Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both as part of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").

The terms used are not gender-specific.

Status: March 27, 2026

Table of Contents

• Preamble
• Controller
• Overview of Processing
• Relevant Legal Bases
• Security Measures
• International Data Transfers
• General Information on Data Storage and Deletion
• Rights of Data Subjects
• Provision of the Online Offer and Web Hosting
• Use of Cookies
• Contact and Inquiry Management
• Newsletter and Electronic Notifications
• Privacy Information for Whistleblowers
• Changes and Updates
• Definitions

Controller

First Name, Last Name / Company
Street, House No.
Zip Code, City, Country

Email address: firstname.lastname@exampledomain.eu

Overview of Processing

The following overview summarizes the types of data processed, the purposes of their processing, and refers to the affected individuals.

Types of processed data

• Inventory data.
• Employee data.
• Contact data.
• Content data.
• Usage data.
• Meta, communication, and procedural data.
• Log data.

Categories of Data Subjects

• Employees.
• Communication partners.
• Users.
• Third parties.
• Whistleblowers.

Purposes of Processing

• Communication.
• Security measures.
• Direct marketing.
• Organizational and administrative procedures.
• Feedback.
• Provision of our online offer and user-friendliness.
• Information technology infrastructure.
• Whistleblower protection.

Relevant Legal Bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR upon which we process personal data. Please note that in addition to the regulations of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases be relevant in individual cases, we will inform you of these in the privacy policy.

• Consent (Art. 6 Para. 1 lit. a GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Performance of a contract and prior to entering into a contract (Art. 6 Para. 1 lit. b GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal obligation (Art. 6 Para. 1 lit. c GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6 Para. 1 lit. f GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. This includes, in particular, the Federal Data Protection Act (BDSG). The BDSG contains specific rules on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, the processing for other purposes, and the transmission as well as automated decision-making in individual cases, including profiling. Furthermore, the state data protection laws of the individual federal states may apply.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, entry, transfer, securing availability, and segregation. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data, and responses to data threats. In addition, we consider the protection of personal data right from the development or selection of hardware, software, and procedures, following the principles of data protection by design and by default.

Securing online connections using TLS/SSL encryption technology (HTTPS): To protect the data of users transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. If a website is secured by an SSL/TLS certificate, this is signaled by the display of HTTPS in the URL. This serves as an indicator to users that their data is transmitted securely and encrypted.

International Data Transfers

Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this happens in the context of using third-party services or disclosing or transferring data to other persons, entities, or companies (which can be identified by the postal address of the respective provider or if explicitly stated in the privacy policy), this will only take place in compliance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the EU Commission on July 10, 2023. In addition, we have concluded Standard Contractual Clauses with the respective providers, which meet the requirements of the EU Commission and establish contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: The DPF forms the primary level of protection, while the Standard Contractual Clauses serve as additional security. Should changes occur within the framework of the DPF, the Standard Contractual Clauses act as a reliable fallback option. This ensures that your data remains adequately protected even in the event of political or legal changes.

We inform you for individual service providers whether they are certified under the DPF and whether Standard Contractual Clauses are in place. Further information on the DPF and a list of certified companies can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/.

For data transfers to other third countries, corresponding security measures apply, in particular Standard Contractual Clauses, explicit consent, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.

General Information on Data Storage and Deletion

We delete personal data processed by us in accordance with statutory provisions as soon as the underlying consents are revoked or there are no further legal grounds for processing. This applies to cases where the original purpose of processing ceases to exist or the data is no longer required. Exceptions to this rule exist if legal obligations or special interests require a longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax reasons, or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons, must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data specific to certain processing operations.

If multiple retention periods or deletion deadlines apply to a piece of data, the longest period is always decisive. We process data that is no longer retained for its originally intended purpose, but due to legal requirements or other reasons, exclusively for the reasons that justify its retention.

Retention and deletion of data: The following general periods apply to retention and archiving under German law:

• 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and the working instructions and other organizational documents required to understand them (§ 147 Para. 1 No. 1 in conjunction with Para. 3 AO, § 14b Para. 1 UStG, § 257 Para. 1 No. 1 in conjunction with Para. 4 HGB).
• 8 years - Accounting vouchers, such as invoices and receipts (§ 147 Para. 1 No. 4 and 4a in conjunction with Para. 3 Clause 1 AO and § 257 Para. 1 No. 4 in conjunction with Para. 4 HGB).
• 6 years - Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents insofar as they are relevant for taxation, e.g., timesheets, cost accounting sheets, calculation documents, price tags, but also payroll documents insofar as they are not already accounting vouchers and cash register tapes (§ 147 Para. 1 No. 2, 3, 5 in conjunction with Para. 3 AO, § 257 Para. 1 No. 2 and 3 in conjunction with Para. 4 HGB).
• 3 years - Data required to consider potential warranty and damage claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experience and common industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Start of the period at the end of the year: If a period does not explicitly start on a specific date and is at least one year long, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the period is the effective date of termination or other end of the legal relationship.

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

• Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6 Para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
• Right to withdraw consent: You have the right to withdraw your consent at any time.
• Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and further information and a copy of the data in accordance with statutory requirements.
• Right to rectification: You have the right to demand the completion of data concerning you or the rectification of inaccurate data concerning you in accordance with statutory requirements.
• Right to erasure and restriction of processing: You have the right, in accordance with statutory requirements, to demand that data concerning you be deleted without delay, or alternatively, in accordance with statutory requirements, to demand a restriction of the processing of the data.
• Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format in accordance with statutory requirements, or to demand its transmission to another controller.
• Complaint to a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

Provision of the Online Offer and Web Hosting

We process the users' data to be able to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the contents and functions of our online services to the user's browser or end device.

• Processed data types: Usage data (e.g., page views and duration of visit, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, persons involved). Log data (e.g., log files regarding logins or the retrieval of data or access times).
• Data subjects: Users (e.g., website visitors, users of online services).
• Purposes of processing and legitimate interests: Provision of our online offer and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)). Security measures.
• Retention and deletion: Deletion in accordance with the details in the section "General Information on Data Storage and Deletion".
• Legal bases: Legitimate interests (Art. 6 Para. 1 lit. f GDPR).

Further details on processing operations, procedures, and services:

• Provision of online offer on rented storage space: For the provision of our online offer, we use storage space, computing capacity, and software that we rent or otherwise obtain from an appropriate server provider (also called "web host"); Legal bases: Legitimate interests (Art. 6 Para. 1 lit. f GDPR).
• Collection of access data and log files: Access to our online offer is logged in the form of so-called "server log files". The server log files may include the address and name of the accessed websites and files, date and time of access, transferred data volumes, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and generally IP addresses and the requesting provider. The server log files can be used for security purposes, e.g., to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure server utilization and stability; Legal bases: Legitimate interests (Art. 6 Para. 1 lit. f GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.

Use of Cookies

The term "cookies" refers to functions that store information on users' end devices and read it from them. Cookies can also be used for various purposes, such as the functionality, security, and convenience of online offers, as well as the creation of analyses of visitor flows. We use cookies in accordance with legal regulations. If necessary, we obtain the prior consent of the users. If consent is not necessary, we rely on our legitimate interests. This applies when the storage and reading of information is essential to provide explicitly requested content and functions. This includes storing settings and ensuring the functionality and security of our online offer. Consent can be revoked at any time. We inform clearly about its scope and which cookies are used.

Notes on data protection legal bases: Whether we process personal data using cookies depends on consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.

Storage duration: With regard to storage duration, the following types of cookies are distinguished:

• Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their end device (e.g., browser or mobile application).
• Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. The user data collected using cookies can also be used for reach measurement. If we do not provide users with explicit information on the type and storage duration of cookies (e.g., when obtaining consent), they should assume that these are permanent and the storage duration can be up to two years.

General notes on revocation and objection (opt-out): Users can revoke their given consent at any time and also declare an objection to processing in accordance with statutory requirements, including by using their browser's privacy settings.

• Processed data types: Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, persons involved).
• Data subjects: Users (e.g., website visitors, users of online services).
• Legal bases: Legitimate interests (Art. 6 Para. 1 lit. f GDPR). Consent (Art. 6 Para. 1 lit. a GDPR).

Further details on processing operations, procedures, and services:

• Processing of cookie data based on consent: We use a consent management solution where user consent for the use of cookies or the procedures and providers mentioned within the consent management solution is obtained. This procedure is used to obtain, log, manage, and revoke consent, in particular regarding the use of cookies and comparable technologies used to store, read, and process information on users' end devices. Within this procedure, user consent for the use of cookies and the associated processing of information, including specific processing and providers named in the consent management procedure, is obtained. Users also have the opportunity to manage and revoke their consent. Declarations of consent are saved to avoid repeated requests and to be able to provide proof of consent according to legal requirements. Storage takes place on the server side and/or in a cookie (so-called opt-in cookie) or using comparable technologies to assign the consent to a specific user or their device. Unless specific information on the providers of consent management services is available, the following general instructions apply: The duration of storage of consent is up to two years. A pseudonymous user identifier is created, which is saved together with the time of consent, information on the scope of consent (e.g., regarding categories of cookies and/or service providers), and information about the browser, system, and end device used; Legal bases: Consent (Art. 6 Para. 1 lit. a GDPR).

Contact and Inquiry Management

When contacting us (e.g., by post, contact form, email, telephone, or via social media) as well as in the context of existing user and business relationships, the details of the inquiring persons are processed to the extent necessary to answer contact requests and any requested measures.

• Processed data types: Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or visual messages and contributions as well as related information, such as authorship or creation time). Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, persons involved).
• Data subjects: Communication partners.
• Purposes of processing and legitimate interests: Communication; Organizational and administrative procedures; Feedback (e.g., collecting feedback via online form). Provision of our online offer and user-friendliness.
• Retention and deletion: Deletion in accordance with the details in the section "General Information on Data Storage and Deletion".
• Legal bases: Legitimate interests (Art. 6 Para. 1 lit. f GDPR). Performance of a contract and prior to entering into a contract (Art. 6 Para. 1 lit. b GDPR).

Newsletter and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter "newsletter") only with the consent of the recipient or based on a legal basis. If the contents of the newsletter are specifically described when subscribing, these contents are decisive for user consent. To subscribe to our newsletter, it is generally sufficient to provide your email address. However, to provide a personalized service, we may ask you to provide your name for a personal address in the newsletter, or other information if necessary for the purpose of the newsletter.

Deletion and restriction of processing: We can store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to prove previously given consent. Processing of this data is limited to the purpose of a potential defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the event of obligations to permanently observe objections, we reserve the right to store the email address in a blocklist solely for this purpose.

Logging of the registration process takes place on the basis of our legitimate interests for the purpose of proving its proper execution. If we commission a service provider to send emails, this is done based on our legitimate interests in an efficient and secure dispatch system.

Content:

Information about us, our services, promotions, and offers.

• Processed data types: Inventory data (e.g., full name, residential address, contact info, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Meta, communication, and procedural data. Usage data.
• Data subjects: Communication partners.
• Purposes of processing and legitimate interests: Direct marketing (e.g., via email or post).
• Legal bases: Consent (Art. 6 Para. 1 lit. a GDPR).
• Right to object (Opt-Out): You can cancel the receipt of our newsletter at any time, i.e., revoke your consent or object to further receipt. You will find a link to cancel the newsletter at the end of every newsletter, or you can use one of the contact options provided above, preferably email, for this purpose.

Further details on processing operations, procedures, and services:

• Measurement of open and click rates: The newsletters contain a so-called "web beacon", i.e., a pixel-sized file that is retrieved from our server (or that of our dispatch service provider) when the newsletter is opened. During this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of retrieval, is initially collected. This information is used for the technical improvement of our newsletter based on technical data or target groups and their reading behavior based on their retrieval locations (their IP address), the time of access, and which links were clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our intention nor that of our service provider to monitor individual users. The evaluations serve strictly to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users; Legal bases: Consent (Art. 6 Para. 1 lit. a GDPR).

Definitions

This section provides an overview of the terms used in this privacy policy. If the terms are defined by law, the legal definitions apply. The following explanations are primarily intended to aid understanding.

• Employees: Persons in an employment relationship.
• Inventory data: Essential information necessary for identifying and managing contractual partners, user accounts, profiles, etc.
• Content data: Information generated during the creation, editing, and publication of content of all kinds (texts, images, videos, etc.).
• Contact data: Essential information enabling communication (phone numbers, postal and email addresses).
• Meta, communication, and procedural data: Categories containing information about the way data is processed, transmitted, and managed.
• Usage data: Information capturing how users interact with digital products, services, or platforms.
• Personal data: Any information relating to an identified or identifiable natural person ("data subject").
• Log data: Information about events or activities logged in a system or network.
• Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.

Created with the free Datenschutz-Generator.de by Dr. Thomas Schwenke