The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.
Types of Processed Data
Inventory data.
Location data.
Contact data.
Content data.
Usage data.
Meta, communication, and procedural data.
Log data.
Categories of Data Subjects
Communication partners.
Users.
Purposes of Processing
Communication.
Security measures.
Reach measurement.
Organizational and administrative procedures.
Feedback.
Profiles with user-related information.
Provision of our online offer and user-friendliness.
Information technology infrastructure.
Relevant Legal Bases
Relevant legal bases according to the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the regulations of the GDPR, national data protection provisions in your or our country of residence or headquarters may apply. If more specific legal bases are relevant in individual cases, we will inform you in the data protection declaration.
Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract.
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - processing is necessary to protect the legitimate interests of the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject, which require the protection of personal data, do not prevail.
National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. This includes, in particular, the law on protection against misuse of personal data in data processing (Federal Data Protection Act - BDSG). The BDSG, in particular, contains special regulations on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, the processing for other purposes and the transfer as well as automated decision-making in individual cases including profiling. Furthermore, state data protection laws of the individual federal states may apply.
Notice of applicability GDPR and Swiss DSG: These data protection notices serve both to provide information in accordance with the Swiss DSG and in accordance with the General Data Protection Regulation (GDPR). For this reason, we ask you to note that due to the wider spatial application and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms "processing" of "personal data", "overriding interest" and "especially protected personal data" used in the Swiss DSG, the terms used in the GDPR "processing" of "personal data" as well as "legitimate interest" and "special categories of data" are used. However, the legal meaning of the terms will still be determined within the framework of the applicability of the Swiss DSG according to the Swiss DSG.
General Information on Data Storage and Deletion
We delete personal data that we process in accordance with the statutory provisions as soon as the underlying consents are revoked or no further legal grounds for processing exist. This applies to cases where the original purpose of processing no longer applies or the data is no longer needed. Exceptions to this rule exist if statutory obligations or special interests require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax reasons or whose storage is necessary for the pursuit of rights or the protection of the rights of other natural or legal persons must be archived accordingly.
Our data protection notices contain additional information on the retention and deletion of data that specifically apply to certain processing processes.
If there are multiple retention periods or deletion deadlines for an item of data, the longest period always applies.
If a deadline does not explicitly start on a certain date and is at least one year, it will automatically begin at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships, in which data is stored, the triggering event is the time of the effectiveness of the termination or other termination of the legal relationship.
Data that is no longer kept for its originally intended purpose but due to legal requirements or other reasons will be processed exclusively for the reasons that justify its retention.
Further notes on processing processes, procedures, and services:
Retention and deletion of data: The following general periods apply for retention and archiving under German law:
10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheet as well as the working instructions and other organizational documents required for their understanding (Section 147 para. 1 no. 1 in conjunction with para. 3 AO, Section 14b para. 1 UStG, Section 257 para. 1 no. 1 in conjunction with para. 4 HGB).
8 years - Booking documents, such as invoices and cost receipts (Section 147 para. 1 no. 4 and 4a in conjunction with para. 3 sentence 1 AO and Section 257 para. 1 no. 4 in conjunction with para. 4 HGB).
6 years - Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents relevant to taxation reasons, e.g., hourly wage slips, business accounting sheets, calculation documents, price lists, as well as salary calculation documents unless they are already booking documents, and cash register strips (Section 147 para. 1 no. 2, 3, 5 in conjunction with para. 3 AO, Section 257 para. 1 no. 2 and 3 in conjunction with para. 4 HGB).
3 years - Data required to take into account potential warranty and damage claims or similar, contractual rights and claims, and associated inquiries are stored for the duration of the regular statutory limitation period of three years (Secs. 195, 199 BGB).
Rights of Data Subjects
Rights of data subjects under the GDPR: As data subjects, you have various rights under the GDPR, in particular as defined in Art. 15 to 21 GDPR:
Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data based on Art. 6 para. 1 lit. e or f GDPR, including profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object to the processing of your personal data for such marketing purposes at any time, including profiling to the extent it is related to such direct marketing.
Right to revoke consent: You have the right to revoke, at any time, consents granted.
Right to information: You have the right to request confirmation as to whether data is being processed, to receive information about this data and to obtain further information and a copy of the data in accordance with legal requirements.
Right to rectification: You have the right to request the completion or correction of incomplete or inaccurate data concerning you in accordance with legal requirements.
Right to deletion and restriction of processing: You have the right under the legal requirements to demand that your data be deleted immediately, or alternatively, under the legal requirements, to request a restriction of the processing of the data.
Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format according to legal requirements, or to request their transmission to another controller.
Complaint to supervisory authorities: You have the right, without prejudice to another administrative or judicial remedy, to lodge a complaint with a supervisory authority, specifically in the Member State of your habitual residence, workplace, or the place of the alleged infringement, if you believe that the processing of your data violates the GDPR.
Provision of the Online Offer and Web Hosting
We process users' data to provide them with our online services. To this end, we process the user's IP address, which is necessary to transmit the contents and functions of our online services to the browser or device of the users.
Types of data processed: Usage data (e.g., page views and time spent, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties); Log data (e.g., logs concerning logins or data retrieval or access times). Content data (e.g., textual or visual messages and posts and the information concerning them, such as indications of authorship or creation time).
Data subjects: Users (e.g., website visitors, users of online services).
Purposes of processing: Provision of our online offer and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)). Security measures.
Retention and deletion: Deletion according to details in the section "General Information on Data Storage and Deletion".
Further notes on processing processes, procedures, and services:
Provision of online offer on rented storage space: For the provision of our online offer, we utilize storage space, computing capacity, and software rented or otherwise obtained from a corresponding server provider (also called "hosting providers"); Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Collection of access data and log files: Access to our online offer is logged in the form of so-called "server log files". The server log files can include the address and name of the accessed web pages and files, date and time of access, transferred data amounts, notification of successful access, browser types and versions, the user's operating system, referrer URL (previously visited page), and generally IP addresses and the requesting provider. The server log files can be used for security purposes, e.g., to avoid server overload (especially in the case of abusive attacks, known as DDoS attacks), as well as to ensure the stability of the servers; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that requires further storage for evidence purposes is excluded from deletion until the incident in question has been finally resolved.
Email shipping and hosting: The web hosting services we use also include the transmission, receipt, and storage of emails. To this end, the addresses of recipients and senders as well as additional information regarding email transmission (e.g., the involved providers) and the contents of the respective emails are processed. The aforesaid data can also be processed for SPAM detection purposes. Please be aware that emails are generally not sent in encrypted form on the Internet. Emails are typically encrypted during transport but are not encrypted on the servers from which they are sent and on which they are received (unless an end-to-end encryption procedure is employed). We therefore cannot assume responsibility for the transmission path of emails between the sender and receipt on our server; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Content-Delivery-Network: We use a "Content-Delivery-Network" (CDN). A CDN is a service that assists in delivering web content, particularly large media files such as graphics or program scripts fast and securely using regionally distributed servers connected over the Internet; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Instart: Content-Delivery-Network (CDN) - service that helps deliver online content, particularly large media files, such as graphics or program scripts, quicker and more securely using regionally distributed servers connected via the Internet; Service provider: Instart Logic, Inc., 450 Lambert Avenue, Palo Alto, CA 94306, USA; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instart.com. Privacy policy: https://www.instart.com/company/legal/privacy-policy.
Use of Cookies
The term "cookies" refers to functions that store information on users' devices and allow information to be retrieved from them. Cookies can be used for different purposes, such as the functionality, security, and comfort of online services and the creation of visitor-flow analyses. We use cookies in accordance with legal regulations. If necessary, we obtain users' consent in advance. If consent is not necessary, we rely on our legitimate interests. This applies if storing and reading out information is essential to explicitly requested content and functions. These include, for instance, the storage of settings and ensuring the functionality and security of our online offer. Consent can be revoked at any time. We clearly inform users about the scope of the consent and which cookies are used.
Notes on data protection legal bases: Whether we process personal data using cookies depends on consent. If consent is present, it serves as the legal basis. Without consent, we rely on our legitimate interests, as explained in this section and in the context of the respective services and procedures.
Storage duration: The following types of cookies are distinguished regarding storage duration:
Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offer and closes their device (e.g., browser or mobile application).
Permanent cookies: Permanent cookies remain stored even after the device is closed. Thus, for example, the login status can be saved, and preferred content can be displayed directly when the user visits a website again. Similarly, the usage data collected using cookies can be used for reach measurement. If we do not provide users with explicit information on the type and storage duration of cookies (e.g., when obtaining consent), they should assume these are permanent and the storage duration can last up to two years.
General notes on revocation and objection (opt-out): Users can revoke the consents given and also object to processing in accordance with legal requirements, including through the privacy settings of their browser.
Types of data processed: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties).
Data subjects: Users (e.g., website visitors, users of online services).
Further notes on processing processes, procedures, and services:
Processing of cookie data based on consent: We employ a consent management solution to obtain user consent for the use of cookies or the procedures and providers mentioned within the consent management solution. This procedure serves to obtain, log, manage, and revoke consents, particularly related to the deployment of cookies and similar technologies used to store, read, and process information on user devices. Users' consent for the use of cookies and related information processing, including specific processing and providers mentioned in the consent management procedure, is obtained. Users can also manage and withdraw their consents. The consent declarations are stored to avoid repeated queries and to provide evidence of consent as per legal requirements. Storage occurs server-side and/or in a cookie (so-called opt-in cookie) or by comparable technologies to assign the consent to a specific user or their device. If there is no specific information on the providers of consent management services, the following general information applies: The duration of the storage of the consent amounts to up to two years. In the process, a pseudonymous user identifier is created and stored together with the time of consent, the information on the scope of the consent (e.g., relevant categories of cookies and/or service providers), as well as information on the browser, system, and device used; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Contact and Inquiry Management
When contacting us (e.g., by mail, contact form, email, phone, or via social media) and within existing user and business relationships, the information provided by the requesting persons is processed to the extent necessary to answer the contact inquiries and any requested measures.
Types of data processed: Inventory data (e.g., the full name, residential address, contact details, customer number, etc.); Contact data (e.g., mailing and email addresses or phone numbers); Content data (e.g., textual or visual messages and posts and the information concerning them, such as indications of authorship or creation time); Usage data (e.g., page views and time spent, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties).
Data subjects: Communication partners.
Purposes of processing: Communication; Organizational and management procedures; Feedback (e.g., collecting feedback via online forms). Provision of our online offer and user-friendliness.
Retention and deletion: Deletion according to details in the section "General Information on Data Storage and Deletion".
Further notes on processing processes, procedures, and services:
Contact form: When contacting us via our contact form, by email, or other communication methods, we process the personal data provided to us to respond and handle the respective issues. This typically includes information such as name, contact details, and possibly further information communicated to us and necessary for proper handling. We use this data solely for the stated purpose of contact and communication; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Web Analysis, Monitoring, and Optimization
Web analysis (also called "reach measurement") serves to evaluate the visitor flows of our online offer and can include behavior, interests, or demographic information about the visitors, such as age or gender, as pseudonymous values. Using reach analysis, we can recognize, for example, at what time our online offer or its functions or content are used most frequently or invite repeat use. Additionally, it is possible for us to identify which areas require optimization.
Aside from web analysis, we can also employ testing procedures to, for example, test and optimize different versions of our online offer or its components.
If not otherwise specified below, profiles may be created for these purposes, meaning data connected to a usage process, and information can be stored and then read in a browser or device. The collected information includes specifically visited websites and elements used there, as well as technical details such as the used browser, computer system information, and information on usage times. Provided users have given us or the providers of the services we use their consent to the collection of their location data, processing of location data is also possible.
Furthermore, users' IP addresses are stored. However, to protect users, we utilize an IP masking procedure (i.e., pseudonymization by shortening the IP address). Generally, no clear user data (such as email addresses or names) is stored as part of web analysis, A/B testing, and optimization, only pseudonyms. This means that neither we nor the suppliers of the tools used know the true identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.
Notes on legal bases: If we ask users for their consent for the use of the third-party providers, the legal basis of data processing is the consent. Otherwise, the users' data will be processed based on our legitimate interests (i.e., interest in efficient, economically viable, and recipient-friendly services). In this context, we also wish to draw your attention to the information on the use of cookies in this privacy statement.
Types of data processed: Usage data (e.g., page views and time spent, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties).
Data subjects: Users (e.g., website visitors, users of online services).
Purposes of processing: Reach measurement (e.g., access statistics, recognition of recurring visitors); Profiles with user-related information (creation of user profiles). Provision of our online offer and user-friendliness.
Retention and deletion: Deletion according to details in the section "General Information on Data Storage and Deletion". Storage of cookies for up to two years (unless otherwise stated, cookies and similar storage methods may be stored on users' devices for two years).
Security measures: IP masking (pseudonymization of the IP address).
Further notes on processing processes, procedures, and services:
Google Analytics: We use Google Analytics to measure and analyze the usage of our online offer on the basis of a pseudonymous user identification number. This identification number contains no unique data, such as names or email addresses. It is used to assign analysis information to a device in order to recognize which content users have called up within one or several usage processes, which search terms they have used, which content they have called up again, and how they have interacted with our online offer. The time of use and its duration are saved, as well as the sources that referred users to our online offer and technical aspects of their devices and browsers. In doing so, pseudonymous profiles of users are created with information from the use of various devices, with cookies possibly being used. Google Analytics does not record or store individual IP addresses for EU users. Analytics provides, however, rough geographic location data by deriving the following metadata from IP addresses: city (and its derived latitude and longitude), continent, country, region, and subcontinent (and ID-based counterparts). When handling EU data traffic, IP address data is used solely for deriving geolocation data and then immediately deleted. It is not logged, is not accessible, and is not used for further purposes. When Google Analytics collects measurement data, all IP requests are performed on EU-based servers before being forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy policy: https://policies.google.com/privacy; Contract processing information: https://business.safety.google/adsprocessorterms/; Basis of third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Opt-out possibility: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying advertisements: https://myadcenter.google.com/personalizationoff. More information: https://business.safety.google/adsservices/ (types of processing as well as processed data).
Google Tag Manager: We use Google Tag Manager, a software from Google, that allows us to centrally manage so-called website tags over one user interface. Tags are small pieces of code on our website that serve to record and analyze visitor activities. This technology supports us in improving our website and the contents offered there. The Google Tag Manager itself does not create any user profiles, save cookies without user profiles, or perform independent analyses. Its function is limited to simplifying and making more efficient the integration and management of tools and services we use on our website. Nevertheless, the IP address of users is transmitted to Google when using the Google Tag Manager, which is technically necessary to implement the services we use. Similarly, cookies may be set. However, this data processing only takes place if services are incorporated via the Tag Manager. For more detailed information on those services and their data processing, we refer to the further sections of this privacy statement; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Contract processing information: https://business.safety.google/adsprocessorterms. Basis of third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms).
Plug-ins and Embedded Functions and Content
We integrate function and content elements into our online offer retrieved from the servers of their respective providers (referred to as "third-party providers" below). This can include graphics, videos, or maps (collectively referred to as "content").
The integration always requires that these third-party providers of the content process the users' IP address, as they could not send the content to their browser without the IP address. The IP address is therefore required for presenting these contents or functions. We make an effort to use only such content, whose respective providers solely use the IP address for the delivery of the content. Third-party providers may further use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Through the pixel tags, information such as the visitor traffic on the pages of this website can be evaluated. The pseudonymous information can be stored in cookies on the device of the users and contain, among other things, technical information on the browser and operating system, referring websites, visiting time, and other details on the use of our online offer, as well as being associated with similar information from other sources.
Notes on legal bases: If we ask users for their consent to the use of the third-party providers, the legal basis of data processing is the consent. Otherwise, the users' data will be processed based on our legitimate interests (i.e., interest in efficient, economically viable, and recipient-friendly services). In this context, we also wish to draw attention to the information on using cookies in this privacy statement.
Types of data processed: Usage data (e.g., page views and time spent, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties). Location data (information on the geographic position of a device or a person).
Data subjects: Users (e.g., website visitors, users of online services).
Purposes of processing: Provision of our online offer and user-friendliness.
Retention and deletion: Deletion according to details in the section "General Information on Data Storage and Deletion". Storage of cookies for up to two years (unless otherwise stated, cookies and comparable storage methods may be stored on users' devices for two years).
Further notes on processing processes, procedures, and services:
Google Fonts (obtained from Google server): Retrieval of fonts (and symbols) for the purposes of a technically secure, maintenance-free, and efficient use of fonts and symbols with regard to up-to-dateness and load times, their uniform representation, and consideration of possible license restrictions. The IP address of the user is disclosed to the font's provider to make the fonts available in the user's browser. Additionally, technical data (language settings, screen resolution, operating system, used hardware) that are necessary for providing the fonts depending on the devices and technical environment used are transmitted. These data can be processed on a server of the fonts provider in the USA. When users visit our online offer, their browsers send HTTP requests, which can be logged and which include (1) the IP address used by the respective user to access the Internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user-agent describing the browser and OS versions of the visitors, as well as the referrer URL (i.e., the webpage displaying the Google font). Google servers do not log or store IP addresses, nor do they analyze these. The Google Fonts Web API logs details of HTTP requests (requested URL, user-agent, and referrer URL). Access to these data is restricted and strictly controlled. The requested URL identifies the font family whose fonts the user wants to load. These data are logged to allow Google to determine how often a particular font family is requested. In the Google Fonts Web API, the user-agent is needed to adapt the font that is generated for the particular browser type. The user-agent is logged and primarily used for debugging and generating aggregated usage statistics aimed at measuring font families' popularity. These aggregated usage statistics are published on the "Analytics" page of Google Fonts. Finally, the referrer URL is logged so that the data can be used for production maintenance and to create an aggregated report on the top integrations based on the number of font requests. According to their information, Google does not utilize any information collected by Google Fonts to create end-user profiles or display targeted ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://fonts.google.com/; Privacy policy: https://policies.google.com/privacy; Basis of third-country transfers: Data Privacy Framework (DPF). More information: https://developers.google.com/fonts/faq/privacy?hl=en.
Google Maps: We integrate the maps of the "Google Maps" service from the provider Google. The processed data may specifically include IP addresses and location data of the users; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://mapsplatform.google.com/; Privacy policy: https://policies.google.com/privacy. Basis of third-country transfers: Data Privacy Framework (DPF).
Change and Update
We ask you to regularly inform yourself about the content of our privacy statement. We adapt the privacy statement as soon as the changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require cooperation on your part (e.g., consent) or any other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy statement, please note that addresses can change over time, and we ask you to check the information before contacting us.