
Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as "data") we process for which purposes and to what extent. The privacy policy applies to all processing of personal data conducted by us, both in the context of providing our services and notably on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").

The terms used are not gender-specific.

Date: November 5, 2024

Table of Contents

  1. Preamble

  2. Controller

  3. Overview of Processing

  4. Relevant Legal Bases

  5. Security Measures

  6. Transmission of Personal Data

  7. International Data Transfers

  8. General Information on Data Storage and Deletion

  9. Rights of Data Subjects

  10. Business Services

  11. Business Processes and Procedures

  12. Provision of the Online Offering and Web Hosting

  13. Use of Cookies

  14. Contact and Inquiry Management

  15. Communication via Messenger

  16. Newsletters and Electronic Notifications

  17. Promotional Communication via Email, Mail, Fax, or Phone

  18. Web Analysis, Monitoring, and Optimization

  19. Online Marketing

  20. Presence in Social Networks (Social Media)

  21. Changes and Updates

  22. Definitions

 

Controller

Ernst Schnitzlein GmbH
Obere Waldstraße 26
D-89349 Burtenbach, Germany

Authorized Representative: Thorsten Schnitzlein

Email Address: info@schnitzleinconsulting.com

Imprint: https://www.schnitzleinconsulting.com/impressum

 

Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the respective data subjects.

Types of Processed Data

  • Inventory data.

  • Payment data.

  • Contact data.

  • Content data.

  • Contract data.

  • Usage data.

  • Meta, communication, and procedural data.

  • Log data.

  • Credit data.

 

Categories of Data Subjects

  • Service recipients and clients.

  • Employees.

  • Prospective customers.

  • Communication partners.

  • Users.

  • Business and contract partners.

  • Third parties.

 

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations.

  • Communication.

  • Security measures.

  • Direct marketing.

  • Audience measurement.

  • Tracking.

  • Office and organizational procedures.

  • Conversion measurement.

  • Creation of target audiences.

  • Organizational and management procedures.

  • Feedback.

  • Marketing.

  • Profiling with user-related information.

  • Providing our online offering and user-friendliness.

  • Assessment of creditworthiness.

  • IT infrastructure.

  • Financial and payment management.

  • Public relations.

  • Sales promotion.

  • Business processes and economic procedures.

 

Relevant Legal Bases

Relevant legal bases under the GDPR: Below, you will find an overview of the legal bases of the GDPR on which we base the processing of personal data. Please note that, in addition to the GDPR regulations, national data protection provisions may apply in your or our place of residence or business. Should more specific legal bases be relevant in a particular case, we will inform you about them in the privacy policy.

  • Consent (Art. 6(1) sentence 1 lit. a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.

  • Fulfillment of contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR) - The processing is necessary for the fulfillment of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject.

  • Legal obligation (Art. 6(1) sentence 1 lit. c) GDPR) - The processing is necessary for the fulfillment of a legal obligation to which the controller is subject.

  • Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR) - The processing is necessary to protect the legitimate interests of the controller or a third party, provided that the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data do not outweigh them.

 

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. This includes, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains specific provisions on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transfer and automated decision-making in individual cases including profiling. Furthermore, state data protection laws of the individual federal states may apply.


 

Security Measures

We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, in accordance with legal requirements, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the threat to the rights and freedoms of natural persons.

Measures include, in particular, securing the confidentiality, integrity, and availability of data by controlling physical and electronic access to data as well as access, entry, transmission, securing availability, and separation of data. Additionally, we have established procedures that ensure the exercise of data subjects' rights, deletion of data, and responses to data threats. We also consider the protection of personal data during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

 

IP Address Truncation: If IP addresses are processed by us or the service providers and technologies used by us, and the processing of a full IP address is not required, the IP address is truncated (also known as "IP-Masking"). In this process, the last two digits or the last part of the IP address after a dot are removed or replaced with placeholders. The truncation of the IP address is intended to prevent or significantly complicate the identification of a person using their IP address.

 

Securing Online Connections Through TLS/SSL Encryption Technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission over the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the advanced and more secure version of SSL, ensures that all data transfers meet the highest security standards. If a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL, serving as an indicator to users that their data is being transmitted securely and in an encrypted manner.

 

Transmission of Personal Data

In the context of our processing of personal data, it may occur that this data is transmitted to other entities, companies, legally independent organizational units, or individuals, or disclosed to them. Recipients of this data may include service providers tasked with IT tasks or providers of services and content embedded in a website. In such cases, we comply with legal requirements and particularly conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

 

Data Transfer Within the Organization: We may transfer personal data to other departments or units within our organization or grant them access to it. If the data transfer is for administrative purposes, it is based on our legitimate entrepreneurial and business interests or is carried out as necessary to fulfill our contractual obligations or if consent of the data subjects or a legal permission exists.

 

International Data Transfers

 

Data Processing in Third Countries: If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or if processing occurs in the context of using third-party services or disclosing or transmitting data to other persons, bodies, or companies, this is done only in accordance with legal requirements. If the data protection level in the third country has been recognized as adequate by an adequacy decision (Art. 45 GDPR), this forms the basis of the data transfer. Otherwise, data transfers only occur if the data protection level is otherwise ensured, especially through standard contractual clauses (Art. 46 para. 2 lit. c GDPR), explicit consent, or in the case of contractual or legally required transmission (Art. 49 para. 1 GDPR). Additionally, we inform you about the bases for third-country transmission with the respective providers from the third country, with adequacy decisions as the primary bases. Information on third-country transfers and existing adequacy decisions can be found on the EU Commission's website: EU Commission on International Data Protection. Under the "Data Privacy Framework" (DPF), the EU Commission also recognized the data protection level for certain U.S. companies as safe within the framework of its adequacy decision as of 07/10/2023. The list of certified companies and further information about the DPF can be found on the U.S. Department of Commerce's website: Data Privacy Framework. We inform you in our privacy notices which service providers employed by us are certified under the Data Privacy Framework.

 

General Information on Data Storage and Deletion

We delete personal data that we process according to legal requirements as soon as the underlying consents are revoked or no further legal grounds for processing exist. This applies in cases where the original purpose for processing ceases to exist or the data are no longer needed. Exceptions to this rule exist when legal obligations or special interests require longer retention or archiving of data.

In particular, data that must be retained for commercial or tax reasons, or the storage of which is necessary for legal prosecution or the protection of the rights of other natural or legal persons, must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that specifically apply to certain processing operations.

Where multiple retention periods or deletion deadlines for a piece of data are indicated, the longest period applies.

If a period does not expressly begin on a specific date and is at least one year, it automatically begins at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships during which data are stored, the triggering event is the date of the termination or other ending of the legal relationship.

We process data that are no longer needed for the originally intended purpose, but are stored due to legal requirements or other reasons, solely for the reasons justifying their retention.

 

Additional Notes on Processing Operations, Procedures, and Services:

  • Retention and Deletion of Data: The following general retention and archiving periods apply under German law:

    • 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and the work instructions and other organizational documents necessary to understand them, booking receipts, and invoices (§ 147 para. 3 in conjunction with para. 1 No. 1, 4 and 4a AO, § 14b para. 1 UStG, § 257 para. 1 No. 1 and 4, para. 4 HGB).

    • 6 years - Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents, as far as these are of importance for taxation, e.g., time wage slips, operational accounting sheets, calculation documents, price lists, but also payroll records, as far as they are not already booking receipts and cash strips (§ 147 para. 3 in conjunction with para. 1 No. 2, 3, 5 AO, § 257 para. 1 No. 2 and 3, para. 4 HGB).

    • 3 years - Data necessary to account for potential warranty and compensation claims or similar contractual claims and rights as well as related inquiries, based on past business experience and usual industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

 

Rights of Data Subjects

 

Rights of Data Subjects under the GDPR: As a data subject, you have various rights under the GDPR, which are detailed in Articles 15 to 21 GDPR:

  • Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data, which is based on Article 6 paragraph 1 lit. e or f GDPR; this also applies to any profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.

  • Right to Withdraw Consent: You have the right to withdraw consent at any time.

  • Right of Access: You have the right to demand confirmation as to whether data concerning you is being processed, to obtain information about this data, as well as further information and a copy of the data in accordance with legal requirements.

  • Right to Rectification: You have the right to demand the correction of inaccurate data concerning you or the completion of incomplete data according to legal requirements.

  • Right to Erasure and Restriction of Processing: In accordance with legal requirements, you have the right to demand that data concerning you be deleted immediately, or alternatively, to demand a restriction of the processing of the data according to legal requirements.

  • Right to Data Portability: You have the right to receive data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, according to legal requirements, or to request its transfer to another controller.

  • Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

 

Business Services

We process data from our contract and business partners, such as customers and interested parties (collectively referred to as "contract partners"), within the scope of contractual and similar legal relationships, as well as related measures and with regard to communication with contract partners (or pre-contractually), such as responding to inquiries.

We use this data to fulfill our contractual obligations. These include, in particular, the obligations to provide the agreed services, any update obligations, and remedy any warranty and other service disruptions. Furthermore, we use the data to safeguard our rights and for purposes related to these obligations, administrative tasks, and company organization. Additionally, we process the data based on our legitimate interests both in proper and economically sound business management and in security measures to protect our contract partners and our business operations against misuse, threats to their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax, and legal advisors, payment service providers, or financial authorities). In accordance with applicable law, we only disclose the data of contract partners to third parties insofar as this is necessary for the aforementioned purposes or to fulfill legal obligations. Contract partners are informed of further forms of processing, such as for marketing purposes, within the framework of this privacy policy.

Which data is necessary for the aforementioned purposes is communicated to the contract partners before or during data collection, such as in online forms, through special marking (e.g., colors) or symbols (e.g., asterisks, etc.), or in person.

We delete the data after the expiration of legal warranty and comparable obligations, i.e., generally after four years unless the data is stored in a customer account, e.g., as long as they must be retained for legal reasons (such as for tax purposes, usually ten years). Data disclosed to us by the contract partner in the course of an assignment is deleted in accordance with the specifications and, in principle, after the end of the assignment.

  • Types of Data Processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers); Contract data (e.g., subject matter of the contract, term, customer category).

  • Affected Persons: Service recipients and contractors; Interested parties; Business and contract partners.

  • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Communication; Office and organizational procedures; Organizational and management procedures; Business processes and economic procedures.

  • Retention and Deletion: Deletion in accordance with the details in the section "General Information on Data Storage and Deletion."

  • Legal Bases: Fulfillment of contracts and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

 

Additional Notes on Processing Operations, Procedures, and Services:

  • Agency Services: We process our customers' data within the framework of our contractual services, which may include conceptual and strategic consulting, campaign planning, software and design development/advice or maintenance, implementation of campaigns and processes, handling, server administration, data analysis/advisory services, and training services; Legal Bases: Fulfillment of contracts and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

 

Business Processes and Procedures

Personal data of service recipients and clients—such as customers, clients, or, in special cases, mandatees, patients, or business partners, as well as other third parties—are processed within the scope of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates economic processes in areas such as customer management, sales, payments, accounting, and project management.

The collected data serves to fulfill contractual obligations and efficiently organize business processes. This includes managing business transactions, handling customer relationships, optimizing sales strategies, and ensuring internal billing and financial processes. Additionally, the data supports the protection of the controller's rights and facilitates administrative tasks as well as the organization of the company.

Personal data may be disclosed to third parties if this is necessary for fulfilling the aforementioned purposes or legal obligations.

 

Provision of the Online Offering and Web Hosting

We process users' data to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functionalities of our online services to the user's browser or end device.

  • Types of Data Processed: Usage data (e.g., page visits and duration spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, participating persons); Log data (e.g., log files related to logins or access times). Content data (e.g., textual or visual messages and posts as well as the related information, such as authorship details or creation time).

  • Affected Persons: Users (e.g., website visitors, users of online services).

  • Purposes of Processing: Provision of our online offering and user-friendliness; IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); Security measures.

  • Retention and Deletion: Deletion according to the details in the "General Information on Data Storage and Deletion" section.

  • Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

 

Additional Notes on Processing Operations, Procedures, and Services:

  • Provision of Online Offering on Rented Storage Space: To provide our online offering, we use storage space, computing capacity, and software that we rent or obtain from an appropriate server provider (also known as "web host"); Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

  • Collection of Access Data and Log Files: Access to our online offering is logged in the form of so-called "server log files." These server log files may include the address and name of the accessed web pages and files, date and time of the access, transferred data quantities, message about successful retrieval, browser type with version, user's operating system, referrer URL (previously visited page), and usually IP addresses and the requesting provider. The server log files can be used for security purposes, e.g., to prevent server overload (especially in the case of abusive attacks such as DDoS attacks), and to ensure the load and stability of the servers; Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of Data: Logfile information is stored for a maximum duration of 30 days and thereafter deleted or anonymized. Data whose further storage is required for evidence purposes are exempted from deletion until the respective incident is finally clarified.

  • Email Distribution and Hosting: The web hosting services we use also include sending, receiving, and storing emails. For these purposes, the addresses of recipients and senders as well as other information regarding email distribution (e.g., involved providers) and the contents of respective emails are processed. The aforementioned data may also be processed for spam detection purposes. Please note that emails are generally not sent encrypted on the Internet. Typically, emails are encrypted during transport but not on the servers from which they are sent and received, unless end-to-end encryption is used. We cannot be held responsible for the transmission path of emails between the sender and reception on our server; Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

  • Wix: Hosting and software for creating, providing, and operating websites, blogs, and other online offerings; Service Provider: Wix.com Ltd., Nemal Street 40, 6350671 Tel Aviv, Israel; Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://de.wix.com/; Privacy Policy: https://de.wix.com/about/privacy; Data Processing Agreement: https://www.wix.com/about/privacy-dpa-users. Third-country Transfer Basis: Adequacy Decision (Israel).

 

Use of Cookies

The term "cookies" refers to functions that store and retrieve information on users' devices. Cookies can be used for various purposes, such as ensuring the functionality, security, and convenience of online offerings and creating analyses of visitor flows. We use cookies according to legal requirements. We obtain users' consent in advance if necessary. If consent is not required, we rely on our legitimate interests. This applies when storing and retrieving information is essential to provide explicitly requested content and functions. This includes storing settings and ensuring the functionality and security of our online offerings. Consent can be revoked at any time. We provide clear information about the scope and which cookies are used.

 

Notes on Data Protection Legal Bases: Whether we process personal data using cookies depends on consent. If consent is provided, it serves as the legal basis. Without consent, we rely on our legitimate interests, as explained in this section and in the context of the respective services and procedures.

 

Storage Duration: The following types of cookies are distinguished concerning storage duration:

  • Temporary Cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g., browser or mobile application).

  • Permanent Cookies: Permanent cookies remain stored even after the device is closed. For example, login status can be saved, and preferred content can be displayed directly when the user re-visits a website. Similarly, the user data collected through cookies can be used for reach measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g., during consent collection), they should assume these cookies are permanent, and the storage period can be up to two years.

 

General Instructions on Revocation and Objection (Opt-out): Users can withdraw their given consents at any time and also declare an objection to processing in accordance with legal requirements, including through the privacy settings of their browsers.

  • Types of Data Processed: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

  • Affected Persons: Users (e.g., website visitors, users of online services).

  • Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

 

Contact and Inquiry Management

When contacted (e.g., by mail, contact form, email, phone, or via social media) and within the context of existing user and business relationships, the information of the requesting persons is processed as necessary to respond to contact inquiries and any requested measures.

  • Types of Data Processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or image messages and posts, and related information, such as authorship details or creation time); Usage data (e.g., page visits and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

  • Affected Persons: Communication partners.

  • Purposes of Processing: Communication; Organizational and management procedures; Feedback (e.g., collecting feedback via an online form); Provision of our online offering and user-friendliness.

  • Retention and Deletion: Deletion follows the details specified in the "General Information on Data Storage and Deletion" section.

  • Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Fulfillment of contracts and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

 

Additional Notes on Processing Operations, Procedures, and Services:

  • Contact Form: When contacted via our contact form, email, or other communication channels, we process the personal data submitted to respond to and handle the respective inquiry. This typically includes information such as the name, contact details, and any further information provided that is necessary for adequate processing. We use this data exclusively for the stated purpose of initiating contact and communication; Legal Bases: Fulfillment of contracts and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

 

Communication via Messenger

We use messengers for communication purposes and therefore ask you to note the following information regarding the functionality of messengers, encryption, the use of communication metadata, and your options to object.

You can also contact us via alternative methods, such as phone or email. Please use the provided contact options or those specified within our online offering.

In the case of end-to-end encryption of content (i.e., the content of your message and attachments), we note that communication content (i.e., the content of the message and attached images) is encrypted from end to end. This means that the content of the messages is not viewable, not even by the messenger providers themselves. You should always use an up-to-date version of the messenger with encryption enabled to ensure the confidentiality of message content.

However, we also point out to our communication partners that while messenger providers cannot access the content, they can ascertain that and when communication partners communicate with us and process technical information about the communication partners' device and, depending on their device settings, also location information (so-called metadata).

 

Notes on Legal Bases: If we request permission from communication partners before communicating with them via messenger, the legal basis for our processing of their data is their consent. Otherwise, if we do not ask for consent and they contact us on their own, we use messengers in relation to our contract partners and in the context of contract initiation as a contractual measure and, in the case of other interested parties and communication partners, based on our legitimate interests in rapid and efficient communication and fulfilling the needs of our communication partners for communication via messenger. Furthermore, we inform you that we will not transmit the contact data provided to messengers for the first time without your consent.

 

Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter "newsletters") only with the recipients' consent or based on a legal foundation. If the content of the newsletter is specified in the context of newsletter registration, it is decisive for users' consent. Usually, providing your email address is sufficient for signing up for our newsletter. However, to offer you a personalized service, we may ask for your name for personal address in the newsletter or additional information if necessary for the newsletter's purpose.

 

Deletion and Restriction of Processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, in order to prove previously given consent. The processing of these data is restricted to the purpose of potentially defending against claims. An individual deletion request is possible at any time if the previously existing consent is confirmed simultaneously. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a suppression list (so-called "blocklist").

The logging of the registration process is based on our legitimate interests in proving its proper execution. If we engage a service provider to send emails, this is done based on our legitimate interest in an efficient and secure dispatch system.

 

Contents: Information about us, our services, campaigns, and offers.

  • Types of Data Processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); Usage data (e.g., page visits and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).

  • Affected Persons: Communication partners; Users (e.g., website visitors, users of online services).

  • Purposes of Processing: Direct marketing (e.g., via email or postal); Provision of contractual services and fulfillment of contractual obligations.

  • Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

  • Opt-Out Option: You can cancel the receipt of our newsletter at any time, i.e., withdraw your consent or object to further receipt. A link to cancel the newsletter is either found at the end of each newsletter or you can use one of the contact methods provided above, preferably email.

 

Additional Notes on Processing Operations, Procedures, and Services:

  • Condition of Receiving Free Services: Consent to receive mailings can be a condition of utilizing free services (e.g., access to certain content or participation in specific actions). If users want to access the free service without subscribing to the newsletter, we request that they contact us.

  • Dispatch via SMS: Electronic notifications can also be sent as SMS text messages (or exclusively via SMS if the permission, e.g., consent, includes only SMS dispatch); Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

 

Promotional Communication via Email, Post, Fax, or Telephone

We process personal data for the purposes of promotional communication, which can take place through various channels such as email, telephone, mail, or fax, in accordance with legal requirements.

Recipients have the right to withdraw granted consents at any time or to object to promotional communication at any time.

After a withdrawal or objection, we store the data required to prove the previous authorization to contact or send communications for up to three years after the end of the year of the withdrawal or objection based on our legitimate interests. The processing of this data is restricted to the purpose of potentially defending against claims. Based on the legitimate interest of respecting users' withdrawals or objections permanently, we also store the data required to avoid re-contact (e.g., depending on the communication channel, the email address, phone number, name).

  • Types of Data Processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or image messages and posts, and related information, such as authorship details or creation time).

  • Affected Persons: Communication partners.

  • Purposes of Processing: Direct marketing (e.g., via email or mail); Marketing; Sales Promotion.

  • Retention and Deletion: Deletion follows the details specified in the "General Information on Data Storage and Deletion" section.

  • Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

 

Web Analysis, Monitoring, and Optimization

Web analysis (also known as "reach measurement") serves to evaluate visitor streams to our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With reach analysis, we can, for example, identify when our online offering or its functions or content are most frequently used or prompt repeat use. It also allows us to identify which areas require optimization.

In addition to web analysis, we may use testing procedures to test and optimize different versions of our online offering or its components.

Unless otherwise specified below, profiles—data combined into a usage process—and information can be created and stored in a browser or device and then read. This includes particularly visited websites and elements used there, as well as technical information such as the browser used, the computer system used, and information about usage times. If users have agreed with us or with the providers of the services we use to collect their location data, location data processing is also possible.

Furthermore, users' IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization through IP address truncation) to protect users. Generally, no clear data of the users (such as email addresses or names) is stored as part of web analytics, A/B testing, and optimization; only pseudonyms are stored. This means that we and the software providers used do not know the actual identity of users, only the information stored in their profiles for each procedure.

 

Notes on Legal Bases: If we ask users for consent to use third-party providers, the legal basis for data processing is their consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

  • Types of Data Processed: Usage data (e.g., page visits and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

  • Affected Persons: Users (e.g., website visitors, users of online services).

  • Purposes of Processing: Reach measurement (e.g., access statistics, identification of returning visitors); Profiles with user-related information (Creating user profiles); Provision of our online offering and user friendliness.

  • Retention and Deletion: Deletion follows the details specified in the "General Information on Data Storage and Deletion" section. Storage of cookies for up to 2 years (Unless otherwise indicated, cookies and similar storage methods can be stored on users' devices for a period of two years).

  • Security Measures: IP masking (Pseudonymization of IP address).

  • Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

 

Additional Notes on Processing Operations, Procedures, and Services:

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online offerings based on a pseudonymous user identification number. This identification number contains no specific data like names or email addresses. It serves to assign analysis information to a device to identify which content users have accessed within one or more usage processes, which search terms they have used, and whether they have revisited or interacted with our online offering. The time and duration of use, as well as the sources that refer users to our online offer, and technical aspects of their devices and browsers, are also stored. Pseudonymous profiles of users are created with information from the use of various devices using cookies. Google Analytics does not log or store individual IP addresses for EU users. Analytics, however, provides broad geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is used solely for this derivation of geolocation data before being immediately deleted. It is not logged, not accessible, and not used for any other purposes. When Google Analytics collects measurement data, all IP inquiries are conducted on EU-based servers before the traffic is routed to Analytics servers for processing; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/en/about/analytics/; Security Measures: IP masking (Pseudonymization of IP address); Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Third-country Transfer Basis: Data Privacy Framework (DPF); Opt-Out Option: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Settings for the display of advertising: https://myadcenter.google.com/personalizationoff. More Information: https://business.safety.google/adsservices/ (Types of processing and processed data).

 

Online Marketing

We process personal data for the purpose of online marketing, which can include the marketing of advertising spaces or the presentation of advertising and other content (collectively referred to as "content") based on potential user interests, as well as measuring their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (the so-called "cookie") or similar processes are used, by which information relevant to the display of the aforementioned content is stored about the user. This may include viewed content, visited websites, online networks used, as well as communication partners and technical information, such as the browser used, the computer system used, and information on usage times and features used. If users have consented to the collection of their location data, this can also be processed.

Additionally, the IP addresses of users are stored. However, we use available IP masking methods (i.e., pseudonymization by truncating the IP address) to protect users. Generally, within the framework of online marketing procedures, no clear data of users (such as email addresses or names) is stored; only pseudonyms are stored. This means we and the providers of the online marketing procedures do not know the actual identity of the users, only the information stored in their profiles.

The statements in the profiles are generally stored in the cookies or using similar methods. These cookies can later generally also be read out on other websites that use the same online marketing method, analyzed for the purpose of displaying content, and supplemented with further data stored on the server of the online marketing provider.

Exceptionally, it is possible to assign clear data to the profiles, mainly when users are, for example, members of a social network whose online marketing method we use and the network links the user profiles with the aforementioned information. We ask you to note that users can make additional agreements with the providers, for example, by consenting during registration.

We generally only have access to aggregated information about the success of our ads. However, we can review, as part of so-called conversion measurements, which of our online marketing methods have led to a so-called conversion, i.e., for example, a contract conclusion with us. The conversion measurement is solely used to analyze the success of our marketing measures.

Unless otherwise stated, please assume that cookies used are stored for up to two years.

 

Notes on Legal Bases: If we ask users for consent to use third-party providers, the legal basis for data processing is the permission granted. Otherwise, users' data is processed based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

 

Notes on Revocation and Objection:

We refer to the privacy notices of the respective providers and the objection options provided for the providers (so-called "Opt-Out"). Unless an explicit opt-out option has been provided, there is the possibility that you can disable cookies in your browser settings. However, this may result in limited functionality of our online offering. We therefore additionally recommend the following opt-out options that are offered for specific regions:

a) Europe: youronlinechoices.eu.

b) Canada: youradchoices.ca/choices.

c) USA: aboutads.info/choices.

d) Cross-Region: optout.aboutads.info.

  • Types of Data Processed: Usage data (e.g., page visits and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

  • Affected Persons: Users (e.g., website visitors, users of online services).

  • Purposes of Processing: Reach measurement (e.g., access statistics, identification of returning visitors); Tracking (e.g., interest/behavior-based profiling, use of cookies); Target group formation; Marketing; Profiles with user-related information (Creating user profiles); Conversion measurement (Measuring the effectiveness of marketing measures).

  • Retention and Deletion: Deletion follows the details specified in the "General Information on Data Storage and Deletion" section. Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods can be stored on users' devices for a period of two years).

  • Security Measures: IP masking (Pseudonymization of IP address).

  • Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

 

Additional Notes on Processing Operations, Procedures, and Services:

  • Google Ads and Conversion Measurement: Online marketing method for placing content and ads within the service provider's ad network (e.g., in search results, in videos, on websites, etc.), displayed to users who supposedly have an interest in the ads. Furthermore, we measure the conversion of the ads, i.e., whether users interacted with the ads and utilized the promoted offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR), Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Third-country Transfer Basis: Data Privacy Framework (DPF); More Information: Types of processing and processed data: https://business.safety.google/adsservices/. Data Processing Terms between Controllers and Standard Contractual Clauses for Third-country Data Transfers: https://business.safety.google/adscontrollerterms.

  • Google Adsense with Personalised Ads: We integrate the Google Adsense service, which allows personalized ads to be placed within our online offering. Google Adsense analyzes user behavior and uses this data to display targeted advertising tailored to our visitors' interests. We receive financial compensation for each ad display or other uses of these ads; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Third-country Transfer Basis: Data Privacy Framework (DPF); More Information: Types of processing and processed data: https://business.safety.google/adsservices/. Data Processing Terms for Google Advertising Products: Information about the services Data Processing Terms between Controllers and Standard Contractual Clauses for Third-country Data Transfers: https://business.safety.google/adscontrollerterms.

  • Google Adsense with Non-personalised Ads: We use the Google Adsense service to place non-personalized ads in our online offering. These ads are not based on individual user behavior but are selected based on general characteristics, such as page content or approximate geographical location. We receive compensation for the display or other use of these ads; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Third-country Transfer Basis: Data Privacy Framework (DPF); More Information: Types of processing and processed data: https://business.safety.google/adsservices/. Data Processing Terms for Google Advertising Products: Information about the services Data Processing Terms between Controllers and Standard Contractual Clauses for Third-country Data Transfers: https://business.safety.google/adscontrollerterms.

 

Presence in Social Networks (Social Media)

We maintain online presences within social networks and process user data in this context to communicate with active users there or to offer information about us.

We point out that user data may be processed outside the European Union. As a result, users may face risks, for instance, that the enforcement of user rights could be complicated.

Furthermore, user data within social networks is typically processed for market research and advertising purposes. For example, usage profiles can be created based on user behavior and resulting interests. These profiles may be used to display ads inside and outside of the networks that presumably reflect users' interests. Therefore, cookies are generally stored on users' devices, in which user behavior and interests are saved. Additionally, data independent of the devices used by users can be stored in the usage profiles (especially if users are members of the respective platforms and logged in there).

For a detailed description of the respective processing forms and opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.

In the case of information requests and the assertion of data subject rights, we also point out that these are most effectively asserted with the providers. Only they have access to the user data and can take direct action and provide information. Should you still need assistance, you can contact us.

  • Types of Data Processed: Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or image messages and posts and information relating to them, such as authorship details or creation time); Usage data (e.g., page visits and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

  • Affected Persons: Users (e.g., website visitors, users of online services).

  • Purposes of Processing: Communication; Feedback (e.g., collecting feedback via online form); Public Relations; Provision of our online offering and user friendliness; IT Infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)).

  • Retention and Deletion: Deletion follows the details specified in the "General Information on Data Storage and Deletion" section.

  • Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

 

Additional Notes on Processing Operations, Procedures, and Services:

  • Instagram: Social network, enables sharing of photos and videos, commenting and favoriting posts, sending messages, subscribing to profiles and pages; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Third-country Transfer Basis: Data Privacy Framework (DPF).

  • LinkedIn: Social network - We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not further processing) of visitor data used to create “Page Insights” (statistics) for our LinkedIn profiles. This data includes information about the types of content users view or interact with, as well as actions they take. It also collects details about the devices used, such as IP addresses, operating systems, browser types, language settings, and cookie data, as well as information from user profiles like job function, country, industry, seniority, company size, and employment status. Privacy information on LinkedIn's processing of user data can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy. We have entered into a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum”, https://legal.linkedin.com/pages-joint-controller-addendum), which defines the security measures LinkedIn must adhere to and where LinkedIn has agreed to fulfill the rights of data subjects (i.e., users can submit requests for information or deletion directly to LinkedIn). The rights of users (especially the right of access, deletion, objection, and complaint to the competent supervisory authority) are not limited by the agreements with LinkedIn. The joint responsibility is limited to the collection and transmission of data to LinkedIn Ireland Unlimited Company, a company based in the EU. Further processing of the data is solely the responsibility of LinkedIn Ireland Unlimited Company, especially regarding the transmission of data to the parent company LinkedIn Corporation in the USA; Service Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Third-country Transfer Basis: Data Privacy Framework (DPF); Opt-Out Option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

  • Threads: Social network; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.threads.net. Privacy Policy: https://help.instagram.com/515230437301944.

  • X (Twitter): Social network; Service Provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://x.com. Privacy Policy: https://x.com/en/privacy.

 

Changes and Updates

We ask you to regularly inform yourself about the content of our privacy policy. We adjust the privacy policy as soon as changes in the data processing we conduct make this necessary. We will inform you as soon as changes require cooperation or action on your part (e.g., consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that these addresses may change over time, and we ask you to verify the information before contacting them.

Definition of Terms

This section provides an overview of the terms used in this privacy policy. Where terms are legally defined, their legal definitions apply. The following explanations are primarily intended to aid understanding.

  • Employees: Employees are individuals in an employment relationship, whether as staff, employees, or in similar positions. An employment relationship is a legal relationship between an employer and an employee established by an employment contract or agreement. It includes the employer's obligation to pay the employee a salary while the employee performs their work. The employment relationship encompasses various phases, including the establishment, when the employment contract is signed, execution, when the employee carries out their work duties, and termination, when the employment relationship ends, whether by termination, mutual agreement, or otherwise. Employee data includes all information related to these individuals in the context of their employment, such as personal identification data, identification numbers, salary and bank data, working hours, leave entitlements, health data, and performance evaluations.

  • Inventory Data: Inventory data encompasses essential information required for identifying and managing contract partners, user accounts, profiles, and similar assignments. These data may include personal and demographic details like names, contact information (addresses, phone numbers, email addresses), birthdates, and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between individuals and services, institutions, or systems by enabling unique assignment and communication.

  • Content Data: Content data encompasses information generated in the creation, editing, and publishing of all types of content. This category of data can include texts, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the actual content but also includes metadata that provides information about the content itself, such as tags, descriptions, author information, and publication dates.

  • Contact Data: Contact data are essential details that enable communication with individuals or organizations. They include telephone numbers, postal addresses, and email addresses, as well as communication handles for social media and instant messaging identifiers.

  • Conversion Measurement: Conversion measurement (also known as "visit action evaluation") is a procedure used to assess the effectiveness of marketing measures. Typically, a cookie is stored on users' devices within the websites where marketing measures take place, and then retrieved again on the target website. This allows us to determine whether the ads we placed on other websites were successful.

  • Meta, Communication, and Procedural Data: These categories contain information about how data is processed, transmitted, and managed. Meta-data, also known as data about data, includes information describing the context, origin, and structure of other data. They may contain details about file size, creation date, document author, and change histories. Communication data capture the exchange of information between users over various channels, such as email traffic, call logs, messages in social networks, and chat histories, including the involved persons, timestamps, and transmission paths. Procedural data describe the processes and workflows within systems or organizations, including workflow documentation, transaction logs, and activity logs used for tracking and verifying operations.

  • Usage Data: Usage data relates to information that captures how users interact with digital products, services, or platforms. These data encompass a range of information showing how users utilize applications, which features they prefer, how long they stay on specific pages and the paths they navigate through an application. Usage data can also include the frequency of use, timestamps of activities, IP addresses, device information, and location data. They are particularly valuable for analyzing user behavior, optimizing user experiences, customizing content, and improving products or services. Additionally, usage data play a crucial role in identifying trends, preferences, and potential issues within digital offerings.

  • Personal Data: "Personal data" are any information relating to an identified or identifiable natural person (hereinafter "affected person"). An identifiable person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

  • Profiles with User-Related Information: The processing of "profiles with user-related information," or simply "profiles," includes any type of automated processing of personal data that uses this personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information concerning demographics, behavior, and interests, such as interaction with websites and their content, etc.). Cookies and web beacons are often used for profiling purposes.

  • Log Data: Log data are information about events or activities that have been recorded in a system or network. This data typically includes information like timestamps, IP addresses, user actions, error messages, and other details regarding the use or operation of a system. Log data are often used to analyze system problems, perform security monitoring, or create performance reports.

  • Reach Measurement: Reach measurement (also known as web analytics) is used to evaluate visitor flows to an online offering and can include the behavior or interests of visitors in specific information, such as website content. With reach analysis, operators of online offerings can identify, for example, when users visit their websites and what content interests them. This allows them to better tailor the website content to the needs of their visitors. Pseudonymous cookies and web beacons are often used for reach analysis purposes to recognize returning visitors and obtain more precise analyses of online offering usage.

  • "Tracking" refers to the ability to trace user behavior across multiple online offerings. Typically, behavior and interest information about the used online offerings are stored in cookies or on servers of the providers of tracking technologies (so-called profiling). This information can then be used to display advertisements likely aligned with the users' interests.

  • "Controller" refers to the natural or legal person, authority, institution, or other body that alone or jointly with others determines the purposes and means of processing personal data.

  • "Processing" covers any operation or set of operations performed on personal data, with or without the help of automated processes. The term is broad and essentially covers any handling of data, whether collecting, analyzing, storing, transmitting, or deleting.

  • Contract Data: Contract data are specific pieces of information related to the formalization of an agreement between two or more parties. They document the terms under which services or products are provided, exchanged, or sold. This data category is essential for managing and fulfilling contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data can include start and end dates of the contract, the type of agreed services or products, pricing agreements, payment terms, termination rights, renewal options, and special conditions or clauses. They serve as the legal basis for the relationship between the parties and are crucial for clarifying rights and duties, enforcing claims, and resolving disputes.

  • Payment Data: Payment data include all information necessary for processing payment transactions between buyers and sellers. This data is crucial for e-commerce, online banking, and any other form of financial transaction, including details like credit card numbers, bank account details, payment amounts, transaction dates, verification numbers, and billing information. Payment data may also contain information about payment status, chargebacks, authorizations, and fees.

  • Target Audience Formation: Target audience formation (known as "Custom Audiences" in English) refers to determining target groups for advertising purposes, such as displaying advertisements. For instance, based on a user's interest in specific products or topics on the internet, it can be inferred that this user might be interested in advertisements for similar products or the online shop where they viewed the products. "Lookalike Audiences" refer to when content deemed suitable is shown to users whose profiles or interests presumably match those to whom the profiles were built. Cookies and web beacons are typically used for creating Custom Audiences and Lookalike Audiences.

 

Created with the free Privacy Generator from Dr. Thomas Schwenke
