Privacy Policy
Preamble
With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us within the European Union, both in the context of providing our services and in particular on our websites, mobile applications, as well as on external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").
The terms used are not gender-specific.
Last updated: 16 August 2024
Table of Contents
- Preamble
- Controller
- Overview of Processing Activities
- Relevant Legal Bases
- Security Measures
- Disclosure of Personal Data
- International Data Transfers
- General Information on Data Storage and Deletion
- Rights of Data Subjects
- Business Services
- Business Processes and Procedures
- Use of Online Platforms for Sales and Distribution
- Service Providers and Tools Used in Business Operations
- Payment Methods
- Provision of Online Services and Web Hosting
- Use of Cookies
- Registration, Login and User Accounts
- Single Sign-On Login
- Blogs and Publishing Media
- Contact and Inquiry Management
- Communication via Messenger
- Chatbots and Chat Functions
- Push Notifications
- Cloud Services
- Newsletters and Electronic Notifications
- Surveys and Questionnaires
- Web Analytics, Monitoring and Optimization
- Online Marketing
- Affiliate Programs and Links
- Offering an Affiliate Program
- Customer Reviews and Rating Procedures
- Social Media Presences
- Plug-ins and Embedded Features and Content
- Changes and Updates
- Definitions
Controller
RoyalesPortrait
An offering of DealBee UG (limited liability)
Südring 69a
65795 Hattersheim am Main
Germany
Authorized Representatives: Managing Directors Carl August Dauer and Jan Niklas Trier
Email: info@royalesportrait.de
Legal Notice: https://royalesportrait.de/policies/legal-notice
Overview of Processing Activities
The following overview summarizes the types of data processed, the purposes of their processing, and the categories of data subjects concerned, in accordance with the General Data Protection Regulation (GDPR) and applicable EU-wide data protection laws.
Types of Data Processed
- Inventory data.
- Employee data.
- Payment data.
- Location data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Metadata, communication, and procedural data.
- Contact information (Facebook).
- Event data (Facebook).
- Log data.
- Creditworthiness data.
Categories of Data Subjects
- Service recipients and clients.
- Employees.
- Prospective customers.
- Communication partners.
- Users.
- Business and contractual partners.
- Participants.
- Third parties.
- Customers.
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations.
- Communication.
- Security measures.
- Direct marketing.
- Audience measurement.
- Tracking.
- Office and organizational procedures.
- Remarketing.
- Conversion measurement.
- Click tracking.
- Audience building.
- Affiliate tracking.
- A/B testing.
- Organizational and administrative procedures.
- Content Delivery Network (CDN).
- Feedback collection.
- Heatmaps.
- Surveys and questionnaires.
- Marketing.
- User profile creation with related information.
- Registration and authentication processes.
- Cross-device tracking.
- Provision of our online offering and user-friendliness.
- Assessment of creditworthiness.
- IT infrastructure management.
- Financial and payment management.
- Public relations.
- Sales promotion.
- Business processes and economic procedures.
Applicable Legal Bases
Legal bases under the GDPR: Below is an overview of the legal bases of the GDPR on which we rely when processing personal data. Please note that in addition to the GDPR, further data protection requirements may apply under the national laws of EU/EEA Member States. Where more specific legal bases apply in certain cases, we will inform you of these in this Privacy Policy.
- Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject under EU or Member State law.
- Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests, fundamental rights, and freedoms of the data subject which require protection of personal data.
Security Measures
In accordance with legal requirements, we take appropriate technical and organizational measures, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.
Such measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to data, input, disclosure, availability, and separation of data. Furthermore, we have implemented procedures to ensure the exercise of data subject rights, the erasure of data, and responses to potential risks to the data. We also take into account the protection of personal data when developing or selecting hardware, software, and processes, in accordance with the principles of privacy by design and privacy by default.
Securing online connections with TLS/SSL encryption (HTTPS): To protect users’ data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the foundations of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), thus safeguarding the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. A website secured with an SSL/TLS certificate is indicated by “HTTPS” in the URL, signaling to users that their data is being transmitted securely and in encrypted form.
Disclosure of Personal Data
In the course of processing personal data, it may be disclosed or transferred to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers entrusted with IT tasks or providers of services and content integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude the necessary contracts or agreements with the recipients to safeguard your data.
Data transfers within a corporate group: We may transfer personal data to other companies within our corporate group or grant them access to such data. Where this is carried out for administrative purposes, the transfer of data is based on our legitimate business and economic interests, or it takes place where necessary for the fulfillment of our contractual obligations, or with the data subjects’ consent or legal permission.
International Data Transfers
Processing of data in third countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if processing takes place in the context of using third-party services or disclosure/transfer of data to other persons or entities, this will only occur in compliance with legal requirements. Where the European Commission has recognized an adequate level of protection in a third country by means of an adequacy decision (Art. 45 GDPR), this serves as the legal basis for the transfer. In all other cases, data transfers will only take place where appropriate safeguards are in place, in particular Standard Contractual Clauses (Art. 46(2)(c) GDPR), explicit consent, or where the transfer is necessary for contractual or legal reasons (Art. 49(1) GDPR). Adequacy decisions always take precedence as the preferred basis. More information about international transfers and adequacy decisions is available from the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.
EU-US Data Privacy Framework: Under the so-called “Data Privacy Framework” (DPF), the European Commission has also recognized an adequate level of protection for certified organizations in the USA, by adequacy decision of 10 July 2023. The list of certified companies and further information on the DPF can be found on the U.S. Department of Commerce’s website: https://www.dataprivacyframework.gov/.
General Information on Data Retention and Deletion
We delete personal data we process in accordance with legal requirements as soon as the underlying consent is withdrawn or there is no other legal basis for processing. This includes situations where the original purpose of processing no longer applies or the data is no longer required. Exceptions apply where statutory obligations or legitimate interests require longer retention or archiving.
In particular, data that must be retained for commercial, tax, or regulatory reasons, or data necessary for legal claims or the protection of others’ rights, must be archived accordingly.
Our privacy notices may contain additional information on retention and deletion specific to certain processing activities.
Where multiple retention periods or deletion deadlines apply to the same data, the longest period shall prevail.
If a period does not explicitly begin on a specific date and is at least one year long, it automatically begins at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships, the triggering event is the effective date of termination or other conclusion of the legal relationship.
Data that is no longer stored for the originally intended purpose but must be retained due to legal or other obligations is processed solely for those purposes that justify its retention.
Rights of Data Subjects
Under the GDPR, you have the following rights as a data subject, particularly arising from Articles 15–21 GDPR:
- Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data carried out on the basis of Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. Where your personal data is processed for direct marketing purposes, you also have the right to object at any time to such processing, including profiling related to direct marketing.
- Right to withdraw consent: You have the right to withdraw your consent at any time.
- Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the data and additional information, as well as a copy of the data in accordance with legal requirements.
- Right to rectification: You have the right to obtain the correction of inaccurate personal data concerning you and, where applicable, the completion of incomplete data, in accordance with legal requirements.
- Right to erasure and restriction of processing: You have the right to request the erasure of personal data concerning you without undue delay, or alternatively, restriction of processing, in accordance with legal requirements.
- Right to data portability: You have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and you have the right to transmit that data to another controller, where technically feasible.
- Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.
Business Services
We process the data of our contractual and business partners, e.g. customers and prospects (collectively referred to as “contractual partners”), in the context of contractual or comparable legal relationships, as well as associated measures, and for communication with contractual partners (including pre-contractual), such as responding to inquiries.
We use this data to fulfill our contractual obligations. This includes, in particular, the performance of agreed services, any update obligations, and remedies in case of warranty or performance issues. Furthermore, we use the data to safeguard our rights, for administrative purposes, and for organizational needs. In addition, we process data on the basis of our legitimate interests in proper and efficient business management, as well as in security measures to protect our contractual partners and our business operations against misuse, threats to data, confidential information, and rights (e.g., involvement of telecommunications, transport, or other auxiliary services, subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). In accordance with applicable law, we only disclose contractual partners’ data to third parties where necessary for these purposes or to fulfill legal obligations. Contractual partners are informed of further types of processing, such as for marketing, in this Privacy Policy.
We inform contractual partners in advance, or at the point of data collection, of which data is necessary for the aforementioned purposes, e.g., in online forms, through special labeling (such as colors or symbols like asterisks), or in person.
We delete data after the expiry of statutory warranty and comparable obligations, i.e., generally after four years, unless the data is stored in a customer account (e.g., where statutory archiving is required, typically ten years for tax purposes). Data disclosed to us by contractual partners as part of an order is deleted in accordance with legal requirements, and generally after the end of the order.
- Categories of data processed: Inventory data (e.g., full name, home address, contact details, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers); Contract data (e.g., subject matter of the contract, duration, customer category); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
- Data subjects: Service recipients and clients; Prospects. Business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Security measures; Communication; Office and organizational procedures; Business processes and economic management.
- Retention and deletion: Deletion in accordance with the section "General Information on Data Retention and Deletion".
- Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Additional information on processing activities, procedures, and services:
- Online shop, order forms, e-commerce, and delivery: We process our customers’ data to enable them to select, purchase, and order chosen products, goods, and related services, as well as payment and delivery/fulfillment. Where necessary to fulfill an order, we use service providers, in particular postal, shipping, and transport companies, to deliver or fulfill the order for our customers. For payment processing, we rely on banks and payment service providers. The required data is marked as such in the order or comparable acquisition process and includes the information needed for delivery, provision, and invoicing, as well as contact details in case clarification is required; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Business Processes and Procedures
Personal data of service recipients and clients – including customers, clients, or in certain cases mandatees, patients, or business partners, as well as other third parties – is processed in the context of contractual or comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This processing supports and facilitates business operations in areas such as customer management, sales, payment processing, accounting, and project management.
The collected data is used to fulfill contractual obligations and to ensure efficient business processes. This includes the handling of business transactions, the management of customer relationships, the optimization of sales strategies, and the functioning of internal accounting and financial processes. In addition, the data helps safeguard the controller’s rights, supports administrative tasks, and enables efficient organizational management.
Personal data may be disclosed to third parties where this is necessary to fulfill the stated purposes or legal obligations. After expiry of statutory retention periods or once the processing purpose no longer applies, the data is deleted. This also applies to data that must be stored for longer periods due to tax law or other legal obligations.
- Categories of data processed: Inventory data (e.g., full name, home address, contact details, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or visual messages and posts, and related information such as authorship and timestamps); Contract data (e.g., subject matter, duration, customer category); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved); Log data (e.g., logfiles relating to logins, data access, or access times); Creditworthiness data (e.g., received credit score, estimated probability of default, risk classification, past payment behavior). Employment data (information about employees or other persons in an employment relationship).
- Data subjects: Service recipients and clients; Prospects; Communication partners; Business and contractual partners; Customers; Third parties; Users (e.g., website visitors, users of online services). Employees (e.g., staff, applicants, temporary workers, and other personnel).
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Office and organizational procedures; Business processes and economic management; Security measures; Provision of our online offering and user experience; Communication; Marketing; Sales promotion; Public relations; Assessment of creditworthiness and credit risk; Financial and payment management; IT infrastructure (operation and provision of information systems and technical equipment such as computers, servers, etc.).
- Retention and deletion: Deletion in accordance with the section "General Information on Data Retention and Deletion".
- Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR); Legal obligation (Art. 6(1)(c) GDPR).
Use of Online Platforms for Offering and Distribution Purposes
We offer our services on online platforms operated by other providers. In this context, in addition to our own privacy notice, the privacy notices of the respective platforms also apply. This is particularly relevant with regard to the processing of payment transactions, reach measurement, and interest-based marketing practices implemented by those platforms. Please note that processing may also occur outside the EU/EEA, in which case appropriate safeguards under Chapter V of the GDPR (e.g., adequacy decisions, Standard Contractual Clauses) will apply.
- Types of Data Processed: Inventory data (e.g., full name, residential address, contact details, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses, phone numbers); contract data (e.g., subject matter, duration, customer category); usage data (e.g., page views, session duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
- Data Subjects: Service recipients and clients; business and contractual partners; prospective customers.
- Purposes of Processing: Fulfillment of contractual services and obligations; marketing; business processes and operational management; conversion measurement (evaluation of marketing effectiveness); provision of our online services and user-friendliness.
- Storage and Deletion: Deletion in accordance with the section "General Information on Data Retention and Deletion".
- Legal Bases: Performance of contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR); Legitimate interests (Art. 6 (1) (f) GDPR).
Further information on processing activities, procedures, and services:
- CopeCart: Online marketplace for e-commerce; Service Provider: CopeCart GmbH, Ufnaustraße 10, 10553 Berlin, Germany; Legal Basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.copecart.com/; Privacy Policy: https://www.copecart.com/datenschutz/. Legal Basis for Third-Country Transfers: Adequacy decision (Switzerland).
- Digistore24: Automation of sales and billing processes, provision of affiliate marketing tools, customer relationship management, execution of payments; Service Provider: Digistore24 GmbH, St.-Godehard-Straße 32, 31139 Hildesheim, Germany; Legal Basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.digistore24.com/; Privacy Policy: https://www.digistore24.com/de/home/extern/cms/page/frontend/legal/privacy. Legal Basis for Third-Country Transfers: Adequacy decision (Switzerland).
- Shopify: Platform through which e-commerce services are offered and carried out. These services and related processes include in particular online shops, websites and their content, community features, purchasing and payment transactions, customer communication, as well as analytics and marketing; Service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.shopify.com; Privacy Policy: https://www.shopify.com/legal/privacy. Basis for third-country transfers: EU/EEA – GDPR compliance (Ireland), Adequacy decisions for transfers to Switzerland and other recognized jurisdictions under GDPR.
Service Providers and Platforms Used in the Course of Business Activities
In the course of our business operations, we use additional services, platforms, interfaces, or plug-ins from third-party providers (collectively “services”) in compliance with EU data protection law. Their use is based on our legitimate interest in ensuring the proper, lawful, and efficient conduct of our business operations and internal organization across the EU/EEA.
- Categories of processed data: Inventory data (e.g., full name, residential address, contact details, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses, phone numbers); Content data (e.g., written or visual messages and posts, including related metadata such as authorship or time of creation); Contract data (e.g., subject matter, duration, customer category).
- Data subjects: Service recipients and clients; prospective customers; business and contractual partners.
- Purposes of processing: Fulfillment of contractual obligations and provision of contractual services; office and organizational procedures; business and economic processes.
- Storage and deletion: Deletion in accordance with the provisions set out in the section “General Information on Data Storage and Deletion.”
- Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR).
Additional notes on processing activities, procedures, and services:
- Lexoffice: Online software for invoicing, accounting, banking, and tax submission with document storage; Service provider: Haufe Service Center GmbH, Munzinger Straße 9, 79111 Freiburg, Germany; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.lexoffice.de; Privacy Policy: https://www.lexoffice.de/datenschutz/; Data Processing Agreement: https://www.lexoffice.de/auftragsverarbeitung/. Basis for third-country transfers: EU/EEA – GDPR compliance, Adequacy decision for transfers to Switzerland.
- Loox: Creation of customer testimonials, reviews, and experience reports, as well as loyalty and reward systems; Service provider: Loox Online Ltd., Rehov Har Sinai 2, 6581602 Tel Aviv-Yafo, Israel; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://loox.app/; Privacy Policy: https://loox.io/legal/privacy_policy_users.pdf. Basis for third-country transfers: EU/EEA – Adequacy decision (Israel), Switzerland – Adequacy decision (Israel).
Payment Methods
As part of contractual and other legal relationships, or on the basis of our legitimate interests, we offer data subjects efficient and secure payment options. For this purpose, we work not only with banks and credit institutions, but also with additional third-party providers (collectively referred to as “payment service providers”).
The data processed by payment service providers may include inventory data such as name and address, banking data such as account numbers or credit card numbers, authentication data (e.g., passwords, TANs, checksums), as well as contractual, transaction-related, and recipient-related information. This information is required to execute transactions. The entered data is processed and stored exclusively by the payment service providers. We do not receive account or credit card details, but only information confirming or rejecting the payment. In some cases, payment service providers may transfer data to credit agencies for identity and credit checks. For further details, please refer to the general terms and conditions and privacy policies of the respective payment service providers.
Payment transactions are subject to the contractual terms and privacy policies of the respective payment service providers, which are accessible via their websites or transaction applications. We refer to these for additional information and to exercise rights of withdrawal, access, or other data subject rights under the GDPR.
- Categories of Data Processed: Master data (e.g., full name, residential address, contact details, customer number, etc.); Payment data (e.g., bank account details, invoices, payment history); Contract data (e.g., subject matter of the contract, term, customer category); Usage data (e.g., page views and duration of visit, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); Meta, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties); Contact data (e.g., postal and email addresses or telephone numbers).
- Data Subjects: Service recipients and clients; Business and contractual partners; Interested parties.
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Business processes and administrative/economic operations.
- Storage and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
- Legal Bases: Performance of a contract and pre-contractual requests (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further Information on Processing Activities, Procedures and Services:
- Amazon Payments: Payment services (technical integration of online payment methods); Service provider: Amazon Payments Europe S.C.A., 38 avenue J.F. Kennedy, L-1855 Luxembourg; Legal bases: Performance of a contract and pre-contractual requests (Art. 6(1)(b) GDPR); Website: https://pay.amazon.de/; Privacy Policy: https://pay.amazon.de/help/201212490. Basis for third-country transfers: Adequacy decision (Luxembourg).
- American Express: Payment services (technical integration of online payment methods); Service provider: American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany; Legal bases: Performance of a contract and pre-contractual requests (Art. 6(1)(b) GDPR); Website: https://www.americanexpress.com/de/; Privacy Policy: https://www.americanexpress.com/de-de/firma/legal/datenschutz-center/online-datenschutzerklarung/. Basis for third-country transfers: Adequacy decision (EEA).
- Apple Pay: Payment services (technical integration of online payment methods); Service provider: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA; Legal bases: Performance of a contract and pre-contractual requests (Art. 6(1)(b) GDPR); Website: https://www.apple.com/apple-pay/. Privacy Policy: https://www.apple.com/legal/privacy/. Basis for third-country transfers: Standard Contractual Clauses (SCCs) approved by the European Commission.
- Giropay: Payment services (technical integration of online payment methods); Service provider: giropay GmbH, An der Welle 4, 60322 Frankfurt, Germany; Legal bases: Performance of a contract and pre-contractual requests (Art. 6(1)(b) GDPR); Website: https://www.giropay.de; Privacy Policy: https://www.giropay.de/rechtliches/datenschutzerklaerung/. Basis for third-country transfers: Adequacy decision (EEA).
- Google Pay: Payment services (technical integration of online payment methods); Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Performance of a contract and pre-contractual requests (Art. 6(1)(b) GDPR); Website: https://pay.google.com/intl/en_en/about/; Privacy Policy: https://policies.google.com/privacy. Basis for third-country transfers: Adequacy decision (EEA).
- Klarna: Payment services (technical integration of online payment methods); Service provider: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden; Legal basis: Performance of a contract and pre-contractual requests (Art. 6 (1) (b) GDPR); Website: https://www.klarna.com/; Privacy Policy: https://www.klarna.com/privacy/. Basis for third-country transfers: Adequacy decision (Sweden, EU-wide applicable).
- Mastercard: Payment services (technical integration of online payment methods); Service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; Legal basis: Performance of a contract and pre-contractual requests (Art. 6 (1) (b) GDPR); Website: https://www.mastercard.com/; Privacy Policy: https://www.mastercard.com/privacy. Basis for third-country transfers: Adequacy decision (Belgium, EU-wide applicable).
- PayPal: Payment services (technical integration of online payment methods) (e.g. PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal basis: Performance of a contract and pre-contractual requests (Art. 6 (1) (b) GDPR); Website: https://www.paypal.com/; Privacy Policy: https://www.paypal.com/webapps/mpp/ua/privacy-full. Basis for third-country transfers: Adequacy decision (Luxembourg, EU-wide applicable).
- Shop Pay (Shopify): Payment services (technical integration of online payment methods); Service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal basis: Performance of a contract and pre-contractual requests (Art. 6 (1) (b) GDPR); Website: https://www.shopify.com/; Privacy Policy: https://www.shopify.com/legal/privacy. Basis for third-country transfers: Adequacy decision (Ireland, EU-wide applicable).
- Stripe: Payment services (technical integration of online payment methods); Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal basis: Performance of a contract and pre-contractual requests (Art. 6 (1) (b) GDPR); Website: https://stripe.com; Privacy Policy: https://stripe.com/privacy. Basis for third-country transfers: Participation in the EU-U.S. Data Privacy Framework (DPF) and use of Standard Contractual Clauses (where required).
- Visa: Payment services (technical integration of online payment methods); Service provider: Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, United Kingdom; Legal basis: Performance of a contract and pre-contractual requests (Art. 6 (1) (b) GDPR); Website: https://www.visa.com; Privacy Policy: https://www.visa.com/privacy-center.html. Basis for third-country transfers: Adequacy decision for the United Kingdom (EU and EEA), applicable also for Switzerland.
Provision of Online Services and Web Hosting
We process users’ data in order to provide them with our online services. For this purpose, we process users’ IP addresses, which are necessary to deliver the content and functionalities of our online services to the users’ browser or device.
- Types of data processed: Usage data (e.g. page views, dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); metadata, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons); log data (e.g. log files concerning logins or data access or access times); content data (e.g. textual or visual messages and contributions as well as related information such as authorship details or time of creation).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Provision of our online services and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices such as computers, servers, etc.); security measures; content delivery network (CDN); audience measurement (e.g. access statistics, detection of returning visitors); tracking (e.g. interest-/behavior-based profiling, use of cookies); audience segmentation; marketing; creation of user profiles with personal information.
- Storage and Deletion: Deletion is carried out in accordance with the information provided in the section "General Information on Data Storage and Deletion".
- Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further Information on Processing Procedures, Methods, and Services:
- Provision of Online Services on Rented Hosting: To provide our online services, we use storage space, computing capacity, and software that we rent or otherwise obtain from a server provider (also referred to as "web host"); Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Provision of Online Services on Own/Dedicated Server Hardware: To provide our online services, we use server hardware operated by us, along with associated storage, computing capacity, and software; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Collection of Access Data and Log Files: Access to our online services is logged in the form of "server log files." These log files may include the address and name of requested pages and files, date and time of access, transferred data volume, status of the request, browser type and version, user operating system, referrer URL (previously visited page), and typically IP addresses and requesting provider. Server log files may be used for security purposes, e.g., to prevent server overload (especially in case of abusive attacks, such as DDoS attacks), and to monitor server usage and ensure stability; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR). Data Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained for evidentiary purposes will be exempt from deletion until the respective case is fully resolved.
- Email Transmission and Hosting: Our web hosting services also cover the sending, receiving, and storage of emails. For these purposes, recipient and sender addresses, as well as additional information regarding email transmission (e.g., involved providers) and email contents, are processed. These data may also be used to detect spam. Please note that emails are generally not encrypted over the Internet. While emails are usually encrypted during transmission, they are not encrypted on the servers from which they are sent or received unless end-to-end encryption is used. Therefore, we cannot assume responsibility for the security of emails during transit between the sender and our servers; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Content Delivery Network (CDN): We use a Content Delivery Network (CDN), which is a service that allows online content, especially large media files such as graphics or scripts, to be delivered more quickly and securely using geographically distributed and internet-connected servers; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Cloudflare: Content Delivery Network (CDN) service that accelerates and secures the delivery of online content, including large media files like graphics and scripts, using geographically distributed servers; Service Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.cloudflare.com; Privacy Policy: https://www.cloudflare.com/privacypolicy/; Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa/; Basis for International Data Transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Standard Contractual Clauses (https://www.cloudflare.com/cloudflare-customer-scc/).
- netcup: Services in the area of IT infrastructure and related services (e.g., storage space and/or computing capacity); Service Provider: netcup GmbH, Daimlerstraße 25, D-76185 Karlsruhe, Germany; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.netcup.de/; Privacy Policy: https://www.netcup.de/kontakt/datenschutzerklaerung.php; Data Processing Agreement: https://helpcenter.netcup.com/de/wiki/general/avv/; Basis for International Data Transfers: Switzerland – Adequacy Decision (Germany).
- Wistia: Video marketing platform for businesses, including services to support marketers in creating and managing videos, hosting webinars, generating leads, and measuring video performance; Service Provider: Wistia, Inc., 120 Brookline St, Cambridge, MA 02139-4503, USA; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://wistia.com; Privacy Policy: https://wistia.com/privacy; Data Processing Agreement: Provided by the service provider; Basis for International Data Transfers: EU/EEA – Data Privacy Framework (DPF).
- Netlify: Creation, management, and hosting of websites, online forms, and other web elements; Service Provider: Netlify, Inc, 2343 3rd Street, Suite 296, San Francisco, California 94107, USA; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.netlify.com/; Privacy Policy: https://www.netlify.com/privacy/; Data Processing Agreement: https://www.netlify.com/gdpr-ccpa/. Basis for International Data Transfers: EU/EEA - Standard Contractual Clauses (https://www.netlify.com/gdpr-ccpa/), Switzerland - Standard Contractual Clauses (https://www.netlify.com/gdpr-ccpa/).
- Akamai: Content Delivery Network (CDN) – service that enables faster and more secure delivery of online content, especially large media files such as graphics or scripts, via regionally distributed servers connected over the internet; Service Provider: Akamai Technologies GmbH, Parkring 22, D-85748 Garching, Germany; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.akamai.com/de; Privacy Policy: https://www.akamai.com/de/legal/compliance/privacy-trust-center; Data Processing Agreement: https://www.akamai.com/de/legal/compliance/privacy-trust-center (Akamai Data Processing Agreement for customers). Basis for International Data Transfers: EU/EEA - Standard Contractual Clauses (https://www.akamai.com/de/legal/compliance/privacy-trust-center), Switzerland - Adequacy Decision (Germany).
- Amazon CloudFront: Content Delivery Network (CDN) – service that enables faster and more secure delivery of online content, especially large media files such as graphics or scripts, via regionally distributed servers connected over the internet; Service Provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://aws.amazon.com/de/cloudfront/; Privacy Policy: https://aws.amazon.com/privacy/; Data Processing Agreement: https://aws.amazon.com/de/compliance/gdpr-center/. Basis for International Data Transfers: EU/EEA - Standard Contractual Clauses (provided by the service provider), Switzerland - Adequacy Decision (Luxembourg).
- bunny.net: Content Delivery Network (CDN) – service that enables faster and more secure delivery of online content, especially large media files such as graphics or scripts, via regionally distributed servers connected over the internet; Service Provider: BUNNYWAY d.o.o., Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://bunny.net; Privacy Policy: https://bunny.net/privacy/. Basis for International Data Transfers: Switzerland - Adequacy Decision (Slovenia).
- Google Cloud CDN: Content Delivery Network (CDN) – service that enables faster and more secure delivery of online content, especially large media files such as graphics or scripts, via regionally distributed servers connected over the internet; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://cloud.google.com/cdn; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for International Data Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
- gstatic.com: Content Delivery Network (CDN) – service that enables faster and more secure delivery of online content, especially large media files such as graphics or scripts, via regionally distributed servers connected over the internet; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.google.de/; Privacy Policy: https://policies.google.com/privacy. Basis for International Data Transfers: Switzerland - Adequacy Decision (Ireland).
Use of Cookies
Cookies are small text files or other storage markers that store information on devices and allow it to be read. For example, they can be used to remember login status in a user account, the contents of a shopping cart in an e-shop, the content accessed, or functions used within an online service. Cookies can also serve different purposes, such as ensuring the functionality, security, and convenience of online services, as well as enabling the analysis of visitor traffic and behavior across the EU.
Consent Information: We use cookies in accordance with applicable EU data protection laws. Therefore, we obtain prior consent from users unless such consent is not required by law. Consent is particularly not required if storing or accessing information, including cookies, is strictly necessary to provide a telemedia service explicitly requested by the user (i.e., our online offering). Any revocable consent is clearly communicated to users and includes information about the respective use of cookies.
Legal Basis for Data Processing: The legal basis on which we process users’ personal data through cookies depends on whether we request their consent. If users give consent, the legal basis for processing their data is that consent. Otherwise, data collected via cookies is processed based on our legitimate interests (e.g., the operation of our online offering and improving its usability) or, if necessary to fulfill our contractual obligations, where cookie use is required to meet these obligations. The purposes for which cookies are used will be explained throughout this privacy policy or within our consent and processing procedures.
Retention Period: Regarding retention, the following types of cookies are distinguished:
- Temporary Cookies (Session Cookies): Temporary cookies are deleted at the latest when a user leaves the online service and closes their device (e.g., browser or mobile application).
- Persistent Cookies: Persistent cookies remain stored even after closing the device. For example, login status can be saved, and preferred content displayed immediately when a user revisits a website. Data collected via cookies may also be used for audience measurement. If we do not provide users with explicit information about the type and retention of cookies (e.g., during consent collection), users should assume that cookies are persistent and may be stored for up to two years.
General Information on Revocation and Objection (Opt-out): Users may revoke their consent at any time and also object to processing in accordance with legal requirements, including via their browser’s privacy settings.
- Types of Data Processed: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons). Usage data (e.g., page views, time spent, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of our online services and user-friendliness.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).
Additional Information on Processing, Procedures, and Services:
- Processing Cookie Data Based on Consent: We use a consent management solution to obtain, log, manage, and allow the withdrawal of user consent for cookies or the procedures and providers listed within the consent management system. This process ensures the collection, recording, and revocation of consent, particularly for cookies and similar technologies used to store, read, and process information on users’ devices. Within this framework, users can manage and revoke their consents. Consent statements are stored to avoid repeated requests and to provide evidence of consent in accordance with legal requirements. Storage occurs server-side and/or in a cookie (so-called opt-in cookie) or comparable technologies, linking consent to a specific user or device. If no specific provider details are given, general information applies: consent is stored for up to two years. A pseudonymous user identifier is generated, stored along with the time of consent, the scope of consent (e.g., cookie categories or service providers), and information about the browser, system, and device used; Legal Basis: Consent (Art. 6(1)(a) GDPR).
- Cookie Opt-Out: In the footer of our website, a link is provided to change cookie settings and revoke consents; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
- BorlabsCookie: Consent management: Process for obtaining, logging, managing, and revoking consents, particularly for cookies and similar technologies for storing, reading, and processing information on users’ devices; Provider: Operated on servers and/or computers under our data protection responsibility; Website: https://de.borlabs.io/borlabs-cookie/. Additional Information: Individual user ID, language, consent types, and timestamps are stored server-side and in cookies on users’ devices.
- Cookiefirst: Consent management: Process for obtaining, logging, managing, and revoking consents, particularly for cookies and similar technologies for storing, reading, and processing information on users’ devices; Provider: Digital Data Solutions B.V., Plantage Middenlaan 42a, 1018 DH Amsterdam, Netherlands; Website: https://cookiefirst.com/de/; Privacy Policy: https://cookiefirst.com/legal/privacy-policy/; Legal Basis for Transfers to Third Countries: Switzerland – Adequacy Decision (Netherlands); Additional Information: Stored data (on the provider’s server) includes IP address, date and time of consent, browser details, URL from which consent was submitted, and an anonymous, randomly generated, encrypted key representing the user’s consent status.
- GDPR Legal Cookie: Consent Management: Procedures for obtaining, recording, managing, and withdrawing user consent, particularly for the use of cookies and similar technologies to store, read, and process information on users' devices; Service Provider: beeclever GmbH, Friedrich-Mohr-Straße 1, 56070 Koblenz, Germany; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://gdpr-legal-cookie.myshopify.com/; Privacy Policy: https://gdpr-legal-cookie.myshopify.com/pages/datenschutzerklarung. Basis for Transfers to Third Countries: Switzerland – Adequacy Decision (EU/EEA).
Registration, Login, and User Account
Users may create a user account. During registration, users are informed of the required mandatory information, which is processed for the purpose of providing the user account based on contractual obligations. The data processed includes, in particular, login information (username, password, and email address).
When using our registration and login functions and the user account, we record the IP address and the time of the respective user action. This processing is based on our legitimate interests, as well as the users' interest in protection against misuse and other unauthorized use. Sharing of this data with third parties generally does not occur unless necessary for asserting our claims or required by law.
Users may be informed via email about activities relevant to their user account, such as technical changes.
- Types of Data Processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or visual messages and contributions, including related information such as authorship or creation date); Usage data (e.g., page views, time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Log data (e.g., log files regarding logins, data retrieval, or access times).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Security measures; Organizational and administrative procedures; Provision and usability of our online services.
- Retention and Deletion: Deletion according to the section "General Information on Data Storage and Deletion." Deletion upon account termination.
- Legal Basis: Performance of contract and pre-contractual requests (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Additional Notes on Processing Activities, Procedures, and Services:
- Data Deletion after Account Termination: When users terminate their account, their data related to the user account will be deleted, subject to legal permissions, obligations, or user consent; Legal Basis: Performance of contract and pre-contractual requests (Art. 6(1)(b) GDPR).
- No Obligation to Retain Data: It is the users’ responsibility to secure their data before the end of the contract. We are entitled to irreversibly delete all user data stored during the contract period; Legal Basis: Performance of contract and pre-contractual requests (Art. 6(1)(b) GDPR).
Single Sign-On (SSO) Login
"Single Sign-On" or "SSO login/authentication" refers to processes that allow users to log in to our online services using a user account from an SSO provider (e.g., a social network). Users must be registered with the respective SSO provider and enter the required credentials in the designated online form or be already logged in with the SSO provider and confirm login via a button.
Authentication occurs directly with the respective SSO provider. In this process, we receive a user ID indicating that the user is logged in with the SSO provider and an ID that we cannot use for any other purposes (a so-called "User Handle"). Any additional data shared depends solely on the SSO provider, the permissions granted during authentication, and the user’s privacy settings at the SSO provider. Data may include email address and username. Passwords entered with the SSO provider are neither visible to us nor stored by us.
Users should note that information stored with us may automatically sync with their SSO account, although this may not always be possible. If, for example, a user's email address changes, they must manually update it in their account with us.
SSO login may be used in accordance with user agreements and consent for contract performance, or otherwise based on our legitimate interests and the users’ interest in an effective and secure login system.
If users wish to disconnect their account from the SSO provider, they must do so within their SSO account. To delete their data with us, users must terminate their registration.
- Types of Data Processed: Master data (e.g., full name, address, contact details, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Usage data (e.g., page views, duration, click paths, intensity and frequency, device types and OS, interactions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, IDs, involved persons); Event data (Facebook) (information sent via Meta-Pixels or other channels, related to persons or their actions, such as website visits, interactions, app installs, product purchases, used for creating target groups (Custom Audiences). Event data do not include comments, login info, or direct contact information. Meta deletes event data after max. two years, and corresponding audiences disappear with deletion of our Meta user accounts).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; security measures; login procedures; provision and usability of our online services.
- Retention and Deletion: Deletion according to the section "General Information on Data Storage and Deletion." Deletion after account termination.
- Legal Basis: Performance of contract and pre-contractual requests (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing, Procedures, and Services:
- Apple Single Sign-On: Authentication services for user logins, provision of Single Sign-On functionality, management of identity information, and application integrations; Service Provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.apple.com/de/. Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.
- Facebook Single Sign-On: Authentication service provided by the Facebook platform; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing. International Data Transfer Basis: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland).
- Google Single Sign-On: Authentication services for user logins, provision of Single Sign-On functionality, management of identity information, and application integrations; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.google.de; Privacy Policy: https://policies.google.com/privacy; International Data Transfer Basis: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland). Opt-Out Options: Ad personalization settings: https://myadcenter.google.com/.
- Instagram Single Sign-On: Authentication services for user logins, provision of Single Sign-On functionality, management of identity information, and application integrations. We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt, within the context of a transfer (but not further processing), of “Event Data” collected by Facebook via Instagram Single Sign-On on our website for the following purposes: a) Display of content and advertising relevant to users’ presumed interests; b) Delivery of commercial and transactional messages (e.g., communication via Facebook Messenger); c) Improvement of ad delivery and personalization of features and content (e.g., identifying which content or ads likely match user interests). We have a special agreement with Facebook ("Controller Addendum", https://www.facebook.com/legal/controller_addendum), which regulates required security measures (https://www.facebook.com/legal/terms/data_security_terms) and ensures Facebook fulfills data subject rights (users can request access or deletion directly from Facebook). If Facebook provides us with aggregated reports or metrics (containing no individual user data), this processing is based on a Data Processing Agreement ("DPA", https://www.facebook.com/legal/terms/dataprocessing), data security terms, and, for U.S. processing, EU Standard Contractual Clauses ("EU Data Transfer Addendum", https://www.facebook.com/legal/EU_data_transfer_addendum). Users’ rights (access, deletion, objection, complaint to supervisory authority) remain fully preserved; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. International Data Transfer Basis: Switzerland – Adequacy Decision (Ireland).
- X Single Sign-On: Authentication services for user logins, provision of Single Sign-On functionality, management of identity information, and application integrations; Service Provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://x.com; Privacy Policy: https://x.com/privacy, (Settings: https://x.com/personalization); Data Processing Agreement: https://privacy.x.com/en/for-our-partners/global-dpa. International Data Transfer Basis: EU/EEA – Standard Contractual Clauses (https://privacy.x.com/en/for-our-partners/global-dpa), Switzerland – Adequacy Decision (Ireland).
Blogs and Publication Media
We use blogs or comparable means of online communication and publication (hereinafter referred to as "publication medium"). Reader data is processed for the purposes of the publication medium only to the extent necessary for its display, communication between authors and readers, or for security reasons. Otherwise, we refer to the information on the processing of visitors to our publication medium within the framework of this privacy policy.
- Types of Data Processed: Account data (e.g., full name, residential address, contact details, customer number, etc.); Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or visual messages and posts, as well as information about them, such as authorship or creation time); Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Feedback (e.g., collecting feedback via online forms); provision of our online services and user-friendliness; security measures; organizational and administrative procedures.
- Retention and Deletion: Deletion in accordance with the section "General Information on Data Storage and Deletion".
- Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing Procedures, Methods, and Services:
- Comments and Posts: If users leave comments or other posts, their IP addresses may be stored based on our legitimate interests. This is done for our security in case someone posts illegal content (insults, prohibited political propaganda, etc.). In such cases, we could be held liable for the comment or post, and therefore have an interest in identifying the author. Furthermore, we reserve the right, based on our legitimate interests, to process user data to detect spam. On the same legal basis, we may store users' IP addresses temporarily in surveys and use cookies to prevent multiple submissions. Information provided in comments and posts, including personal details, contact information, website information, and content, will be stored permanently by us until the user objects; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Retrieval of WordPress Emojis and Smilies: Within our WordPress blog, graphical emojis (or smilies), i.e., small graphic files expressing emotions, are used to efficiently display content elements and are retrieved from external servers. The providers of these servers collect users' IP addresses. This is necessary to deliver the emoji files to users' browsers; Service Provider: Automattic Inc., 25 Herbert Pl, Grand Canal Dock, Dublin, D02 AY86, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://automattic.com; Privacy Policy: https://automattic.com/privacy. Basis for Transfers to Third Countries: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
- Akismet Anti-Spam Check: We use the "Akismet" service based on our legitimate interests. Akismet helps distinguish comments from real people from spam comments. All comment information is sent to a server in the USA, where it is analyzed and stored for comparison purposes for four days. If a comment is classified as spam, the data is stored beyond this period. This includes the entered name, email address, IP address, comment content, referrer, browser and computer system information, and timestamp. Users may use pseudonyms or omit providing a name or email address. They can completely prevent data transmission by not using our comment system. Although this is less convenient, no equally effective alternatives are available; Service Provider: Automattic Inc., 25 Herbert Pl, Grand Canal Dock, Dublin, D02 AY86, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://automattic.com; Privacy Policy: https://automattic.com/privacy/. Basis for Transfers to Third Countries: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
- DISQUS Comment Function: Based on our legitimate interests in efficient, secure, and user-friendly comment management, we use the DISQUS commenting service. To use the DISQUS comment function, users can log in with a DISQUS account or an existing social media account (e.g., OpenID, Facebook, Twitter, or Google). DISQUS retrieves the login data from these platforms. It is also possible to use the DISQUS comment function as a guest without creating or using a DISQUS account or a social media account. We only embed DISQUS with its features on our website, where we can influence the comments. However, users enter into a direct contractual relationship with DISQUS, under which DISQUS processes users’ comments and is the contact for any data deletion requests. We refer to the DISQUS privacy policy and inform users that DISQUS may store, in addition to the comment content, their IP address and the timestamp of the comment. Cookies may also be stored on users' devices and used for advertising purposes; Service Provider: DISQUS, Inc., 301 Howard St, Floor 3 San Francisco, California-94105, USA; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://disqus.com/; Privacy Policy: https://help.disqus.com/en/articles/1717103-disqus-privacy-policy; Basis for Transfers to Third Countries: EU/EEA - Data Privacy Framework (DPF). Opt-Out Option: https://disqus.com/data-sharing-settings/.
Contact and Inquiry Management
When contacting us (e.g., by mail, contact form, email, phone, or via social media) as well as within the framework of existing user and business relationships, the data of the contacting persons is processed to the extent necessary to respond to inquiries and any requested actions.
- Types of Data Processed: Account data (e.g., full name, residential address, contact details, customer number, etc.); Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or visual messages and posts, as well as information about them, such as authorship or creation time); Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data Subjects: Communication partners.
- Purposes of Processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online forms); provision of our online services and user-friendliness.
- Retention and Deletion: Deletion in accordance with the section "General Information on Data Storage and Deletion".
- Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); performance of a contract and pre-contractual requests (Art. 6(1)(b) GDPR).
Additional Information on Processing Procedures, Methods, and Services:
- Contact Form: When contacting us via our contact form, email, or other communication channels, we process the personal data you provide to respond to and handle your inquiry. This typically includes information such as your name, contact details, and any other data you voluntarily provide that is necessary for adequate handling of your request. We use this data exclusively for the specified purpose of communication and correspondence; Legal basis: Performance of a contract and pre-contractual requests (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
Communication via Messenger
We use messaging services for communication purposes and ask that you note the following information regarding the functionality of these messengers, encryption, the use of metadata, and your rights to object.
You may also contact us via alternative means, such as telephone or email. Please use the contact options provided to you or those listed on our online offerings.
Where end-to-end encryption is used, it covers the content of your messages and attachments. This means that the content cannot be accessed, not even by the messaging service providers themselves. Always ensure you are using the latest version of the messenger with encryption enabled to maintain message confidentiality.
However, we also inform our communication partners that while the messenger providers cannot view the message content, they may still process metadata, such as whether and when communication occurs, technical details about the device used, and—depending on your device settings—location information.
Legal basis: If we request consent from our communication partners before initiating contact via messenger, the legal basis for processing is their consent. Otherwise, if no consent is requested and contact is initiated by the user, we use messenger either as part of contract execution or pre-contractual negotiations (for contractual partners) or based on our legitimate interests in efficient communication and fulfilling user needs (for other users). We will not transmit your contact data to the messenger provider for the first time without your consent.
Revocation, objection, and deletion: You can revoke any consent at any time and object to communication via messenger. Messages will be deleted in accordance with our general retention policies (e.g., after the end of contractual relationships, in compliance with archiving requirements, or once we can reasonably assume that responses have been received and no further reference to prior communication is necessary, unless legal retention obligations exist).
Reference to other communication channels: To ensure your security, please understand that we may not respond to inquiries via messenger in certain situations. This applies to cases where contract details are highly confidential or responses via messenger do not meet formal requirements. In such cases, we recommend using more appropriate communication channels.
- Types of data processed: Contact details (e.g., postal and email addresses, phone numbers); content data (e.g., text or image messages, information about authorship or creation date); usage data (e.g., page views, dwell time, click paths, frequency of use, device types, operating systems, interactions with content and features); metadata, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Communication partners.
- Purpose of processing: Communication; direct marketing (e.g., by email or postal mail).
- Retention and deletion: Deletion according to the section "General information on data storage and deletion".
- Legal bases: Consent (Art. 6(1)(a) GDPR); performance of a contract and pre-contractual requests (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Additional information on processing, procedures, and services:
- Instagram: Message transmission via the social network Instagram; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for international data transfers: EU adequacy decision (Ireland).
- Facebook Messenger: Sending and receiving text messages, making voice and video calls, creating group chats, sharing files and media, transmitting location information, synchronizing contacts, encrypting messages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing. Basis for international data transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
- Telegram: Sending and receiving messages, voice and video calls; creating groups and channels; sharing files and media; using bots for automation; end-to-end encryption for secret chats; multi-device synchronization; Service provider: EU representative: European Data Protection Office (EDPO), Avenue Huart Hamoir 71, 1030 Brussels, Belgium; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://telegram.org/; Privacy Policy: https://telegram.org/privacy/de. Basis for international data transfers: Switzerland - Adequacy Decision (Belgium).
- WhatsApp: Text messaging, voice and video calls, sending images, videos, and documents, group chat functionality, end-to-end encryption for enhanced security; Service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.whatsapp.com/; Privacy Policy: https://www.whatsapp.com/legal. Basis for international data transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
Chatbots and Chat Functions
We provide online chat and chatbot functions as a means of communication (collectively referred to as "chat services"). A chat is an online conversation conducted in near real-time. A chatbot is software that responds to user questions or provides information via messages. When you use our chat functions, we may process your personal data.
If you use our chat services within an online platform, your identification number within that platform may also be stored. We may also collect information about which users interact with our chat services and when. Furthermore, we store the content of your conversations via the chat services and log registration and consent activities to comply with legal requirements.
We inform users that the respective platform provider may determine if and when users communicate via our chat services, as well as collect technical information about the device used and, depending on the device settings, location information (so-called metadata) for purposes of optimizing the services and ensuring security. Metadata from communication via chat services (e.g., who communicated with whom) may also be used by the platform providers, according to their policies, for marketing purposes or to display personalized advertising.
If users agree to receive information via regular chatbot messages, they can unsubscribe at any time. The chatbot will inform users how to unsubscribe and which commands to use. Upon unsubscribing, the user's data will be deleted from the list of message recipients.
We use the above information to operate our chat services, e.g., to address users personally, respond to their inquiries, provide requested content, and improve our chat services (e.g., to "train" chatbots to answer frequently asked questions or identify unanswered requests).
Notes on legal basis: We operate chat services based on consent when we have previously obtained user permission to process their data within our chat services (e.g., when users are asked for consent for a chatbot to send regular messages). When chat services are used to respond to user inquiries regarding our services or company, this is done based on contractual or pre-contractual communication. Otherwise, chat services are based on our legitimate interests in optimizing the chat services, their operational efficiency, and enhancing user experience.
Withdrawal, objection, and deletion: You may withdraw consent at any time or object to the processing of your data in the context of our chat services.
- Types of data processed: Master data (e.g., full name, address, contact information, customer number); contact data (e.g., postal and email addresses, phone numbers); content data (e.g., text or media messages and related information such as authorship or creation time); usage data (e.g., page views, duration of use, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
- Data subjects: Communication partners, users (e.g., website visitors, users of online services).
- Purpose of processing: Communication; organizational and administrative procedures; user profiling.
- Retention and deletion: Deletion in accordance with the section "General Information on Data Storage and Deletion".
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); consent (Art. 6(1)(a) GDPR); contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Additional notes on processing activities, procedures, and services:
- LiveChat: Chatbot and assistance software and related services; Service provider: LiveChat Inc., One International Place, Suite 1400 Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.livechatinc.com/de; Privacy Policy: https://www.livechatinc.com/legal/privacy-policy/. Basis for international data transfers: EU/EEA - Data Privacy Framework (DPF).
- ManyChat: Chatbot and assistance software and related services; Service provider: ManyChat, Inc., 535 Everett Ave, Palo Alto, CA 94301, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://manychat.com; Privacy Policy: https://manychat.com/legal/privacy; Data Processing Agreement: https://manychat.com/legal/dpa. Basis for international data transfers: EU/EEA - Standard Contractual Clauses (https://manychat.com/legal/dpa), Switzerland - Standard Contractual Clauses (https://manychat.com/legal/dpa).
- Tidio: Chat and chatbot software and related services; Service provider: Tidio LLC, 180 Steuart St, CA 94119, San Francisco, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.tidio.com/; Privacy Policy: https://www.tidio.com/privacy-policy/; Data Processing Agreement: Provided by the service provider. Basis for international data transfers: EU/EEA - Standard Contractual Clauses (provided by the service provider), Switzerland - Standard Contractual Clauses (provided by the service provider).
- tawk.to: Chatbot and assistance software, including related services; Service provider: tawk.to inc., 187 East Warm Springs Rd, SB298, Las Vegas, NV, 89119 USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.tawk.to/. Privacy Policy: https://www.tawk.to/privacy-policy/.
Push Notifications
With the users’ consent, we can send so-called "push notifications" to users. These are messages displayed on the users' screens, devices, or browsers even when our online service is not actively used.
To subscribe to push notifications, users must confirm the prompt from their browser or device requesting permission to receive push notifications. This consent process is documented and stored. Storage is necessary to determine whether users have consented to receive push notifications and to provide evidence of consent. For this purpose, a pseudonymous browser identifier (so-called "push token") or a device ID may be stored.
Push notifications may be necessary for the performance of contractual obligations (e.g., providing technical and organizational information relevant to using our online service) or, unless otherwise stated, sent based on users’ consent. Users can change their push notification preferences at any time via the notification settings of their respective browsers or devices.
- Types of data processed: Usage data (e.g., page views, duration of visits, click paths, intensity and frequency of use, device types, operating systems, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved); location data (information about the geographic location of a device or person).
- Data subjects: Communication partners.
- Purposes of processing: Communication; provision of our online services and user-friendliness; reach measurement (e.g., access statistics, detection of returning visitors); direct marketing (e.g., via email or postal mail).
- Retention and deletion: Deletion in accordance with the section "General Information on Data Storage and Deletion". Deletion after termination of services.
- Legal basis: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing activities, procedures, and services:
- Push notifications containing advertising content: Push notifications may include promotional information. Advertising push notifications are processed based on users’ consent. Where the content of promotional notifications is described as part of consent, such descriptions determine the scope of consent. Otherwise, our notifications contain information about our services and the company; Legal basis: Consent (Art. 6(1)(a) GDPR).
- Location-based push notifications: Push notifications may be displayed depending on the users’ location using data transmitted by their devices; Legal basis: Consent (Art. 6(1)(a) GDPR).
- Analysis and performance measurement: We statistically evaluate push notifications to determine whether and when notifications were displayed or clicked. This information is used to improve the technical performance of our push notifications based on technical data, user groups, their behavior, or access times. The analysis also tracks whether notifications are opened, when they are opened, and interactions with content or buttons. Although the data can technically be associated with individual recipients, our goal, and that of the push notification service provider if used, is not to monitor individual users. The evaluations primarily help us understand user behavior and adapt or target push notifications accordingly.
The analysis and performance measurement are carried out based on users’ explicit consent when subscribing to push notifications. Users may object by unsubscribing. A separate withdrawal solely for analysis and measurement is not possible; Legal basis: Consent (Art. 6(1)(a) GDPR).
- OneSignal: Automation and personalization of content and marketing information, campaigns across various communication channels, remarketing, A/B testing, messaging, and reach measurement; Service provider: OneSignal, Inc., 2850 S Delaware St Suite 201, San Mateo, CA 94403, USA; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://onesignal.com; Privacy Policy: https://onesignal.com/privacy_policy; Data Processing Agreement: Provided by the service provider. International data transfers: EU/EEA – Standard Contractual Clauses (provided by the service provider), Switzerland – Standard Contractual Clauses (provided by the service provider).
Cloud Services
We use internet-accessible software services hosted on the providers’ servers (so-called "cloud services" or "Software as a Service") for storing and managing content (e.g., document storage and management, sharing documents, content, and information with specific recipients, or publishing content and information).
Within this context, personal data may be processed and stored on the providers’ servers if it is part of communications with us or otherwise processed by us as described in this privacy policy. This may include user master data and contact information, data on transactions, contracts, other processes, and their content. Cloud service providers also process usage data and metadata for security and service optimization purposes.
If we use cloud services to provide forms or other documents and content for other users or publicly accessible websites, providers may store cookies on users’ devices for web analysis or to remember user settings (e.g., for media controls).
- Types of data processed: Account data (e.g., full name, address, contact information, customer number, etc.); contact data (e.g., postal and email addresses, phone numbers); content data (e.g., textual or visual messages and posts, including information such as authorship or creation time); usage data (e.g., page views, duration of visits, click paths, intensity and frequency of use, device types, operating systems, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
- Data subjects: Prospective clients; communication partners; business and contractual partners; users (e.g., website visitors, online service users).
- Purpose of Processing: Office and organizational procedures; information technology infrastructure (operation and provision of information systems and technical equipment such as computers, servers, etc.); provision of our online services and ensuring user-friendliness.
- Storage and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion".
- Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
Additional information on processing operations, procedures, and services:
- Dropbox: Cloud storage service; Service Provider: Dropbox, Inc., 333 Brannan Street, San Francisco, California 94107, USA; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.dropbox.com/de; Privacy Policy: https://www.dropbox.com/privacy; Data Processing Agreement: https://assets.dropbox.com/documents/en/legal/dfb-data-processing-agreement.pdf. Basis for International Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Standard Contractual Clauses (https://assets.dropbox.com/documents/en/legal/dfb-data-processing-agreement.pdf).
- Google Cloud Services: Cloud infrastructure services and cloud-based application software; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://cloud.google.com/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum; Basis for International Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland). More Information: https://cloud.google.com/privacy.
- Google Cloud Storage: Cloud storage, cloud infrastructure services, and cloud-based application software; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://cloud.google.com/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum; Basis for International Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland). More Information: https://cloud.google.com/privacy.
- Microsoft Cloud Services: Cloud storage, cloud infrastructure services, and cloud-based application software; Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://microsoft.com/de-de; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security Information: https://www.microsoft.com/de-de/trustcenter; Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for International Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
- Microsoft Azure: API access to AI-based services designed to understand and generate natural language and related inputs, analyze information, and make predictions ("AI", i.e., "Artificial Intelligence", as legally defined in the applicable jurisdiction); Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://azure.microsoft.com; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement; Data Processing Agreement: https://azure.microsoft.com/de-de/support/legal/. Basis for International Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
Newsletters and Electronic Notifications
We send newsletters, emails, and other electronic notifications (hereinafter "Newsletters") exclusively based on the consent of recipients or on a legal basis. If the content of the Newsletter is mentioned during registration, this content is decisive for the user’s consent. Usually, providing your email address is sufficient to register for our Newsletter. However, to offer you a personalized service, we may request your name for personal address in the Newsletter or other information if necessary for the purpose of the Newsletter.
Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to demonstrate previously given consent. The processing of this data is limited to the purpose of potentially defending claims. Individual deletion requests can be made at any time, provided the previous existence of consent is confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist.
The logging of the registration process is carried out based on our legitimate interests for the purpose of demonstrating its proper execution. If we engage a service provider to send emails, this is done based on our legitimate interest in an efficient and secure mailing system.
Content:
Information about us, our services, promotions, and offers.
- Processed types of data: Master data (e.g., full name, residential address, contact details, customer number, etc.); Contact data (e.g., postal and email addresses, phone numbers); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); Usage data (e.g., page views, time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
- Data subjects: Communication partners. Users (e.g., website visitors, users of online services).
- Purposes of processing: Direct marketing (e.g., via email or post). Fulfillment of contractual services and obligations.
- Retention and deletion: 3 years – Contractual claims (AT) (Data necessary to consider potential warranty, compensation, or similar contractual claims and associated requests, based on previous business experience and standard industry practices, are stored for the duration of the statutory limitation period of three years). 10 years – Contractual claims (CH) (Data necessary to consider potential claims or similar contractual rights and for processing associated requests, based on previous business experience and standard industry practices, are stored for the duration of the statutory limitation period of ten years, unless a shorter period of 5 years applies in specific cases).
- Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
- Opt-out option: You can unsubscribe from our Newsletter at any time, i.e., revoke your consent or object to further receipt. A link to unsubscribe is provided at the end of each Newsletter or via one of the contact options mentioned above, preferably by email.
Additional information on processing procedures, methods, and services:
- Measurement of open and click rates: Newsletters may contain a "web beacon," i.e., a pixel-sized file retrieved from our or a service provider's server upon opening. During this retrieval, technical information (e.g., browser, system), IP address, and timestamp are collected. These data are used to technically improve the Newsletter, analyze target groups, reading behavior, and access times. The analysis also determines whether and when Newsletters are opened and which links are clicked. This data is linked to individual recipients’ profiles and stored until deletion. Analysis serves to understand user reading habits and tailor content accordingly. Processing occurs based on user consent. Separate withdrawal of tracking is not possible; in this case, the entire Newsletter subscription must be canceled, and stored profile information will be deleted; Legal basis: Consent (Art. 6(1)(a) GDPR).
- Requirement for free services: Consent to receiving Mailings may be required to access free services (e.g., access to certain content or participation in offers). If users wish to access the free service without subscribing to the Newsletter, they should contact us.
- Reminder emails for order processes: If users do not complete an order, we may send a reminder email with a link to continue the process. This is useful in cases such as browser crashes, mistakes, or forgetfulness. Sending is based on user consent, which can be revoked at any time; Legal basis: Consent (Art. 6(1)(a) GDPR).
- SMS delivery: Electronic notifications may also be sent via SMS (or exclusively via SMS if the sending authorization covers only SMS); Legal basis: Consent (Art. 6(1)(a) GDPR).
- Klaviyo: Email and SMS marketing platform; Service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.klaviyo.com/; Privacy Policy: https://www.klaviyo.com/legal/privacy-notice; Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF).
Surveys and Questionnaires
We conduct surveys and questionnaires to collect information for the communicated survey or questionnaire purposes. Surveys and questionnaires (hereinafter "Surveys") are evaluated anonymously. Personal data is processed only to the extent necessary for providing and technically conducting the surveys (e.g., processing IP addresses to display the survey in the user’s browser or using cookies to allow resuming a survey).
- Processed types of data: Master data (e.g., full name, residential address, contact details, customer number, etc.); Contact data (e.g., postal and email addresses, phone numbers); Content data (e.g., textual or visual messages and contributions, including author and timestamp information); Usage data (e.g., page views, time spent, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features).
- Data subjects: Participants.
- Purposes of processing: Feedback (e.g., collecting feedback via online forms); Surveys and questionnaires (e.g., surveys with input options, multiple-choice questions); Tracking (e.g., interest- or behavior-based profiling, cookie usage); Click tracking; A/B testing; Heatmaps (mouse movements summarized for an overall view); User profile creation; Provision of our online services and user experience improvement.
- Retention and deletion: Deletion according to the section "General Information on Data Storage and Deletion".
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Additional information on processing procedures, methods, and services:
- Google Forms: Creation and evaluation of online forms, surveys, feedback forms, etc.; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.google.de/intl/de/forms; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum; International Data Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
- Hotjar Ask: Software for analyzing and optimizing online offerings based on feedback features, which may include feedback forms and surveys; Service Provider: Hotjar Ltd., 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.hotjar.com; Privacy Policy: https://www.hotjar.com/legal/policies/privacy; International Data Transfers: Switzerland - Adequacy Decision (Malta); Data Retention: Hotjar uses cookies with varying lifespans; some last up to 365 days, others only during the current visit; Cookie Policy: https://www.hotjar.com/legal/policies/cookie-information. Opt-Out: https://www.hotjar.com/legal/compliance/opt-out.
- Typeform: Creation of forms, surveys, and management of participant submissions; Service Provider: TYPEFORM SL, Carrer Bac de Roda, 163, local, 08018 - Barcelona, Spain; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.typeform.com/; Privacy Policy: https://admin.typeform.com/to/dwk6gt/; Data Processing Agreement: https://admin.typeform.com/to/dwk6gt/; International Data Transfers: Switzerland - Adequacy Decision (Spain).
Web Analytics, Monitoring, and Optimization
Web analytics (also referred to as "audience measurement") is used to evaluate visitor flows on our online offerings and may include behavioral, interest-based, or demographic information about visitors, such as age or gender, as pseudonymous data. Through audience analysis, we can identify, for example, the times when our online offerings or their functions and content are most frequently used, or encourage repeated usage. It also allows us to determine which areas require optimization.
In addition to web analytics, we may conduct tests to evaluate different versions of our online offerings or their components for optimization purposes.
Unless otherwise stated below, profiles may be created for these purposes, i.e., data compiled for a single usage session, and information may be stored in a browser or device and later retrieved. The collected data includes, in particular, visited websites and used elements, as well as technical information such as browser type, operating system, and usage times. If users have consented to the collection of their location data, processing of such data is also possible.
Additionally, users' IP addresses are stored. We employ IP masking (pseudonymization through truncation of the IP address) to protect users. No personal identifiers (such as names or email addresses) are stored in web analytics, A/B testing, or optimization; only pseudonymous data is processed. Neither we nor the software providers know the real identity of users, only the pseudonymous data in the profiles.
Legal Basis: If users are asked for consent for third-party services, consent constitutes the legal basis. Otherwise, data is processed based on legitimate interests (i.e., interest in efficient, cost-effective, and user-friendly services). See also the cookie usage information in this privacy statement.
- Processed Data Types: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved parties).
- Data Subjects: Users (e.g., website visitors, online service users).
- Purpose of Processing: Audience measurement (e.g., access statistics, recognition of returning visitors); user profiling (creating user profiles); provision and usability of our online offerings; tracking (e.g., interest/behavior-based profiling, use of cookies); click tracking; A/B testing; heatmaps (user mouse movements summarized into an overall view); remarketing; conversion measurement (measuring marketing effectiveness); marketing purposes.
- Retention and Deletion: Deleted according to the section "General Information on Data Storage and Deletion." Cookies may be stored for up to 2 years unless otherwise stated.
- Security Measures: IP masking (IP address pseudonymization).
- Legal Basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing, Methods, and Services:
- Google Analytics: We use Google Analytics to measure and analyze usage of our online offerings based on a pseudonymous user ID. This ID does not contain personally identifiable information such as names or email addresses. It is used to assign analytics data to a device to track which content users have accessed, search terms used, repeated visits, or interactions with our online offerings. The time and duration of usage, referral sources, and technical details of devices and browsers are also recorded.
Pseudonymous user profiles may be created across multiple devices, and cookies may be used. Google Analytics does not log or store individual IP addresses of EU users. It provides approximate geographic data derived from IP metadata: city (and derived latitude/longitude), continent, country, region, subcontinent (and ID-based equivalents). For EU traffic, IP data is used only for geolocation purposes and then immediately deleted. It is not logged, accessible, or used for other purposes. EU-based IP requests are handled on EU servers before being sent to Analytics servers; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security Measures: IP masking (IP pseudonymization); Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; International Data Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); Opt-Out: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad personalization settings: https://myadcenter.google.com/personalizationoff. More Information: https://business.safety.google/adsservices/ (types of processing and processed data).
- Information on Consent Recipients and Cookie-Free Analytics: Consent Recipients: Consent provided by users through a consent dialog (also known as "Cookie Opt-In/Consent", "Cookie Banner", etc.) serves multiple purposes. First, it allows us to comply with our obligation to obtain consent for storing and accessing information on users' devices (in accordance with the ePrivacy Directive). Second, it covers the processing of users' personal data in line with EU data protection regulations. This consent also applies to Google, as the company is legally required under the Digital Markets Act to obtain consent for personalized services. Consequently, we share the status of user consents with Google. Our consent management software informs Google whether consent has been granted or not. The goal is to ensure that users’ consent choices—or withdrawals—are respected when using Google Analytics and integrating features or external services. This allows consents to be dynamically applied depending on the user's selection within Google Analytics and other Google services.
Cookie-Free Analytics: We use the enhanced implementation of Google Analytics’ consent mode. This means that if users do not consent to the storage and reading of information on their devices—especially regarding cookies—no cookies or similar information are stored on the users’ devices, and no user profiles are created.
In this case, Google’s code generates a random identification number on the user's device and transmits it to Google (so-called "ping"). This identifier is not stored in browsers, apps, or other user devices. The identification number is unique for each website visit, so users’ behavior or interests are not tracked across devices or sessions. Only minimal information on user activity is sent, such as consent status and conversion measurement data, e.g., whether a user reached our website via a Google advertisement.
Additionally, the following information may be transmitted if available: a) functional information such as headers (technical details sent by the browser), b) timestamp (date and time of access), c) user-agent (browser and device information, web only), d) referrer URL (the page from which the user arrived), e) aggregated/pseudonymous information: this includes a note on whether the current or a previous page in the user’s navigation history contains click information in the URL (e.g., GCLID/DCLID, Google tracking codes), a random number generated for each page load, and information about the consent management platform used by the website owner (e.g., developer ID); Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://support.google.com/analytics/answer/9976101?hl=de; Privacy Policy: https://policies.google.com/privacy. Basis for Transfers to Third Countries: Switzerland - Adequacy Decision (Ireland).
- Google Analytics (Server-Side Implementation): We use Google Analytics to measure and analyze how users interact with our online services. In this implementation, user data is processed but not directly transmitted from users’ devices to Google. Specifically, users’ IP addresses are not sent to Google. Instead, data is first transmitted to our server, where user records are associated with our internal user identification number. Subsequent transmission to Google occurs only in this pseudonymized form. The identification number does not contain any personally identifiable information such as names or email addresses. It serves to associate analytics data with a device to understand which content users accessed, which search terms they used, repeated visits, and their interactions with our online services. Usage times, duration, referral sources, and technical details of devices and browsers are also recorded.
Pseudonymous profiles may be created from usage across multiple devices, and cookies may be used. Analytics provides geographic data at a higher level by capturing metadata based on IP lookups: “City” (and derived latitude/longitude), “Continent,” “Country,” “Region,” and “Subcontinent” (with ID-based equivalents); Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for Transfers to Third Countries: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland). Further Information: https://business.safety.google/adsservices/ (types of processing and data processed).
- Google Signals (Google Analytics Feature): Google Signals refers to session data from websites and apps that Google associates with users logged into their Google accounts who have enabled ad personalization. This data linkage is used to provide cross-device reports, cross-device remarketing, and cross-device conversion tracking. This includes: Cross-device reports – connecting data across devices and sessions using your User ID or Google Signals data to understand user behavior at each stage of the conversion process; Remarketing with Google Analytics – creating remarketing audiences from Google Analytics data and sharing these with linked advertising accounts; Demographics and Interests – collecting additional demographic and interest data for users logged into Google accounts with ad personalization enabled; Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://support.google.com/analytics/answer/7532985?hl=de; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms; Basis for Transfers to Third Countries: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland). Further Information: https://business.safety.google/adsservices/ (types of processing and data processed).
- Google Tag Manager: We use Google Tag Manager, a software solution from Google that allows us to manage website tags centrally via a user interface. Tags are small code elements on our website used to capture and analyze visitor activity. This technology helps us improve our website and its content. Google Tag Manager itself does not create user profiles, store cookies with user profiles, or perform independent analytics. Its function is limited to simplifying and streamlining the integration and management of tools and services used on our website. However, using Google Tag Manager can result in the transmission of users’ IP addresses to Google, which is technically necessary to implement the services we use. Cookies may also be set in this process. This data processing occurs only when services are integrated via Tag Manager. For detailed information on these services and their data processing, please refer to the relevant sections of this privacy policy; Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms. Basis for Transfers to Third Countries: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
- Google Tag Manager (Server-Side Usage): The Google Tag Manager is a tool that allows us to manage so-called website tags via an interface and thereby integrate other services into our online offering (see also the further information in this privacy policy). The Tag Manager itself (which implements the tags) does not store user profiles or cookies. The integration of other services is performed server-side. This means that user data is not directly transmitted from the end device to the respective service or Google. In particular, the users' IP addresses are not transmitted to the other service. Instead, the data is first sent to our server, where the user records are assigned to our internal user identification number. The subsequent transmission of data from our server to the servers of the respective service providers occurs only in this pseudonymized form. The user identification number contains no identifiable data, such as names or email addresses; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; International Data Transfers Basis: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland). More Information: https://business.safety.google/adsservices/ (types of processing and processed data).
- Hotjar Observe: Software for analyzing and optimizing online offerings based on pseudonymized measurements and analysis of user behavior, including A/B testing (to measure the popularity and usability of different content and features), tracking click paths, and interactions with content and functions of the online offering (so-called heatmaps and recordings); Service Provider: Hotjar Ltd., 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.hotjar.com; Privacy Policy: https://www.hotjar.com/legal/policies/privacy; International Data Transfers Basis: Switzerland - Adequacy Decision (Malta); Data Retention: The cookies used by Hotjar have varying lifespans; some remain valid for up to 365 days, while others only last for the current visit; Cookie Policy: https://www.hotjar.com/legal/policies/cookie-information. Opt-Out: https://www.hotjar.com/legal/compliance/opt-out.
- Yandex Metrica: Collection and analysis of website data, generation of detailed reports on visitor activities, tracking click paths, session recordings, heatmaps for visualizing user behavior, conversion tracking, and audience segmentation to optimize website performance; Service Provider: Global DC Oy (Yandex), Moreenikatu 6, 04600 Mantsala, Finland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://yandex.com; Privacy Policy: https://yandex.com/legal/confidential/; International Data Transfers Basis: EU/EEA - Standard Contractual Clauses (between Yandex Oy and YANDEX LLC, 16 Lva Tolstogo St., Moscow, 119021, Russia), Switzerland - Adequacy Decision (Finland).
- SmartBear: Monitoring and analyzing application stability, detecting and diagnosing software errors, prioritizing bug fixes based on impact; Service Provider: SmartBear Software Inc., General Counsel, Legal Dept., Mayoralty House, Flood Street, Galway, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://smartbear.com/; Privacy Policy: https://smartbear.com/privacy/; Data Processing Agreement: Provided by the service provider. International Data Transfers Basis: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
- Microsoft Clarity: Web analytics, measuring reach and analyzing user behavior regarding usage and interests related to features and content, as well as usage duration, based on a pseudonymized user ID and profiling; Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://clarity.microsoft.com; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement; Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. International Data Transfers Basis: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
Online Marketing
We process personal data for the purpose of online marketing, which may include, in particular, the promotion of advertising spaces or the display of advertising and other content (collectively referred to as "content") based on potential user interests, as well as measuring their effectiveness.
For these purposes, so-called user profiles are created and stored in a file (the so-called "cookie") or similar methods are used to store information relevant to displaying the aforementioned content. This may include, for example, viewed content, visited websites, online networks used, as well as communication partners and technical information such as the browser used, the computer system, and information on usage times and utilized functions. If users have consented to the collection of their location data, this may also be processed.
We also store users' IP addresses. However, we apply available IP masking procedures (i.e., pseudonymization by truncating the IP address) to protect users. In general, no clear personal data (such as email addresses or names) is stored in the context of online marketing, only pseudonyms. This means that neither we nor the providers of the online marketing procedures know the actual user identity, only the information stored in their profiles.
The data in the profiles is usually stored in cookies or using similar methods. These cookies can generally be read later on other websites using the same online marketing system and can be analyzed for content display purposes, supplemented with additional data, and stored on the server of the online marketing provider.
In exceptional cases, personal data may be associated with the profiles, mainly if users are members of a social network whose online marketing system we use and the network links the user profiles with the above-mentioned information. Please note that users may make additional agreements with the providers, e.g., by giving consent during registration.
We generally only gain access to aggregated information about the success of our advertisements. However, within the framework of so-called conversion measurements, we can check which of our online marketing procedures led to a so-called conversion, such as concluding a contract with us. Conversion measurement is used solely for evaluating the effectiveness of our marketing activities.
Unless stated otherwise, please assume that the cookies used are stored for a period of two years.
Legal Basis Information: Whenever we ask users for their consent to the use of third-party services, the legal basis for data processing is the permission granted by the user. Otherwise, users’ data are processed on the basis of our legitimate interests (i.e., interest in providing efficient, economical, and user-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy.
Information on Withdrawal and Objection:
We refer to the privacy notices of the respective providers and the objection options ("opt-out") they offer. If no explicit opt-out option is provided, you may disable cookies in your browser settings. However, this may limit some functions of our online services. Therefore, we also recommend the following opt-out options, offered for different regions:
a) Europe: https://www.youronlinechoices.eu
b) Canada: https://www.youradchoices.ca/choices
c) USA: https://www.aboutads.info/choices
d) Cross-region: https://optout.aboutads.info
- Types of Data Processed: Content data (e.g., textual or visual messages and contributions, as well as related information such as authorship or creation time); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); Event data (Facebook) ("Event Data" refers to information sent to Meta, for example via Meta Pixels (through apps or other channels), relating to persons or their actions. This includes details about website visits, interactions with content and functions, app installations, and product purchases. Event data are processed for the purpose of creating target audiences for content and advertising (Custom Audiences). Event data do not include actual content like comments, login information, or contact information such as names, emails, or phone numbers. Event data are deleted by Meta after a maximum of two years, and the audiences created from them are removed when our Meta user accounts are deleted.); Contact information (Facebook) ("Contact Information" refers to data that clearly identifies individuals, such as names, email addresses, and phone numbers, which may be sent to Facebook, e.g., via Facebook Pixel or upload for matching purposes to create Custom Audiences; the contact information is deleted after matching for audience creation). Contact details (e.g., postal and email addresses, or phone numbers).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Audience measurement (e.g., access statistics, identification of returning visitors); Tracking (e.g., interest- or behavior-based profiling, use of cookies); Conversion measurement (measuring the effectiveness of marketing activities); Audience creation; Marketing; User-related profiling; Provision of our online services and usability; Remarketing; Click tracking; Cross-device tracking (processing user data across devices for marketing purposes); Surveys and questionnaires (e.g., surveys with input fields or multiple-choice questions); A/B testing.
- Storage and Deletion: Deletion according to the section "General Information on Data Storage and Deletion". Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for up to two years).
- Security Measures: IP masking (pseudonymization of IP addresses).
- Legal Bases: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing Procedures, Methods, and Services:
- Meta Pixel and Audience Creation (Custom Audiences): Using the Meta Pixel (or similar functions to transmit Event Data or Contact Information via app interfaces), Meta can determine visitors of our online services as target audiences for displaying ads ("Meta Ads"). Accordingly, we use the Meta Pixel to ensure that Meta Ads we display are shown only to users on Meta platforms and Meta partner services (so-called "Audience Network" https://www.facebook.com/audiencenetwork/) who have shown interest in our online offerings or exhibit certain characteristics (e.g., interest in topics or products indicated by visited pages) that we transmit to Meta (so-called "Custom Audiences"). The Meta Pixel also helps ensure that Meta Ads correspond to users’ potential interests and are not intrusive. Additionally, the Meta Pixel allows us to measure the effectiveness of Meta Ads for statistical and market research purposes, for example by tracking whether users are redirected to our website after clicking a Meta Ad ("conversion measurement"); Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for Transfers to Third Countries: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); Further Information: Users’ Event Data, i.e., behavioral and interest-related information, are processed for targeted advertising and audience creation based on the joint controller agreement ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to collection and transmission of data to Meta Platforms Ireland Limited, an EU-based company. 
Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, including transfers to its parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- Advanced Matching for Meta Pixel: In addition to the processing of event data when using the Meta Pixel (or similar functions, e.g., in apps), contact information (personally identifiable data such as names, email addresses, and phone numbers) is also collected by Meta within our online offerings or transmitted to Meta. The processing of this contact information is used to create audiences (so-called "Custom Audiences") for the display of content and advertising tailored to the presumed interests of users. The collection, transmission, and matching with data held by Meta is not done in plain text, but as so-called "hash values," i.e., mathematical representations of the data (this method is also used, for example, for password storage). After matching for audience creation, the contact information is deleted; Legal Basis: Consent (Art. 6(1)(a) GDPR); Privacy Policy: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for International Data Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Further Information: https://www.facebook.com/legal/terms/data_security_terms.
- Meta - Audience Creation via Data Upload: Audience creation for marketing purposes - We transmit contact information (names, email addresses, and phone numbers) in list form to Meta to create audiences (so-called "Custom Audiences") for displaying content and advertising tailored to the presumed interests of users. The transmission and matching with data held by Meta is not done in plain text, but as "hash values," i.e., mathematical representations of the data. After matching for audience creation, the contact information is deleted; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for International Data Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
- Facebook Ads: Placement of advertisements within the Facebook platform and evaluation of ad performance; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Basis for International Data Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); Opt-Out Option: Users can access privacy and advertising settings in their Facebook profile, as well as Facebook’s consent management and contact options to exercise data subject rights as described in Facebook’s privacy policy; Further Information: User event data, i.e., behavioral and interest information, is processed for targeted advertising and audience creation based on the joint controller agreement ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). The joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, an EU-based company. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, including transfer to its parent company Meta Platforms, Inc. in the USA under the standard contractual clauses between Meta Platforms Ireland Limited and Meta Platforms, Inc.
- Google Ad Manager: We use "Google Ad Manager" to place ads in the Google advertising network (e.g., in search results, videos, on websites, etc.). Google Ad Manager displays ads in real-time based on presumed user interests. This allows us to show ads for our online offering to users who may have an interest in it and measure the success of the ads; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for International Data Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); Further Information: Types of processing and data processed: https://business.safety.google/adsservices/; Data processing terms for Google advertising products, including standard contractual clauses for transfers outside the EU/EEA: https://business.safety.google/adscontrollerterms. If Google acts as a processor, processing terms and standard contractual clauses for data transfers outside the EU/EEA: https://business.safety.google/adsprocessorterms.
- AdMob: Platform for displaying advertisements in mobile applications; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://admob.google.com/home/; Privacy Policy: https://policies.google.com/privacy; Basis for International Data Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); Further Information: Processing by Google as controller: https://business.safety.google/adscontrollerterms/.
- Google Ads and Conversion Measurement: Online marketing to place content and ads within the provider's advertising network (e.g., in search results, videos, on websites, etc.) so that they are shown to users likely interested in the ads. Additionally, we measure conversions, i.e., whether users interact with the ads and use the promoted offerings. We only receive anonymous information and no personal data about individual users; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR), Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for International Data Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); Further Information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms and standard contractual clauses for transfers outside the EU/EEA: https://business.safety.google/adscontrollerterms.
- Google Ads Remarketing: Google Remarketing, also known as retargeting, is a technology that places users who visit an online service on a pseudonymous remarketing list, allowing them to be shown ads on other online services based on their visit; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for international data transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for international data transfers: https://business.safety.google/adscontrollerterms.
- Enhanced Conversions for Google Ads: If users click on our Google Ads and subsequently use the advertised service (a "conversion"), the data provided by the user, such as email address, name, home address, or phone number, may be transmitted to Google. The hashed values are then matched with existing Google accounts to better evaluate and improve user interactions with ads (e.g., clicks or views); Legal basis: Consent (Art. 6(1)(a) GDPR). Website: https://support.google.com/google-ads/answer/9888656.
- Instagram Ads: Placement of ads within the Instagram platform and evaluation of ad performance; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/; Basis for international data transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); Opt-out: Users can manage their privacy and ad preferences via Instagram account settings and the consent procedures provided by Instagram, as well as exercise data subject rights directly via Instagram’s privacy policy; Further information: Event data, including behavioral and interest information, is processed for targeted advertising and audience creation under the joint controller agreement ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). The joint responsibility is limited to data collection and transmission to Meta Platforms Ireland Limited, an EU-based company. Further processing, including transfer to Meta Platforms, Inc. in the USA, is solely the responsibility of Meta Platforms Ireland Limited under the standard contractual clauses.
- ManyChat Pixel: Service provider: ManyChat, Inc., 535 Everett Ave, Palo Alto, CA 94301, USA; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://manychat.com; Privacy Policy: https://manychat.com/privacy.html; Data Processing Agreement: https://manychat.com/legal/dpa; Basis for international data transfers: EU/EEA - Standard Contractual Clauses (https://manychat.com/legal/dpa), Switzerland - Standard Contractual Clauses (https://manychat.com/legal/dpa).
- Microsoft Advertising: Online marketing methods to display content and ads within the provider's advertising network (e.g., in search results, videos, websites), targeting users likely to be interested. Conversion tracking measures whether users interact with ads and use promoted offers, but only anonymous data is received; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR); Website: https://about.ads.microsoft.com/en-us; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement; Basis for international data transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); Opt-out: https://account.microsoft.com/privacy/ad-settings/.
- Pinterest Tag: Interest- and behavior-based measurement and analysis of user interaction with our online services (e.g., page visits, search entries, transactions, video and page views, and timing) to create audiences for displaying content and ads on Pinterest and its partner networks; Service provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://help.pinterest.com/en/business/article/track-conversions-with-pinterest-tag; Privacy Policy: https://policy.pinterest.com/de/privacy-policy; Basis for international data transfers: Switzerland - Adequacy Decision (Ireland); Opt-out: https://help.pinterest.com/de/article/personalized-ads-on-pinterest; Further information: Joint controller agreement in the "Pinterest Advertising Services Agreement, Annex B: Pinterest Annex for Joint Controllers" https://business.pinterest.com/de/pinterest-advertising-services-agreement/.
- Taboola: Provides functions for displaying personalized advertising based on interest- and behavior-based information, which may include demographic characteristics, interests, and users’ browsing history stored in user profiles; Service Provider: Taboola, Inc., 16 Madison Square West, 7th Floor, New York, NY 10010, USA; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.taboola.com/de; Privacy Policy: https://www.taboola.com/privacy-policy; Data Processing Agreement: Provided by the service provider; International Data Transfers: EU/EEA - Standard Contractual Clauses (provided by the service provider), Switzerland - Standard Contractual Clauses (provided by the service provider); Data Retention: Taboola retains user information collected directly for advertising purposes for a maximum of eighteen (18) months after the user’s last interaction with Taboola services and anonymizes it by removing personal identifiers or aggregating the data. Anonymous or aggregated data that cannot identify an individual or device is retained as long as commercially necessary for reporting and analysis purposes. Opt-Out: https://www.taboola.com/privacy-policy#user-choices-and-optout.
- Facebook Conversions API: We use Facebook's "Conversions API." The Conversions API is an interface that allows event data to be sent directly from our servers to Facebook. The functioning and processing of data via the Conversions API is equivalent to the processing performed with the Facebook Pixel. For detailed information, please refer to Facebook’s privacy notices regarding the Pixel and audience creation; Legal Basis: Consent (Art. 6(1)(a) GDPR).
- TikTok Pixel: Code loaded when a user visits our online service that tracks user behavior and conversions and stores them in a profile (possible purposes: measuring campaign performance, optimizing ad delivery, building custom and lookalike audiences). We and TikTok are jointly responsible for the collection and transmission of event data and for generating insights reports (statistics) for profile holders. Event data includes information about the types of content users view or interact with, the actions they take, as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data) and profile information such as country or location. Privacy information regarding TikTok's processing of user data can be found in TikTok's privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. We have a joint responsibility agreement with TikTok, specifying the security measures TikTok must follow and confirming that TikTok will uphold users’ rights (e.g., users can submit access or deletion requests directly to TikTok). Users' rights (in particular, rights of access, deletion, objection, and lodging complaints with the relevant supervisory authority) are not restricted by this agreement. The joint responsibility agreement can be found in TikTok’s "Jurisdiction Specific Terms": https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms; Service Providers: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://ads.tiktok.com/help/article/tiktok-pixel; Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de; International Data Transfers: EU/EEA - Standard Contractual Clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms), Switzerland - Standard Contractual Clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).
- Yahoo Advertising: Provision of features for displaying personalized advertising based on interest- and behavior-based information, which may include demographic characteristics, interests, and users' browsing history, stored in user profiles; Service Provider: Yahoo EMEA Limited, Point Square 5-7, North Wall Quay, Dublin 1, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://advertising.yahoo.com/; Privacy Policy: https://legal.yahoo.com/ie/de/yahoo/privacy/overview/index.html. Basis for International Data Transfers: Switzerland - Adequacy Decision (Ireland).
- Advanced Analytics: Analytics software that allows us to measure usage and interaction with our services on or in connection with Meta platforms (via so-called events, such as viewing posts or clicking "Like" buttons) and to obtain demographic information about our users (e.g., average age, location, language used). User data is processed by Meta for the purpose of displaying content and ads based on users’ presumed interests by creating user profiles. The data is provided to us only in aggregated form, so we cannot see individual user data. We use the results to optimize our content and services; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://about.meta.com/; Data Processing Agreement: Provided by the service provider. Basis for International Data Transfers: EU/EEA - Standard Contractual Clauses (provided by the service provider), Switzerland - Adequacy Decision (Ireland).
Legal Basis Information:
Affiliate Programs and Affiliate Links
Our online services may include so-called affiliate links or other references (which can include, for example, search forms, widgets, or discount codes) to the offers and services of third parties (collectively referred to as "Affiliate Links"). When users follow these Affiliate Links or subsequently use the offers, we may receive a commission or other benefits from these third parties (collectively referred to as "Commission").
In order to track whether users have utilized an offer via an Affiliate Link we use, it is necessary for the respective third parties to know that users have followed an Affiliate Link placed within our online services. The assignment of Affiliate Links to specific transactions or other actions (e.g., purchases) serves solely the purpose of commission accounting and is deleted as soon as it is no longer required for that purpose.
For the purposes of assigning Affiliate Links, the Affiliate Links may be supplemented with certain values that are part of the link itself or stored otherwise, e.g., in a cookie. These values may include, in particular, the referring website, the timestamp, an online identifier of the operator of the website where the Affiliate Link was placed, an online identifier of the respective offer, the type of link used, the type of offer, and an online identifier of the user.
Notes on Legal Basis: If we request users’ consent for the use of third-party services, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in providing efficient, economical, and user-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.
- Types of Data Processed: Contract data (e.g., contract subject, duration, customer category); Usage data (e.g., page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Metadata, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); Master data (e.g., full name, residential address, contact details, customer number, etc.); Payment data (e.g., bank account information, invoices, payment history).
- Data Subjects: Prospective customers; Users (e.g., website visitors, users of online services); Service recipients and clients.
- Purposes of Processing: Affiliate tracking; Provision of contractual services and fulfillment of contractual obligations.
- Storage and Deletion: Deletion in accordance with the specifications in the section "General Information on Data Storage and Deletion".
- Legal Bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further Information on Processing Activities, Procedures, and Services:
- Amazon Associates Program: Affiliate marketing program (Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates); Service Provider: Amazon EU S.à r.l., 38 avenue John F. Kennedy, L-1855 Luxembourg; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.amazon.de; Privacy Policy: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010. Basis for International Data Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Luxembourg).
- AWIN Affiliate Program (formerly Zanox and Affilinet): Affiliate marketing program; Service Provider: AWIN AG, Eichhornstr. 3, 10785 Berlin, Germany; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.awin.com/de; Privacy Policy: https://www.awin.com/de/rechtliches/privacy-policy-DACH. Basis for International Data Transfers: Switzerland - Adequacy Decision (Germany).
- Digistore24 Affiliate Program: Affiliate marketing program; Service Provider: Digistore24 GmbH, St.-Godehard-Straße 32, 31139 Hildesheim, Germany; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.digistore24.com; Privacy Policy: https://www.digistore24.com/page/privacy. Basis for International Data Transfers: Switzerland - Adequacy Decision (Germany).
- eBay Partner Network: Affiliate marketing program; Service Provider: eBay Partner Network, Inc., 2145 Hamilton Ave., San Jose, CA 95125, USA; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://partnernetwork.ebay.de; Privacy Policy: https://partnernetwork.ebay.de/legal#privacy-policy. Basis for International Data Transfers: Standard Contractual Clauses (SCCs) approved by the European Commission.
- Tradedoubler Affiliate Program: Affiliate marketing program; Service Provider: Tradedoubler GmbH, Herzog-Wilhelm-Straße 26, 80331 Munich, Germany; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.tradedoubler.com/de; Privacy Policy: https://www.tradedoubler.com/de/privacy-policy. Basis for International Data Transfers: Switzerland - Adequacy Decision (Germany).
- TradeTracker Affiliate Program: Affiliate marketing program; Service Provider: TradeTracker Deutschland GmbH, Uhlandstraße 26, 22087 Hamburg, Germany (additional addresses: https://tradetracker.com/contact/); Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://tradetracker.com/de; Privacy Policy: https://tradetracker.com/de/privacy-policy. Basis for International Data Transfers: Standard Contractual Clauses (SCCs) approved by the European Commission.
- WEBGAINS Affiliate Program: Affiliate marketing program; Service Provider: ad pepper media GmbH, FrankenStraße 150C, FrankenCampus 90461, Nuremberg, Germany; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.webgains.com/public/de; Privacy Policy: https://www.webgains.com/public/de/datenschutzerklaerung. Basis for International Data Transfers: Switzerland - Adequacy Decision (Germany).
Offering of an Affiliate Program
We offer an affiliate program, meaning commissions or other benefits (collectively referred to as "Commission") for users (referred to as "Affiliates") who refer our services and offerings. Referrals are made via links or other methods assigned to each affiliate (e.g., discount codes) that allow us to identify that the use of our services was based on the referral (collectively referred to as "Affiliate Links").
In order to track whether users have used our services because of the Affiliate Links provided by the Affiliates, it is necessary for us to know that users followed an Affiliate Link. The attribution of Affiliate Links to specific transactions or other use of our services is solely for the purpose of calculating commissions and will be deleted once it is no longer required for this purpose.
For the purpose of the aforementioned attribution of Affiliate Links, the Affiliate Links may contain certain values, which may either be part of the link itself or stored elsewhere, e.g., in a cookie. These values may include, in particular, the originating website (referrer), the timestamp, an online identifier of the website operator where the Affiliate Link was located, an online identifier of the respective offer, the type of link used, the type of offer, and an online identifier of the user.
Legal basis: The processing of our partners’ data is carried out for the provision of our (pre-)contractual services. User data is processed based on their consent in accordance with the EU General Data Protection Regulation (GDPR).
- Types of data processed: Contract data (e.g., subject matter of the contract, duration, customer category); usage data (e.g., page views and dwell time, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions); log data (e.g., log files concerning logins, data retrieval, or access times).
- Data subjects: Users (e.g., website visitors, users of online services) and business or contractual partners.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; affiliate tracking and commission attribution.
- Retention and deletion: Data will be deleted in accordance with the section "General Information on Data Storage and Deletion."
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) and, for users, consent (Art. 6(1)(a) GDPR) where required.
Customer Reviews and Rating Procedures
We participate in review and rating processes to evaluate, optimize, and promote our services. When users provide ratings or feedback via the participating review platforms or processes, the respective general terms of service and privacy policies of these providers also apply. In most cases, submitting a review requires registration with the respective provider.
To ensure that reviewers have actually used our services, we transmit the necessary data regarding the customer and the utilized service to the respective review platform with the customer’s consent (including name, email address, and order or item number). These data are used solely to verify the authenticity of the user.
- Types of Data Processed: Contractual data (e.g., contract subject, duration, customer category); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Metadata, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
- Data Subjects: Service recipients and clients. Users (e.g., website visitors, users of online services).
- Purposes of Processing: Feedback (e.g., collecting feedback via online forms). Marketing.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).
Additional Information on Processing, Procedures, and Services:
- Review Widget: We embed so-called "review widgets" into our online offerings. A widget is a functional and content element integrated into our website that displays dynamic information. It may appear, for example, as a seal or similar element, sometimes called a "badge." While the content of the widget is displayed on our site, it is retrieved from the servers of the respective widget provider at that moment. This ensures that the most current content is always displayed, especially the latest ratings. To do this, a data connection is established from the web page accessed within our online offering to the widget provider's server. The widget provider receives certain technical data (access data, including IP address) necessary to deliver the widget content to the user's browser. Additionally, the widget provider may receive information indicating that users have visited our website. This information may be stored in a cookie and used by the widget provider to recognize which online offerings participating in the review process have been visited by the user. The information may also be stored in a user profile and used for advertising or market research purposes; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Google Customer Reviews: Service for collecting and/or displaying customer satisfaction and opinions; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis for International Data Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); Further Information: In the context of obtaining customer reviews, an identification number and timestamp for the transaction being reviewed, the customer’s email address (for reviews requested directly from customers), their country of residence, and the review content itself are processed; More details on the types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information on services, processing terms between controllers, and standard contractual clauses for international data transfers: https://business.safety.google/adscontrollerterms.
- Trusted Shops (Trustedbadge): Review platform – Within the framework of the joint responsibility between us and Trusted Shops, for any privacy-related questions or to exercise your rights, please primarily contact Trusted Shops using the contact options provided in their privacy information. Regardless, you may always contact the data controller of your choice. If necessary, your request will be forwarded to the other controller for response.
The Trustbadge is provided via a U.S.-based Content Delivery Network (CDN). An adequate level of data protection is ensured through standard contractual clauses and additional contractual measures.
When the Trustbadge is accessed, the web server automatically stores a server log file, which includes your IP address, date and time of access, transferred data volume, and the requesting provider (access data) to document the access. The IP address is anonymized immediately after collection, ensuring that the stored data cannot be linked to your person. The anonymized data is primarily used for statistical purposes and error analysis.
If you have given your consent, the Trustbadge accesses order information stored on your end device after the completion of your order (order amount, order number, and, if applicable, purchased product) as well as your email address, which is hashed using a one-way cryptographic function. The hash value is then transmitted along with the order information to Trusted Shops in accordance with Art. 6(1)(a) GDPR. This is used to verify whether you are already registered for Trusted Shops services. If you are, further processing is carried out according to the contractual agreement between you and Trusted Shops. If you are not yet registered or do not consent to automatic recognition via the Trustbadge, you will have the option to manually register for the services or complete buyer protection under any existing agreement.
For this purpose, the Trustbadge accesses the following information stored on your end device after your order is completed: order amount, order number, and email address. This is necessary to offer you buyer protection. Data is only transmitted to Trusted Shops once you actively choose to activate buyer protection by clicking the designated button in the so-called Trustcard. If you decide to use the services, further processing is based on the contractual agreement with Trusted Shops in accordance with Art. 6(1)(b) GDPR, enabling registration for buyer protection and securing your order, as well as possibly sending follow-up review invitations via email.
Trusted Shops uses service providers in the areas of hosting, monitoring, and logging. The legal basis is Art. 6(1)(f) GDPR to ensure uninterrupted operation. Processing may occur in third countries (USA and Israel). Adequate data protection is ensured in the USA through standard contractual clauses and additional contractual measures, and in Israel through an adequacy decision.
Service provider: Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany; Legal bases: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.trustedshops.de; Privacy Policy: https://www.trustedshops.de/impressum-datenschutz/. Basis for third-country transfers: Switzerland - adequacy decision (EU-wide applicability).
- Trustpilot: Review platform; Service provider: Trustpilot A/S, Pilestræde 58, 5, 1112 Copenhagen, Denmark; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://de.trustpilot.com. Privacy Policy: https://de.legal.trustpilot.com/for-reviewers/end-user-privacy-terms.
Social Media Presence
We maintain online presences within social networks and, in this context, process user data to communicate with users active on those platforms or to provide information about us.
We point out that user data may be processed outside the European Union. This can pose risks for users, for example because enforcing user rights may be more difficult in such cases.
Furthermore, user data within social networks is generally processed for market research and advertising purposes. For instance, usage profiles may be created based on user behavior and resulting interests. These profiles may, in turn, be used to display advertisements both within and outside the networks that are likely to correspond to the users' interests. Therefore, cookies are usually stored on users' devices, in which usage behavior and interests are recorded. Additionally, usage profiles may store data independently of the devices used by the users (particularly if they are members of the respective platforms and logged in there).
For detailed information about the respective processing types and the options to object (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.
Also, in the case of requests for information and the exercise of data subject rights, we point out that these are most effectively asserted directly with the providers. Only the providers have access to the user data and can take appropriate measures and provide information. If you still need assistance, you may contact us.
- Types of data processed: Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or visual messages and posts, as well as information related to them, such as authorship or creation time); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); Account data (e.g., full name, address, contact details, customer number, etc.).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Communication; Feedback (e.g., collecting feedback via online forms); Public relations; Marketing; Provision of our online services and ensuring user-friendliness.
- Retention and deletion: Deletion in accordance with the section "General Information on Data Storage and Deletion".
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Consent (Art. 6(1)(a) GDPR).
Additional information on processing activities, procedures, and services:
- Instagram: Social network that allows sharing photos and videos, commenting and liking posts, sending messages, and following profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for international data transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy decision (Ireland).
- Facebook Pages: Profiles within the social network Facebook – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data from visitors to our Facebook page (so-called "Fanpage"). This data includes information about the types of content users view or interact with, actions taken by users (see "Things You and Others Do and Provide" in Facebook's Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by the users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see "Device Information" in Facebook's Data Policy: https://www.facebook.com/privacy/policy/). As explained in Facebook's Data Policy under "How We Use This Information," Facebook also collects and uses information to provide analytics services, so-called "Page Insights," to page operators so they can understand how people interact with their pages and content. We have entered into a special agreement with Facebook ("Page Insights Data," https://www.facebook.com/legal/terms/page_controller_addendum), which regulates, in particular, the security measures Facebook must follow and ensures that Facebook will fulfill data subject rights (i.e., users can submit access or deletion requests directly to Facebook). Users' rights (in particular, the right to access, delete, object, and lodge a complaint with the competent supervisory authority) are not limited by the agreements with Facebook. Further details can be found in "Page Insights Data" (https://www.facebook.com/legal/terms/information_about_page_insights_data). The joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, an EU-based company. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, including any transfer to its parent company, Meta Platforms, Inc., in the USA; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for international data transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy decision (Ireland).
- Facebook Groups: We use the "Groups" feature of the Facebook platform to create interest-based communities where Facebook users can interact with each other and with us, and share information. In doing so, we process personal data of our group members to the extent necessary for group usage and moderation. Our group rules may contain additional requirements and information regarding the use of each specific group. This data includes first and last names, publicly shared or privately communicated content, as well as information regarding group membership status and group-related activities, such as joining or leaving the group and timestamps associated with these activities. Furthermore, we refer to the processing of user data by Facebook itself. This includes information about the types of content users view or interact with, actions they take (see “Things you and others do and provide” in Facebook’s Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see “Device Information” in Facebook’s Data Policy: https://www.facebook.com/privacy/policy/). As explained in Facebook’s Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services, called “Insights”, to group administrators so that they can gain insights into how people interact with their groups and associated content. Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for Transfers to Third Countries: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
- Pinterest: Social network enabling sharing of photos, commenting, favoriting, curating posts, sending messages, and following profiles; Service Provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.pinterest.com; Privacy Policy: https://policy.pinterest.com/de/privacy-policy. Basis for Transfers to Third Countries: Switzerland - Adequacy Decision (Ireland).
- TikTok: Social network, allows sharing of photos and videos, commenting and liking posts, sending messages, and following accounts; Service providers: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.tiktok.com; Privacy Policy: https://www.tiktok.com/de/privacy-policy. Basis for international data transfers: EU/EEA – Standard Contractual Clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms), Switzerland – Standard Contractual Clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).
- TikTok Business: Social network, allows sharing of photos and videos, commenting and liking posts, sending messages, and following accounts. TikTok and we are jointly responsible for the collection and transfer of event data as well as for measuring and generating insights reports (statistics) for profile owners. Event data includes information about the types of content users view or interact with, actions they perform, information about the devices they use (e.g., IP addresses, operating system, browser type, language settings, cookie data), and profile information such as country or location. Privacy information regarding TikTok’s processing of user data can be found in TikTok’s privacy notices: https://www.tiktok.com/legal/page/eea/privacy-policy/de. We have entered into a joint controller agreement with TikTok which defines the security measures TikTok must follow and ensures TikTok fulfills data subject rights (e.g., users can make access or deletion requests directly to TikTok). Users’ rights (including access, deletion, objection, and complaint to the competent supervisory authority) are not limited by the agreement with TikTok. The joint controller agreement can be found in TikTok’s "Jurisdiction Specific Terms": https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms; Service providers: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.tiktok.com; Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Basis for international data transfers: EU/EEA – Standard Contractual Clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms), Switzerland – Standard Contractual Clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).
- X: Social network; Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://x.com; Privacy Policy: https://x.com/de/privacy. Basis for international data transfers: Switzerland – Adequacy decision (Ireland).
- YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Privacy Policy: https://policies.google.com/privacy; Basis for international data transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy decision (Ireland). Opt-out options: https://myadcenter.google.com/personalizationoff.
Plugins and Embedded Features and Content
We integrate functional and content elements into our online offerings that are retrieved from the servers of their respective providers (hereinafter referred to as "third parties"). This can include, for example, graphics, videos, or maps (hereinafter collectively referred to as "content").
Embedding such content always requires that the third-party providers process users’ IP addresses, as they would not be able to deliver the content to users’ browsers without them. The IP address is therefore necessary for displaying these contents or functions. We endeavor to use only content whose providers utilize the IP address solely for delivering the content. Third parties may also employ so-called pixel tags (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. These pixel tags allow information such as visitor traffic on this website to be evaluated. Pseudonymous information may additionally be stored in cookies on users’ devices and may include technical details about the browser and operating system, referring websites, visit duration, and other information about the use of our online services, and may be combined with information from other sources.
Notes on Legal Basis: Whenever we request users’ consent for the use of third-party services, the legal basis for data processing is the consent itself. Otherwise, user data is processed based on our legitimate interests (i.e., the interest in efficient, economic, and user-friendly services). In this context, we also refer you to the information regarding the use of cookies in this privacy policy.
- Types of data processed: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); metadata, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); Event data (Meta/Facebook) ("Event data" refers to information sent to Meta via Meta Pixel or other channels relating to users or their actions. This includes details about website visits, interactions with content and features, app installations, and product purchases. Event data is used to create target audiences for content and advertising messages (Custom Audiences). Event data does not include actual content such as written comments, login credentials, or contact information such as names, email addresses, or phone numbers. Event data is deleted by Meta after a maximum of two years, and the corresponding audiences disappear upon deletion of our Meta user accounts.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or visual messages and posts, including related information such as authorship or creation time).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of our online services and user-friendliness; provision of contractual services and fulfillment of contractual obligations; creation of user profiles (profiling); marketing; reach measurement (e.g., access statistics, recognition of returning visitors); tracking (e.g., interest/behavior-based profiling, use of cookies).
- Retention and deletion: Deletion in accordance with the section "General Information on Data Storage and Deletion." Cookies may be stored for up to 2 years (unless otherwise specified, cookies and similar storage methods may remain on users’ devices for up to two years).
- Legal bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing procedures, methods, and services:
- Integration of Third-Party Software, Scripts, or Frameworks (e.g., jQuery): We integrate software into our online services that we retrieve from servers of other providers (e.g., functional libraries used to enhance the presentation or user-friendliness of our online services). In doing so, the respective providers may collect the IP addresses of users and process them for the purposes of delivering the software to the users' browsers, security, as well as analyzing and optimizing their offerings; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Facebook Plugins and Content: Facebook social plugins and content may include, for example, images, videos, text, or buttons that allow users to share content from our online services on Facebook. The list and appearance of Facebook social plugins can be viewed here: https://developers.facebook.com/docs/plugins/. We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt of "event data" through the Facebook social plugins (and embedding functions for content) executed on our online services, solely for the purpose of transmission, but not for further processing, for the following purposes: a) displaying content and advertising information matching the presumed interests of users; b) delivery of commercial and transactional messages (e.g., messaging users via Facebook Messenger); c) improving ad delivery and personalization of functions and content (e.g., improving the recognition of content or ads likely to match users' interests). We have a specific agreement with Facebook ("Controller Addendum", https://www.facebook.com/legal/controller_addendum), which regulates the security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and ensures that Facebook complies with data subject rights (i.e., users can directly request information or deletion from Facebook). Note: If Facebook provides us with aggregated metrics, analyses, and reports (i.e., no individual user data and anonymous to us), this processing is not part of the joint responsibility but occurs under a data processing agreement ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing), the "Data Security Terms" (https://www.facebook.com/legal/terms/data_security_terms), and, regarding processing in the USA, based on Standard Contractual Clauses ("Facebook EU Data Transfer Addendum", https://www.facebook.com/legal/EU_data_transfer_addendum). Users’ rights (especially to access, deletion, objection, and complaints to the competent supervisory authority) are not restricted by agreements with Facebook; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for transfers to third countries: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
- Google Fonts (Served from Our Own Server): Provision of font files to ensure a user-friendly presentation of our online services; Service provider: Google Fonts are hosted on our server, and no data is transmitted to Google; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Google Fonts (Loaded from Google Servers): Fonts (and icons) are loaded to ensure a technically secure, maintenance-free, and efficient use of fonts and icons with regard to up-to-dateness, loading times, consistent display, and possible licensing restrictions. The IP address of the user is shared with the font provider so that the fonts can be provided in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, and hardware used) necessary for delivering the fonts depending on the devices and technical environment are transmitted. These data may be processed on servers of the font provider in the USA. When visiting our website, users’ browsers send HTTP requests to the Google Fonts Web API (i.e., a software interface for fetching the fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) from Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server, and (3) HTTP headers, including the User-Agent, which describes the browser and operating system version of the website visitor, as well as the referring URL (i.e., the website on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers and are not analyzed. The Google Fonts Web API logs details of HTTP requests (requested URL, User-Agent, and referring URL). Access to these data is restricted and strictly controlled. The requested URL identifies the font families the user wants to load. These data are logged so that Google can determine how often a specific font family is requested. The User-Agent is needed to adapt the font to the respective browser type; it is logged primarily for debugging and is used to generate aggregated usage statistics, which measure the popularity of font families. These aggregated usage statistics are published on the "Analytics" page of Google Fonts. Finally, the referring URL is logged so that the data can be used for production maintenance and to generate an aggregated report on the top integrations based on the number of font requests. According to Google, none of the information collected by Google Fonts is used to create end-user profiles or for targeted advertising; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://fonts.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis for International Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland). Further Information: https://developers.google.com/fonts/faq/privacy?hl=de.
- Font Awesome (Hosted on Our Own Server): Display of fonts and icons; Service Provider: The Font Awesome icons are hosted on our server, and no data is transmitted to the Font Awesome provider; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Instagram Plugins and Content: Instagram plugins and content may include, for example, images, videos, text, and buttons that allow users to share content from this website within Instagram. We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt of "event data" transmitted by Facebook via Instagram features (e.g., embedded content functions) executed on our website, but not for further processing. The purposes include: a) displaying content and advertising relevant to users’ presumed interests; b) delivering commercial and transactional messages (e.g., contacting users via Facebook Messenger); c) improving ad delivery and personalization of functions and content (e.g., better recognition of content or advertising likely to match user interests). We have a special agreement with Facebook ("Controller Addendum", https://www.facebook.com/legal/controller_addendum) that regulates the security measures Facebook must follow (https://www.facebook.com/legal/terms/data_security_terms) and ensures that Facebook fulfills data subject rights (i.e., users can submit requests for information or deletion directly to Facebook). Note: If Facebook provides us with aggregated metrics, analytics, and reports that do not contain individual user information and are anonymous to us, this processing is based on a data processing agreement ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing) and the "Data Security Terms" (https://www.facebook.com/legal/terms/data_security_terms), as well as on Standard Contractual Clauses for transfers to the USA ("Facebook EU Data Transfer Addendum", https://www.facebook.com/legal/EU_data_transfer_addendum). Users’ rights (especially access, deletion, objection, and complaints to supervisory authorities) are not restricted by these agreements. Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for transfers to third countries: Switzerland - Adequacy Decision (Ireland).
- Pinterest Plugins and Content: Pinterest plugins and content may include, for example, images, videos, text, and buttons that allow users to share content from this website within Pinterest; Provider: Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.pinterest.com; Privacy Policy: https://policy.pinterest.com/de/privacy-policy. Basis for transfers to third countries: Standard Contractual Clauses (SCC) for the USA.
- reCAPTCHA: We use "reCAPTCHA" to determine whether inputs (e.g., in online forms) are made by humans or automated bots. Collected data may include IP addresses, information about operating systems, devices, browsers, language settings, location, mouse movements, keystrokes, time spent on pages, previously visited websites, interactions with reCAPTCHA on other websites, cookies, and results from manual verification tasks (e.g., answering questions or selecting objects in images). Processing is based on our legitimate interest in protecting our website from abusive automated crawling and spam; Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.google.com/recaptcha/; Privacy Policy: https://policies.google.com/privacy; Basis for transfers to third countries: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland). Opt-out options: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, ad personalization settings: https://myadcenter.google.com/personalizationoff.
- YouTube Videos: Video content; YouTube videos are embedded using a special domain (identified by "youtube-nocookie") in the "Enhanced Privacy Mode," so that no cookies are set for personalizing playback. However, information about user interaction with the video (e.g., remembering the last playback position) may still be stored; Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy. Basis for transfers to third countries: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
- Vimeo Video Player: Integration of a video player; Service Provider: Vimeo Inc., Attention: Legal Department, 555 West 18th Street, New York, New York 10011, USA; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://vimeo.com; Privacy Policy: https://vimeo.com/privacy; Data Processing Agreement: https://vimeo.com/enterpriseterms/dpa. International Data Transfers: EU/EEA - Standard Contractual Clauses (https://vimeo.com/enterpriseterms/dpa), Switzerland - Standard Contractual Clauses (https://vimeo.com/enterpriseterms/dpa).
- Elfsight: Provision of widgets for website integration, including contact forms, social media feeds, reviews, and galleries. Customization of widgets to match website design. Collection and processing of user data to provide and improve services. Storage and analysis of interactions to optimize user experience; Service Provider: Elfsight, LLC, Paronyana str. 19/3, 201, 0015 Yerevan, Armenia; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://elfsight.com/; Privacy Policy: https://elfsight.com/privacy-policy/.
- Imgur: Embedded plugins and content – this may include images, videos, text, and buttons; Service Provider: Imgur, Inc., 600 California Street, Fl. 11, San Francisco, California, 94108, USA; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://imgur.com; Privacy Policy: https://imgur.com/privacy.
- Google Hosted Libraries: Google Hosted Libraries is a globally available Content Delivery Network (CDN) for the most popular open-source JavaScript libraries. It provides web libraries to optimize website load times, reduce bandwidth usage, and improve performance by using shared public resources; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://developers.google.com/speed/libraries/; Privacy Policy: https://policies.google.com/privacy. International Data Transfers: Switzerland – Adequacy Decision (Ireland).
- TikTok Plugins and Content: TikTok plugins and content – this may include images, videos, text, and buttons; Service Providers: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.tiktok.com; Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de.
Changes and Updates
We encourage you to regularly review the content of our privacy policy. We update the privacy policy whenever changes to our data processing activities make it necessary. We will inform you if any changes require your involvement (e.g., consent) or other individual notification.
If we provide addresses or contact details of companies and organizations in this privacy policy, please note that addresses may change over time and we recommend verifying the information before contacting them.
Definitions
This section provides an overview of the terminology used in this Privacy Policy. Where terms are legally defined, their statutory definitions apply. The explanations below are primarily intended to aid understanding.
- A/B Testing: A/B testing is used to improve the usability and performance of online services. Users are shown different versions of a website or its elements, such as input forms, where the placement of content or the labels of navigation elements may vary. Based on user behavior, such as longer time spent on the website or more frequent interaction with elements, it can be determined which versions better meet user needs.
- Affiliate Tracking: In affiliate tracking, links that direct users from referring websites to websites offering products or services are logged. Operators of the referring websites may receive a commission if users follow these so-called affiliate links and subsequently use the offers (e.g., purchase goods or use services). To enable this, providers need to track whether users interested in specific offers subsequently act based on the affiliate links. Therefore, affiliate links are supplemented with certain values that become part of the link or are otherwise stored, e.g., in a cookie. These values typically include the referring website, timestamp, an online identifier for the website operator hosting the affiliate link, an identifier for the specific offer, a user identifier, as well as tracking-specific values such as ad ID, partner ID, and categorizations.
- Employees: Employees are individuals engaged in an employment relationship, whether as staff, salaried employees, or in similar positions. An employment relationship is a legal connection between an employer and an employee, established by an employment contract or agreement. It includes the employer’s obligation to provide compensation while the employee performs work. The employment relationship covers various stages, including formation (signing the contract), execution (performing work duties), and termination (through resignation, contract termination, or otherwise). Employee data includes any information relating to these individuals in the context of their employment, such as personal identification data, identification numbers, salary and bank details, working hours, vacation entitlements, health data, and performance evaluations.
- Master Data: Master data includes essential information necessary for identifying and managing contractual partners, user accounts, profiles, and similar assignments. This can include personal and demographic information such as names, contact details (addresses, phone numbers, email addresses), dates of birth, and specific identifiers (e.g., user IDs). Master data forms the basis for formal interactions between individuals and services, institutions, or systems by enabling unique identification and communication.
- Content Delivery Network (CDN): A Content Delivery Network (CDN) is a service that allows content from an online offering, particularly large media files such as graphics or program scripts, to be delivered faster and more securely using geographically distributed servers connected via the internet.
- Cross-Device Tracking: Cross-device tracking is a form of tracking where user behavior and interest data are collected across multiple devices in so-called profiles by assigning an online identifier to users. This allows user information to be analyzed for marketing purposes independently of the browsers or devices used (e.g., mobile phones or desktop computers). In most cases, the online identifier is not linked to clear personal data such as names, postal addresses, or email addresses.
- Heatmaps: Heatmaps are visual representations of user mouse movements aggregated to show, for example, which website elements are most frequently interacted with and which elements users engage with less.
- Content Data: Content data includes information generated during the creation, editing, and publication of any type of content. This category of data may encompass texts, images, videos, audio files, and other multimedia content published across various platforms and media. Content data is not limited to the content itself but also includes metadata that provides information about the content, such as tags, descriptions, author information, and publication dates.
- Click Tracking: Click tracking allows monitoring of user interactions within an entire online offering. Since the results of such tests are more accurate when user interactions are tracked over time (e.g., to determine whether a user tends to return), cookies are generally stored on users' devices for these testing purposes.
- Contact Information: Contact information consists of essential details that enable communication with individuals or organizations. This includes phone numbers, postal addresses, email addresses, as well as communication handles such as social media accounts and instant messaging identifiers.
- Conversion Measurement: Conversion measurement (also referred to as "visit action analysis") is a process used to determine the effectiveness of marketing activities. Typically, a cookie is stored on users' devices on websites where marketing measures are implemented and later retrieved on the target website. This allows us to understand, for example, whether advertisements displayed on other websites were successful.
- Meta, Communication, and Procedural Data: Meta, communication, and procedural data are categories containing information about how data is processed, transmitted, and managed. Metadata, also known as data about data, describes the context, origin, and structure of other data. It may include file size, creation date, document author, and revision history. Communication data captures information exchange between users across various channels, such as emails, call logs, social media messages, and chat histories, including participants, timestamps, and transmission paths. Procedural data describes processes and workflows within systems or organizations, including workflow documentation, logs of transactions and activities, and audit logs used for tracking and verification of operations.
- Usage Data: Usage data refers to information that captures how users interact with digital products, services, or platforms. This data includes details about how users use applications, which features they prefer, how long they spend on certain pages, and the paths they take through an application. Usage data may also include frequency of use, activity timestamps, IP addresses, device information, and location data. It is particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. Additionally, usage data plays a key role in identifying trends, preferences, and potential problem areas within digital offerings.
- Personal Data: "Personal data" refers to any information relating to an identified or identifiable natural person (hereinafter "data subject"). A natural person is considered identifiable if they can be directly or indirectly identified, in particular by reference to an identifier such as a name, identification number, location data, an online identifier (e.g., cookie), or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
- User Profile Data: The processing of "user profile data," or simply "profiles," includes any type of automated processing of personal data used to analyze, evaluate, or predict certain personal aspects relating to a natural person. Depending on the profiling type, this may involve information on demographics, behavior, and interests, such as interactions with websites and their content. Profiling purposes often include assessing interests in specific content or products, click behavior on a website, or user location. Cookies and web beacons are commonly used for profiling purposes.
- Log Data: Log data consists of information about events or activities recorded within a system or network. This data typically includes timestamps, IP addresses, user actions, error messages, and other details about system use or operation. Log data is often used for analyzing system issues, monitoring security, or generating performance reports.
- Audience Measurement: Audience measurement (also referred to as web analytics) is used to analyze visitor flows on an online service and may include information about users' behavior or interests regarding specific content, such as website pages. Audience analysis allows operators of online services to determine, for example, when users visit their websites and which content interests them. This enables them to better tailor website content to the needs of their visitors. For audience measurement purposes, pseudonymous cookies and web beacons are often used to recognize returning visitors and provide more accurate analyses of how the online service is used.
- Remarketing: "Remarketing" or "retargeting" refers to the practice of noting, for advertising purposes, which products a user has shown interest in on a website, in order to remind the user of these products on other websites, for example through ads. This processing is conducted in compliance with the EU General Data Protection Regulation (GDPR) and requires proper user consent where applicable.
- Location Data: Location data is generated when a mobile device (or another device with location-determining capabilities) connects to a cell tower, Wi-Fi network, or similar technical means that allow for determining the device's location. Location data indicates the geographic position of the device and may be used, for example, to provide map functions or other location-based services. Collection and use of location data must comply with GDPR requirements, including obtaining explicit consent from users.
- Tracking: "Tracking" refers to monitoring user behavior across multiple online services. Typically, behavioral and interest information related to the online services used is stored in cookies or on the servers of the tracking technology providers (so-called profiling). This information may subsequently be used, for example, to display advertisements that are likely to correspond to the user's interests. Tracking is subject to GDPR rules, and users must be informed and give consent where legally required.
- Data Controller: The "Data Controller" is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data.
- Processing: "Processing" is any operation or set of operations performed on personal data, whether or not by automated means. This term is broad and encompasses virtually any handling of personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction of data. All processing must comply with GDPR requirements throughout the EU.
- Contract Data: Contract data refers to specific information related to the formalization of an agreement between two or more parties. This data documents the terms under which services or products are provided, exchanged, or sold. It is essential for managing and fulfilling contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include the start and end dates of the contract, the type of agreed services or products, pricing arrangements, payment terms, termination rights, renewal options, and special conditions or clauses. This information serves as the legal basis for the relationship between parties and is crucial for clarifying rights and obligations, enforcing claims, and resolving disputes. Under the General Data Protection Regulation (GDPR), the processing of contract data must be limited to what is necessary for performance of the contract and must comply with principles of transparency, purpose limitation, and data minimization applicable across the EU.
- Payment Data: Payment data includes all information necessary to process payment transactions between buyers and sellers. This data is critical for e-commerce, online banking, and any other form of financial transaction. It may include credit card numbers, bank account details, payment amounts, transaction dates, verification numbers, and billing information. Payment data may also contain information about payment status, chargebacks, authorizations, and fees. In accordance with EU-wide data protection laws, such as the GDPR, processing of payment data must ensure confidentiality, integrity, and secure handling, and it should only be used for the purposes of completing the transaction or complying with legal obligations.
- Audience Targeting: Audience targeting (also known as "Custom Audiences") refers to defining groups of users for advertising purposes, such as displaying tailored ads. For example, a user's interest in certain products or topics online may indicate that they are likely to be interested in advertisements for similar products or the online shop where they viewed those products. "Lookalike Audiences" (or similar audiences) refer to users whose profiles or interests are presumed to resemble those of the original audience used to create the custom audience. Typically, cookies and web beacons are used to create Custom and Lookalike Audiences. Under the GDPR, users must be informed about such processing and, where required, provide consent before such tracking or profiling occurs. Data collected for audience targeting should be minimized, anonymized where possible, and handled in compliance with EU privacy standards.
