Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to simply as "data") that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both within the scope of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").

The terms used are not gender-specific.

Last updated: March 24, 2025

Created with the Datenschutz-Generator.de by Dr. Thomas Schwenke

Table of Contents

Controller

Lucid Page Media
(an imprint of Orbita Media GmbH)
Ericusspitze 4
20457 Hamburg
Germany

Email: contact@lucidpagemedia.com
Legal Notice: https://lucidpagemedia.com/legal-notice

Overview of Processing

The following overview summarizes the types of data processed, the purposes of their processing, and the categories of data subjects.

Types of Data Processed

  • Inventory data.
  • Employee data.
  • Payment data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication, and procedural data.
  • Social data.
  • Applicant data.
  • Image and/or video recordings.
  • Contact information (Facebook).
  • Event data (Facebook).
  • Log data.
  • Performance and behavioral data.
  • Working hours data.
  • Creditworthiness data.
  • Salary data.

Special Categories of Data

  • Health data.
  • Trade union membership.

Categories of Data Subjects

  • Service recipients and clients.
  • Employees.
  • Interested parties.
  • Communication partners.
  • Users.
  • Applicants.
  • Contest and competition participants.
  • Business and contractual partners.
  • Participants.
  • Third parties.

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Reach measurement.
  • Tracking.
  • Office and organizational procedures.
  • Remarketing.
  • Conversion tracking.
  • Audience targeting.
  • Affiliate tracking.
  • Management and response to inquiries.
  • Application procedures.
  • Execution of contests and competitions.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Provision of our online offering and user-friendliness.
  • Assessment of creditworthiness.
  • Establishment and execution of employment relationships.
  • Information technology infrastructure.
  • Financial and payment management.
  • Public relations.
  • Sales promotion.
  • Business processes and economic procedures.

Relevant Legal Bases

Relevant legal bases under the GDPR: The following provides an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. If more specific legal bases are relevant in individual cases, we will inform you of these in this privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given consent to the processing of personal data concerning them for one or more specific purposes.
  • Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data.
  • Application procedure as a pre-contractual or contractual relationship (Art. 6 para. 1 sentence 1 lit. b) GDPR) – If special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g., health data such as disability status or ethnic origin) are requested from applicants as part of the application process, so that the controller or the data subject can exercise rights arising from labor law and the law on social security and social protection and comply with their corresponding obligations, their processing is based on Art. 9 para. 2 lit. b GDPR. In cases involving the protection of vital interests of applicants or other persons, processing is based on Art. 9 para. 2 lit. c GDPR. For purposes of preventive or occupational medicine, assessment of the employee's working capacity, medical diagnosis, health or social care or treatment, or the management of health or social care systems and services, processing is based on Art. 9 para. 2 lit. h GDPR. In the case of voluntary disclosure based on consent, processing is based on Art. 9 para. 2 lit. a GDPR.
  • Processing of special categories of personal data related to healthcare, employment, and social security (Art. 9 para. 2 lit. h) GDPR) – Processing is necessary for the purposes of preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services based on Union law or the law of a Member State or pursuant to a contract with a health professional.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection laws apply in Germany. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which contains specific regulations on the right to access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and data transmission, as well as automated individual decision-making including profiling. Furthermore, data protection laws of individual German federal states may also apply.

Relevant legal bases under the Swiss Federal Act on Data Protection (FADP): If you are located in Switzerland, we process your data based on the Swiss Federal Act on Data Protection (referred to as the “Swiss FADP”, effective from September 1, 2023). This also applies if our processing otherwise affects you in Switzerland and you are a data subject under this regulation. Unlike the GDPR, the Swiss FADP generally does not require a legal basis to be cited for processing personal data. We process data only if the processing is carried out in good faith, is lawful, and proportionate (Art. 6 paras. 1 and 2 of the Swiss FADP). Furthermore, we only collect personal data for a specific, recognizable purpose for the data subject, and we only process it in a manner compatible with that purpose (Art. 6 para. 3 of the Swiss FADP).

Notice on the applicability of GDPR and Swiss FADP: This privacy notice is intended to provide information in accordance with both the Swiss Federal Act on Data Protection (Swiss FADP) and the EU General Data Protection Regulation (GDPR). Therefore, please note that, for broader territorial applicability and easier understanding, we use the terminology of the GDPR. In particular, instead of the terms “processing” of “personal data,” “overriding interest,” and “sensitive personal data” used in the Swiss FADP, we refer to “processing” of “personal data,” “legitimate interest,” and “special categories of data” as used in the GDPR. However, the legal meaning of these terms shall still be interpreted according to the Swiss FADP where applicable.

Security Measures

We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access, input, transmission, availability, and separation of the data itself. In addition, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data threats. Furthermore, we consider the protection of personal data during the development or selection of hardware, software, and procedures in accordance with the principle of data protection by design and by default.

Securing online connections via TLS/SSL encryption technology (HTTPS): To protect the data of users transmitted via our online services against unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transferred between the website or app and the user's browser (or between two servers), ensuring the data is protected from unauthorized access. TLS, being the more advanced and secure version of SSL, guarantees that all data transmissions meet the highest security standards. A website secured by an SSL/TLS certificate is indicated by the display of HTTPS in the URL. This serves as a signal to users that their data is being transmitted securely and encrypted.

Transfer of Personal Data

As part of our processing of personal data, it may happen that data is transferred to or disclosed to other entities, companies, legally independent units, or individuals. Recipients of such data may include service providers tasked with IT responsibilities or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, enter into appropriate agreements or contracts with the recipients of your data to protect your personal data.

Data transfers within the corporate group: We may transfer personal data to other companies within our corporate group or grant them access to such data. If this transfer is for administrative purposes, it is based on our legitimate business and organizational interests or is necessary to fulfill contractual obligations, or if there is consent from the data subjects or a legal authorization exists.

Publishing Distribution: To fulfill our contractual obligations in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR, we transfer your data to the service provider "Die Werkstatt Verlagsauslieferung GmbH", which is responsible for order management, invoicing, accounting, inventory management, and delivery.

International Data Transfers

Data Processing in Third Countries: If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)), or if processing takes place in the context of using third-party services or disclosure or transfer of data to other persons, entities, or companies, this will only occur in accordance with legal requirements. If the data protection level in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers take place only if the data protection level is otherwise guaranteed, in particular through standard contractual clauses (Art. 46 para. 2 lit. c GDPR), explicit consent, or in the case of contractual or legally required transfers (Art. 49 para. 1 GDPR). In addition, we will inform you of the specific legal basis for data transfers to third countries for each respective provider, giving precedence to adequacy decisions. Information on third-country transfers and existing adequacy decisions can be found on the EU Commission’s website: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

EU-US Trans-Atlantic Data Privacy Framework: Under the so-called "Data Privacy Framework" (DPF), the EU Commission has recognized the data protection level as adequate for certain U.S. companies by way of an adequacy decision dated July 10, 2023. A list of certified companies as well as further information about the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English). Within this privacy notice, we inform you which service providers we use are certified under the Data Privacy Framework.

Disclosure of Personal Data Abroad (Switzerland): According to the Swiss Federal Act on Data Protection (FADP), we only disclose personal data abroad if adequate protection for the data subjects is ensured (Art. 16 Swiss FADP). If the Swiss Federal Council has not determined an adequate level of protection (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we implement alternative safeguards. These may include international treaties, specific guarantees, contractual data protection clauses, standard data protection clauses approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC), or binding corporate rules recognized in advance by the FDPIC or a competent foreign data protection authority.

According to Art. 16 of the Swiss FADP, exceptions for the disclosure of data abroad are permitted under certain conditions, including the data subject’s consent, contract performance, public interest, protection of life or physical integrity, publicly disclosed data, or data from a register that is legally intended to be accessible. Such disclosures are always made in compliance with the legal requirements.

Storage and Deletion of Data

We delete personal data we process in accordance with legal requirements as soon as the underlying consents are revoked or no other legal grounds for processing exist. This applies in cases where the original purpose for processing no longer applies or the data is no longer needed. Exceptions apply where legal obligations or legitimate interests require longer retention or archiving.

In particular, data that must be retained for commercial or tax reasons or that is necessary for legal prosecution or the protection of the rights of other natural or legal persons must be archived accordingly.

Our privacy notices include additional information on the retention and deletion of data that applies specifically to individual processing operations. In the case of multiple retention periods or deletion deadlines, the longest period shall always prevail. If a deadline is not explicitly tied to a specific date and is at least one year long, it will begin automatically at the end of the calendar year in which the event triggering the deadline occurred.

Data that is no longer retained for the original purpose, but instead due to legal regulations or other reasons, will only be processed for the purpose that justifies its continued storage.

Further Information on Processing, Procedures, and Services:

  • Storage and Deletion of Data (Germany): The following general retention and archiving periods apply under German law:
    • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as all necessary instructions and organizational documents, accounting records, and invoices (§ 147 para. 3 in conjunction with para. 1 nos. 1, 4, and 4a AO, § 14b para. 1 UStG, § 257 para. 1 nos. 1 and 4, para. 4 HGB).
    • 6 years – Other business documents: received commercial or business letters, copies of sent commercial or business letters, and other documents relevant for taxation, e.g., time sheets, cost accounting forms, calculation documents, price tags, and also payroll documents, if they are not already accounting records, and cash register strips (§ 147 para. 3 in conjunction with para. 1 nos. 2, 3, 5 AO, § 257 para. 1 nos. 2 and 3, para. 4 HGB).
    • 3 years – Data required for consideration of potential warranty and damage claims or similar contractual claims and rights, including related inquiries, based on past business experience and standard industry practice, will be stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).
  • Storage and Deletion of Data (Switzerland): The following general retention and archiving periods apply under Swiss law:

    • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting records and invoices, and all necessary instructions and organizational documents (Art. 958f of the Swiss Code of Obligations (CO)).

    • 10 years – Data required to consider potential damage claims or similar contractual claims and rights, including related inquiries, based on past business experience and industry standards, is stored for the duration of the statutory limitation period of ten years, unless a shorter five-year period applies, which is relevant in certain cases (Art. 127, 130 CO). Claims related to rent, lease, interest, and other periodic payments, food delivery, catering, inn debts, manual labor, small retail sales, medical care, services by lawyers, agents, notaries, and employment contracts expire after five years (Art. 128 CO).

Rights of Data Subjects

Rights of Data Subjects under the GDPR: As a data subject, you have various rights under the GDPR, particularly those outlined in Articles 15 to 21 of the GDPR:

  • Right to Object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to such processing; this includes profiling to the extent that it is related to such direct marketing.
  • Right to Withdraw Consent: You have the right to withdraw your previously given consent at any time.
  • Right of Access: You have the right to request confirmation as to whether personal data concerning you is being processed, and, where that is the case, access to such data and further information, including a copy of the data, in accordance with legal requirements.
  • Right to Rectification: You have the right to request the completion or correction of your data as required by law.
  • Right to Erasure and Restriction of Processing: You have the right to request the immediate deletion of your personal data or, alternatively, the restriction of its processing as permitted by law.
  • Right to Data Portability: You have the right to receive personal data that you have provided to us in a structured, commonly used, and machine-readable format and to request its transfer to another controller, as legally required.
  • Right to Lodge a Complaint with a Supervisory Authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.

Rights of Data Subjects under the Swiss FADP:

As a data subject under the Swiss Federal Act on Data Protection (FADP), you are entitled to the following rights:

  • Right of Access: You have the right to request confirmation as to whether personal data concerning you is being processed and to receive the information necessary to exercise your rights under this law and ensure transparent data processing.
  • Right to Data Disclosure or Transfer: You have the right to request the disclosure of your personal data that you have provided to us in a commonly used electronic format.
  • Right to Rectification: You have the right to request the correction of inaccurate personal data concerning you.
  • Right to Object, Deletion, and Destruction: You have the right to object to the processing of your data and to request that personal data concerning you be deleted or destroyed.

Business Services

We process data from our contractual and business partners – e.g., customers and prospects (collectively referred to as "contractual partners") – as part of contractual and comparable legal relationships and related measures, as well as for communication with contractual partners (including pre-contractual), for example to respond to inquiries.

We use this data to fulfill our contractual obligations. This includes the obligation to provide agreed services, fulfill any update duties, and provide remedies in case of warranty or other performance issues. We also use the data to assert our rights and for administrative purposes related to these obligations as well as corporate organization. Furthermore, we process the data based on our legitimate interests in the proper and economically efficient management of our business and in security measures to protect our contractual partners and operations from misuse, data breaches, and threats to confidential information and rights (e.g., by involving telecommunications, logistics and support services, subcontractors, banks, tax and legal advisors, payment processors, or tax authorities). Within the scope of applicable law, we only disclose contractual partner data to third parties to the extent necessary for the above-mentioned purposes or to comply with legal obligations. Further processing for marketing purposes, for example, is explained separately in this privacy policy.

We inform contractual partners in advance or during data collection (e.g., via online forms, color codes, symbols such as asterisks, or in person) which data is required for the purposes described above.

We delete data after expiration of statutory warranty or comparable obligations, generally after four years, unless the data is stored in a customer account (e.g., for legal archiving requirements, such as for tax purposes, usually ten years). Data disclosed to us in the context of a contract is deleted in accordance with the contractual agreement and, in general, after completion of the contract.

  • Types of Data Processed: Inventory data (e.g., full name, home address, contact details, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers); Contract data (e.g., contract subject, duration, customer category); Usage data (e.g., page views and time spent, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, IDs, involved persons); Employee data (e.g., information about staff and others in an employment relationship, including personal IDs, salary data, working hours, health data, etc.).
  • Data Subjects: Service recipients and clients; Prospective clients; Business and contractual partners; Employees (e.g., staff, applicants, temporary workers, and other personnel).
  • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Security measures; Communication; Office and organizational procedures; Management and response to inquiries; Conversion tracking (measurement of the effectiveness of marketing activities); Profiles containing user-related information (creation of user profiles).
  • Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing, procedures, and services:

  • Customer Account: Customers may create an account within our online offering (e.g., customer or user account, hereinafter referred to as "customer account"). If registration is required, customers will be informed accordingly, as well as about the required information. Customer accounts are private and not indexed by search engines. During registration and subsequent logins or use of the account, we store customers’ IP addresses and access times to verify the registration and prevent misuse. If the account is terminated, its data will be deleted unless it is retained for purposes other than the provision within the customer account or must be retained for legal reasons (e.g., internal storage of customer data, order history, or invoices). Customers are responsible for backing up their data upon account termination; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Wishlist / Favorites List: Customers may create a product/wishlist. In this case, the selected items will be stored to fulfill our contractual obligations until the account is deleted, unless the items are removed by the customer or we explicitly notify the customer of different retention periods; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Loyalty Program / Customer Card: We process customer data in the context of our loyalty program to fulfill the services provided to participating customers. To this end, the information collected from customers is stored in a customer profile, including data marked as required. This profile may also include usage information of the loyalty program and use of related benefits and services, and – if necessary for the stated purposes – shared with third parties (e.g., service providers). Customer profiles are deleted after participation ends and only archived if required for legal retention or to fulfill legal (up to 11 years for tax records from the end of the calendar year of origin) or contractual claims (up to three years from the end of the calendar year of termination); Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Business Analysis and Market Research: For business management purposes and to recognize market trends and customer preferences, we analyze the available data related to business processes, contracts, inquiries, etc. Data subjects may include contractual partners, prospects, customers, visitors, and users of our online offering. The analyses serve our internal evaluations, marketing, and market research (e.g., to identify customer segments with varying characteristics). If applicable, we include registered user profiles and their data. Analyses are used internally and not shared externally unless in anonymized, aggregated form. We respect user privacy by using pseudonymization or anonymization wherever possible; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Online Shop, Order Forms, E-Commerce, and Delivery: We process customer data to allow them to select, purchase, and order products or services, including payment and delivery. We engage service providers such as postal, logistics, and shipping companies as needed to fulfill deliveries. We also use banks and payment service providers for payment processing. Required fields are marked during checkout and include data needed for delivery, availability, invoicing, and contact for clarification purposes; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Personnel Services: We process the data of our clients and candidates (collectively referred to as "clients") to provide personnel services including recruitment, personnel development, and payroll. Required data is identified during onboarding and includes all necessary information for service delivery and billing, as well as contact details for clarification. If we receive access to information about end clients, employees, or other individuals, we process such data in accordance with legal and contractual obligations; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Agency Services: We process the data of our clients in the context of our contractual services, which may include conceptual and strategic consulting, campaign planning, software and design development or maintenance, campaign execution, project management, server administration, data analysis/advisory services, and training; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Coaching: We process the data of our clients, prospects, and other commissioning parties (collectively referred to as "clients") to provide coaching services. This includes contacting and communicating with clients, needs analysis, planning and conducting sessions, documentation of progress, managing client-specific data, scheduling, providing materials, billing, follow-up, and quality assurance/feedback processes.
    The type, scope, purpose, and necessity of processing are determined by the underlying contract and client relationship.
    Where necessary for contract fulfillment, the protection of vital interests, compliance with legal obligations, or with client consent, we may disclose or transfer client data to third parties or subcontractors (e.g., authorities, billing agencies, IT or office service providers), in accordance with professional regulations; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Consulting: We process the data of our clients, prospects, and other commissioning parties or contractual partners (collectively referred to as "clients") in order to provide them with our consulting services. The processes involved in and necessary for consulting services include: contacting and communicating with clients, conducting needs and requirements analyses, planning and implementation of consulting projects, documentation of project progress and results, recording and managing client-specific information and data, scheduling and organization, provision of consulting materials and resources, billing and payment management, follow-up on consulting projects, and quality assurance and feedback processes. The nature, scope, purpose, and necessity of the data processing are determined by the underlying contractual and client relationship.

    Where necessary for contract performance, protection of vital interests, legal compliance, or based on client consent, we may disclose or transfer client data in compliance with professional regulations to third parties or service providers such as authorities, subcontractors, or IT, office, or similar service providers; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Marketing Services: We process the data of our customers and commissioning parties (hereinafter collectively referred to as "customers") to provide marketing services such as market research, advertising campaigns, content creation, and social media management. Required information is marked as such during the commissioning process and includes the data needed for service delivery and billing, as well as contact details for potential follow-up. If we gain access to information about end customers, employees, or other individuals, we process this data in accordance with legal and contractual requirements; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Artistic and Literary Services: We process the data of our clients to enable them to select, purchase, or commission chosen services or works and any associated activities, as well as payment and delivery or performance.

    Required data is marked as such during the ordering, commissioning, or equivalent contractual process and includes the information necessary for delivery and invoicing, as well as contact information for clarifications; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Online Courses and Trainings: We process the data of participants in our online courses and trainings (collectively referred to as "participants") to deliver our educational services. The nature, scope, purpose, and necessity of the data processed are determined by the underlying contractual relationship. Typically, the data includes information about the courses and services used, as well as personal input and results of participants where part of the service offering. Processing may also include performance evaluation, assessment of our own services and those of the instructors, attendance tracking, progress monitoring (e.g., through test results), and analysis of interactions within learning platforms such as forum posts or assignment submissions; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Use of Online Platforms for Offering and Sales Purposes

We offer our services on online platforms operated by other service providers. In this context, in addition to our own privacy policy, the privacy policies of the respective platforms also apply. This is especially relevant regarding payment processing and procedures used on those platforms for reach measurement and interest-based marketing.

  • Types of Data Processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers); Contract data (e.g., contract subject, duration, customer category); Usage data (e.g., page views and session duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identifiers, involved persons).
  • Data Subjects: Service recipients and clients.
  • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations. Marketing.
  • Legal Basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Information on Processing Operations, Procedures, and Services:

  • Amazon: Online marketplace for e-commerce; Provider: Amazon EU S.à r.l. (Société à responsabilité limitée), 38 avenue John F. Kennedy, L-1855 Luxembourg; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.amazon.de/; Privacy Policy: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010. Legal Basis for Data Transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Luxembourg).
  • Shopify: Platform used to offer and conduct e-commerce services. Services and associated processes include, in particular, online shops, websites, offerings and content, community features, purchase and payment processing, customer communication, as well as analytics and marketing; Provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.shopify.com/de/; Privacy Policy: https://www.shopify.com/de/legal/datenschutz. Legal Basis for Data Transfers: Switzerland – Adequacy Decision (Ireland).

Providers and Services Used in the Course of Business

In the course of our business operations, we use additional services, platforms, interfaces, or plug-ins from third-party providers (collectively referred to as "services") in accordance with legal requirements. Their use is based on our legitimate interest in the proper, lawful, and economically efficient operation of our business and internal organization.

  • Types of Data Processed: Inventory data (e.g., full name, residential address, contact details, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or visual messages and posts, including related metadata such as authorship or creation time); Contract data (e.g., contract subject, duration, customer category).
  • Data Subjects: Service recipients and clients; Prospects; Users (e.g., website visitors, users of online services); Business and contractual partners.
  • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Office and organizational procedures.
  • Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Information on Processing Operations, Procedures, and Services:

  • sevDesk: Online software for invoicing, accounting, banking, and tax filing with document storage; Provider: sevDesk GmbH, Hauptstraße 115, 77652 Offenburg, Germany; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://sevdesk.de/; Privacy Policy: https://sevdesk.de/datenschutz/; Data Processing Agreement: https://sevdesk.de/datenschutz/. Legal Basis for Data Transfers: Switzerland – Adequacy Decision (Germany).
  • Typeform: Creation of forms, surveys, and management of participant responses; Provider: TYPEFORM SL, Carrer Bac de Roda, 163, local, 08018 - Barcelona, Spain; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.typeform.com/; Privacy Policy: https://admin.typeform.com/to/dwk6gt/; Data Processing Agreement: https://admin.typeform.com/to/dwk6gt/. Legal Basis for Data Transfers: Switzerland – Adequacy Decision (Spain).

Payment Processing

In the context of contractual or other legal relationships, legal obligations, or based on our legitimate interests, we offer data subjects efficient and secure payment options. For this purpose, we use banks and credit institutions as well as other service providers (collectively referred to as "payment service providers").

The data processed by the payment service providers includes inventory data such as name and address, bank details (e.g., account or credit card numbers), passwords, TANs, and verification codes, as well as contract-related, transaction-related, and recipient-related information. These details are necessary for processing the transaction. However, entered data is only processed and stored by the payment service providers. That is, we do not receive account or credit card information, but only confirmation or rejection of the payment. In some cases, the payment service providers may transmit data to credit agencies for identity and credit checks. For further information, we refer you to the terms and privacy policies of the respective payment service providers.

The terms and conditions and privacy policies of the respective payment service providers apply to all payment transactions. These can be accessed on their websites or transaction applications. We also refer you to these for additional information and to exercise your rights to withdraw consent, request access, or assert other data subject rights.

  • Types of Data Processed: Inventory data (e.g., full name, residential address, contact details, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contract data (e.g., contract subject, duration, customer category); Usage data (e.g., page views and session duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identifiers, involved persons); Contact data (e.g., postal and email addresses or phone numbers).
  • Data Subjects: Service recipients and clients; Prospects.
  • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations.
  • Legal Basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further Information on Processing Operations, Procedures, and Services:

  • Amazon Payments: Payment services (technical integration of online payment methods); Service provider: Amazon Payments Europe S.C.A. 38 avenue J.F. Kennedy, L-1855 Luxembourg; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); Website: https://pay.amazon.de/; Privacy Policy: https://pay.amazon.de/help/201212490. Basis for third-country transfers: Switzerland - Adequacy decision (Luxembourg).
  • American Express: Payment services (technical integration of online payment methods); Service provider: American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); Website: https://www.americanexpress.com/de/; Privacy Policy: https://www.americanexpress.com/de-de/firma/legal/datenschutz-center/online-datenschutzerklarung/. Basis for third-country transfers: Switzerland - Adequacy decision (Germany).
  • Apple Pay: Payment services (technical integration of online payment methods); Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); Website: https://www.apple.com/de/apple-pay/; Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.
  • Giropay: Payment services (technical integration of online payment methods); Service provider: giropay GmbH, An der Welle 4, 60322 Frankfurt, Germany; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); Website: https://www.giropay.de; Privacy Policy: https://www.giropay.de/rechtliches/datenschutzerklaerung/. Basis for third-country transfers: Switzerland - Adequacy decision (Germany).
  • Google Pay: Payment services (technical integration of online payment methods); Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); Website: https://pay.google.com/intl/de_de/about/; Privacy Policy: https://policies.google.com/privacy. Basis for third-country transfers: Switzerland - Adequacy decision (Ireland).
  • Klarna: Payment services (technical integration of online payment methods); Service provider: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); Website: https://www.klarna.com/de; Privacy Policy: https://www.klarna.com/de/datenschutz. Basis for third-country transfers: Switzerland - Adequacy decision (Sweden).
  • Mastercard: Payment services (technical integration of online payment methods); Service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); Website: https://www.mastercard.de/de-de.html; Privacy Policy: https://www.mastercard.de/de-de/datenschutz.html. Basis for third-country transfers: Switzerland - Adequacy decision (Belgium).
  • PayPal: Payment services (technical integration of online payment methods) (e.g. PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); Website: https://www.paypal.com/de; Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full. Basis for third-country transfers: Switzerland - Adequacy decision (Luxembourg).
  • Shop Pay (Shopify): Payment services (technical integration of online payment methods); Service provider: Shopify International Limited, Victoria Buildings, 2nd floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); Website: https://www.shopify.de; Privacy Policy: https://www.shopify.de/legal/datenschutz. Basis for third-country transfers: Switzerland - Adequacy decision (Ireland).
  • Visa: Payment services (technical integration of online payment methods); Service provider: Visa Europe Services Inc., UK Branch, 1 Sheldon Square, London W2 6TT, UK; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); Website: https://www.visa.de; Privacy Policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html. Basis for third-country transfers: EU/EEA - Adequacy decision (UK), Switzerland - Adequacy decision (UK).

Provision of Online Services and Web Hosting

We process users' data in order to provide our online services. For this purpose, we process the user's IP address, which is necessary to deliver the content and functions of our online services to the user's browser or device.

  • Types of data processed: Usage data (e.g. page views and duration of visit, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, involved individuals). Content data (e.g. text or image messages and contributions, and related metadata such as author information or creation time).
  • Data subjects: Users (e.g. website visitors, users of online services). Business and contractual partners.
  • Purposes of processing: Provision of our online offering and user-friendliness; IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); Security measures; Office and organizational procedures.
  • Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Additional information on processing activities, procedures, and services:

  • Hosting of Online Services on Rented Storage Space: We use rented storage space, computing capacity, and software from appropriate server providers (also referred to as "web hosts") to provide our online services; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
  • Collection of Access Data and Log Files: Access to our online services is logged in the form of so-called "server log files". These may include the address and name of accessed web pages and files, date and time of access, data volume transferred, success status of access, browser type and version, the user's operating system, referrer URL (previously visited page), IP addresses, and the requesting provider. Log files are used to ensure security (e.g. to avoid server overload from abusive attacks like DDoS) and to maintain server load and stability; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR). Data Deletion: Log file information is stored for up to 30 days and then deleted or anonymized. Data required for evidence purposes is excluded from deletion until the respective incident is fully resolved.
  • Content Delivery Network (CDN): We use a CDN to deliver content (especially large media files like images or scripts) more securely and quickly via regionally distributed and internet-connected servers; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
  • ALL-INKL: IT infrastructure and related services (e.g. storage and computing capacity); Provider: ALL-INKL.COM - Neue Medien Münnich, Owner: René Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://all-inkl.com; Privacy Policy: https://all-inkl.com/datenschutzinformationen/; Data Processing Agreement: Provided by the provider. Third Country Transfer Basis: Switzerland – Adequacy Decision (Germany).
  • Webflow: Creation, management, and hosting of websites, forms, and other web elements; Provider: Webflow, Inc., 398 11th St., Floor 2, 94103 San Francisco, USA; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://webflow.com; Privacy Policy: https://webflow.com/legal/eu-privacy-policy; Data Processing Agreement: https://webflow.com/legal/dpa; Third Country Transfer Basis: EU/EEA – Data Privacy Framework (DPF), Switzerland – Standard Contractual Clauses (link).
  • bunny.net: Content Delivery Network (CDN) for secure and fast delivery of content via distributed servers; Provider: BUNNYWAY d.o.o., Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://bunny.net; Privacy Policy: https://bunny.net/privacy/; Third Country Transfer Basis: Switzerland – Adequacy Decision (Slovenia).

Use of Cookies

Cookies are small text files or other storage markers that store and retrieve information on end devices. For example, to store login status, shopping cart contents, accessed content, or used functions. Cookies can also be used for functionality, security, convenience, and analytics of user behavior.

Consent Notice: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users unless not required by law. Consent is not necessary when storage and access (including cookies) are essential to provide the explicitly requested service. Consent is clearly communicated and includes information about cookie usage.

Legal Basis: The legal basis depends on whether we request user consent. If accepted, data is processed on that basis. Otherwise, cookies are used based on our legitimate interests (e.g. online service operation, usability improvements), or, if necessary, to fulfill contractual obligations. Specific purposes are explained in this policy or during consent processes.

Storage Duration: The following cookie types are distinguished:

  • Temporary Cookies (Session Cookies): Deleted after the user leaves the service or closes the device/browser.
  • Permanent Cookies: Remain stored after closing the browser. For example, login status and preferences are retained. Unless stated otherwise, users can assume cookies are permanent and may be stored for up to two years.

General Opt-Out & Withdrawal Notice: Users can withdraw consent at any time and object to processing in accordance with legal requirements, e.g. via their browser privacy settings.

  • Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).

Additional Information on Processing Activities:

Cookie Settings
  • Processing of cookie data based on consent: We use a consent management solution to obtain user consent for the use of cookies or for the procedures and providers mentioned in the consent management system. This procedure serves to collect, record, manage and revoke consents, especially in connection with cookies and similar technologies used to store, read and process information on users' devices. As part of this procedure, users’ consents for the use of cookies and related information processing — including the specific processes and providers named within the consent system — are collected. Users also have the option to manage and revoke their consent. Consent declarations are stored to avoid repeat requests and to provide proof of consent as required by law. Storage takes place server-side and/or in a cookie (so-called opt-in cookie) or through comparable technologies to associate the consent with a specific user or device. Unless specific details are given about consent management providers, the following general notes apply: the duration of consent storage is up to two years. A pseudonymous user identifier is created, stored together with the time of consent, details on the scope of the consent (e.g., categories of cookies and/or providers), and information about the browser, system, and device used; Legal basis: Consent (Art. 6(1)(1)(a) GDPR).

Registration, login and user account

Users can create a user account. During registration, the required mandatory information will be communicated to the users and processed for the purpose of providing the user account based on contractual obligations. The data processed includes login information (username, password, and an email address).

As part of the use of our registration and login functions and the use of the user account, we store the IP address and the time of each user action. This storage is based on our legitimate interests as well as those of the users in protecting against abuse and other unauthorized use. This data is not shared with third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.

Users may be informed via email about events relevant to their user account, such as technical changes.

  • Types of data processed: Inventory data (e.g., full name, home address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or visual messages and posts as well as related information such as authorship or creation time). Metadata, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Performance of contractual services and fulfillment of contractual obligations; security measures; administration and response to inquiries; provision of our online offering and user-friendliness.
  • Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); Legitimate interests (Art. 6(1)(1)(f) GDPR).

Additional information on processing operations, procedures and services:

  • Deletion of data after termination: When users terminate their account, their data will be deleted with regard to the user account, unless there is a legal permission, obligation or consent by the user to retain it; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR).
  • No obligation to retain data: It is the responsibility of users to back up their data before the end of the contract. We are entitled to irretrievably delete all data stored during the contract period; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR).

Contact and inquiry management

When contacting us (e.g., by post, contact form, email, phone or via social media), as well as in the context of existing user and business relationships, the details of the inquiring persons are processed to the extent necessary to respond to the contact inquiries and any requested actions.

  • Types of data processed: Contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or visual messages and posts, including related metadata such as authorship or creation timestamp); usage data (e.g., page views, time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); metadata, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Data subjects: Communication partners.
  • Purposes of processing: Communication; administration and response to inquiries; feedback (e.g., collecting feedback via online form); provision of our online offering and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR); Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR).

Additional information on processing operations, procedures and services:

  • Contact form: When users contact us via contact form, email or other communication channels, we process the data provided in that context to handle the respective inquiry; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Typeform: Creation of forms and surveys and management of participant responses; Service provider: TYPEFORM SL, Carrer Bac de Roda, 163, local, 08018 - Barcelona, Spain; Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://www.typeform.com/; Privacy Policy: https://admin.typeform.com/to/dwk6gt/; Data Processing Agreement: https://admin.typeform.com/to/dwk6gt/. Third country transfer basis: Switzerland – Adequacy Decision (Spain).

Newsletter and electronic notifications

We send newsletters, emails and other electronic notifications (hereinafter "newsletter") only with the consent of the recipients or based on a legal basis. If the contents of the newsletter are specified during registration, they are decisive for the user's consent. Normally, providing your email address is sufficient to register for our newsletter. However, to offer you a personalized service, we may ask for your name for a personal greeting or for additional information if necessary for the purpose of the newsletter.

Deletion and Restriction of Processing: We may retain unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, in order to prove that consent was previously given. The processing of these data is restricted to the purpose of potential defense against claims. An individual deletion request is possible at any time, provided that the previous existence of consent is confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist.

The logging of the registration process is carried out based on our legitimate interests to verify its proper execution. If we engage a service provider to send emails, this is done based on our legitimate interest in an efficient and secure mailing system.

Contents:

Information about us, our services, campaigns, and offers.

  • Processed data types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); metadata, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals). Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
  • Data subjects: Communication partners. Users (e.g., website visitors, users of online services).
  • Purposes of processing: Direct marketing (e.g., via email or postal mail); reach measurement (e.g., access statistics, recognition of returning visitors). Provision of contractual services and fulfillment of contractual obligations.
  • Legal bases: Consent (Art. 6(1)(1)(a) GDPR). Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Opt-out option: You can unsubscribe from our newsletter at any time, i.e., withdraw your consent or object to further receipt. A link to unsubscribe can be found at the end of each newsletter or you may otherwise use one of the contact options listed above, preferably email.

Additional information on processing operations, procedures, and services:

  • Measurement of open and click rates: The newsletters contain a so-called "web beacon", i.e., a pixel-sized file that is retrieved from our or, if we use a mailing service provider, its server when the newsletter is opened. During this retrieval, technical information such as browser data and your system, as well as your IP address and the time of retrieval, is collected. This information is used to improve our newsletter technically based on technical data or the target groups and their reading behavior determined by their retrieval locations (identifiable via IP address) or access times. This analysis also includes determining whether and when newsletters are opened and which links are clicked. The information is assigned to individual newsletter recipients and stored in their profiles until deletion. The evaluations serve to identify our users' reading habits and adapt our content to them or send different content according to users’ interests. Measuring open and click rates, storing the measurement results in users’ profiles, and further processing are based on user consent. A separate revocation of performance measurement is unfortunately not possible; in this case, the entire newsletter subscription must be canceled or objected to. In this case, stored profile information will be deleted; Legal basis: Consent (Art. 6(1)(1)(a) GDPR).
  • Condition for accessing free services: Consent to receive mailings may be a prerequisite for accessing free services (e.g., access to specific content or participation in specific campaigns). If users wish to access the free service without subscribing to the newsletter, we kindly ask you to contact us.
  • Reminder emails for incomplete orders: If users do not complete an order process, we may remind them via email and provide a link to continue the order. This feature may be useful if the order process was not completed due to a browser crash, mistake, or forgetfulness. Emails are sent based on user consent, which can be revoked at any time; Legal basis: Consent (Art. 6(1)(1)(a) GDPR).
  • Delivery via SMS: Electronic notifications may also be sent as SMS text messages (or exclusively via SMS if the consent only applies to SMS delivery); Legal basis: Consent (Art. 6(1)(1)(a) GDPR).
  • Brevo: Email delivery and automation services; Service provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://www.brevo.com/; Privacy Policy: https://www.brevo.com/legal/privacypolicy/; Data Processing Agreement: Provided by the service provider. Third-country transfer basis: Switzerland – Adequacy Decision (Germany).

Marketing Communication via Email, Post, Fax, or Phone

We process personal data for the purposes of marketing communication, which may be carried out through various channels, such as email, phone, postal mail, or fax, in accordance with legal regulations.

Recipients have the right to revoke previously given consents or to object to marketing communication at any time.

After revocation or objection, we store the data required to prove prior authorization to contact or send materials for up to three years after the end of the year of revocation or objection based on our legitimate interests. The processing of these data is limited to the purpose of potential defense against claims. Based on the legitimate interest of permanently honoring the revocation or objection, we also store the data necessary to avoid renewed contact (e.g., depending on the communication channel, the email address, phone number, name).

  • Processed data types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.). Contact data (e.g., postal and email addresses or phone numbers).
  • Data subjects: Communication partners.
  • Purposes of processing: Direct marketing (e.g., via email or postal mail).
  • Legal bases: Consent (Art. 6(1)(1)(a) GDPR). Legitimate interests (Art. 6(1)(1)(f) GDPR).

Contests and Sweepstakes

We process the personal data of participants in contests and sweepstakes only in accordance with applicable data protection laws, insofar as the processing is contractually required for providing, executing, and handling the contest, the participants have consented to the processing, or the processing serves our legitimate interests (e.g., the security of the contest or protecting our interests against misuse by possibly collecting IP addresses when entries are submitted).

If participants’ contributions are published as part of the contests (e.g., through voting or showcasing entries or winners, or reporting on the contest), we point out that participants’ names may also be published in this context. Participants may object at any time.

If the contest takes place on an online platform or social network (e.g., Facebook or Instagram, hereinafter referred to as "online platform"), the usage and privacy policies of the respective platforms also apply. In these cases, we point out that we are responsible for the information provided by participants in connection with the contest and that any inquiries regarding the contest should be directed to us.

The participants' data will be deleted once the contest or competition has ended and the data is no longer required to notify the winners or because no further inquiries about the contest are expected. As a rule, participants' data will be deleted no later than 6 months after the end of the contest. Winners' data may be retained for a longer period, e.g., to answer inquiries regarding the prizes or to fulfill the prize delivery; in this case, the retention period depends on the nature of the prize and may last up to three years for goods or services, e.g., to handle warranty claims. Furthermore, participants’ data may be retained for longer, e.g., in the context of reporting about the contest in online and offline media.

If data is collected for other purposes in connection with the contest, its processing and retention period are subject to the privacy information related to that usage (e.g., in the case of a newsletter registration within the contest).

  • Types of data processed: Inventory data (e.g., full name, home address, contact details, customer number, etc.); content data (e.g., text or image-based messages and contributions and associated metadata such as authorship or timestamps); meta, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Data subjects: Contest and competition participants.
  • Purposes of processing: Execution of contests and competitions.
  • Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR).

Surveys and Questionnaires

We conduct surveys and questionnaires to collect information for the purpose communicated in each case. The surveys and questionnaires we carry out (hereinafter "surveys") are evaluated anonymously. Personal data is processed only to the extent necessary to provide and technically carry out the surveys (e.g., processing IP addresses to display the survey in the user’s browser or to allow resumption via cookie).

  • Types of data processed: Contact data (e.g., postal and email addresses, phone numbers); content data (e.g., text or image-based messages and contributions and related metadata such as authorship or timestamps); usage data (e.g., page views, dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features); meta, communication and procedural data (e.g., IP addresses, timestamps, IDs, involved persons).
  • Data subjects: Communication partners, participants.
  • Purposes of processing: Feedback (e.g., collecting feedback via online form).
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

Web Analytics, Monitoring, and Optimization

Web analytics (also referred to as "reach measurement") is used to evaluate visitor traffic on our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, in the form of pseudonymous values. With reach analysis, we can, for example, identify when our online offer or its features or content are used most frequently, or invite repeated use. It also allows us to determine which areas require optimization.

In addition to web analytics, we may use testing procedures to test and optimize different versions of our online offer or its components.

Unless otherwise specified below, profiles may be created for these purposes, i.e., data combined into a usage process, and information may be stored in a browser or on a device and later read out. Collected information may include websites visited and elements used, as well as technical details such as the browser used, operating system, and usage times. If users have agreed to share their location data with us or the providers of services we use, location data may also be processed.

In addition, users' IP addresses are stored. However, we use IP masking (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear user data (such as email addresses or names) is stored during web analytics, A/B testing, or optimization procedures—only pseudonyms. This means that neither we nor the providers of the software used can identify users personally—only the data stored in their profiles for the respective procedure.

Legal basis information: If we ask users for their consent to use third-party services, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and recipient-friendly services). In this context, we also refer to the cookie usage information in this privacy policy.

  • Types of data processed: Usage data (e.g., page views, dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features); meta, communication and procedural data (e.g., IP addresses, timestamps, IDs, involved persons).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors); profiles with user-related information (creating user profiles); provision of our online offering and user-friendliness.
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Further information on processing operations, procedures and services:

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online offering based on a pseudonymous user identification number. This identification number does not contain any unique data such as names or email addresses. It serves to associate analytics information with a device to recognize which content users have accessed within one or multiple usage sessions, which search terms they used, whether they revisited the content, or interacted with our online offering. Furthermore, the time and duration of use as well as user sources referring to our online offering and technical aspects of their devices and browsers are stored.
    Pseudonymous profiles of users are created using cookies, which may combine data from multiple devices. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides general geographic location data by deriving the following metadata from IP addresses: city (and its corresponding latitude and longitude), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is only used to derive geolocation data before being immediately deleted. It is neither logged nor accessible nor used for any further purposes. When Google Analytics collects measurement data, all IP lookups for EU users are performed on EU-based servers before the data is forwarded to Analytics servers for processing.
    Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6 para. 1 sent. 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/en/about/analytics/; Security Measures: IP masking (pseudonymization of IP addresses); Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Third-Country Transfer Basis: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); Opt-out Options: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Ad display settings: https://myadcenter.google.com/personalizationoff. More Information: https://business.safety.google/adsservices/ (types of processing and processed data).

Online Marketing

We process personal data for the purposes of online marketing, which may include the marketing of advertising space or the display of promotional and other content (collectively referred to as "content") based on users' potential interests and the measurement of its effectiveness.

To this end, user profiles are created and stored in a file (known as a "cookie") or similar technologies are used, which store relevant user data for displaying the aforementioned content. This may include viewed content, visited websites, used online networks, as well as communication partners and technical details such as the browser used, operating system, usage times, and utilized features. If users have consented to the collection of their location data, this may also be processed.

Additionally, users’ IP addresses are stored. However, we use available IP masking methods (i.e., pseudonymization by shortening the IP address) for user protection. Generally, no clear user data (e.g., email addresses or names) is stored in online marketing processes, but rather pseudonyms. This means that neither we nor the providers of the online marketing tools know the users' actual identities—only the data stored in their profiles.

The information in profiles is typically stored in cookies or through similar technologies. These cookies may later be read across other websites using the same online marketing technology, analyzed for content display, supplemented with additional data, and stored on the servers of the online marketing provider.

In exceptional cases, it is possible to assign clear data to profiles—primarily when users are members of a social network that uses the online marketing tool and the network links user profiles with the data mentioned above. Please note that users may enter into additional agreements with providers, such as providing consent during registration.

We generally only receive aggregated information about the success of our advertisements. However, within the scope of so-called conversion tracking, we can determine which of our online marketing tools have led to a so-called conversion, i.e., a contract being concluded with us. Conversion tracking is used solely to analyze the success of our marketing efforts.

Unless otherwise stated, please assume that cookies used are stored for a period of two years.

Legal Basis Information: If we ask users for consent to use third-party providers, the legal basis for processing is that consent. Otherwise, users’ data is processed based on our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). In this context, please also refer to the cookie information provided in this privacy policy.

  • Types of Data Processed: Content data (e.g., textual or visual messages and posts as well as information related to them, such as authorship details or creation timestamp); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); Event Data (Facebook) ("Event Data" refers to information sent to Meta, e.g. via Meta Pixel (through apps or other channels), relating to individuals or their actions. This data may include website visits, interactions with content and functions, app installations, and product purchases. Event Data is processed for the purpose of creating audiences for content and advertising messages (Custom Audiences). It is important to note that Event Data does not include actual content such as written comments, login information, or contact details such as names, email addresses, or phone numbers. Event Data is deleted by Meta within a maximum of two years, and any resulting audiences are deleted when our Meta user accounts are removed.); Contact Information (Facebook) ("Contact Information" refers to data that clearly identifies individuals, such as names, email addresses, and phone numbers, which may be transmitted to Facebook, e.g. via Facebook Pixel or upload for the purpose of audience matching to create Custom Audiences; after audience matching, the contact information is deleted); Inventory data (e.g., full name, residential address, contact details, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Reach measurement (e.g., access statistics, detection of returning visitors); Tracking (e.g., interest-/behavior-based profiling, use of cookies); Conversion measurement (measuring the effectiveness of marketing activities); Audience creation; Marketing; Profiles with user-related information (creating user profiles); Provision of our online offering and user-friendliness; Remarketing; Affiliate tracking.
  • Security Measures: IP masking (pseudonymization of the IP address).
  • Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Opt-Out Options: Please refer to the privacy policies of the respective providers and the opt-out options provided by them. If no explicit opt-out option is provided, it is possible to disable cookies in your browser settings. However, this may restrict the functionality of our online services. We additionally recommend the following opt-out options offered for specific regions:

    a) Europe: https://www.youronlinechoices.eu
    b) Canada: https://www.youradchoices.ca/choices
    c) USA: https://www.aboutads.info/choices
    d) Cross-regional: https://optout.aboutads.info

Additional Notes on Processing Activities, Procedures, and Services:

  • Amazon: Marketing of advertising materials and ad spaces; Service provider: Amazon EU S.à r.l. (Société à responsabilité limitée), 38 avenue John F. Kennedy, L-1855 Luxembourg; Legal basis: Consent (Art. 6(1)(1)(a) GDPR); Website: https://www.amazon.de; Privacy policy: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010. Basis for third country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Luxembourg).
  • Meta Pixel and Audience Building (Custom Audiences): The Meta Pixel (or comparable functions, for transmitting event data or contact information via interfaces in apps) allows Meta to determine visitors of our online offering as a target group for displaying ads ("Meta Ads"). We use the Meta Pixel to ensure that our Meta Ads are shown only to users who have shown an interest in our online offer or who have certain characteristics (e.g., interest in specific topics or products identified via visited websites) which we transmit to Meta ("Custom Audiences"). The Meta Pixel also helps ensure that our ads are aligned with users' potential interests and do not appear intrusive. Additionally, the Meta Pixel allows us to measure the effectiveness of Meta Ads for statistical and market research purposes, by seeing whether users were redirected to our website after clicking a Meta Ad ("conversion tracking"); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(1)(a) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for third country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); Additional information: Event data, i.e. behavioral and interest-based data, is processed for targeted advertising and audience creation purposes based on the joint controller agreement ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). This joint responsibility is limited to data collection and transfer to Meta Platforms Ireland Limited, an EU-based company. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, especially regarding transfer to its parent company Meta Platforms, Inc. in the USA (based on standard contractual clauses between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Enhanced Matching for Meta Pixel: In addition to processing event data via Meta Pixel (or comparable functions in apps), contact information (personally identifiable data such as names, email addresses, and phone numbers) is collected or transmitted to Meta within our online offer. This data is used to build audiences ("Custom Audiences") for interest-based display of content and advertising. The collection or transmission and matching with data held by Meta does not occur in plain text but as so-called "hash values", i.e. mathematical representations of data (a method also used for storing passwords). After matching for audience building, the contact information is deleted; Legal basis: Consent (Art. 6(1)(1)(a) GDPR); Privacy policy: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for third country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Additional information: https://www.facebook.com/legal/terms/data_security_terms.
  • Meta – Audience Building via Data Upload: Audience building for marketing purposes – We transmit contact information (names, email addresses, and phone numbers) in list form to Meta to create audiences ("Custom Audiences") for interest-based display of content and advertisements. The transmission and matching with data held by Meta is done using hashed values (mathematical representations), not plain text. After the matching for audience creation, the contact information is deleted; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(1)(a) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing. Basis for third country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
  • Facebook Ads: Serving ads on the Facebook platform and evaluating ad performance; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(1)(a) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Basis for third country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); Opt-out options: We refer to the privacy and ad settings in the user's Facebook profile, as well as Facebook's consent procedures and contact options for asserting data subject rights, as outlined in Facebook’s privacy policy; Additional information: Event data, i.e. behavioral and interest-based data, is processed for targeted advertising and audience creation based on the joint controller agreement ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). This joint responsibility is limited to data collection and transfer to Meta Platforms Ireland Limited, an EU-based company. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, especially regarding transfer to its parent company Meta Platforms, Inc. in the USA (based on standard contractual clauses between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Google Ad Manager: We use the "Google Ad Manager" service to place ads within the Google advertising network (e.g., in search results, in videos, on websites, etc.). Google Ad Manager displays ads in real-time based on users' presumed interests. This allows us to show ads for our online offering to users who may have a potential interest in our offer or have previously shown such interest, and to measure the success of the ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 s. 1 lit. f) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Third country transfer basis: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); More information: Types of processing and processed data: https://business.safety.google/adsservices/; Data processing terms for Google advertising products: Information on controller-controller terms and standard contractual clauses for international data transfers: https://business.safety.google/adscontrollerterms. If Google acts as a processor: Data processing terms and standard contractual clauses for international data transfers: https://business.safety.google/adsprocessorterms.
  • Google Ads and Conversion Tracking: Online marketing method for placing content and ads within the service provider’s advertising network (e.g., in search results, in videos, on websites, etc.) to display them to users with a presumed interest in the ads. We also measure the conversions of the ads, i.e., whether users interact with them and use the advertised offers (so-called conversions). However, we only receive anonymized information and no personal data about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 s. 1 lit. a) GDPR), Legitimate interests (Art. 6 para. 1 s. 1 lit. f) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Third country transfer basis: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); More information: Types of processing and processed data: https://business.safety.google/adsservices/. Controller-controller data processing terms and standard contractual clauses for international data transfers: https://business.safety.google/adscontrollerterms.
  • Google Ads Remarketing: Google Remarketing, also known as retargeting, is a technology that adds users who visit an online service to a pseudonymous remarketing list so that they can be shown ads on other online offers based on their visit to the service; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 s. 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Third country transfer basis: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); More information: Types of processing and processed data: https://business.safety.google/adsservices/. Controller-controller data processing terms and standard contractual clauses for international data transfers: https://business.safety.google/adscontrollerterms.
  • Enhanced Conversions for Google Ads: When customers click on our Google ads and then use the advertised service (so-called "conversion"), the data entered by the user, such as email address, name, home address, or phone number, may be transmitted to Google. The hashed values are then matched with existing Google accounts to better evaluate and improve user interaction with the ads (e.g., clicks or views); Legal basis: Consent (Art. 6 para. 1 s. 1 lit. a) GDPR); Website: https://support.google.com/google-ads/answer/9888656.
  • Google Adsense with Personalized Ads: We integrate the Google Adsense service, which allows us to place personalized ads within our online offering. Google Adsense analyzes user behavior and uses this data to deliver targeted ads tailored to the interests of our visitors. We receive financial compensation for each ad served or other usage of these ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 s. 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Third country transfer basis: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); More information: Types of processing and processed data: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information on controller-controller terms and standard contractual clauses for international data transfers: https://business.safety.google/adscontrollerterms.
  • Instagram Ads: Placement of advertisements on the Instagram platform and analysis of ad results; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6 (1)(1)(a) GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy; Legal basis for third country transfer: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland); Opt-out option: Refer to Instagram's privacy and ad settings in user profiles as well as Instagram’s consent procedures and contact options to exercise access and other data subject rights in Instagram’s privacy policy; Additional Information: Event data (i.e., behavioral and interest information) is processed for targeted advertising and audience creation under the Joint Controller Agreement ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection and transfer of data to Meta Platforms Ireland Limited. Further data processing is the sole responsibility of Meta Platforms Ireland Limited, particularly the transfer to its parent company Meta Platforms, Inc. in the USA (based on standard contractual clauses between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • LinkedIn Insights Tag: Code that is triggered when a user visits our online offering, tracking their behavior and conversions, and saving it in a profile (possible uses: campaign performance measurement, ad delivery optimization, building custom and lookalike audiences); Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: Consent (Art. 6 (1)(1)(a) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy, Cookie Policy: https://www.linkedin.com/legal/cookie_policy; Data Processing Agreement: https://www.linkedin.com/legal/l/dpa; Legal basis for third country transfer: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland); Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • Microsoft Advertising: Online marketing methods for displaying content and ads within the provider’s advertising network (e.g., in search results, videos, websites), targeting users with presumed interest in the ads. We also measure ad conversions—whether users interacted with ads and used the advertised offers. However, we only receive anonymous information and no personal data on individual users; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: Consent (Art. 6 (1)(1)(a) GDPR), Legitimate Interests (Art. 6 (1)(1)(f) GDPR); Website: https://about.ads.microsoft.com/en-us; Privacy Policy: https://privacy.microsoft.com/en-us/privacystatement; Legal basis for third country transfer: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland); Opt-out option: https://account.microsoft.com/privacy/ad-settings/; More information: https://about.ads.microsoft.com/en-us/policies/legal-privacy-and-security.
  • TikTok Pixel: Code triggered when a user visits our online offering, tracking behavior and conversions and saving them in a profile (possible uses: campaign performance measurement, ad delivery optimization, creation of custom and similar audiences); Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Consent (Art. 6 (1)(1)(a) GDPR); Website: https://ads.tiktok.com/help/article/tiktok-pixel; Privacy Policy: https://www.tiktok.com/legal/privacy-policy.
  • TikTok Plugins and Content: TikTok plugins and content – including elements like images, videos, text, and buttons; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Legitimate Interests (Art. 6 (1)(1)(f) GDPR); Website: https://www.tiktok.com; Privacy Policy: https://www.tiktok.com/legal/privacy-policy?lang=en.
  • TikTok Ads: Placement of advertisements within the TikTok platform and analysis of ad results; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Consent (Art. 6 (1)(1)(a) GDPR); Website: https://www.tiktok.com/business/; Privacy Policy: https://www.tiktok.com/legal/privacy-policy.
  • TikTok: Social network / video platform; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Legitimate Interests (Art. 6 (1)(1)(f) GDPR); Website: https://www.tiktok.com; Privacy Policy: https://www.tiktok.com/legal/privacy-policy.
  • Pinterest Ads: Placement of ads on the Pinterest platform and analysis of ad results; Service provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland; Legal basis: Consent (Art. 6 (1)(1)(a) GDPR); Website: https://ads.pinterest.com/; Privacy Policy: https://policy.pinterest.com/en/privacy-policy; Legal basis for third country transfer: Switzerland – Adequacy Decision (Ireland); More information: Pinterest Data Sharing Addendum (APPENDIX A): https://business.pinterest.com/en/pinterest-advertising-services-agreement/.
  • Amazon Ads and Amazon Pixel: Code that is loaded when a user visits our online offering and tracks and stores the user’s behavior and conversions in a profile (possible uses: measuring campaign performance, optimizing ad delivery, building custom and lookalike audiences), as well as providing functionality to display personalized advertising based on interest- and behavior-based information, including demographic characteristics, interests, and browsing history stored in user profiles; Service provider: Amazon EU S.à r.l. (Société à responsabilité limitée), 38 avenue John F. Kennedy, L-1855 Luxembourg; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://advertising.amazon.com/; Privacy policy: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010; Basis for third country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy decision (Luxembourg). Further information: https://advertising.amazon.com/resources/ad-policy/eu-data-protection-and-privacy.
  • Amazon Affiliate Program: Affiliate partnership program (Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates); Service provider: Amazon EU S.à r.l. (Société à responsabilité limitée), 38 avenue John F. Kennedy, L-1855 Luxembourg; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.amazon.de; Privacy policy: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010; Basis for third country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy decision (Luxembourg).
  • Instagram: Social network; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy; Basis for third country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy decision (Ireland).
  • YouTube Videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy; Basis for third country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy decision (Ireland). Opt-out options: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad personalization settings: https://myadcenter.google.com/personalizationoff.
  • YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Privacy policy: https://policies.google.com/privacy; Basis for third country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy decision (Ireland). Opt-out option: https://myadcenter.google.com/personalizationoff.

Provision of an Affiliate Program

We offer an affiliate program, i.e., commissions or other benefits (collectively referred to as "commission") for users (referred to as "affiliates") who refer others to our offers and services. The referral is made using a link assigned to the respective affiliate or other methods (e.g., discount codes) that allow us to recognize that the use of our services was based on the referral (collectively referred to as "affiliate links").

In order to track whether users have accessed our services via affiliate links used by affiliates, it is necessary for us to know that users followed an affiliate link. The assignment of affiliate links to specific transactions or other use of our services serves solely the purpose of commission billing and is deleted as soon as it is no longer required for this purpose.

For the purposes of the aforementioned assignment of affiliate links, the links may be supplemented with certain values that are part of the link or stored elsewhere, e.g. in a cookie. These values may include in particular the originating website (referrer), the time, an online identifier of the operator of the website where the affiliate link was placed, an online identifier of the respective offer, the type of link used, the type of offer, and an online identifier of the user.

Legal basis information: The processing of our partners' data is carried out for the performance of our (pre-)contractual obligations. The users' data is processed based on their consent.

  • Types of data processed: Contract data (e.g. contract subject, term, customer category); usage data (e.g. page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta-, communication- and procedural data (e.g. IP addresses, timestamps, identification numbers, parties involved).
  • Data subjects: Users (e.g. website visitors, users of online services); business and contractual partners; service recipients and clients; prospects.
  • Purposes of processing: Performance of contractual services and fulfillment of contractual obligations; affiliate tracking; reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest/behavior-based profiling, use of cookies); remarketing; audience building; marketing; profiles with user-related information (creation of user profiles).
  • Legal bases: Consent (Art. 6(1)(1)(a) GDPR); performance of contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); legitimate interests (Art. 6(1)(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • Goaffpro: Affiliate marketing management, partner commissions, tracking referrals and sales, creation of affiliate links; Service provider: Goaffpro, 16 Sector 20 Part 1 HUDA, 125055 Sirsa, India; Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://goaffpro.com; Privacy Policy: https://goaffpro.com/policies/privacy.

Customer Reviews and Rating Procedures

We participate in review and rating procedures to evaluate, optimize, and promote our services. When users rate us or otherwise provide feedback via the participating review platforms or systems, the general terms and privacy policies of those providers also apply. As a rule, submitting a review also requires registration with the respective provider.

To ensure that the individuals providing reviews have actually used our services, we transmit the required customer and service-related data to the respective review platform with the customer's consent (including name, email address, and order or article number). This data is used solely for verifying the authenticity of the user.

  • Types of data processed: Contract data (e.g. contract subject, term, customer category); usage data (e.g. page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta-, communication- and procedural data (e.g. IP addresses, timestamps, identification numbers, parties involved).
  • Data subjects: Service recipients and clients; users (e.g. website visitors, users of online services).
  • Purposes of processing: Feedback (e.g. collection of feedback via online form); marketing.
  • Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • Review widget: We integrate so-called “review widgets” into our online offering. A widget is a functional and content element embedded in our online offering that displays dynamic information. It may be displayed, for example, as a badge or seal. While the widget content is displayed on our website, it is retrieved in real time from the provider’s server. This is the only way to always display the current content, especially the latest reviews. For this, a data connection is established from the accessed website to the widget provider's server, and the widget provider receives technical access data (including IP address) necessary for delivering the content to the user's browser. The widget provider also learns that users have visited our site. This information may be stored in a cookie and used to identify which online offerings participating in the review system were visited by the user. The data may be stored in a user profile and used for advertising or market research purposes; Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Google Customer Reviews: Service for collecting and/or displaying customer satisfaction and opinions; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://www.google.com/; Privacy Policy: https://policies.google.com/privacy; Third-country transfer basis: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); Additional information: When collecting customer reviews, an identification number and timestamp of the transaction to be reviewed, the customer’s email address (if the request is sent directly), country of residence, and the review content itself are processed; More information about types of processing and data: https://business.safety.google/adsservices/. Data processing terms for Google advertising products and controller-controller terms with SCCs: https://business.safety.google/adscontrollerterms.

Social Media Presences

We maintain online presences on social networks and process user data in this context to communicate with active users there or to offer information about us.

Please note that user data may be processed outside the European Union. This may pose risks to users, for example, by making it more difficult to enforce user rights.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and resulting interests. These profiles may in turn be used to display advertisements within and outside the networks that presumably match users' interests. Therefore, cookies are usually stored on users' devices in which the usage behavior and interests of the users are saved. Additionally, data may also be stored in the usage profiles independently of the devices used by the users (especially if they are members of the respective platforms and are logged in there).

For a detailed description of the respective types of processing and opt-out options, please refer to the privacy policies and statements provided by the operators of the respective networks.

Also, in the case of information requests and the exercise of data subject rights, we point out that these can be most effectively asserted with the respective providers. Only the providers have access to the user data and can directly take appropriate measures and provide information. If you still require assistance, you may contact us.

  • Types of data processed: Contact data (e.g. postal and email addresses or phone numbers); content data (e.g. text or image messages and posts as well as related information such as author details or timestamps); usage data (e.g. page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta-, communication- and procedural data (e.g. IP addresses, timestamps, identification numbers, parties involved).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Communication; feedback (e.g. collecting feedback via online form); marketing.
  • Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • Instagram: Social network; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy. Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland).
  • Facebook Pages: Profiles within the Facebook social network; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland); Further information: We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook Page ("Fanpage"). This includes information about content types users view or interact with, or actions taken by them (see "Things you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/policy), and information about devices used (e.g. IP addresses, operating system, browser type, language settings, cookie data; see "Device Information" in the Data Policy). As explained in the section “How do we use this information?” of the Data Policy, Facebook also collects and uses information to provide analytics services (“Page Insights”) to page operators to help them understand how people interact with their pages and content. We have a special agreement with Facebook ("Page Insights Controller Addendum", https://www.facebook.com/legal/terms/page_controller_addendum) outlining security measures and Facebook's commitment to honor data subject rights (e.g., users can contact Facebook directly for access or deletion requests). These rights (especially access, deletion, objection, and complaints to authorities) are not restricted by this agreement. Additional information is provided in the "Information about Page Insights Data" (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint responsibility is limited to collection and transmission of data to Meta Platforms Ireland Limited, an EU-based entity. Further processing, including transfer to Meta Platforms, Inc. in the USA, is the sole responsibility of Meta Platforms Ireland Limited.
  • LinkedIn: Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland); Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. Further information: We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not further processing) of visitor data used for generating “Page Insights” (statistics) for our LinkedIn profile. This includes data about content users view or interact with, actions taken, device data (e.g. IP addresses, OS, browser type, language settings, cookies), and user profile information like job title, country, industry, seniority, company size, and employment status. See LinkedIn’s privacy notice for user data processing: https://www.linkedin.com/legal/privacy-policy. We have a specific agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum", https://legal.linkedin.com/pages-joint-controller-addendum) defining LinkedIn’s security responsibilities and its obligation to fulfill data subject rights (e.g., users may submit access or deletion requests directly to LinkedIn). These rights are not limited by the agreement. Joint responsibility is limited to data collection and transmission to LinkedIn Ireland Unlimited Company, with all further processing by LinkedIn Ireland and possible transfer to its parent company LinkedIn Corporation in the USA.
  • Pinterest: Social network; Service provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://www.pinterest.com; Privacy policy: https://policy.pinterest.com/de/privacy-policy. Third-country transfer basis: Switzerland – Adequacy Decision (Ireland).
  • TikTok: Social network / video platform; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://www.tiktok.com; Privacy policy: https://www.tiktok.com/de/privacy-policy.
  • X: Social network; Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Privacy policy: https://twitter.com/privacy (Settings: https://twitter.com/personalization); Third-country transfer basis: Switzerland – Adequacy Decision (Ireland).
  • YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Privacy policy: https://policies.google.com/privacy; Third-country transfer basis: EU/EEa – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland). Opt-out option: https://myadcenter.google.com/personalizationoff.

Plugins and Embedded Functions or Content

We integrate functional and content elements into our online offering that are retrieved from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include graphics, videos, or maps (hereinafter collectively referred to as "content").

The integration always requires that these third-party providers process the users' IP addresses, as they could not send the content to their browsers without the IP address. The IP address is therefore required for the display of this content or functions. We strive to use only content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. Through the "pixel tags", information such as visitor traffic on the pages of this website may be evaluated. The pseudonymized information may also be stored in cookies on the users' devices and may contain technical information about the browser and operating system, referring websites, visit time, as well as other information about the use of our online offering, and may also be combined with such information from other sources.

Legal basis note: If we ask users for their consent to the use of third-party providers, the legal basis for processing the data is the granted consent. Otherwise, the users' data is processed based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, IDs, involved individuals); Inventory data (e.g., full name, address, contact details, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or visual messages and posts as well as related information such as authorship or creation time). Event data (Facebook) ("Event Data" refers to information transmitted to Meta via Meta Pixel (whether via apps or other channels) relating to individuals or their actions. This includes details about website visits, content and feature interactions, app installations, and product purchases. Event data is processed to create audiences for content and ad messages (Custom Audiences). It’s important to note that Event Data does not include actual content like comments, login information, or contact data such as names, emails, or phone numbers. Event data is deleted by Meta after a maximum of two years, and the resulting audiences are deleted when our Meta user accounts are deleted).
  • Data subjects: Users (e.g., website visitors, online service users), communication partners.
  • Purposes of processing: Provision of our online offering and user-friendliness; performance of contractual services and fulfillment of contractual obligations; marketing; profiles with user-related information (creating user profiles); communication; direct marketing (e.g., by email or post).
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further notes on processing operations, procedures, and services:

  • Facebook Plugins and Content: Facebook social plugins and embedded content – this includes content such as images, videos, text, and buttons that allow users to share content from this online offering within Facebook. The list and appearance of Facebook social plugins can be viewed here: https://developers.facebook.com/docs/plugins/ – We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt (but not the further processing) of “Event Data” that Facebook collects via the Facebook social plugins (and embedded content functions) executed on our online offering, or that Facebook receives through transmission, for the following purposes: a) Displaying content and advertising information that likely corresponds to users’ interests; b) Delivering commercial and transactional messages (e.g., contacting users via Facebook Messenger); c) Improving ad delivery and personalizing features and content (e.g., better detection of content or ads likely matching users’ interests). We have entered into a special agreement with Facebook (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum) that specifically regulates which security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and where Facebook agrees to fulfill data subject rights (i.e., users can, for example, direct information or deletion requests directly to Facebook). Note: When Facebook provides us with metrics, analytics, and reports (which are aggregated, i.e., do not contain details of individual users and are anonymous to us), such processing is not carried out within the scope of joint responsibility but on the basis of a data processing agreement (“Data Processing Terms”, https://www.facebook.com/legal/terms/dataprocessing), the “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_terms), and regarding processing in the USA, based on Standard Contractual Clauses (“Facebook-EU Data Transfer Addendum”, https://www.facebook.com/legal/EU_data_transfer_addendum). The rights of users (particularly to information, deletion, objection, and complaints to the competent supervisory authority) are not restricted by agreements with Facebook; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/. Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland).
  • Google Fonts (Loaded from Google Server): Retrieval of fonts (and icons) for the purpose of technically secure, maintenance-free, and efficient use of fonts and icons regarding their up-to-dateness and loading times, consistent presentation, and consideration of potential licensing restrictions. The font provider is informed of the user's IP address so that fonts can be made available in the user's browser. Technical data (language settings, screen resolution, operating system, used hardware) necessary for font delivery depending on the device and technical environment are also transmitted. These data may be processed on the font provider’s server in the USA – When visiting our online offering, users' browsers send HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) of Google Fonts and then the fonts specified therein. These HTTP requests include (1) the IP address used by the user to access the internet, (2) the requested URL on the Google server, and (3) HTTP headers, including the user agent describing the browser and operating system versions of the website visitors as well as the referrer URL (i.e., the page where the Google Font should be displayed). IP addresses are neither logged nor stored on Google servers and are not analyzed. The Google Fonts Web API logs details of HTTP requests (requested URL, user agent, and referrer URL). Access to these data is restricted and strictly controlled. The requested URL identifies the font families the user wishes to load. These data are logged so that Google can determine how often a specific font family is requested. The user agent must adapt the font rendered for the respective browser type. It is primarily logged for debugging and used to generate aggregated usage statistics to measure the popularity of font families. These aggregated usage statistics are published on Google Fonts' "Analytics" page. Finally, the referrer URL is logged to support maintenance and generate an aggregate report of top integrations based on the number of font requests. According to Google, no information collected via Google Fonts is used to create user profiles or serve targeted ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://fonts.google.com/; Privacy policy: https://policies.google.com/privacy; Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland). Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
  • Instagram Plugins and Content: Instagram plugins and content – This may include content such as images, videos or text, and buttons that allow users to share content from this online offering within Instagram. – We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt (but not the further processing) of “event data” transmitted by Instagram functionalities (e.g., embedding features) executed on our online offering for the following purposes: a) Displaying content and advertising information that likely match the interests of users; b) Delivery of commercial and transactional messages (e.g., reaching users via Facebook Messenger); c) Improving ad delivery and personalizing functions and content (e.g., better detection of what content or ads may match users’ interests). We have concluded a specific agreement with Facebook ("Controller Addendum", https://www.facebook.com/legal/controller_addendum), which defines the security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and under which Facebook has agreed to fulfill data subject rights (i.e., users may address information or deletion requests directly to Facebook). Note: When Facebook provides us with measurement values, analyses, and reports (which are aggregated, i.e., contain no individual user data and are anonymous to us), this processing is not part of the joint responsibility, but rather governed by a data processing agreement ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing), the "Data Security Terms" (https://www.facebook.com/legal/terms/data_security_terms) and, concerning processing in the USA, based on Standard Contractual Clauses ("Facebook EU Data Transfer Addendum", https://www.facebook.com/legal/EU_data_transfer_addendum). Users’ rights (particularly rights to information, deletion, objection, and complaints to supervisory authorities) are not restricted by the agreements with Facebook; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy/. Third Country Transfer Basis: Switzerland – Adequacy Decision (Ireland).
  • LinkedIn Plugins and Content: LinkedIn plugins and content – This may include content such as images, videos, text, and buttons that allow users to share content from this online offering within LinkedIn; Service Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Data Processing Agreement: https://legal.linkedin.com/dpa; Third Country Transfer Basis: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland). Opt-Out Option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • reCAPTCHA: We integrate the "reCAPTCHA" function to determine whether entries (e.g., in online forms) are made by humans or by automated programs ("bots"). The data processed may include IP addresses, information about operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, time spent on websites, previously visited websites, interactions with reCAPTCHA on other websites, possibly cookies, as well as results of manual recognition processes (e.g., answering questions or selecting items in images). Data processing is based on our legitimate interest in protecting our online offering from abusive automated crawling and spam; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.google.com/recaptcha/; Privacy Policy: https://policies.google.com/privacy; Third Country Transfer Basis: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland). Opt-Out Option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Ad Settings: https://myadcenter.google.com/personalizationoff.
  • X Plugins and Content: Plugins and buttons from the "X" platform – This may include content such as images, videos or texts and buttons allowing users to share content from this online offering within X; Service Provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://twitter.com; Privacy Policy: https://twitter.com/privacy; (Settings: https://twitter.com/personalization); Data Processing Agreement: https://privacy.twitter.com/en/for-our-partners/global-dpa. Third Country Transfer Basis: EU/EEA – Standard Contractual Clauses (https://privacy.twitter.com/en/for-our-partners/global-dpa), Switzerland – Adequacy Decision (Ireland).
  • YouTube Videos: Video content; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Third Country Transfer Basis: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland). Opt-Out Option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Ad Settings: https://myadcenter.google.com/personalizationoff.
  • WhatsApp: WhatsApp Messenger with end-to-end encryption; Service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 s. 1 lit. f) GDPR); Website: https://www.whatsapp.com/; Privacy policy: https://www.whatsapp.com/legal. Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland).

Management, Organization and Support Tools

We use services, platforms, and software from other providers (hereinafter referred to as "third-party providers") for the purposes of organizing, managing, planning, and delivering our services. When selecting third-party providers and their services, we comply with legal requirements.

In this context, personal data may be processed and stored on the servers of the third-party providers. This may include various data we process in accordance with this privacy policy. These data may include, in particular, master and contact data of users, data related to transactions, contracts, other processes, and their content.

If users are referred to third-party providers or their software or platforms as part of communication, business, or other relationships with us, the third-party providers may process usage and metadata for security purposes, service optimization, or marketing. We therefore ask you to observe the data protection notices of the respective third-party providers.

  • Types of data processed: Content data (e.g., textual or visual messages and posts and the related information such as authorship or creation timestamp); Usage data (e.g., page views and session duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals). Contact data (e.g., postal and email addresses or phone numbers).
  • Data subjects: Communication partners. Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations. Office and organizational procedures.
  • Legal basis: Legitimate interests (Art. 6 para. 1 s. 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

Application Process

The application process requires applicants to provide the data necessary for evaluation and selection. The required information is specified in the job description or, in the case of online forms, in the respective fields.

Generally, the required information includes personal details such as name, address, a way to contact the applicant, and documentation of the qualifications required for the position. Upon request, we are happy to inform you about the specific details we require.

Applicants may submit their applications using our online form, which is encrypted according to current technical standards. Alternatively, applications can be submitted by email. However, we note that emails are generally not encrypted on the internet. Although emails are typically encrypted during transmission, this does not apply to the servers from which they are sent or received. We therefore cannot take responsibility for the security of applications transmitted via email.

To search for candidates, receive applications, and select applicants, we may use applicant management or recruitment software and services of third-party providers in compliance with legal requirements.

Applicants are welcome to contact us about the method of application submission or send their application by postal mail.

Processing of special categories of data: If special categories of personal data (Art. 9 para. 1 GDPR, e.g., health data such as disability status or ethnic origin) are requested or voluntarily submitted, their processing serves to exercise rights or fulfill obligations arising from employment law, social security, or social protection law, protect vital interests, or for preventive health care, occupational medicine, medical diagnosis, health or social care or treatment, or the management of health or social care systems and services.

Data deletion: Data provided by applicants may be further processed for employment purposes if the application is successful. Otherwise, if an application is unsuccessful or withdrawn, the data will be deleted. Deletion takes place no later than six months after the application process, unless a legitimate withdrawal is made earlier, to answer follow-up questions or meet equal treatment requirements. Any travel expense reimbursements will be archived in accordance with tax regulations.

Inclusion in an applicant pool: If offered, inclusion in a talent pool is based on consent. Applicants are informed that giving consent is voluntary, has no impact on the current application, and can be withdrawn at any time for the future.

  • Types of data processed: Inventory data (e.g., full name, residential address, contact details, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or visual messages and posts, including authorship and timestamps); Applicant data (e.g., personal details, addresses, application documents, such as cover letter, CV, certificates, and voluntarily provided information regarding a specific position or applicant qualifications).
  • Data subjects: Applicants.
  • Purposes of processing: Application process (initiation and possible conclusion and termination of employment relationship).
  • Legal basis: Application procedure as pre-contractual or contractual relationship (Art. 6 para. 1 s. 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 s. 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

  • WhatsApp: WhatsApp Messenger with end-to-end encryption; Service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 (1) lit. f GDPR); Website: https://www.whatsapp.com/; Privacy Policy: https://www.whatsapp.com/legal. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).

Management, Organization and Support Tools

We use services, platforms, and software from other providers (hereinafter referred to as "third-party providers") for the purposes of organization, administration, planning, and providing our services. When selecting third-party providers and their services, we comply with the legal requirements.

In this context, personal data may be processed and stored on the servers of third-party providers. This may concern various data that we process in accordance with this privacy policy. This includes, in particular, master data and contact details of users, data relating to processes, contracts, and other procedures and their content.

Insofar as users are referred to third-party providers or their software or platforms in the context of communication, business, or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization, or marketing purposes. We therefore ask you to observe the privacy notices of the respective third-party providers.

  • Types of data processed: Content data (e.g., textual or visual messages and posts as well as related information such as author details or creation timestamp); usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); metadata, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); contact data (e.g., postal and email addresses or phone numbers).
  • Data subjects: Communication partners. Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations. Office and organizational procedures.
  • Legal basis: Legitimate interests (Art. 6 (1) lit. f GDPR).

Additional information on processing operations, procedures, and services:

Application Process

The application process requires applicants to provide the information necessary for their assessment and selection. The required information is specified in the job description or, in the case of online forms, in the corresponding fields.

Generally, the required information includes personal details such as name, address, contact information, and proof of qualifications for the position. Upon request, we are happy to provide additional information on what data is required.

Applicants can submit their applications via our online form, which is encrypted according to the latest technical standards. Alternatively, applications may also be submitted via email. However, we would like to point out that emails are generally not encrypted on the internet. Although emails are usually encrypted during transmission, this does not apply to the servers from which they are sent and received. Therefore, we cannot assume responsibility for the security of the application during transmission between the sender and our server.

For the purpose of candidate search, application submission, and applicant selection, we may use applicant management or recruitment software and platforms and services of third-party providers, in compliance with legal regulations.

Applicants may contact us about the submission method or send their application by post.

Processing of special categories of data: If special categories of personal data (Art. 9 (1) GDPR, e.g., health data such as disability status or ethnic origin) are requested or voluntarily provided during the application process, their processing is carried out so that the controller or the data subject can exercise rights or fulfill obligations arising from labor law, social security, or social protection law, or for the protection of vital interests of the applicants or others, or for purposes of preventive or occupational medicine, assessment of working capacity, medical diagnosis, health or social care or treatment, or the management of health or social care systems and services.

Deletion of data: Data provided by applicants may be further processed by us for the purpose of the employment relationship if the application is successful. Otherwise, if an application is unsuccessful, the applicants' data will be deleted. Data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Deletion will occur, unless a legitimate revocation is made by the applicant, no later than six months after the end of the application process so we can respond to any follow-up questions and fulfill our obligations under equal treatment laws. Any reimbursement invoices for travel costs will be archived in accordance with tax regulations.

Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to inclusion is voluntary, does not affect the current application process, and can be withdrawn at any time with effect for the future.

  • Types of data processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or visual messages and posts as well as related information such as author details or creation timestamp). Applicant data (e.g., personal information, postal and contact addresses, documents related to the application and their content, such as cover letter, CV, certificates, and other information voluntarily provided in relation to a specific position or qualification).
  • Data subjects: Applicants.
  • Purposes of processing: Application procedure (establishment and potential subsequent execution or termination of the employment relationship).
  • Legal basis: Application process as a pre-contractual or contractual relationship (Art. 6 (1) lit. b GDPR). Legitimate interests (Art. 6 (1) lit. f GDPR).

Additional information on processing operations, procedures, and services:

Changes and Updates

We kindly ask you to regularly inform yourself about the contents of our privacy policy. We update the privacy policy as soon as changes in our data processing activities make it necessary. We will notify you if the changes require your cooperation (e.g., consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time. Please verify the information before contacting them.

Collaboration with Affiliated Companies

As part of processing applications submitted via our “Become a Book Tester” form and for certain internal technical payment procedures (e.g. PayPal payouts), we collaborate with Pegoa Books GmbH & Co. KG, Am Sandtorkai 27, 20457 Hamburg, Germany.

In this context, personal data such as name, email address, and any additional submitted information may be transferred to Pegoa Books GmbH & Co. KG. This processing is based on Art. 6 (1) lit. b GDPR (contract initiation) and Art. 6 (1) lit. f GDPR (legitimate interest in efficient operational handling). Pagoa processes the data exclusively for the specified purposes and within the framework of contractual agreements.

Definitions

This section provides an overview of the terminology used in this privacy policy. If terms are legally defined, their legal definitions apply. The following explanations are intended primarily to aid understanding.

  • Affiliate Tracking: Within affiliate tracking, links are recorded that allow referring websites to direct users to websites with product or other offers. Operators of the referring websites may receive a commission when users follow these so-called affiliate links and subsequently make use of the offers (e.g., purchase goods or use services). To enable this, providers must track whether users interested in certain offers actually use them via the affiliate links. Therefore, for affiliate links to work, they must be supplemented with certain values that become part of the link or are stored in other ways, such as in a cookie. These values include, in particular, the referring website (referrer), timestamp, an online identifier of the website operator, an online identifier of the specific offer, an online identifier of the user, and tracking-specific values such as ad ID, partner ID, and categorizations.
  • Employees: Employees are individuals in an employment relationship, whether as staff, workers, or in similar roles. An employment relationship is a legal agreement between employer and employee defined by a contract. It includes the employer’s obligation to pay remuneration while the employee provides labor. The employment relationship includes different stages: initiation (contract signing), execution (job performance), and termination (resignation, mutual agreement, or otherwise). Employee data refers to any personal data processed in this context, including identification details, salary, work time, health information, and performance evaluations.
  • Inventory Data: Inventory data includes essential information necessary for identifying and managing contract partners, user accounts, profiles, and similar assignments. This may include personal and demographic data such as name, contact details (addresses, phone numbers, emails), birthdates, and specific identifiers (user IDs). These data are fundamental for any formal interaction between individuals and services, allowing unambiguous identification and communication.
  • Content Data: Content data encompasses information generated during the creation, editing, and publication of all types of content. This includes texts, images, videos, audio files, and other multimedia content published across platforms. It also includes metadata such as tags, descriptions, author info, and publishing dates.
  • Contact Data: Contact data includes essential information for communication with individuals or organizations. This includes phone numbers, postal addresses, emails, and communication tools like social media handles or messaging identifiers.
  • Conversion Measurement: Conversion measurement (also known as “visit action evaluation”) is a method for evaluating the effectiveness of marketing efforts. Usually, a cookie is stored on the users’ devices within the websites where marketing campaigns run and is retrieved again on the target site. This allows us to determine whether our ads on other websites were successful.
  • Performance and Behavior Data: Performance and behavior data refer to how individuals perform tasks or behave in a given context (e.g., work, education, social settings). This may include metrics like productivity, efficiency, work quality, attendance, and compliance. Behavior data can include interaction styles, communication, decision-making processes, and responses to various situations. These data types are often used for performance reviews, training, and organizational decision-making.
  • Meta, Communication, and Procedural Data: These categories include information about how data are processed, transmitted, and managed. Metadata—data about data—describe context, origin, and structure (e.g., file size, creation date, author, revision history). Communication data record exchanges between users via different channels, such as emails, call logs, social media messages, or chats, including participants, timestamps, and transmission paths. Procedural data describe workflows and processes in systems or organizations, including transaction logs, audit trails, and documentation used for review and oversight.
  • Usage Data: Usage data refers to information that captures how users interact with digital products, services, or platforms. This includes a wide range of data showing how applications are used, which features are preferred, how long users stay on certain pages, and how they navigate through an application. Usage data may also include frequency of use, activity timestamps, IP addresses, device information, and location data. It is especially valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. Furthermore, usage data plays a key role in identifying trends, preferences, and potential problem areas in digital offerings.
  • Personal Data: "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Profiles with User-Related Information: The processing of "profiles with user-related information", or simply "profiles", includes any form of automated processing of personal data where such data is used to analyze, evaluate, or predict certain personal aspects related to a natural person (depending on the profiling type, this may include demographic data, behavior, interests, e.g., interactions with websites and content, etc.). Cookies and web beacons are often used for profiling purposes.
  • Log Data: Log data refers to information about events or activities recorded in a system or network. These typically include timestamps, IP addresses, user actions, error messages, and other operational or usage details. Log data is often used to analyze system issues, monitor security, or generate performance reports.
  • Reach Measurement: Reach measurement (also known as web analytics) is used to evaluate traffic on an online offering and may include behavior or interests of visitors regarding specific content such as web pages. It allows operators to identify when users visit and what content they are interested in. This helps tailor websites to user needs. Pseudonymous cookies and web beacons are frequently used for reach measurement to recognize returning visitors and enable more precise analysis of usage.
  • Remarketing: "Remarketing" or "retargeting" refers to the practice of noting what products a user showed interest in on a website to remind them of those products later through advertisements on other sites.
  • Tracking: "Tracking" refers to the ability to follow user behavior across multiple online offerings. Behavioral and interest data are typically stored in cookies or on the servers of tracking technology providers (so-called profiling). This data may then be used to serve ads that are likely to match the user’s interests.
  • Controller: The "controller" is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: "Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers virtually all handling of data, including collection, analysis, storage, transmission, or deletion.
  • Contract Data: Contract data refers to specific information related to the formalization of an agreement between two or more parties. It documents the terms under which services or products are provided, exchanged, or sold. This includes the identification of contracting parties, agreed services/products, pricing, payment terms, cancellation rights, renewal options, and special clauses. Contract data serves as the legal foundation of the relationship and helps clarify rights, obligations, claims, and dispute resolution.
  • Payment Data: Payment data includes all information necessary for processing payment transactions between buyers and sellers. This includes credit card numbers, bank details, transaction amounts, verification numbers, and billing information. Payment data may also cover payment statuses, chargebacks, authorizations, and fees.
  • Audience Building: Audience building ("custom audiences") refers to the creation of target audiences for advertising purposes, such as displaying ads. For instance, a user's interest in specific products or topics can imply a likely interest in similar products or stores. "Lookalike audiences" refers to users whose profiles or interests are presumed similar to those already profiled. Cookies and web beacons are typically used to create custom and lookalike audiences.

Want to see your book in every bookstore?

We distribute your book globally and help you
reach readers near and far

Start Publishing Today
Your book in every bookstore. No fees, no effort.
How It WorksGet PublishedAbout UsFree BooksLegal NoticePrivacy Policy
© 2025 Lucid Page Media