Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").

The terms used are not gender-specific.

As of: May 4, 2026

Legal text by Dr. Schwenke.

Controller

Yachten Meltl GmbH
Chiemseestraße 65
83233 Bernau am Chiemsee, Germany

Authorized Representatives: Represented by Management: Klaus Pitter, Marko Zacherl, Johannes Kratz

Email address: mail@yachten-meltl.de

Telephone: +49(0)8051/96553-0

Imprint: https://www.yachten-meltl.de/impressum/

Overview of Processing Operations

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of Data Processed

  • Inventory data.
  • Employee data.
  • Payment data.
  • Location data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication, and procedural data.
  • Social data.
  • Event data (Facebook).
  • Log data.
  • Performance and behavioral data.
  • Working time data.
  • Salary data.

Categories of Data Subjects

  • Service recipients and clients.
  • Employees.
  • Prospects.
  • Communication partners.
  • Users.
  • Prize draw and competition participants.
  • Business and contractual partners.
  • Third parties.
  • Customers.

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Reach measurement.
  • Tracking.
  • Office and organizational procedures.
  • Remarketing.
  • Conversion measurement.
  • Audience building.
  • Organizational and administrative procedures.
  • Conducting prize draws and competitions.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Provision of our online offering and user-friendliness.
  • Establishment and execution of employment relationships.
  • Information technology infrastructure.
  • Financial and payment management.
  • Public relations.
  • Sales promotion.
  • Business processes and operational procedures.
  • Artificial Intelligence (AI).

Relevant Legal Bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases be relevant in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6(1)(c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
  • Processing of special categories of personal data in relation to health, employment, and social security (Art. 9(2)(h) GDPR) - Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains special provisions on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated individual decision-making, including profiling. Furthermore, state data protection laws of the individual federal states may apply.

Relevant legal bases under Swiss data protection law: If you are located in Switzerland, we process your data on the basis of the Federal Act on Data Protection (Swiss DPA). Unlike the GDPR, for example, Swiss DPA does not generally require that a legal basis for the processing of personal data be specified and that the processing of personal data is carried out in good faith, is lawful and proportionate (Art. 6(1) and (2) Swiss DPA). In addition, personal data is only collected by us for a specific purpose that is recognizable to the data subject and is only processed in a manner compatible with that purpose (Art. 6(3) Swiss DPA).

Note on applicability of GDPR and Swiss DPA: This privacy notice serves to provide information under both Swiss DPA and the General Data Protection Regulation (GDPR). For this reason, we ask you to note that due to the broader spatial application and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms used in Swiss DPA "processing" of "personal data", "overriding interest", and "particularly sensitive personal data", the terms used in the GDPR "processing" of "personal data", "legitimate interest", and "special categories of data" are used. However, the legal meaning of the terms will continue to be determined in accordance with Swiss DPA within the scope of its applicability.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access to, input of, disclosure of, ensuring availability of, and segregation of the data. Furthermore, we have established procedures to ensure the exercise of data subject rights, deletion of data, and responses to data compromise. In addition, we take the protection of personal data into account as early as the development or selection of hardware, software, and procedures in accordance with the principle of data protection through technology design and through data protection-friendly default settings.

IP address shortening: If IP addresses are processed by us or by the service providers and technologies used and the processing of a complete IP address is not necessary, the IP address is shortened (also referred to as "IP masking"). In this process, the last two digits or the last part of the IP address after a period is removed or replaced by placeholders. The shortening of the IP address is intended to prevent or significantly impede the identification of a person by their IP address.

Securing online connections through TLS/SSL encryption technology (HTTPS): To protect users' data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and encrypted.

Transmission of Personal Data

In the course of our processing of personal data, it may occur that this data is transmitted to other entities, companies, legally independent organizational units, or persons, or disclosed to them. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and in particular conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.

Data transmission within the corporate group: We may transmit personal data to other companies within our corporate group or grant them access to it. This data sharing is based on our legitimate business and operational interests. This includes, for example, the improvement of business processes, ensuring efficient and effective internal communication, optimal use of our human and technological resources, and the ability to make informed business decisions. In certain cases, data sharing may also be necessary to fulfill our contractual obligations, or it may be based on the consent of the data subjects or a legal authorization.

International Data Transfers

Data processing in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or the disclosure or transmission of data to other persons, entities, or companies (which becomes apparent from the postal address of the respective provider or if the privacy policy expressly refers to data transfer to third countries), this is always done in accordance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the EU Commission dated July 10, 2023. In addition, we have concluded standard contractual clauses with the respective providers that comply with the requirements of the EU Commission and establish contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: The DPF forms the primary level of protection, while the standard contractual clauses serve as additional security. Should changes occur within the framework of the DPF, the standard contractual clauses act as a reliable fallback option. This ensures that your data remains adequately protected even in the event of any political or legal changes.

For individual service providers, we inform you whether they are certified under the DPF and whether standard contractual clauses are in place. Further information on the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, corresponding security measures apply, in particular standard contractual clauses, explicit consent, or legally required transfers. Information on third country transfers and applicable adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

Disclosure of personal data abroad: In accordance with Swiss DPA, we only disclose personal data abroad if adequate protection of the data subjects is ensured (Art. 16 Swiss DPA). If the Federal Council has not determined adequate protection (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we take alternative security measures.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of Switzerland dated September 15, 2024. In addition, we have concluded standard data protection clauses with the respective providers that have been approved by the Federal Data Protection and Information Commissioner (FDPIC) and establish contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: The DPF forms the primary level of protection, while the standard data protection clauses serve as additional security. Should changes occur within the framework of the DPF, the standard data protection clauses act as a reliable fallback option. This ensures that your data remains adequately protected even in the event of any political or legal changes.

For individual service providers, we inform you whether they are certified under the DPF and whether standard data protection clauses are in place. The list of certified companies and further information on the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, corresponding security measures apply, including international treaties, specific guarantees, standard data protection clauses approved by the FDPIC, or binding corporate rules previously recognized by the FDPIC or a competent data protection authority of another country.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal provisions as soon as the underlying consent is revoked or there are no further legal bases for processing. This applies to cases in which the original processing purpose no longer applies or the data is no longer required. Exceptions to this rule exist when legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that applies specifically to certain processing operations.

If multiple retention periods or deletion deadlines are specified for a piece of data, the longest period always applies. Data that is no longer retained for its originally intended purpose, but rather due to legal requirements or other reasons, is processed exclusively for the reasons that justify its retention.

Retention and deletion of data: The following general periods apply to retention and archiving under German law:

  • 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and the work instructions and other organizational documents required for their understanding (§ 147(1) No. 1 in conjunction with (3) AO, § 14b(1) UStG, § 257(1) No. 1 in conjunction with (4) HGB).
  • 8 years - Accounting documents, such as invoices and cost documents (§ 147(1) Nos. 4 and 4a in conjunction with (3) sentence 1 AO and § 257(1) No. 4 in conjunction with (4) HGB).
  • 6 years - Other business documents: received commercial or business letters, reproductions of sent commercial or business letters, other documents insofar as they are relevant for taxation, e.g., hourly wage slips, operating accounting sheets, calculation documents, price markings, but also payroll accounting documents insofar as they are not already accounting documents and cash register receipts (§ 147(1) Nos. 2, 3, 5 in conjunction with (3) AO, § 257(1) Nos. 2 and 3 in conjunction with (4) HGB).
  • 3 years - Data required to consider potential warranty and compensation claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experience and customary industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Retention and deletion of data: The following general periods apply to retention and archiving under Swiss law:

  • 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting documents and invoices, as well as all necessary work instructions and other organizational documents (Art. 958f of the Swiss Code of Obligations (OR)).
  • 10 years - Data necessary to consider potential compensation claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experience and customary industry practices, are stored for the period of the statutory limitation period of ten years, unless a shorter period of five years is applicable, which is relevant in certain cases (Art. 127, 130 OR). Claims for rent, lease and capital interest, and other periodic payments, from the supply of foodstuffs, for board and lodging and for debts to innkeepers, as well as from craftwork, retail sale of goods, medical care, professional work of lawyers, legal agents, proctors and notaries, and from the employment relationship of employees become time-barred after five years (Art. 128 OR).

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject under the GDPR, you have various rights, which arise in particular from Art. 15 to 21 GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw consent at any time.
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: In accordance with legal requirements, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.
  • Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be erased without delay, or alternatively, in accordance with legal requirements, to request restriction of the processing of the data.
  • Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format in accordance with legal requirements, or to request its transmission to another controller.
  • Complaint to supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you habitually reside, the supervisory authority of your place of work, or the place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR.

Rights of data subjects under Swiss DPA:

As a data subject, you have the following rights in accordance with the provisions of Swiss DPA:

  • Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed and to receive the information necessary for you to assert your rights under this Act and to ensure transparent data processing.
  • Right to data disclosure or transfer: You have the right to request the disclosure of your personal data that you have provided to us in a common electronic format.
  • Right to rectification: You have the right to request the rectification of inaccurate personal data concerning you.
  • Right to object, erasure, and destruction: You have the right to object to the processing of your data and to request that personal data concerning you be erased or destroyed.

Business Services

We process personal data of our contractual and business partners, such as customers, clients, prospects, suppliers, and other cooperation partners (collectively "contractual partners"), for the initiation, execution, and settlement of contractual relationships and comparable legal relationships. This also includes pre-contractual measures carried out upon request, as well as communication in connection with the respective contractual relationship.

The processing serves in particular to fulfill our contractual main and ancillary obligations. This includes the provision of agreed services, any update and information obligations, the handling of warranty and other performance disruptions, the processing of withdrawals, terminations of continuing obligations, reversals, refunds, and the handling of other contract-related declarations and inquiries. This covers both one-time contracts and ongoing contractual relationships.

In particular, master data such as name, address, and, if applicable, company name, contact data such as email address and telephone number, contract and service data such as contract object, contract duration, order or transaction number, usage and service data, payment and billing data, as well as communication content and histories are processed. If necessary, we also process data that is disclosed or transmitted to us in the course of executing an order.

In addition, we process the data to protect our rights and to fulfill legal obligations. This includes in particular commercial and tax law retention obligations, documentation obligations, and, if applicable, proof and accountability obligations. Furthermore, processing is carried out on the basis of our legitimate interests in proper business management, internal administration, risk management, and IT security, as well as in protecting our business operations and our contractual partners from misuse, endangerment of data, secrets, and other legal interests. This may also include the involvement of external service providers such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax and legal advisors, or other agents, insofar as this is necessary for contract execution or to fulfill legal obligations.

Personal data is only disclosed to third parties if this is necessary for contract fulfillment, for carrying out pre-contractual measures, for protecting legitimate interests, or for fulfilling legal obligations. We provide separate information about further processing, in particular for marketing purposes, within this privacy policy.

We inform contractual partners which data is required in individual cases during data collection, for example in online forms through appropriate labeling or in personal contact.

Data is deleted as soon as it is no longer required for the aforementioned purposes and there are no legal retention obligations to the contrary. Legal retention periods, in particular under commercial and tax law, may require longer storage. Data transmitted in the context of a specific order is deleted after completion of the order and expiry of any retention periods, unless there are further legal or contractual obligations to store it.

The legal basis for processing is Art. 6(1)(b) GDPR for carrying out pre-contractual measures and for fulfilling the respective contractual relationship, as well as Art. 6(1)(c) GDPR for fulfilling legal obligations. Insofar as the processing is based on legitimate interests, it is carried out on the basis of Art. 6(1)(f) GDPR. Insofar as the processing is based on Art. 6(1)(f) GDPR, it is carried out to protect our legitimate interests in proper and efficient business organization, internal administration and documentation of business transactions, enforcement and defense of legal claims, ensuring IT and data security, prevention of misuse and fraud, as well as economic management and further development of our business operations. These interests exist in particular in ensuring secure and legally compliant business operations and in safeguarding our entrepreneurial capacity to act.

  • Types of data processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or telephone numbers); Contract data (e.g., contract object, duration, customer category); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, persons involved).
  • Data subjects: Service recipients and clients; Prospects; Business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; Security measures; Communication; Office and organizational procedures; Organizational and administrative procedures; Business processes and operational procedures.
  • Retention and deletion: Deletion in accordance with information in the section "General Information on Data Storage and Deletion".
  • Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • Online shop, order forms, e-commerce, and service fulfillment: We process the data of our customers to enable them to select, purchase, or order the selected products, goods, and related services, as well as their payment and provision, or delivery, or execution. If necessary for the execution of an order, we use service providers, in particular postal, freight forwarding, and shipping companies, to carry out the delivery or execution to our customers. For the processing of payment transactions, we use the services of banks and payment service providers. The required information is identified as such in the context of the order or comparable acquisition process and includes the information required for delivery or provision and billing, as well as contact information to enable any consultation; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
  • Rental services: We process the data of our tenants and prospective tenants in accordance with the underlying rental agreement. We may also process information about the characteristics and circumstances of persons or property belonging to them if this is necessary in the context of the rental relationship. This may include, for example, information about personal living circumstances, mobile or immobile property, and financial situation, as well as the use of ancillary services (such as water or energy supply). In the course of our engagement, it may be necessary for us to process special categories of data within the meaning of Art. 9(1) GDPR, in particular information about a person's health. The processing is carried out to protect the health interests of the tenants and otherwise only with the consent of the tenants.

    If necessary for contract fulfillment or legally required or authorized by the tenants or based on our legitimate interests, we disclose or transmit the data of tenants in the context of coverage inquiries, conclusions and settlements of contracts, e.g., to financial service providers, credit institutions, suppliers (e.g., electricity), or authorities.

    Furthermore, we process data of tenants if this is necessary to fulfill legal obligations (e.g., information obligations in connection with ancillary services and ancillary costs); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Business Processes and Procedures

Personal data of service recipients and clients—including customers, clients, or in special cases mandators, patients, or business partners as well as other third parties—are processed within the framework of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business processes in areas such as customer management, sales, payment transactions, accounting, and project management.

The collected data serves to fulfill contractual obligations and to design operational processes efficiently. This includes the processing of business transactions, the management of customer relationships, the optimization of sales strategies, and the assurance of internal accounting and financial processes. Additionally, the data supports the protection of the controller's rights and promotes administrative tasks as well as the organization of the company.

Personal data may be disclosed to third parties if this is necessary to fulfill the stated purposes or legal obligations. After the expiry of statutory retention periods or when the purpose of processing no longer applies, the data will be deleted. This also includes data that must be stored longer due to tax and legal documentation requirements.

  • Processed data types: Master data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., text or image messages and posts as well as information concerning them, such as details on authorship or time of creation); contract data (e.g., subject matter of the contract, duration, customer category); usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); log data (e.g., log files regarding logins or the retrieval of data or access times); employee data (information on employees and other persons in an employment relationship).
  • Data subjects: Service recipients and clients; interested parties; communication partners; business and contractual partners; third parties; users (e.g., website visitors, users of online services); employees (e.g., staff, applicants, temporary workers, and other employees); customers.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; business processes and commercial procedures; communication; marketing; sales promotion; public relations; financial and payment management; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
  • Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
  • Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR); Legitimate interests (Art. 6 (1) (f) GDPR); Legal obligation (Art. 6 (1) (c) GDPR).

Further information on processing operations, procedures, and services:

  • Customer management and Customer Relationship Management (CRM): Procedures required within the scope of customer management and customer relationship management (CRM) (e.g., customer acquisition in compliance with data protection requirements, measures to promote customer retention and loyalty, effective customer communication, complaint management and customer service considering data protection, data management and analysis to support the customer relationship, administration of CRM systems, secure account management, customer segmentation, and target group formation); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
  • Contact management and maintenance: Procedures required within the scope of organizing, maintaining, and securing contact information (e.g., setting up and maintaining a central contact database, regular updates of contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, performing backups and restorations of contact data, training employees in the effective use of contact management software, regular review of communication history, and adjustment of contact strategies); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
  • General payment transactions: Procedures required for the execution of payment transactions, monitoring of bank accounts, and control of payment flows (e.g., creation and verification of transfers, processing of direct debit transactions, monitoring of bank statements, monitoring of incoming and outgoing payments, chargeback management, account reconciliation, cash management); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
  • Accounting, accounts payable, accounts receivable: Procedures required for the recording, processing, and control of business transactions in the area of accounts payable and accounts receivable (e.g., creation and verification of incoming and outgoing invoices, monitoring and management of open items, execution of payment transactions, processing of dunning procedures, account reconciliation within the scope of receivables and payables, accounts payable and accounts receivable); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR), Legal obligation (Art. 6 (1) (c) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
  • Financial accounting and taxes: Procedures required for the recording, management, and control of financially relevant business transactions as well as for the calculation, reporting, and payment of taxes (e.g., account assignment and posting of business transactions, preparation of quarterly and annual financial statements, execution of payment transactions, processing of dunning procedures, account reconciliation, tax consulting, preparation and submission of tax returns, processing of tax matters); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR), Legal obligation (Art. 6 (1) (c) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
  • Sales: Procedures required for the planning, execution, and control of measures for marketing and selling products or services (e.g., customer acquisition, preparation and follow-up of offers, order processing, customer advice and support, sales promotion, product training, sales controlling and analysis, management of sales channels); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
  • Marketing, advertising, and sales promotion: Procedures required within the scope of marketing, advertising, and sales promotion (e.g., market analysis and target group determination, development of marketing strategies, planning and execution of advertising campaigns, design and production of advertising materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programs, sales promotion measures, performance measurement and optimization of marketing activities, budget management, and cost control); Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Economic analyses and market research: To fulfill business purposes and to identify market trends, wishes of contractual partners and users, the available data on business transactions, contracts, inquiries, etc., are analyzed. The group of data subjects may include contractual partners, interested parties, customers, visitors, and users of the controller's online offer. The analyses serve the purposes of business evaluations, marketing, and market research (e.g., to determine customer groups with different characteristics). In this process, profiles of registered users, including their information on services used, are taken into account, if available. The analyses serve the controller exclusively and are not disclosed externally, unless they are anonymous analyses with aggregated, i.e., anonymized values. Furthermore, the privacy of users is respected; the data is processed as pseudonymously as possible for analysis purposes and, if feasible, anonymized (e.g., as aggregated data); Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Public relations: Procedures required within the scope of public relations (e.g., development and implementation of communication strategies, planning and execution of PR campaigns, creation and distribution of press releases, maintenance of media contacts, monitoring and analysis of media response, organization of press conferences and public events, crisis communication, creation of content for social media and corporate websites, management of corporate branding); Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Use of online platforms for offering and sales purposes

We offer our services on online platforms operated by other service providers. In this context, the privacy policies of the respective platforms apply in addition to our privacy policy. This applies in particular with regard to the execution of the payment process and the procedures used on the platforms for reach measurement and interest-based marketing.

  • Processed data types: Master data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or telephone numbers); contract data (e.g., subject matter of the contract, term, customer category); usage data (e.g., page views and duration of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Service recipients and clients. Business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; marketing. Business processes and commercial procedures.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
  • Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Providers and services used in the course of business activities

In the course of our business activities, we use additional services, platforms, interfaces, or plug-ins from third-party providers (collectively "services") in compliance with legal requirements. Their use is based on our interests in the proper, lawful, and economic management of our business operations and our internal organization.

  • Processed data types: Master data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or visual messages and posts as well as information concerning them, such as authorship details or time of creation). Contract data (e.g., subject matter of the contract, term, customer category).
  • Data subjects: Service recipients and clients; interested parties. Business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures. Business processes and commercial procedures.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Provision of the online offer and web hosting

We process user data in order to be able to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or terminal device.

  • Processed data types: Usage data (e.g., page views and duration of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved); log data (e.g., log files concerning logins or the retrieval of data or access times). Content data (e.g., textual or visual messages and posts as well as information concerning them, such as authorship details or time of creation).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Provision of our online offer and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)). Security measures.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing operations, procedures, and services:

  • Provision of online offer on rented storage space: For the provision of our online offer, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also called "web hoster"); Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Collection of access data and log files: Access to our online offer is logged in the form of so-called "server log files". The server log files may include the address and name of the retrieved websites and files, date and time of retrieval, amount of data transferred, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. The server log files can be used for security purposes, e.g., to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure the utilization of the servers and their stability; Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR). Deletion of data: Log file information is stored for a maximum duration of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is excluded from deletion until final clarification of the respective incident.
  • Email dispatch and hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, the addresses of the recipients and senders as well as further information regarding the email dispatch (e.g., the providers involved) and the contents of the respective emails are processed. The aforementioned data may also be processed for the purpose of detecting SPAM. We ask you to note that emails on the internet are generally not sent encrypted. As a rule, emails are encrypted during transport, but (unless a so-called end-to-end encryption method is used) not on the servers from which they are sent and received. We can therefore assume no responsibility for the transmission path of the emails between the sender and the receipt on our server; Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).
  • STRATO: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: STRATO AG, Pascalstraße 10, 10587 Berlin, Germany; Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.strato.de; Privacy policy: https://www.strato.de/datenschutz/. Data processing agreement: Provided by the service provider.
  • WordPress.com: Hosting and software for the creation, provision, and operation of websites, blogs, and other online offers; Service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://wordpress.com; Privacy policy: https://automattic.com/de/privacy/; Data processing agreement: https://wordpress.com/support/data-processing-agreements/. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses (provided by the service provider), Switzerland - Data Privacy Framework (DPF), Standard Contractual Clauses (provided by the service provider).

Use of cookies

The term "cookies" refers to functions that store information on users' terminal devices and read information from them. Cookies can also be used for various purposes, such as the functionality, security, and convenience of online offers, as well as the creation of analyses of visitor flows. We use cookies in accordance with legal regulations. For this purpose, we obtain the users' prior consent if necessary. If consent is not required, we rely on our legitimate interests. This applies if the storage and reading of information is essential to provide explicitly requested content and functions. This includes, for example, the storage of settings and ensuring the functionality and security of our online offer. Consent can be revoked at any time. We provide clear information about their scope and which cookies are used.

Information on data protection legal bases: Whether we process personal data using cookies depends on consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.

Storage duration: With regard to the storage duration, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their terminal device (e.g., browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the terminal device is closed. For example, the login status can be saved and preferred content can be displayed directly when the user visits a website again. Likewise, user data collected with the help of cookies can be used for reach measurement. Unless we provide users with explicit information on the type and storage duration of cookies (e.g., when obtaining consent), they should assume that these are permanent and the storage duration can be up to two years.

General information on revocation and objection (opt-out): Users can revoke their consent at any time and also declare an objection to the processing in accordance with legal requirements, including by means of the privacy settings of their browser.

  • Processed data types: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR). Consent (Art. 6 (1) (a) GDPR).

Further information on processing operations, procedures, and services:

  • Processing of cookie data based on consent: We use a consent management solution in which the users' consent to the use of cookies or to the procedures and providers mentioned in the consent management solution is obtained. This procedure serves to obtain, log, manage, and revoke consents, in particular regarding the use of cookies and similar technologies used to store, read, and process information on users' terminal devices. Within the scope of this procedure, users' consents for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management procedure, are obtained. Users also have the option to manage and revoke their consents. The declarations of consent are stored in order to avoid a new query and to be able to provide proof of consent in accordance with legal requirements. Storage takes place on the server side and/or in a cookie (so-called opt-in cookie) or by means of similar technologies to be able to assign the consent to a specific user or their device. Unless specific information on the providers of consent management services is available, the following general information applies: The duration of storage of the consent is up to two years. In this process, a pseudonymous user identifier is created, which is stored together with the time of consent, information on the scope of consent (e.g., relevant categories of cookies and/or service providers), and information about the browser, the system, and the terminal device used; Legal bases: Consent (Art. 6 (1) (a) GDPR).

Blogs and publication media

We use blogs or similar means of online communication and publication (hereinafter "publication medium"). The readers' data is processed for the purposes of the publication medium only to the extent necessary for its presentation and communication between authors and readers or for security reasons. Otherwise, we refer to the information on the processing of visitors to our publication medium within the scope of this privacy policy.

  • Processed data types: Master data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or visual messages and posts as well as information concerning them, such as authorship details or time of creation); usage data (e.g., page views and duration of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Feedback (e.g., collecting feedback via online form); provision of our online offer and user-friendliness. Security measures.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Contact and inquiry management

When contacting us (e.g., by post, contact form, email, telephone, or via social media) as well as within the scope of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to answer the contact inquiries and any requested measures.

  • Processed data types: Contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or visual messages and posts as well as information concerning them, such as authorship details or time of creation). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Communication partners.
  • Purposes of processing and legitimate interests: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online form). Provision of our online offer and user-friendliness.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR). Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR).

Further information on processing operations, procedures, and services:

  • Contact form: When contacting us via our contact form, by email, or other communication channels, we process the personal data transmitted to us to answer and process the respective request. This usually includes information such as name, contact information, and, if applicable, further information provided to us and necessary for appropriate processing. We use this data exclusively for the stated purpose of contacting and communicating; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).

Artificial Intelligence (AI)

We use Artificial Intelligence (AI), whereby personal data is processed. The specific purposes and our interest in using AI are mentioned below. By AI, we mean, in accordance with the term "AI system" pursuant to Article 3 No. 1 of the AI Act, a machine-based system designed to operate with varying levels of autonomy, which may be adaptable after deployment and which, for explicit or implicit objectives, infers from the input it receives how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.

Our AI systems are used in strict compliance with legal requirements. These include both specific regulations for Artificial Intelligence and data protection requirements. In doing so, we particularly adhere to the principles of lawfulness, transparency, fairness, human oversight, purpose limitation, data minimization, and integrity as well as confidentiality. We ensure that the processing of personal data always takes place on a legal basis. This can be either the consent of the data subjects or a legal permission.

When using external AI systems, we carefully select their providers (hereinafter "AI providers"). In accordance with our legal obligations, we ensure that the AI providers comply with the applicable regulations. Likewise, we observe the obligations incumbent upon us when using or operating the AI services obtained. The processing of personal data by us and the AI providers takes place exclusively on the basis of consent or legal authorization. In doing so, we attach particular importance to transparency, fairness, and the preservation of human control over AI-supported decision-making processes.

To protect the processed data, we implement appropriate and robust technical and organizational measures. These ensure the integrity and confidentiality of the processed data and minimize potential risks. Through regular reviews of the AI providers and their services, we ensure ongoing compliance with current legal and ethical standards.

  • Processed data types: Content data (e.g., textual or visual messages and posts as well as information concerning them, such as authorship details or time of creation). Usage data (e.g., page views and duration of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions).
  • Data subjects: Users (e.g., website visitors, users of online services). Third parties.
  • Purposes of processing and legitimate interests: Artificial Intelligence (AI).
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Cloud services

We use software services accessible via the internet and executed on the servers of their providers (so-called "cloud services", also referred to as "Software as a Service") for the storage and management of content (e.g., document storage and management, exchange of documents, content, and information with specific recipients, or publication of content and information).

In this context, personal data may be processed and stored on the providers' servers, provided that it is part of communication processes with us or is otherwise processed by us as set out in this privacy policy. This data may include, in particular, master data and contact data of users, data on transactions, contracts, other processes, and their contents. The providers of the cloud services also process usage data and metadata used by them for security purposes and for service optimization.

If we provide forms or other documents and content for other users or publicly accessible websites with the help of cloud services, the providers may store cookies on the users' devices for web analysis purposes or to remember user settings (e.g., in the case of media control).

  • Processed data types: Master data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or visual messages and posts as well as information concerning them, such as authorship details or time of creation). Usage data (e.g., page views and duration of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions).
  • Data subjects: Interested parties; communication partners. Business and contractual partners.
  • Purposes of processing and legitimate interests: Office and organizational procedures. Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Newsletters and electronic notifications

We send newsletters, emails, and other electronic notifications (hereinafter "newsletters") only with the consent of the recipients or on a legal basis. Insofar as the contents of a newsletter are specified during registration, these contents are decisive for the user's consent. To register for our newsletter, providing your email address is usually sufficient. However, to offer you a personalized service, we may ask for your name for a personal address in the newsletter or for further information if necessary for the purpose of the newsletter.

Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, in order to be able to prove previously given consent. The processing of this data is limited to the purpose of a potential defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist.

The logging of the registration process is based on our legitimate interests for the purpose of proving its proper execution. Insofar as we commission a service provider to send emails, this is based on our legitimate interests in an efficient and secure delivery system.

Contents: Information about us, our services, promotions, and offers.

  • Types of data processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved). Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
  • Data subjects: Communication partners.
  • Purposes of processing and legitimate interests: Direct marketing (e.g., by email or post). Reach measurement (e.g., access statistics, recognition of returning visitors).
  • Legal basis: Consent (Art. 6 (1) (a) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).
  • Right of objection (opt-out): You can cancel the receipt of our newsletter at any time, i.e., revoke your consent or object to further receipt. You will find a link to cancel the newsletter either at the end of each newsletter or you can use one of the contact options specified above, preferably email, for this purpose.

Further information on processing operations, procedures, and services:

  • Measurement of opening and click rates: The newsletters contain a so-called "web beacon", i.e., a pixel-sized file that is retrieved from our server or, if we use a delivery service provider, from that provider's server when the newsletter is opened. Within the scope of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of retrieval, is initially collected. This information is used for the technical improvement of our newsletter based on technical data or target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether and when the newsletters are opened and which links are clicked. The information collected is assigned to individual newsletter recipients and stored in their profiles until deletion. Based on this, user profiles are created in which usage behavior and user characteristics are stored. The measurement of opening and click rates as well as the storage of measurement results in the users' profiles and their further processing are based on the users' consent. A separate revocation of the performance measurement is unfortunately not possible; in this case, the entire newsletter subscription must be cancelled or objected to. In that case, the stored profile information will be deleted; Legal basis: Consent (Art. 6 (1) (a) GDPR).
  • Brevo: Email delivery and automation services; Service provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.brevo.com/; Privacy policy: https://www.brevo.com/legal/privacypolicy/. Data processing agreement: Provided by the service provider.

Promotional communication via email, post, fax, or telephone

We process personal data for the purposes of promotional communication, which can take place via various channels, such as email, telephone, post, or fax, in accordance with legal requirements.

Recipients have the right to revoke granted consent at any time or to object to promotional communication at any time free of charge via the contact options mentioned above.

After revocation or objection, we store the data required to prove the previous authorization for contact or delivery for up to three years after the end of the year of revocation or objection based on our legitimate interests. The processing of this data is limited to the purpose of a possible defense against claims. Based on the legitimate interest in permanently observing the revocation or objection of users, we also store the data required to avoid renewed contact (e.g., depending on the communication channel, the email address, telephone number, name).

  • Types of data processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers). Content data (e.g., text or image messages and posts as well as information concerning them, such as authorship details or time of creation).
  • Data subjects: Communication partners.
  • Purposes of processing and legitimate interests: Direct marketing (e.g., by email or post); marketing. Sales promotion.
  • Retention and deletion: Deletion according to the information in the section "General information on data storage and deletion".
  • Legal basis: Consent (Art. 6 (1) (a) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Sweepstakes and competitions

We process personal data of participants in sweepstakes and competitions only in compliance with the relevant data protection regulations, insofar as the processing is contractually necessary for the provision, execution, and handling of the sweepstakes, the participants have consented to the processing, or the processing serves our legitimate interests (e.g., in the security of the sweepstakes or the protection of our interests against abuse by potentially recording IP addresses when submitting sweepstakes entries).

If participants' entries are published as part of the sweepstakes (e.g., as part of a vote or presentation of the sweepstakes entries or the winners or reporting on the sweepstakes), we point out that the names of the participants may also be published in this context. Participants can object to this at any time.

If the sweepstakes takes place within an online platform or a social network (e.g., Facebook or Instagram, hereinafter referred to as "online platform"), the terms of use and data protection regulations of the respective platforms also apply. In these cases, we point out that we are responsible for the information provided by participants as part of the sweepstakes and that inquiries regarding the sweepstakes should be directed to us.

Participants' data will be deleted as soon as the sweepstakes or competition has ended and the data is no longer required to inform the winners or because inquiries about the sweepstakes are no longer to be expected. In principle, participants' data will be deleted no later than 6 months after the end of the sweepstakes. Winners' data may be retained longer, e.g., to answer inquiries about the prizes or to fulfill the prize services; in this case, the retention period depends on the type of prize and is, for example, up to three years for goods or services, e.g., to process warranty cases. Furthermore, participants' data may be stored longer, e.g., in the form of reporting on the sweepstakes in online and offline media.

If data was also collected for other purposes as part of the sweepstakes, its processing and retention period are based on the privacy policy for that use (e.g., in the case of registration for the newsletter as part of a sweepstakes).

  • Types of data processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers). Content data (e.g., text or image messages and posts as well as information concerning them, such as authorship details or time of creation).
  • Data subjects: Sweepstakes and competition participants.
  • Purposes of processing and legitimate interests: Execution of sweepstakes and competitions.
  • Retention and deletion: Deletion according to the information in the section "General information on data storage and deletion".
  • Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 (1) (b) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Web analysis, monitoring, and optimization

Web analysis (also referred to as "reach measurement") serves to evaluate the visitor flows of our online offer and can include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognize at what time our online offer or its functions or content are used most frequently, or invite users to reuse them. It also allows us to understand which areas require optimization.

In addition to web analysis, we can also use testing procedures to test and optimize different versions of our online offer or its components, for example.

Unless otherwise stated below, profiles, i.e., data summarized for a usage process, can be created for these purposes and information can be stored in a browser or on an end device and then read out. The information collected includes, in particular, websites visited and elements used there, as well as technical information, such as the browser used, the computer system used, and information on usage times. If users have agreed to the collection of their location data by us or by the providers of the services we use, the processing of location data is also possible.

Furthermore, the IP addresses of users are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear data of users (such as email addresses or names) is stored as part of web analysis, A/B testing, and optimization, but rather pseudonyms. This means that both we and the providers of the software used do not know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Reach measurement (e.g., access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles). Provision of our online offer and user-friendliness.
  • Retention and deletion: Deletion according to the information in the section "General information on data storage and deletion". Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods can be stored on users' devices for a period of two years).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: Consent (Art. 6 (1) (a) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing operations, procedures, and services:

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online offer based on a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It serves to assign analysis information to an end device in order to recognize which content users have accessed within one or different usage processes, which search terms they have used, whether they have accessed it again, or interacted with our online offer. Likewise, the time of use and its duration are stored, as well as the sources of users who refer to our online offer and technical aspects of their end devices and browsers.
    In the process, pseudonymous profiles of users are created with information from the use of different devices, whereby cookies can be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides coarse geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is used exclusively for this derivation of geolocation data before it is immediately deleted. It is not logged, is not accessible, and is not used for further purposes. When Google Analytics collects measurement data, all IP lookups are performed on EU-based servers before traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 (1) (a) GDPR); Website: https://marketingplatform.google.com/intl/en/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms), Switzerland - Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Right of objection (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, settings for the display of advertisements: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and data processed).
  • Google Tag Manager: We use Google Tag Manager, a software from Google that allows us to manage so-called website tags centrally via a user interface. Tags are small code elements on our website that serve to record and analyze visitor activities. This technology helps us to improve our website and the content offered on it. Google Tag Manager itself does not create user profiles, does not store cookies with user profiles, and does not perform independent analyses. Its function is limited to simplifying and making the integration and management of tools and services that we use on our website more efficient. Nevertheless, when using Google Tag Manager, the IP address of users is transmitted to Google, which is technically necessary to implement the services we use. Cookies may also be set in the process. However, this data processing only takes place if services are integrated via the Tag Manager. For more detailed information on these services and their data processing, we refer to the subsequent sections of this privacy policy; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 (1) (a) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms), Switzerland - Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms).

Online marketing

We process personal data for the purpose of online marketing, which may include, in particular, the marketing of advertising space or the presentation of promotional and other content (collectively referred to as "content") based on potential user interests, as well as measuring their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (the so-called "cookie") or similar procedures are used, by means of which the information relevant to the presentation of the aforementioned content about the user is stored. This can include, for example, content viewed, websites visited, online networks used, but also communication partners and technical information, such as the browser used, the computer system used, and information on usage times and functions used. If users have consented to the collection of their location data, this can also be processed.

In addition, the IP addresses of users are stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) for user protection. In general, no clear data of users (such as email addresses or names) is stored as part of the online marketing process, but rather pseudonyms. This means that both we and the providers of the online marketing processes do not know the actual user identity, but only the information stored in their profiles.

The statements in the profiles are usually stored in cookies or by means of similar procedures. These cookies can generally also be read out later on other websites that use the same online marketing process and analyzed for the purpose of presenting content, as well as supplemented with further data and stored on the server of the online marketing process provider.

Exceptionally, it is possible to assign clear data to the profiles, primarily if the users are, for example, members of a social network whose online marketing process we use and the network connects the user profiles with the aforementioned information. We ask you to note that users can make additional agreements with the providers, for example, by giving consent as part of the registration.

In principle, we only receive access to summarized information about the success of our advertisements. However, as part of so-called conversion measurements, we can check which of our online marketing processes have led to a so-called conversion, i.e., for example, to a contract conclusion with us. Conversion measurement is used solely for the success analysis of our marketing measures.

Unless otherwise stated, we ask you to assume that cookies used will be stored for a period of two years.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is permission. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

Notes on revocation and objection:

We refer to the privacy policies of the respective providers and the objection options (so-called "opt-out") specified for the providers. If no explicit opt-out option has been specified, there is the possibility, on the one hand, that you switch off cookies in the settings of your browser. However, this may restrict functions of our online offer. We therefore additionally recommend the following opt-out options, which are offered collectively for respective areas:

a) Europe: https://www.youronlinechoices.eu.

b) Canada: https://youradchoices.ca/.

c) USA: https://optout.aboutads.info/.

d) Cross-regional: https://optout.aboutads.info.

  • Types of data processed: Content data (e.g., text or image messages and posts as well as information concerning them, such as authorship details or time of creation); usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved). Event data (Facebook) ("Event data" is information that is sent to the provider Meta, for example via Meta Pixel (whether via apps or other channels), and relates to persons or their actions. This data includes, for example, details of website visits, interactions with content and functions, app installations, and product purchases. Event data is processed with the aim of creating target groups for content and advertising messages (Custom Audiences). It is important to note that event data does not include actual content such as comments written, no login information, and no contact information such as names, email addresses, or telephone numbers. "Event data" is deleted by Meta after a maximum of two years, and the target groups formed from it disappear with the deletion of our Meta user accounts).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Reach measurement (e.g., access statistics, recognition of returning visitors); tracking (e.g., interest/behavior-based profiling, use of cookies); conversion measurement (measuring the effectiveness of marketing measures); target group formation; marketing; profiles with user-related information (creation of user profiles); provision of our online offer and user-friendliness. Remarketing.
  • Retention and deletion: Deletion according to the information in the section "General information on data storage and deletion". Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods can be stored on users' devices for a period of two years).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: Consent (Art. 6 (1) (a) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing operations, procedures, and services:

  • Meta Pixel and target group formation (Custom Audiences): With the help of the Meta Pixel (or comparable functions for transmitting event data or contact information via interfaces in apps), it is possible for the company Meta, on the one hand, to determine the visitors to our online offer as a target group for the display of advertisements (so-called "Meta Ads"). Accordingly, we use the Meta Pixel to display the Meta Ads placed by us only to those users on Meta platforms and within the services of partners cooperating with Meta (so-called "Audience Network" https://www.facebook.com/audiencenetwork/) who have also shown an interest in our online offer or who exhibit certain characteristics (e.g., interest in certain topics or products that become apparent based on the websites visited) that we transmit to Meta (so-called "Custom Audiences"). With the help of the Meta Pixel, we also want to ensure that our Meta Ads correspond to the potential interest of users and do not appear annoying. With the help of the Meta Pixel, we can also track the effectiveness of Meta Ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Meta Ad (so-called "conversion measurement"); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6 (1) (a) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum), Switzerland - Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum); Further information: Event data of users, i.e., behavior and interest information, are processed for the purposes of targeted advertising and target group formation on the basis of the agreement on joint responsibility ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection by and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transmission of data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Facebook Advertisements: Placement of advertisements within the Facebook platform and evaluation of the advertisement results; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6 (1) (a) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Data Privacy Framework (DPF); Right of objection (opt-out): We refer to the privacy and advertising settings in the user's profile on the Facebook platforms as well as to Facebook's consent procedures and contact options for exercising information and other data subject rights, as described in Facebook's privacy policy; Further information: Event data of users, i.e., behavior and interest information, are processed for the purposes of targeted advertising and target group formation on the basis of the agreement on joint responsibility ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection by and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transmission of data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Google Ads and Conversion Measurement: Online marketing process for the purpose of placing content and advertisements within the service provider's advertising network (e.g., in search results, in videos, on websites, etc.) so that they are displayed to users who have a presumed interest in the advertisements. Furthermore, we measure the conversion of the advertisements, i.e., whether users have taken them as an opportunity to interact with the advertisements and use the advertised offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 (1) (a) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.
  • Google Ads - Enhanced Conversions: Enhanced conversions are used to measure and optimize advertising success. This is an extension of existing conversion tracking (measurement of user actions such as purchases or inquiries), in which certain first-party data provided by users (data collected directly by the website operator, e.g., email address or phone number) is technically processed in order to assign conversions more reliably to an advertisement. Processing takes place exclusively in hashed form using the cryptographic one-way hash algorithm SHA-256 (a mathematical process for the irreversible conversion of data). In this process, personal data is encrypted before transmission so that it is not available in plain text and cannot be calculated back. The hashed data is transmitted to Google either at the time of a conversion on the website or – in the case of so-called lead conversions (conclusions outside the website, e.g., by telephone or email) – with a time delay. The transmission takes place either on the client side via a tag (tracking code, e.g., via the Google Tag Manager) or on the server side via an API (programming interface for system-side data transmission). In the case of server-side transmission, the data is transmitted via an HTTPS connection (encrypted internet connection). The purpose of the processing is to correctly record and assign conversions even when conventional tracking methods such as cookies (small text files or functions for recognizing users) or device identifiers are restricted or unavailable. The transmitted hashed data can be matched with existing Google accounts, provided users are logged in at the time of conversion. The processing serves exclusively for conversion measurement, the evaluation of the success of advertising campaigns, and the optimization of automated bidding strategies (automatic adjustment of ad bids based on measured conversions) on the basis of first-party data; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 (1) (a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.
  • Google Ads Remarketing: Google Remarketing, also known as retargeting, is a technology with which users who use an online service are included in a pseudonymous remarketing list so that advertisements can be displayed to the users on other online offers based on their visit to the online service; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 (1) (a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.
  • Enhanced Conversions for Google Ads: When users click on our Google ads and subsequently use the advertised service (so-called "conversion"), the data entered by the user, such as email address, name, home address, or phone number, can be transmitted to Google. The hash values are then matched with existing Google accounts of the users in order to better evaluate and improve the interaction of the users with the ads (e.g., clicks or views) and thus their performance; Legal basis: Consent (Art. 6 (1) (a) GDPR). Website: https://support.google.com/google-ads/answer/9888656.
  • Instagram Ads: Placement of advertisements within the Instagram platform and evaluation of the ad results; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6 (1) (a) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Data Privacy Framework (DPF); Right to object (Opt-Out): We refer to the privacy and advertising settings in the user's profile on the Instagram platform as well as within the framework of Instagram's consent process and Instagram's contact options for exercising information and other data subject rights in Instagram's privacy policy; Further information: Event data of the users, i.e., behavioral and interest information, is processed for the purposes of targeted advertising and target group formation on the basis of the agreement on joint responsibility ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection by and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which specifically concerns the transmission of the data to the parent company Meta Platforms, Inc. in the USA.

Social Media Presence

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

We point out that user data may be processed outside the European Union. This can result in risks for users because, for example, the enforcement of user rights could be made more difficult.

Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on usage behavior and the resulting interests of the users. The latter may in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For this purpose, cookies are usually stored on the users' computers, in which the usage behavior and interests of the users are stored. In addition, data can also be stored in the usage profiles independently of the devices used by the users (especially if they are members of the respective platforms and are logged in there).

For a detailed description of the respective forms of processing and the options for objection (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we also point out that these can be asserted most effectively with the providers. Only the latter have access to the user data and can directly take appropriate measures and provide information. Should you nevertheless require help, you can contact us.

  • Types of data processed: Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or image messages and posts as well as information concerning them, such as authorship details or time of creation). Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Communication; Feedback (e.g., collecting feedback via online form). Public relations.
  • Retention and deletion: Deletion according to the information in the section "General information on data storage and deletion".
  • Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing operations, procedures, and services:

  • Instagram: Social network, enables the sharing of photos and videos, commenting and favoriting of posts, messaging, subscribing to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Data Privacy Framework (DPF).
  • Facebook Pages: Profiles within the social network Facebook - The controller is jointly responsible with Meta Platforms Ireland Limited for the collection and transmission of data from visitors to our Facebook page ("Fanpage"). This includes, in particular, information about user behavior (e.g., content viewed or interacted with, actions performed) as well as device information (e.g., IP address, operating system, browser type, language settings, cookie data). Further details can be found in the Facebook Data Policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical evaluations via the "Page Insights" service, which provide information on how people interact with our page and its content. This is based on an agreement with Facebook ("Information about Page Insights": https://www.facebook.com/legal/terms/page_controller_addendum), which regulates, among other things, security measures and the exercise of data subject rights. Further information can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Users can therefore send requests for information or deletion directly to Facebook. The rights of users (in particular information, deletion, objection, complaint to a supervisory authority) remain unaffected by this. Joint responsibility is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited is solely responsible for further processing, including a possible transmission to Meta Platforms Inc. in the USA; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. 
    Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum), Switzerland - Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
  • Facebook Events: Event profiles within the social network Facebook - We use the "Events" function of the Facebook platform to point out events and dates, as well as to get in touch with users (participants and interested parties) and to be able to exchange information. In this context, we process personal data of the users of our event pages insofar as this is necessary for the purpose of the event page and its moderation. This data includes information on first and last names, as well as published or privately communicated content, as well as values on the status of participation and the time information for the aforementioned data. Furthermore, we refer to the processing of user data by Facebook itself. This data includes information on the types of content that users view or interact with, or the actions they take (see under "Things you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by the users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see under "Device information" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analysis services, so-called "Insights", for event providers so that they can gain insights into how people interact with their event pages and with the content associated with them; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Data Privacy Framework (DPF).
  • LinkedIn: Social network - We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of data from visitors used to create the "Page Insights" (statistics) of our LinkedIn profiles. This data includes information about the types of content users view or interact with, as well as the actions they take. In addition, details about the devices used are recorded, such as IP addresses, operating system, browser type, language settings, and cookie data, as well as information from user profiles, such as job function, country, industry, hierarchy level, company size, and employment status. Privacy information on the processing of user data by LinkedIn can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy.
    We have entered into a special agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum", https://legal.linkedin.com/pages-joint-controller-addendum), which specifically regulates which security measures LinkedIn must observe and in which LinkedIn has agreed to fulfill the rights of the data subjects (i.e., users can, for example, send requests for information or deletion directly to LinkedIn). The rights of users (in particular the right to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection and transmission of data to LinkedIn Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, in particular as regards the transmission of data to the parent company LinkedIn Corporation in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa), Switzerland - Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa). Right to object (Opt-Out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Data Privacy Framework (DPF). Right to object (Opt-Out): https://myadcenter.google.com/personalizationoff.

Plugins and embedded functions and content

We integrate functional and content elements into our online offer that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These can be, for example, graphics, videos, or city maps (hereinafter uniformly referred to as "content").

Integration always presupposes that the third-party providers of this content process the IP address of the users, as they could not send the content to the users' browsers without the IP address. The IP address is therefore required for the display of this content or functions. We endeavor to use only such content whose respective providers use the IP address merely for the delivery of the content. Third-party providers can also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Through the "pixel tags", information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information can also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, visit time, and other information about the use of our online offer, but can also be combined with such information from other sources.

Notes on legal bases: Insofar as we ask users for their consent to the use of third-party providers, the legal basis for data processing is that consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, persons involved). Location data (information on the geographical position of a device or a person).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Provision of our online offer and user-friendliness; Reach measurement (e.g., access statistics, recognition of returning visitors); Tracking (e.g., interest/behavior-based profiling, use of cookies); Target group formation; Marketing. Provision of contractual services and fulfillment of contractual obligations.
  • Retention and deletion: Deletion according to the information in the section "General information on data storage and deletion". Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods can be stored on users' devices for a period of two years).
  • Legal basis: Consent (Art. 6 (1) (a) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing operations, procedures, and services:

  • Google Fonts (Provision on own server): Provision of font files for the purpose of a user-friendly display of our online offer; Service provider: The Google Fonts are hosted on our server, no data is transmitted to Google; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Font Awesome (Provision on own server): Display of fonts and symbols; Service provider: The Font Awesome icons are hosted on our server, no data is transmitted to the provider of Font Awesome; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Google Maps: We integrate the maps of the "Google Maps" service provided by Google. The processed data may include, in particular, IP addresses and location data of the users; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Consent (Art. 6 (1) (a) GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Data Privacy Framework (DPF).
  • reCAPTCHA: We integrate the "reCAPTCHA" function to be able to recognize whether entries (e.g., in online forms) are made by humans and not by automatically acting machines (so-called "bots"). The processed data may include IP addresses, information on operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, duration of stay on websites, previously visited websites, interactions with reCAPTCHA on other websites, possibly cookies, and results of manual recognition processes (e.g., answering questions asked or selecting objects in images). Data processing is based on our legitimate interest in protecting our online offer from abusive automated crawling and spam; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.google.com/recaptcha/; Privacy Policy: https://policies.google.com/privacy; Data processing agreement: https://cloud.google.com/terms/data-processing-addendum (from 02.04.2026). Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses (https://cloud.google.com/terms/sccs/eu-c2p (from 02.04.2026)), Switzerland - Data Privacy Framework (DPF), Standard Contractual Clauses (https://cloud.google.com/terms/sccs/eu-c2p (from 02.04.2026)).
  • YouTube Videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 (1) (a) GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Data Privacy Framework (DPF). Right to object (Opt-Out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, settings for the display of advertisements: https://myadcenter.google.com/personalizationoff.

Processing of data in the context of employment relationships

In the context of employment relationships, personal data is processed with the aim of effectively shaping the establishment, implementation, and termination of such relationships. This data processing supports various operational and administrative functions required for the management of employee relations.

Data processing covers various aspects ranging from contract initiation to contract termination. Included are the organization and management of daily working hours, the management of access rights and authorizations, as well as the handling of personnel development measures and employee appraisals. The processing also serves the billing and management of wage and salary payments, which represent critical aspects of contract implementation.

In addition, data processing takes into account legitimate interests of the responsible employer, such as ensuring safety at the workplace or recording performance data for the evaluation and optimization of operational processes. Furthermore, data processing includes the disclosure of employee data in the context of external communication and publication processes where this is necessary for operational or legal purposes.

The processing of this data is always carried out in compliance with the applicable legal framework, whereby the goal is always to create and maintain a fair and efficient working environment. This also includes taking into account the data protection of the employees concerned, the anonymization or deletion of data after fulfillment of the processing purpose or in accordance with statutory retention periods.

  • Types of data processed: Employee data (information on employees and other persons in an employment relationship); Payment data (e.g., bank details, invoices, payment history); Contract data (e.g., subject matter of the contract, term, customer category); Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or image messages and posts as well as information concerning them, such as authorship details or time of creation); Social data (data subject to social secrecy and processed, for example, by social security institutions, social welfare agencies, or pension authorities); Log data (e.g., log files concerning logins or the retrieval of data or access times); Performance and behavioral data (e.g., performance and behavioral aspects such as performance evaluations, feedback from superiors, participation in training, compliance with company guidelines, self-assessments, and behavioral assessments); Working time data (e.g., start of working time, end of working time, actual working time, target working time, break times, overtime, vacation days, special leave days, sick days, absences, home office days, business trips); Salary data (e.g., basic salary, bonus payments, premiums, tax class information, supplements for night work/overtime, tax deductions, social security contributions, net payout amount); Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, persons involved).
  • Data subjects: Employees (e.g., employees, applicants, temporary workers, and other staff).
  • Purposes of processing and legitimate interests: Establishment and implementation of employment relationships (processing of employee data in the context of the establishment and implementation of employment relationships); Business processes and operational procedures; Provision of contractual services and fulfillment of contractual obligations. Security measures.
  • Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR); Legal obligation (Art. 6 (1) (c) GDPR); Legitimate interests (Art. 6 (1) (f) GDPR). Processing of special categories of personal data relating to health care, occupation, and social security (Art. 9 (2) (h) GDPR).

Further information on processing operations, procedures, and services:

  • Working time recording: Procedures for recording the working hours of employees include both manual and automated methods, such as the use of time clocks, time recording software, or mobile apps. Activities such as entering clock-in and clock-out times, break times, overtime, and absences are carried out. Checking and validating the recorded working hours includes comparison with deployment or shift plans, checking absences, and approval of overtime by superiors. Reports and analyses are created on the basis of the recorded working hours in order to provide evidence of working hours, overtime reports, and absence statistics for management and the human resources department; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
  • Authorization management: Procedures required for the definition, management, and control of access rights and user roles within a system or organization (e.g., creation of authorization profiles, role- and access-based control, checking and approval of access requests, regular review of access rights, tracking and auditing of user activities, creation of security policies and procedures); Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR), Legal obligation (Art. 6 (1) (c) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
  • Purposes of data processing: The personal data of employees is primarily processed for the establishment, implementation, and termination of the employment relationship. In addition, the processing of this data is necessary to fulfill legal obligations in the field of tax and social security law. In addition to these primary purposes, employee data is also used to fulfill regulatory and supervisory requirements, to optimize electronic data processing processes, and to compile internal or cross-company data, possibly including statistical data. Furthermore, employee data can be processed for the assertion of legal claims and for defense in legal disputes; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR), Legal obligation (Art. 6 (1) (c) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
  • Business trips and travel expense accounting: Procedures required for the planning, implementation, and accounting of business trips (e.g., booking trips, organizing accommodation and means of transport, managing travel expense advances, submitting and checking travel expense reports, checking and posting the costs incurred, compliance with travel policies, handling travel expense management); Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR), Legal obligation (Art. 6 (1) (c) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
  • Payroll and wage accounting: Procedures required for the calculation, payment, and documentation of wages, salaries, and other remuneration of employees (e.g., recording working hours, calculating deductions and supplements, paying taxes and social security contributions, creating payroll and salary statements, maintaining wage accounts, reporting to the tax office and social security institutions); Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR), Legal obligation (Art. 6 (1) (c) GDPR).
  • Personnel file management: Procedures required for the organization, updating, and management of employee data and documents (e.g., recording personnel master data, storing employment contracts, certificates, and attestations, updating data in the event of changes, compiling documents for employee appraisals, archiving personnel files, compliance with data protection regulations); Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR), Legal obligation (Art. 6 (1) (c) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR), Processing of special categories of personal data relating to health care, occupation, and social security (Art. 9 (2) (h) GDPR).
  • Personnel development, performance evaluation, and employee appraisals: Procedures required in the area of promotion and further development of employees as well as in the assessment of their performance and in the context of employee appraisals (e.g., needs analysis for further training, planning and implementation of training measures, creation of performance evaluations, implementation of target agreement and feedback discussions, career planning and talent management, succession planning); Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR), Legal obligation (Art. 6 (1) (c) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR), Processing of special categories of personal data relating to health care, occupation, and social security (Art. 9 (2) (h) GDPR).

Changes and Updates

We ask you to inform yourself regularly about the content of our privacy policy. We adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g., consent) or other individual notification.

Insofar as we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and please check the details before contacting them.

Definitions

In this section, you will find an overview of the terminology used in this privacy policy. Insofar as the terms are legally defined, their legal definitions apply. The following explanations, on the other hand, are primarily intended to aid understanding.

  • Employees: Employees are individuals in an employment relationship, whether as staff members, employees, or in similar positions. An employment relationship is a legal relationship between an employer and an employee, established through an employment contract or agreement. It includes the employer's obligation to pay the employee remuneration while the employee provides their work performance. The employment relationship encompasses various phases, including establishment, where the employment contract is concluded, execution, where the employee performs their work activities, and termination, when the employment relationship ends, whether through dismissal, termination agreement, or otherwise. Employee data refers to all information relating to these individuals in the context of their employment. This includes aspects such as personal identification data, identification numbers, salary and banking data, working hours, vacation entitlements, health data, and performance evaluations.
  • Master Data: Master data comprises essential information necessary for the identification and management of contractual partners, user accounts, profiles, and similar assignments. This data may include personal and demographic information such as names, contact information (addresses, telephone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Master data forms the basis for any formal interaction between individuals and services, facilities, or systems by enabling clear assignment and communication.
  • Content Data: Content data comprises information generated in the course of creating, editing, and publishing content of all kinds. This category of data may include texts, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the actual content itself but also includes metadata that provides information about the content, such as tags, descriptions, author information, and publication dates.
  • Contact Data: Contact data is essential information that enables communication with individuals or organizations. It includes telephone numbers, postal addresses, and email addresses, as well as means of communication such as social media handles and instant messaging identifiers.
  • Conversion Measurement: Conversion measurement (also referred to as "visit action evaluation") is a method used to determine the effectiveness of marketing measures. Typically, a cookie is stored on users' devices within the websites where the marketing measures take place and is then retrieved again on the target website. For example, this allows us to track whether the advertisements we placed on other websites were successful.
  • Artificial Intelligence (AI): The purpose of processing data through Artificial Intelligence (AI) includes the automated analysis and processing of user data to identify patterns, make predictions, and improve the efficiency and quality of our services. This includes the collection, cleansing, and structuring of data, the training and application of AI models, as well as the continuous review and optimization of results, and is carried out exclusively with user consent or based on legal authorization grounds.
  • Performance and Behavioral Data: Performance and behavioral data refers to information related to how individuals complete tasks or behave in a particular context, such as in an educational, work, or social environment. This data may include metrics such as productivity, efficiency, work quality, attendance, and compliance with policies or procedures. Behavioral data could include interactions with colleagues, communication styles, decision-making processes, and responses to various situations. These types of data are often used for performance evaluations, training and development measures, and decision-making within organizations.
  • Meta, Communication, and Process Data: Meta, communication, and process data are categories that contain information about how data is processed, transmitted, and managed. Metadata, also known as data about data, includes information describing the context, origin, and structure of other data. It may include information about file size, creation date, document author, and modification histories. Communication data captures the exchange of information between users across various channels, such as email traffic, call logs, messages on social networks, and chat histories, including the parties involved, timestamps, and transmission paths. Process data describes the processes and workflows within systems or organizations, including workflow documentation, transaction and activity logs, as well as audit logs used to track and verify operations.
  • Usage Data: Usage data refers to information that captures how users interact with digital products, services, or platforms. This data encompasses a wide range of information showing how users utilize applications, which features they prefer, how long they remain on certain pages, and through which paths they navigate through an application. Usage data may also include frequency of use, activity timestamps, IP addresses, device information, and location data. It is particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. Furthermore, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.
  • Personal Data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Profiles with User-Related Information: The processing of "profiles with user-related information," or "profiles" for short, includes any type of automated processing of personal data that consists of using such personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include various information concerning demographics, behavior, and interests, such as interaction with websites and their content, etc.). For profiling purposes, cookies and web beacons are frequently used.
  • Log Data: Log data is information about events or activities that have been logged in a system or network. This data typically contains information such as timestamps, IP addresses, user actions, error messages, and other details about the use or operation of a system. Log data is often used to analyze system problems, for security monitoring, or to create performance reports.
  • Reach Measurement: Reach measurement (also referred to as web analytics) serves to evaluate visitor flows to an online offering and may include the behavior or interests of visitors in certain information, such as website content. With the help of reach analysis, operators of online offerings can, for example, identify at what time users visit their websites and which content they are interested in. This allows them, for example, to better adapt the website content to the needs of their visitors. For reach analysis purposes, pseudonymous cookies and web beacons are frequently used to recognize returning visitors and thus obtain more accurate analyses of the use of an online offering.
  • Remarketing: "Remarketing" or "retargeting" refers to the practice of, for example, noting for advertising purposes which products a user was interested in on a website in order to remind the user of these products on other websites, e.g., in advertisements.
  • Location Data: Location data is generated when a mobile device (or another device with the technical requirements for location determination) connects to a radio cell, WLAN, or similar technical means and functions for location determination. Location data serves to indicate at which geographically determinable position on Earth the respective device is located. Location data can, for example, be used to display map functions or other location-dependent information.
  • Tracking: "Tracking" refers to the ability to trace users' behavior across multiple online offerings. As a rule, behavioral and interest information regarding the online offerings used is stored in cookies or on servers of the tracking technology providers (so-called profiling). This information can subsequently be used, for example, to display advertisements to users that are likely to correspond to their interests.
  • Controller: The "controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and encompasses practically every handling of data, whether it be collection, evaluation, storage, transmission, or deletion.
  • Contract Data: Contract data is specific information relating to the formalization of an agreement between two or more parties. It documents the conditions under which services or products are provided, exchanged, or sold. This data category is essential for the management and fulfillment of contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include start and end dates of the contract, the type of agreed services or products, pricing agreements, payment terms, termination rights, renewal options, and special conditions or clauses. It serves as the legal basis for the relationship between the parties and is crucial for clarifying rights and obligations, enforcing claims, and resolving disputes.
  • Payment Data: Payment data comprises all information required to process payment transactions between buyers and sellers. This data is of crucial importance for electronic commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank account information, payment amounts, transaction data, verification numbers, and billing information. Payment data may also contain information about payment status, chargebacks, authorizations, and fees.
  • Audience Building: Audience building ("Custom Audiences") refers to the determination of target groups for advertising purposes, e.g., display of advertisements. For example, based on a user's interest in certain products or topics on the internet, it can be concluded that this user is interested in advertisements for similar products or the online shop in which they viewed the products. "Lookalike Audiences" (or similar audiences) refers to when content deemed suitable is displayed to users whose profiles or interests presumably correspond to the users for whom the profiles were created. For the purposes of creating Custom Audiences and Lookalike Audiences, cookies and web beacons are typically used.