudonymous cookies and web beacons are frequently used for purposes of reach analysis in order to recognise returning visitors and thus to obtain more precise analyses regarding the usage of an online offering.
  • Remarketing: “Remarketing” or “retargeting” denotes when, for example, it is noted for advertising purposes which products a user was interested in on a website in order to remind the user of these products, e.g. in ads, on other websites.
  • Tracking: “Tracking” denotes when the behaviour of users can be traced across several online offerings. Usually, with regard to the online offerings used, behavioural and interest information is saved in cookies or on servers of the providers of the tracking technologies (so-called profiling). This information can then be used, for instance, to display ads to the users that are likely to correspond to their interests.
  • Controller: “Controller” denotes the natural person or legal entity, authority, institution or other organisation that decides alone or together with others on the purposes and means of the processing of 38 personal data.
  • Processing: “Processing” is any process carried out with or without the aid of automated procedures or any such series of processes in connection with personal data. The term is far-reaching and incorporates virtually any handling of data, whether it involves the collection, the analysis, the saving, the transmission or the deletion of data.
  • Target group formation: Target group formation (or “Custom Audiences”) denotes when target groups are determined for advertising purposes, e.g. the displaying of ads. In this way, it can be concluded, for example, based on the interest of a user in certain products or topics on the Internet, that this user is interested in ads for similar products or the online shop in which he or she viewed the products. “Lookalike Audiences” in turn denotes when the content deemed to be suitable is displayed to users whose profiles or interests probably correspond to the users for whom the profiles were formed. Cookies and web beacons are usually used for the purpose of forming Custom Audiences and Lookalike Audiences.