Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to simply as "data") we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the "online offering").

The terms used are not gender-specific.

Last updated: May 2, 2024

Controller

Susanne Klaus
Marienstraße 9
10117 Berlin

Email address:
Legal notice: https://susanne.io/impressum

Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects concerned.

Types of Data Processed

• Inventory data.
• Employee data.
• Payment data.
• Location data.
• Contact data.
• Content data.
• Contract data.
• Usage data.
• Meta, communication, and procedural data.
• Social data.
• Image and/or video recordings.
• Audio recordings.
• Log data.
• Performance and behavioral data.
• Working time data.
• Salary data.

Special Categories of Data

• Health data.
• Religious or philosophical beliefs.
• Trade union membership.

Categories of Data Subjects

• Recipients of services and clients.
• Employees.
• Prospective customers.
• Communication partners.
• Users.
• Business and contractual partners.
• Depicted persons.

Purposes of Processing

• Provision of contractual services and fulfillment of contractual obligations.
• Communication.
• Security measures.
• Direct marketing.
• Reach measurement.
• Tracking.
• Office and organizational procedures.
• Remarketing.
• Conversion measurement.
• Target group formation.
• Organizational and administrative procedures.
• Feedback.
• Marketing.
• Profiles with user-related information.
• Provision of our online offering and user-friendliness.
• Establishment and execution of employment relationships.
• Information technology infrastructure.
• Public relations.
• Business processes and business management procedures.

Relevant Legal Bases

Relevant legal bases under the GDPR: Below, you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or registered office. If more specific legal bases are relevant in individual cases, we will inform you of these in this privacy policy.

• Consent (Art. 6(1) sentence 1 lit. a GDPR) - The data subject has given consent to the processing of personal data concerning them for one specific purpose or several specific purposes.
• Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR) - Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal obligation (Art. 6(1) sentence 1 lit. c GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the interests, fundamental rights, and freedoms of the data subject requiring the protection of personal data do not override those interests.
• Processing of special categories of personal data in relation to healthcare, occupation, and social security (Art. 9(2) lit. h GDPR) - Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, for the provision of health or social care or treatment, or for the management of health or social care systems and services on the basis of Union law or the law of a Member State, or pursuant to a contract with a health professional.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains special provisions, in particular on the right of access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transfer as well as automated decision-making in individual cases, including profiling. In addition, the data protection laws of the individual German federal states may apply.

Relevant legal bases under the Swiss Data Protection Act: If you are located in Switzerland, we process your data on the basis of the Federal Act on Data Protection (referred to briefly as the "Swiss DPA"). Unlike the GDPR, for example, the Swiss DPA generally does not require that a legal basis for processing personal data be stated, and the processing of personal data must be carried out in good faith, lawfully, and proportionately (Art. 6(1) and (2) Swiss DPA). In addition, personal data is collected by us only for a specific purpose recognizable to the data subject and is processed only in a manner compatible with that purpose (Art. 6(3) Swiss DPA).

Notice regarding the application of the GDPR and Swiss DPA: These privacy notices serve to provide information under both the Swiss DPA and the General Data Protection Regulation (GDPR). For this reason, we ask you to note that, due to the broader territorial application and comprehensibility, the terms used in the GDPR are used. In particular, instead of the terms used in the Swiss DPA, such as "processing" of "personal data", "overriding interest", and "particularly sensitive personal data", the GDPR terms "processing" of "personal data", "legitimate interest", and "special categories of data" are used. However, within the scope of the Swiss DPA, the legal meaning of the terms continues to be determined according to the Swiss DPA.

Security Measures

In accordance with legal requirements, and taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, securing availability, and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data, and responses to threats to the data. We also take the protection of personal data into account already during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

Securing online connections using TLS/SSL encryption technology (HTTPS): To protect the data of users transmitted via our online services from unauthorized access, we rely on TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the further developed and more secure version of SSL, ensures that all data transfers comply with the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is transmitted securely and in encrypted form.

Transfer of Personal Data

As part of our processing of personal data, it may happen that such data is transmitted to, or disclosed to, other bodies, companies, legally independent organizational units, or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.

Data transfer within the corporate group: We may transfer personal data to other companies within our corporate group or grant them access to this data. If this disclosure is made for administrative purposes, the disclosure of the data is based on our legitimate corporate and business interests, or takes place where it is necessary for the fulfillment of our contract-related obligations, or where the consent of the data subjects or a legal permission exists.

International Data Transfers

Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if processing takes place in the context of using third-party services or disclosing or transferring data to other persons, bodies, or companies, this is done only in accordance with legal requirements. If the level of data protection in the third country has been recognized by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers take place only if the level of data protection is otherwise ensured, in particular by standard contractual clauses (Art. 46(2) lit. c GDPR), explicit consent, or in the case of contractual or legally required transfer (Art. 49(1) GDPR). Furthermore, we will inform you of the basis for third-country transfers for the individual providers from the third country, whereby adequacy decisions take precedence as the basis. Information on third-country transfers and existing adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

EU-US Trans-Atlantic Data Privacy Framework: Under the so-called "Data Privacy Framework" (DPF), the EU Commission has also recognized the level of data protection as secure for certain companies from the USA within the framework of the adequacy decision of July 10, 2023. The list of certified companies as well as further information on the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English). In these privacy notices, we inform you which service providers used by us are certified under the Data Privacy Framework.

Disclosure of personal data abroad: In accordance with the Swiss DPA, we disclose personal data abroad only if adequate protection of the data subjects is ensured (Art. 16 Swiss DPA). If the Federal Council has not determined adequate protection (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we take alternative security measures. These may include international treaties, specific guarantees, data protection clauses in contracts, standard data protection clauses approved by the Federal Data Protection and Information Commissioner (FDPIC), or binding corporate rules previously recognized by the FDPIC or by a competent data protection authority of another country.

According to Art. 16 of the Swiss DPA, exceptions to the disclosure of data abroad may be permitted if certain conditions are met, including consent of the data subject, contract processing, public interest, protection of life or physical integrity, publicly disclosed data, or data from a legally provided register. Such disclosures always take place in accordance with legal requirements.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal provisions as soon as the underlying consents are withdrawn or no further legal bases for processing exist. This applies to cases in which the original processing purpose no longer applies or the data is no longer required. Exceptions to this rule exist where legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for the assertion of legal claims or the protection of the rights of other natural or legal persons, must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that applies specifically to certain processing operations.

Where several retention periods or deletion periods apply to a data item, the longest period shall always be decisive.

If a period does not expressly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the period is the point in time at which the termination or other ending of the legal relationship becomes effective.

Data that is no longer retained for its originally intended purpose, but due to legal requirements or other reasons, is processed by us exclusively for the reasons that justify its retention.

Further information on processing operations, procedures, and services:

• Retention and deletion of data: The following general periods apply to retention and archiving under German law:
  • 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets as well as the work instructions and other organizational documents necessary for understanding them, accounting vouchers and invoices (§ 147(3) in conjunction with (1) Nos. 1, 4 and 4a AO, § 14b(1) UStG, § 257(1) Nos. 1 and 4, (4) HGB).
  • 6 years - Other business documents: received commercial or business letters, reproductions of sent commercial or business letters, other documents insofar as they are relevant for taxation, e.g. hourly wage slips, operating accounting sheets, calculation documents, price labels, as well as payroll documents insofar as they are not already accounting vouchers, and cash register tapes (§ 147(3) in conjunction with (1) Nos. 2, 3, 5 AO, § 257(1) Nos. 2 and 3, (4) HGB).
  • 3 years - Data required to take into account potential warranty and damages claims or similar contractual claims and rights, and to process related inquiries, based on previous business experience and customary industry practices, is stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

  .

• Retention and deletion of data: The following general periods apply to retention and archiving under Swiss law:
  • 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting vouchers and invoices, as well as all required work instructions and other organizational documents (Art. 958f of the Swiss Code of Obligations (CO)).
  • 10 years - Data necessary for taking into account potential claims for damages or similar contractual claims and rights, as well as for processing related inquiries, based on previous business experience and customary industry practices, is stored for the statutory limitation period of ten years, unless a shorter period of five years is decisive and applicable in certain cases (Art. 127, 130 CO). Claims for rent, lease, and capital interest, as well as other periodic services, from the delivery of food, for board and lodging, for innkeeper debts, and from craft work, retail sale of goods, medical care, professional work by lawyers, legal agents, attorneys, and notaries, and from the employment relationship of employees expire after five years (Art. 128 CO).

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, arising in particular from Articles 15 to 21 GDPR:

• Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is based on Art. 6(1) lit. e or f GDPR; this also applies to profiling based on those provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes; this also applies to profiling insofar as it is related to such direct marketing.
• Right to withdraw consent: You have the right to withdraw any consent you have given at any time.
• Right of access: You have the right to request confirmation as to whether data concerning you is being processed, and to obtain access to this data as well as further information and a copy of the data in accordance with legal requirements.
• Right to rectification: In accordance with legal requirements, you have the right to request completion of the data concerning you or correction of inaccurate data concerning you.
• Right to deletion and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be deleted without delay, or alternatively, in accordance with legal requirements, to request restriction of the processing of the data.
• Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format in accordance with legal requirements, or to request its transmission to another controller.
• Complaint to supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR.

Rights of data subjects under the Swiss DPA:

As a data subject, you have the following rights in accordance with the requirements of the Swiss DPA:

• Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed and to receive the information required for you to assert your rights under this law and to ensure transparent data processing.
• Right to data disclosure or transfer: You have the right to request the disclosure of your personal data that you have provided to us in a commonly used electronic format.
• Right to rectification: You have the right to request correction of inaccurate personal data concerning you.
• Right to object, deletion, and destruction: You have the right to object to the processing of your data and to request that personal data concerning you be deleted or destroyed.

Provision of the Online Offering and Web Hosting

We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary in order to transmit the content and functions of our online services to the user's browser or device.

• Types of data processed: Usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, time information, identification numbers, persons involved); log data (e.g. log files relating to logins or the retrieval of data or access times). Content data (e.g. text or image messages and posts as well as related information, such as details of authorship or time of creation).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures; reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest-/behavior-based profiling, use of cookies); conversion measurement (measurement of the effectiveness of marketing measures); target group formation; marketing; profiles with user-related information (creation of user profiles). Provision of contractual services and fulfillment of contractual obligations.
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Consent (Art. 6(1) sentence 1 lit. a GDPR).

Further information on processing operations, procedures, and services:

• Provision of the online offering on rented storage space: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also referred to as a "web host"); Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Collection of access data and log files: Access to our online offering is recorded in the form of so-called "server log files". Server log files may include the address and name of the accessed web pages and files, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. Server log files may be used for security purposes, for example to prevent server overload (especially in the case of abusive attacks, so-called DDoS attacks), and also to ensure server utilization and stability; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Deletion of data: Log file information is stored for a maximum period of 30 days and then deleted or anonymized. Data whose further retention is necessary for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.
• Email sending and hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, the addresses of recipients and senders as well as further information relating to email transmission (e.g. the providers involved) and the content of the respective emails are processed. The aforementioned data may also be processed for the purpose of detecting spam. Please note that emails are generally not sent encrypted over the Internet. As a rule, emails are encrypted during transport, but (unless an end-to-end encryption method is used) not on the servers from which they are sent and received. We can therefore assume no responsibility for the transmission path of emails between the sender and receipt on our server; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• 1&1 IONOS WebAnalytics: Reach measurement and web analytics; Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://www.ionos.de; Privacy policy: https://www.ionos.de/terms-gtc/datenschutzerklaerung/; Data processing agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/; Basis for third-country transfers: Switzerland - adequacy decision (Germany); Further information: The data is collected either by a pixel or by a log file, without the use of cookies; the IP address of visitors is transmitted when a page view is transferred, anonymized immediately after transmission, and further processed without personal reference. The data is processed on the basis of a data processing agreement.
• 1&1 IONOS: Services in the field of providing information technology infrastructure and related services (e.g. storage space and/or computing capacity); Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.ionos.de; Privacy policy: https://www.ionos.de/terms-gtc/terms-privacy; Data processing agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/. Basis for third-country transfers: Switzerland - adequacy decision (Germany).
• Retrieval of WordPress emojis and smilies: Retrieval of WordPress emojis and smilies - Within our WordPress blog, graphical emojis (or smilies), i.e. small graphic files expressing emotions, are used for the efficient integration of content elements and are obtained from external servers. The providers of the servers collect users' IP addresses. This is necessary so that the emoji files can be transmitted to the users' browsers; Service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://automattic.com; Privacy policy: https://automattic.com/privacy. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).
• Jetpack (WordPress Stats): Jetpack provides analytics functions for WordPress software; Service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://automattic.com; Privacy policy: https://automattic.com/privacy. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).

Use of Cookies

Cookies are small text files or other storage notes that store information on end devices and read information from them. For example, they can be used to store the login status in a user account, the contents of a shopping cart in an online shop, the content accessed, or functions used in an online offering. Cookies may also be used for various purposes, such as ensuring the functionality, security, and convenience of online offerings, as well as creating analyses of visitor flows.

Notes on consent: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users unless consent is not required by law. Permission is not required in particular where the storage and reading of information, including cookies, is strictly necessary in order to provide users with a telemedia service expressly requested by them (i.e. our online offering). The revocable consent is clearly communicated to them and includes information on the respective cookie use.

Notes on data protection legal bases: The legal basis under data protection law on which we process users' personal data with the help of cookies depends on whether we ask them for consent. If users accept, the legal basis for the use of their data is the consent given. Otherwise, the data used with the help of cookies is processed on the basis of our legitimate interests (e.g. in the business operation of our online offering and the improvement of its usability), or, if this takes place in the context of fulfilling our contractual obligations, where the use of cookies is necessary to meet our contractual obligations. We explain the purposes for which cookies are used by us in the course of this privacy policy or as part of our consent and processing procedures.

Storage period: With regard to the storage period, the following types of cookies are distinguished:

• Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g. browser or mobile application).
• Persistent cookies: Persistent cookies remain stored even after the device is closed. For example, the login status can be stored and preferred content can be displayed directly when the user visits a website again. Likewise, usage data collected with the help of cookies may be used for reach measurement. Unless we provide users with explicit information on the type and storage duration of cookies (e.g. when obtaining consent), users should assume that these are persistent and that the storage duration may be up to two years.

General information on withdrawal and objection (opt-out): Users may withdraw the consent they have given at any time and may also object to processing in accordance with legal requirements, including via the privacy settings of their browser.

• Types of data processed: Meta, communication, and procedural data (e.g. IP addresses, time information, identification numbers, persons involved).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online offering and user-friendliness.
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Consent (Art. 6(1) sentence 1 lit. a GDPR).

Further information on processing operations, procedures, and services:

• Processing of cookie data on the basis of consent: We use a consent management solution through which users' consent to the use of cookies or to the procedures and providers named in the consent management solution is obtained. This procedure serves to obtain, record, manage, and withdraw consent, especially in relation to the use of cookies and comparable technologies that are used to store, read, and process information on users' end devices. As part of this procedure, users' consent is obtained for the use of cookies and the related processing of information, including the specific processing operations and providers named in the consent management procedure. Users also have the option to manage and withdraw their consent. Consent declarations are stored in order to avoid repeated requests and to be able to provide proof of consent in accordance with legal requirements. Storage takes place server-side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies in order to assign consent to a specific user or their device. Unless specific information on the providers of consent management services is available, the following general notes apply: The duration of consent storage is up to two years. A pseudonymous user identifier is created and stored together with the time of consent, details on the scope of consent (e.g. relevant categories of cookies and/or service providers), and information about the browser, system, and end device used; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR).
• Real Cookie Banner: Consent management: procedure for obtaining, recording, managing, and withdrawing consent, especially for the use of cookies and similar technologies for storing, reading, and processing information on users' end devices as well as its processing; Service provider: Execution on servers and/or computers under our own responsibility under data protection law; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://devowl.io/de/wordpress-real-cookie-banner/. Privacy policy: https://devowl.io/de/datenschutzerklaerung/.

Obtaining Applications via App Stores

Our application is obtained via special online platforms operated by other service providers (so-called "app stores"). In this context, the privacy notices of the respective app stores apply in addition to our privacy notices. This applies in particular with regard to the reach measurement and interest-based marketing procedures used on the platforms, as well as any costs.

• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); contract data (e.g. subject matter of contract, term, customer category); usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g. IP addresses, time information, identification numbers, persons involved).
• Data subjects: Recipients of services and clients. Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; marketing. Provision of our online offering and user-friendliness.
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures, and services:

• Apple App Store: App and software sales platform; Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.apple.com/de/app-store/. Privacy policy: https://www.apple.com/legal/privacy/de-ww/.

Blogs and Publication Media

We use blogs or comparable means of online communication and publication (hereinafter "publication medium"). Readers' data is processed for the purposes of the publication medium only insofar as this is necessary for its presentation and communication between authors and readers, or for reasons of security. Otherwise, we refer to the information on the processing of visitors to our publication medium in the context of these privacy notices.

• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts as well as related information, such as details of authorship or time of creation); usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g. IP addresses, time information, identification numbers, persons involved).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Feedback (e.g. collecting feedback via online form); provision of our online offering and user-friendliness. Security measures.
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures, and services:

• Retrieval of WordPress emojis and smilies: Retrieval of WordPress emojis and smilies - Within our WordPress blog, graphical emojis (or smilies), i.e. small graphic files expressing emotions, are used for the efficient integration of content elements and are obtained from external servers. The providers of the servers collect users' IP addresses. This is necessary so that the emoji files can be transmitted to the users' browsers; Service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://automattic.com; Privacy policy: https://automattic.com/privacy. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).
• Akismet anti-spam check: Akismet anti-spam check - We use the "Akismet" service on the basis of our legitimate interests. With the help of Akismet, comments from real people are distinguished from spam comments. For this purpose, all comment details are sent to a server in the USA, where they are analyzed and stored for comparison purposes for four days. If a comment has been classified as spam, the data is stored beyond this period. This information includes the entered name, email address, IP address, comment content, referrer, information about the browser used and the computer system, and the time of entry.

  Users are welcome to use pseudonyms or to refrain from entering their name or email address. They can completely prevent the transmission of data by not using our comment system. That would be a pity, but unfortunately we do not see any alternatives that work just as effectively; Service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://automattic.com; Privacy policy: https://automattic.com/privacy/. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).

Contact and Inquiry Management

When contacting us (e.g. by post, contact form, email, telephone, or via social media), as well as within existing user and business relationships, the information provided by the inquiring persons is processed insofar as this is necessary to answer the contact inquiries and any requested measures.

• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts as well as related information, such as details of authorship or time of creation); usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g. IP addresses, time information, identification numbers, persons involved).
• Data subjects: Communication partners.
• Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g. collecting feedback via online form). Provision of our online offering and user-friendliness.
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR).

Further information on processing operations, procedures, and services:

• Contact form: When you contact us via our contact form, by email, or through other communication channels, we process the personal data transmitted to us in order to respond to and handle the respective matter. This generally includes information such as name, contact information, and, where applicable, further information that is communicated to us and is required for appropriate handling. We use this data exclusively for the stated purpose of contact and communication; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Communication via Messenger

We use messengers for communication purposes and therefore ask you to observe the following information on the functionality of messengers, encryption, the use of communication metadata, and your options to object.

You can also contact us via alternative means, e.g. by telephone or email. Please use the contact options communicated to you or the contact options provided within our online offering.

In the case of end-to-end encryption of content (i.e. the content of your message and attachments), we point out that the communication content (i.e. the content of the message and attached images) is encrypted end-to-end. This means that the content of the messages cannot be viewed, not even by the messenger providers themselves. You should always use an up-to-date version of the messengers with encryption enabled to ensure encryption of message content.

However, we also inform our communication partners that although the messenger providers cannot view the content, they can determine that and when communication partners communicate with us, and technical information about the device used by the communication partners and, depending on the settings of their device, also location information (so-called metadata) may be processed.

Notes on legal bases: If we ask communication partners for permission before communicating with them via messenger, the legal basis for our processing of their data is their consent. Otherwise, if we do not ask for consent and they contact us on their own initiative, for example, we use messengers in relation to our contractual partners and in the context of contract initiation as a contractual measure, and in the case of other prospective customers and communication partners on the basis of our legitimate interests in fast and efficient communication and meeting the needs of our communication partners for communication via messenger. We further point out that we do not initially transmit the contact details provided to us to the messengers without your consent.

Withdrawal, objection, and deletion: You may withdraw any consent you have given at any time and object to communication with us via messenger at any time. In the case of communication via messenger, we delete messages in accordance with our general deletion guidelines (i.e. for example, as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that any information requested by the communication partners has been answered, if no reference back to a previous conversation is to be expected and no statutory retention obligations prevent deletion.

Reservation of reference to other communication channels: To ensure your security, we ask for your understanding that we may not be able to respond to inquiries via messenger for certain reasons. This applies to situations where, for example, contract details must be treated particularly confidentially or a response via messenger does not meet formal requirements. In these cases, we recommend that you use more suitable communication channels.

• Types of data processed: Contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts as well as related information, such as details of authorship or time of creation); usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g. IP addresses, time information, identification numbers, persons involved).
• Data subjects: Communication partners.
• Purposes of processing: Communication. Direct marketing (e.g. by email or post).
• Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures, and services:

• WhatsApp: WhatsApp Messenger with end-to-end encryption; Service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.whatsapp.com/; Privacy policy: https://www.whatsapp.com/legal. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).

Video Conferences, Online Meetings, Webinars, and Screen Sharing

We use platforms and applications from other providers (hereinafter referred to as "conference platforms") for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings (hereinafter collectively referred to as "conference"). When selecting conference platforms and their services, we observe the legal requirements.

Data processed by conference platforms: In the context of participation in a conference, the conference platforms process the participants' personal data listed below. The scope of processing depends, on the one hand, on which data is required in the context of a specific conference (e.g. provision of access data or real names) and which optional information is provided by the participants. In addition to processing for the conduct of the conference, the participants' data may also be processed by the conference platforms for security purposes or service optimization. The processed data includes personal data (first name, last name), contact information (email address, telephone number), access data (access codes or passwords), profile pictures, information on professional position/function, the IP address of the Internet connection, information on the participants' devices, their operating system, browser and its technical and language settings, information on communication processes in terms of content, i.e. entries in chats as well as audio and video data, and the use of other available functions (e.g. surveys). Communication content is encrypted to the extent technically provided by the conference providers. If participants are registered as users with the conference platforms, further data may be processed in accordance with the agreement with the respective conference provider.

Logging and recordings: If text entries, participation results (e.g. from surveys), or video or audio recordings are logged, this will be communicated transparently to participants in advance and, where necessary, their consent will be requested.

Data protection measures for participants: Please note the details of the processing of your data by the conference platforms in their privacy notices and select the security and privacy settings that are optimal for you within the settings of the conference platforms. Please also ensure data and personal privacy in the background of your recording for the duration of a video conference (e.g. by informing housemates, locking doors, and using, where technically possible, the function to blur the background). Links to conference rooms and access data must not be passed on to unauthorized third parties.

Notes on legal bases: If, in addition to the conference platforms, we also process users' data and ask users for their consent to the use of the conference platforms or certain functions (e.g. consent to recording conferences), the legal basis for processing is this consent. Furthermore, our processing may be necessary for the fulfillment of our contractual obligations (e.g. in participant lists, in the case of processing meeting results, etc.). Otherwise, users' data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts as well as related information, such as details of authorship or time of creation); usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); image and/or video recordings (e.g. photographs or video recordings of a person); audio recordings. Log data (e.g. log files relating to logins or the retrieval of data or access times).
• Data subjects: Communication partners; users (e.g. website visitors, users of online services). Depicted persons.
• Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; communication. Office and organizational procedures.
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures, and services:

• Microsoft Teams: Conference and communication software; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.microsoft.com/de-de/microsoft-365; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement, security information: https://www.microsoft.com/de-de/trustcenter. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).
• Skype: Messenger and conference software; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.skype.com/de/; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement, security information: https://www.microsoft.com/de-de/trustcenter. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).
• TeamViewer: Conference and communication software; Service provider: TeamViewer GmbH, Jahnstr. 30, 73037 Göppingen, Germany; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.teamviewer.com/de/; Privacy policy: https://www.teamviewer.com/de/legal/privacy-and-cookies/. Basis for third-country transfers: Switzerland - adequacy decision (Germany).
• Zoom: Conference and communication software; Service provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://zoom.us; Privacy policy: https://explore.zoom.us/docs/de-de/privacy-and-legal.html; Data processing agreement: https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA). Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - standard contractual clauses (https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA)).

Cloud Services

We use software services accessible via the Internet and operated on the servers of their providers (so-called "cloud services", also referred to as "Software as a Service") for the storage and management of content (e.g. document storage and management, exchange of documents, content, and information with specific recipients, or publication of content and information).

In this context, personal data may be processed and stored on the providers' servers insofar as it is part of communication processes with us or is otherwise processed by us as described in this privacy policy. This data may include, in particular, master data and contact data of users, data on transactions, contracts, other processes, and their content. The providers of cloud services also process usage data and metadata, which they use for security purposes and service optimization.

If, with the help of cloud services, we provide forms or other documents and content for other users or publicly accessible websites, the providers may store cookies on users' devices for web analytics purposes or to remember users' settings (e.g. in the case of media control).

• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts as well as related information, such as details of authorship or time of creation). Usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions).
• Data subjects: Prospective customers; communication partners; business and contractual partners. Users (e.g. website visitors, users of online services).
• Purposes of processing: Office and organizational procedures. Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures, and services:

• Apple iCloud: Cloud storage service; Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.apple.com/de/. Privacy policy: https://www.apple.com/legal/privacy/de-ww/.
• Google Cloud services: Cloud infrastructure services and cloud-based application software; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://cloud.google.com/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://cloud.google.com/terms/data-processing-addendum; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland). Further information: https://cloud.google.com/privacy.
• Google Cloud Storage: Cloud storage, cloud infrastructure services, and cloud-based application software; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://cloud.google.com/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://cloud.google.com/terms/data-processing-addendum; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland). Further information: https://cloud.google.com/privacy.
• Google Workspace: Cloud-based application software (e.g. word processing and spreadsheets, appointment and contact management), cloud storage, and cloud infrastructure services; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://workspace.google.com/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://cloud.google.com/terms/data-processing-addendum; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland). Further information: https://cloud.google.com/privacy.
• Microsoft cloud services: Cloud storage, cloud infrastructure services, and cloud-based application software; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://microsoft.com/de-de; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement, security information: https://www.microsoft.com/de-de/trustcenter; Data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).

Web Analytics, Monitoring, and Optimization

Web analytics (also referred to as "reach measurement") serves to evaluate visitor flows to our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, identify at what time our online offering or its functions or content are used most frequently, or invite reuse. We can also identify which areas require optimization.

In addition to web analytics, we may also use testing procedures, for example to test and optimize different versions of our online offering or its components.

Unless otherwise stated below, profiles, i.e. data summarized for a usage process, may be created for these purposes, and information may be stored in and read from a browser or device. The information collected includes, in particular, websites visited and elements used there, as well as technical information, such as the browser used, the computer system used, and information on usage times. If users have consented to the collection of their location data vis-à-vis us or the providers of the services we use, location data may also be processed.

In addition, users' IP addresses are stored. However, we use an IP masking procedure (i.e. pseudonymization by shortening the IP address) to protect users. In general, no clear data of users (such as email addresses or names) is stored in the context of web analytics, A/B testing, and optimization, but rather pseudonyms. This means that both we and the providers of the software used do not know the actual identity of users, but only the information stored in their profiles for the purpose of the respective procedures.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, users' data is processed on the basis of our legitimate interests (i.e. an interest in efficient, economical, and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

• Types of data processed: Usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g. IP addresses, time information, identification numbers, persons involved).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Remarketing; target group formation; reach measurement (e.g. access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles); tracking (e.g. interest-/behavior-based profiling, use of cookies); conversion measurement (measurement of the effectiveness of marketing measures); marketing. Provision of our online offering and user-friendliness.
• Security measures: IP masking (pseudonymization of the IP address).
• Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures, and services:

• 1&1 IONOS WebAnalytics: Reach measurement and web analytics; Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://www.ionos.de; Privacy policy: https://www.ionos.de/terms-gtc/datenschutzerklaerung/; Data processing agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/; Basis for third-country transfers: Switzerland - adequacy decision (Germany); Further information: The data is collected either by a pixel or by a log file, without the use of cookies; the IP address of visitors is transmitted when a page view is transferred, anonymized immediately after transmission, and further processed without personal reference. The data is processed on the basis of a data processing agreement.
• Google Analytics: We use Google Analytics to measure and analyze the use of our online offering on the basis of a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It is used to assign analysis information to a device in order to identify which content users have accessed within one or more usage processes, which search terms they used, whether they accessed them again, or whether they interacted with our online offering. The time of use and its duration are also stored, as are the sources of users who refer to our online offering and technical aspects of their devices and browsers.
  Pseudonymous profiles of users with information from the use of different devices are created, whereby cookies may be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides rough geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is used exclusively for this derivation of geolocation data before being immediately deleted. It is not logged, is not accessible, and is not used for further purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland); Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and processed data).
• Notes on consent recipients and cookieless analytics: Notes on consent recipients: Consent given by users within a consent dialog (also known as "cookie opt-in/consent", "cookie banner", etc.) fulfills several purposes. On the one hand, it serves to fulfill our obligation to obtain consent for storing and reading information on and from users' end devices (in accordance with ePrivacy guidelines). On the other hand, it covers the processing of users' personal data in accordance with data protection requirements. In addition, this consent also applies to Google, as the company is required under the Digital Markets Act to obtain consent for personalized services. We therefore share the status of the consent given by users with Google. Our consent management software informs Google whether consent has been given or not. The aim is to ensure that users' granted or withheld consent is taken into account when using Google Analytics and integrating functions and external services. In this way, users' consent and withdrawal of consent can be dynamically adapted within Google Analytics and other Google services in our online offering, depending on the user's selection.
  Cookieless analytics: We use the advanced implementation of Google Analytics consent mode. This means that if users do not give consent to store and read information on their end devices — in particular with regard to cookies — no cookies or comparable information will be stored on users' devices. Likewise, no user profiles are created.
  In this case, Google's code generates a random identification number on the user's device and transmits it to Google (a so-called "ping"). The identification is not stored in the browser, in apps, or on other users' devices. This identification number is unique for each website visit, so that users' behavior or interests are not recorded across devices or pages. Only a minimum amount of information on user activity is sent. This includes information on consent status and information for conversion measurement, i.e. whether a user was directed to our online offering by a Google advertisement.
  In addition, where available, the following information may be transmitted: a) function-related information such as headers (technical details transmitted by the browser), b) timestamps (date and time of access), c) user agent (information about the browser and device used, web only), d) referrer URL (the URL of the page from which the user came), e) aggregated/pseudonymous information: This includes an indication of whether the current or a previous page in the user's navigation history contains information about the ad click in the URL (e.g. GCLID/DCLID, special tracking codes from Google), a random number generated with each page load, and information on the consent management platform used by the website owner (e.g. developer ID); Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://support.google.com/analytics/answer/9976101?hl=de; Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Switzerland - adequacy decision (Ireland).
• Google Analytics (server-side use): We use Google Analytics to measure and analyze users' use of our online services. Users' data is processed, but not transmitted directly from users' devices to Google. In particular, users' IP addresses are not transmitted to Google. Instead, the data is first transmitted to our server, where users' data records are assigned to our internal user identification number. The subsequent transmission takes place only in this pseudonymized form from our server to Google. The identification number does not contain any unique data, such as names or email addresses. It is used to assign analysis information to a device in order to identify which content users have accessed within one or more usage processes, which search terms they used, whether they accessed them again, or whether they interacted with our online offering. The time of use and its duration are also stored, as are the sources of users who refer to our online offering and technical aspects of their devices and browsers. Pseudonymous profiles of users with information from the use of different devices are created, whereby cookies may be used. Analytics provides higher-level geographic location data by collecting the following metadata based on IP lookup: "city" (and the derived latitude and longitude of the city), "continent", "country", "region", "subcontinent" (and the ID-based equivalents); Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland). Further information: https://business.safety.google/adsservices/ (types of processing and processed data).
• Google Signals (Google Analytics function): Google Signals are session data from websites and apps that Google associates with users who are signed in to their Google accounts and have enabled ad personalization. This association of data with these signed-in users is used to enable cross-device reporting, cross-device remarketing, and cross-device conversion measurement. This includes: cross-platform reports - linking data across devices and activities from different sessions using your user ID or Google Signals data, enabling an understanding of user behavior at every step of the conversion process, from first contact to conversion and beyond; remarketing with Google Analytics - creating remarketing audiences from Google Analytics data and sharing these audiences with linked advertising accounts; demographics and interests - Google Analytics collects additional information about demographic data and interests from users who are signed in to their Google accounts and have enabled ad personalization; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://support.google.com/analytics/answer/7532985?hl=de; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland). Further information: https://business.safety.google/adsservices/ (types of processing and processed data).
• Target group formation with Google Analytics: We use Google Analytics to present advertisements placed via Google's advertising services and those of its partners specifically to those users who have already shown interest in our online offering or who have certain characteristics (e.g. interests in specific topics or products determined based on the websites they have visited). We transmit this data to Google as part of so-called "remarketing" or "Google Analytics audiences". The aim of using remarketing audiences is to ensure that our advertisements correspond as closely as possible to users' potential interests; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://marketingplatform.google.com; Legal bases: https://business.safety.google/adsprocessorterms/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland); Further information: Types of processing and processed data: https://business.safety.google/adsservices/. Data processing terms for Google advertising products and standard contractual clauses for third-country transfers of data: https://business.safety.google/adsprocessorterms.
• No collection of detailed location and device data (Google Analytics function): No detailed location and device data is collected (further information: https://support.google.com/analytics/answer/12017362).
• Google Tag Manager: We use Google Tag Manager, software by Google that enables us to manage so-called website tags centrally via a user interface. Tags are small code elements on our website that are used to record and analyze visitor activities. This technology helps us improve our website and the content offered on it. Google Tag Manager itself does not create user profiles, store cookies with user profiles, or perform independent analyses. Its function is limited to simplifying and making more efficient the integration and management of tools and services that we use on our website. Nevertheless, when Google Tag Manager is used, users' IP addresses are transmitted to Google, which is technically necessary in order to implement the services we use. Cookies may also be set in this process. However, this data processing takes place only if services are integrated via the Tag Manager. For more detailed information on these services and their data processing, we refer to the further sections of this privacy policy; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Data processing agreement:
  https://business.safety.google/adsprocessorterms. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).
• Google Tag Manager (server-side use): Google Tag Manager is an application with which we can manage so-called website tags via an interface and thereby integrate other services into our online offering (see also the further information in this privacy policy). The Tag Manager itself (which implements the tags) therefore does not store user profiles or cookies. The integration of the other services takes place server-side. This means that users' data is not transmitted directly from their device to the respective service or to Google. In particular, users' IP addresses are not transmitted to the other service. Instead, the data is first transmitted to our server, where users' data records are assigned to our internal user identification number. The subsequent transmission of data from our server to the servers of the respective service providers takes place only in this pseudonymized form. The user identification number does not contain any unique data, such as names or email addresses; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland). Further information: https://business.safety.google/adsservices/ (types of processing and processed data).

Online Marketing

We process personal data for the purpose of online marketing, which may include, in particular, the marketing of advertising space or the display of advertising and other content (collectively referred to as "content") based on users' potential interests, as well as the measurement of its effectiveness.

For these purposes, so-called user profiles are created and stored in a file (the so-called "cookie") or similar procedures are used, by means of which the information relevant to the display of the aforementioned content about the user is stored. This may include, for example, content viewed, websites visited, online networks used, as well as communication partners and technical information, such as the browser used, the computer system used, and information on usage times and functions used. If users have consented to the collection of their location data, this may also be processed.

In addition, users' IP addresses are stored. However, we use available IP masking procedures (i.e. pseudonymization by shortening the IP address) to protect users. In general, no clear data of users (such as email addresses or names) is stored as part of the online marketing process, but rather pseudonyms. This means that both we and the providers of the online marketing procedures do not know the actual identity of the users, but only the information stored in their profiles.

The statements in the profiles are generally stored in cookies or by means of similar procedures. These cookies may later generally also be read on other websites that use the same online marketing procedure, analyzed for the purpose of displaying content, supplemented with further data, and stored on the server of the online marketing procedure provider.

Exceptionally, it is possible to assign clear data to the profiles, primarily where the users are, for example, members of a social network whose online marketing procedures we use and the network links the users' profiles with the aforementioned information. We ask you to note that users may enter into additional agreements with the providers, for example by giving consent during registration.

We generally receive access only to aggregated information about the success of our advertisements. However, as part of so-called conversion measurements, we can check which of our online marketing procedures led to a so-called conversion, i.e. for example to the conclusion of a contract with us. Conversion measurement is used solely to analyze the success of our marketing measures.

Unless otherwise stated, please assume that cookies used are stored for a period of two years.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, users' data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical, and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Notes on withdrawal and objection:

We refer to the privacy notices of the respective providers and the objection options specified for the providers (so-called "opt-out"). Where no explicit opt-out option has been specified, you have the option of disabling cookies in your browser settings. However, this may restrict functions of our online offering. We therefore additionally recommend the following opt-out options, which are offered collectively for the respective territories:

a) Europe: https://www.youronlinechoices.eu.

b) Canada: https://www.youradchoices.ca/choices.

c) USA: https://www.aboutads.info/choices.

d) Across territories: https://optout.aboutads.info.

• Types of data processed: Usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, time information, identification numbers, persons involved). Contact data (e.g. postal and email addresses or telephone numbers).
• Data subjects: Users (e.g. website visitors, users of online services). Communication partners.
• Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest-/behavior-based profiling, use of cookies); target group formation; marketing; profiles with user-related information (creation of user profiles); conversion measurement (measurement of the effectiveness of marketing measures); provision of our online offering and user-friendliness; remarketing; communication. Direct marketing (e.g. by email or post).
• Security measures: IP masking (pseudonymization of the IP address).
• Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures, and services:

• Google Ad Manager: We use the "Google Ad Manager" service to place advertisements in the Google advertising network (e.g. in search results, in videos, on websites, etc.). Google Ad Manager is characterized by the fact that advertisements are displayed in real time based on users' presumed interests. This allows us to show advertisements for our online offering to users who may have a potential interest in our offering or who had previously been interested in it, and to measure the success of the advertisements; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland); Further information: Types of processing and processed data: https://business.safety.google/adsservices/; data processing terms for Google advertising products: information on the services, controller-to-controller data protection terms, and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms. Where Google acts as a processor, data processing terms for Google advertising products and standard contractual clauses for third-country transfers of data: https://business.safety.google/adsprocessorterms.
• AdMob: Platform for displaying advertising content in mobile applications; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://admob.google.com/home/; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland). Further information: Processing by Google as controller: https://business.safety.google/adscontrollerterms/.
• Google Ads and conversion measurement: Online marketing procedure for the purpose of placing content and advertisements within the service provider's advertising network (e.g. in search results, in videos, on websites, etc.), so that they are displayed to users who have a presumed interest in the advertisements. In addition, we measure the conversion of the advertisements, i.e. whether users used them as an opportunity to interact with the advertisements and use the advertised offers (so-called conversions). However, we receive only anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland); Further information: Types of processing and processed data: https://business.safety.google/adsservices/. Controller-to-controller data protection terms and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.
• Google Ads Remarketing: Google Remarketing, also called retargeting, is a technology by which users who use an online service are added to a pseudonymous remarketing list so that advertisements can be displayed to users on other online offerings based on their visit to the online service; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland); Further information: Types of processing and processed data: https://business.safety.google/adsservices/. Controller-to-controller data protection terms and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.
• Enhanced conversions for Google Ads: When users click on our Google advertisements and subsequently use the advertised service (so-called "conversion"), the data entered by the user, such as email address, name, residential address, or telephone number, may be transmitted to Google. The hash values are then matched with existing Google accounts of users in order to better evaluate and improve users' interaction with the advertisements (e.g. clicks or views) and thus their performance; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). Website: https://support.google.com/google-ads/answer/9888656.
• Google AdSense with personalized ads: We integrate the Google AdSense service, which enables personalized advertisements to be placed within our online offering. Google AdSense analyzes user behavior and uses this data to display targeted advertising tailored to the interests of our visitors. For each ad placement or other use of these advertisements, we receive financial compensation; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland); Further information: Types of processing and processed data: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: information on the services, controller-to-controller data protection terms, and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.
• Google AdSense with non-personalized ads: We use the Google AdSense service to display non-personalized advertisements in our online offering. These advertisements are not based on individual user behavior, but are selected based on general characteristics such as the content of the page or your approximate geographic location. We receive compensation for the display or other use of these advertisements; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland); Further information: Types of processing and processed data: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: information on the services, controller-to-controller data protection terms, and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.
• Instagram: Social network; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).
• Facebook pages: Profiles within the social network Facebook - We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (so-called "fan page"). This data includes information on the types of content users view or interact with, or the actions they take (see "Things you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see "Device information" in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, so-called "Page Insights", for page operators so that they can gain insights into how people interact with their pages and the content associated with them. We have concluded a special agreement with Facebook ("Page Insights Controller Addendum", https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must observe and in which Facebook has agreed to fulfill data subject rights (i.e. users may, for example, direct requests for information or deletion directly to Facebook). Users' rights (in particular to access, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the "Information about Page Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint responsibility is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which concerns in particular the transfer of the data to the parent company Meta Platforms, Inc. in the USA; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).
• WhatsApp: WhatsApp Messenger with end-to-end encryption; Service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.whatsapp.com/; Privacy policy: https://www.whatsapp.com/legal. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).

Presences in Social Networks (Social Media)

We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to provide information about us.

We point out that user data may be processed outside the European Union. This may result in risks for users, because, for example, it may make it more difficult to enforce users' rights.

Furthermore, users' data within social networks is generally processed for market research and advertising purposes. For example, usage profiles can be created based on user behavior and the resulting interests of users. These may in turn be used, for example, to place advertisements inside and outside the networks that presumably correspond to users' interests. Therefore, cookies are generally stored on users' computers in which users' usage behavior and interests are stored. In addition, data may also be stored in the usage profiles independently of the devices used by the users (especially if they are members of the respective platforms and are logged in there).

For a detailed description of the respective forms of processing and the options to object (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.

Also in the case of requests for information and the assertion of data subject rights, we point out that these can be asserted most effectively with the providers. Only the providers have access to users' data and can take appropriate measures and provide information directly. If you nevertheless need assistance, you may contact us.

• Types of data processed: Contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts as well as related information, such as details of authorship or time of creation). Usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Communication; feedback (e.g. collecting feedback via online form). Public relations.
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures, and services:

• Instagram: Social network; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).
• Facebook pages: Profiles within the social network Facebook - We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (so-called "fan page"). This data includes information on the types of content users view or interact with, or the actions they take (see "Things you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see "Device information" in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, so-called "Page Insights", for page operators so that they can gain insights into how people interact with their pages and the content associated with them. We have concluded a special agreement with Facebook ("Page Insights Controller Addendum", https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must observe and in which Facebook has agreed to fulfill data subject rights (i.e. users may, for example, direct requests for information or deletion directly to Facebook). Users' rights (in particular to access, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the "Information about Page Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint responsibility is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which concerns in particular the transfer of the data to the parent company Meta Platforms, Inc. in the USA; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).
• Facebook events: Event profiles within the social network Facebook - We use the "Events" function of the Facebook platform to draw attention to events and appointments, to contact users (participants and interested parties), and to exchange information. In doing so, we process personal data of users of our event pages insofar as this is necessary for the purpose of the event page and its moderation. This data includes first and last names, published or privately communicated content, values relating to participation status, and time information regarding the aforementioned data. We also refer to the processing of users' data by Facebook itself. This data includes information on the types of content users view or interact with, or the actions they take (see "Things you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see "Device information" in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, so-called "Insights", for event providers so that they can gain insights into how people interact with their event pages and the content associated with them; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).
• LinkedIn: Social network - We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not further processing) of data from visitors that is created for the purpose of preparing the "Page Insights" (statistics) of our LinkedIn profiles.
  This data includes information on the types of content users view or interact with, or the actions they take, as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data), and information from users' profiles, such as job function, country, industry, seniority level, company size, and employment status. Data protection information on the processing of users' data by LinkedIn can be found in LinkedIn's privacy notices: https://www.linkedin.com/legal/privacy-policy
  We have concluded a special agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum (the ‘Addendum’)", https://legal.linkedin.com/pages-joint-controller-addendum), which regulates in particular which security measures LinkedIn must observe and in which LinkedIn has agreed to fulfill data subject rights (i.e. users may, for example, direct requests for access or deletion directly to LinkedIn). Users' rights (in particular to access, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection of the data by and transfer to Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of Ireland Unlimited Company, which concerns in particular the transfer of data to the parent company LinkedIn Corporation in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Plugins and Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include, for example, graphics, videos, or city maps (hereinafter uniformly referred to as "content").

The integration always requires that the third-party providers of this content process users' IP addresses, since without the IP address they could not send the content to the users' browser. The IP address is therefore required for the display of this content or these functions. We endeavor to use only such content whose respective providers use the IP address solely for delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. Through the "pixel tags", information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on users' devices and may include, among other things, technical information about the browser and operating system, referring websites, time of visit, and further information on the use of our online offering, and may also be linked with such information from other sources.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, users' data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical, and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

• Types of data processed: Usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, time information, identification numbers, persons involved). Location data (information on the geographical position of a device or person).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online offering and user-friendliness. Provision of contractual services and fulfillment of contractual obligations.
• Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures, and services:

• Google Fonts (provided on our own server): Provision of font files for the user-friendly display of our online offering; Service provider: Google Fonts are hosted on our server; no data is transmitted to Google; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Google Fonts (obtained from Google server): Obtaining fonts (and symbols) for the purpose of technically secure, maintenance-free, and efficient use of fonts and symbols with regard to up-to-dateness and loading times, their uniform display, and consideration of possible licensing restrictions. The provider of the fonts is informed of the user's IP address so that the fonts can be made available in the user's browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) is transmitted, which is necessary for providing the fonts depending on the devices used and the technical environment. This data may be processed on a server of the font provider in the USA - When visiting our online offering, users' browsers send their browser HTTP requests to the Google Fonts Web API (i.e. a software interface for retrieving fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) of Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the Internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of the website visitors, as well as the referrer URL (i.e. the website on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers and are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user agent, and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a specific font family is requested. In the Google Fonts Web API, the user agent must customize the font generated for the respective browser type. The user agent is primarily logged for debugging and used to generate aggregated usage statistics that measure the popularity of font families. These aggregated usage statistics are published on the Google Fonts "Analytics" page. Finally, the referrer URL is logged so that the data can be used for production maintenance and an aggregated report on the top integrations can be generated based on the number of font requests. According to Google's own information, Google does not use any of the information collected by Google Fonts to create profiles of end users or to display targeted advertisements; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://fonts.google.com/; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland). Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
• Font Awesome (provided on our own server): Display of fonts and symbols; Service provider: The Font Awesome icons are hosted on our server; no data is transmitted to the Font Awesome provider; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Google Maps: We integrate the maps of the "Google Maps" service provided by Google. The processed data may include, in particular, users' IP addresses and location data; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); Website: https://mapsplatform.google.com/; Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland).
• reCAPTCHA: We integrate the "reCAPTCHA" function in order to determine whether entries (e.g. in online forms) are made by humans and not by automatically acting machines (so-called "bots"). The processed data may include IP addresses, information about operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, time spent on websites, previously visited websites, interactions with reCAPTCHA on other websites, and, under certain circumstances, cookies as well as results of manual recognition processes (e.g. answering questions or selecting objects in images). Data processing is carried out on the basis of our legitimate interest in protecting our online offering from abusive automated crawling and spam; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.google.com/recaptcha/; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - adequacy decision (Ireland). Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://myadcenter.google.com/personalizationoff.

Changes and Updates

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an action on your part (e.g. consent) or any other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time and we ask you to check the information before contacting them.

Definitions

In this section, you will find an overview of the terms used in this privacy policy. Where the terms are legally defined, their statutory definitions apply. The following explanations, however, are primarily intended to aid understanding.

• Employees: Employees are persons who are in an employment relationship, whether as workers, salaried employees, or in similar positions. An employment relationship is a legal relationship between an employer and an employee that is established by an employment contract or agreement. It includes the employer's obligation to pay the employee remuneration while the employee performs their work. The employment relationship comprises various phases, including establishment, during which the employment contract is concluded, execution, during which the employee performs their work, and termination, when the employment relationship ends, whether by notice, termination agreement, or otherwise. Employee data is all information relating to these persons and connected with their employment. This includes aspects such as personal identification data, identification numbers, salary and bank data, working hours, vacation entitlements, health data, and performance assessments.
• Inventory data: Inventory data includes essential information necessary for the identification and management of contractual partners, user accounts, profiles, and similar assignments. This data may include, among other things, personal and demographic details such as names, contact information (addresses, telephone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between persons and services, institutions, or systems by enabling clear assignment and communication.
• Content data: Content data includes information generated in the course of creating, editing, and publishing content of all kinds. This category of data may include text, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited only to the actual content, but also includes metadata that provides information about the content itself, such as tags, descriptions, author information, and publication dates.
• Contact data: Contact data is essential information that enables communication with persons or organizations. It includes, among other things, telephone numbers, postal addresses, and email addresses, as well as means of communication such as social media handles and instant messaging identifiers.
• Conversion measurement: Conversion measurement (also referred to as "visit action evaluation") is a procedure by which the effectiveness of marketing measures can be determined. As a rule, a cookie is stored on users' devices within the websites on which the marketing measures take place and is then retrieved again on the target website. For example, this allows us to understand whether the advertisements we placed on other websites were successful.
• Performance and behavioral data: Performance and behavioral data relates to information connected with how persons perform tasks or behave in a specific context, such as in an educational, work, or social environment. This data may include metrics such as productivity, efficiency, work quality, attendance, and compliance with guidelines or procedures. Behavioral data may include interactions with colleagues, communication styles, decision-making processes, and reactions to various situations. These types of data are often used for performance evaluations, training and development measures, and decision-making within organizations.
• Meta, communication, and procedural data: Meta, communication, and procedural data are categories containing information about how data is processed, transmitted, and managed. Metadata, also known as data about data, includes information that describes the context, origin, and structure of other data. It may include details such as file size, creation date, author of a document, and change histories. Communication data records the exchange of information between users via various channels, such as email traffic, call logs, messages in social networks, and chat histories, including the persons involved, timestamps, and transmission paths. Procedural data describes the processes and workflows within systems or organizations, including workflow documentation, logs of transactions and activities, and audit logs used for tracking and reviewing operations.
• Usage data: Usage data refers to information that records how users interact with digital products, services, or platforms. This data includes a wide range of information showing how users use applications, which functions they prefer, how long they remain on certain pages, and which paths they take through an application. Usage data may also include frequency of use, timestamps of activities, IP addresses, device information, and location data. It is particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. In addition, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.
• Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie), or to one or more special characteristics that are an expression of the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• Profiles with user-related information: The processing of "profiles with user-related information", or simply "profiles", includes any type of automated processing of personal data consisting of the use of such personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information concerning demographics, behavior, and interests, such as interaction with websites and their content, etc.) (e.g. interests in certain content or products, click behavior on a website, or location). Cookies and web beacons are often used for profiling purposes.
• Log data: Log data is information about events or activities that have been logged in a system or network. This data typically contains information such as timestamps, IP addresses, user actions, error messages, and other details about the use or operation of a system. Log data is often used to analyze system problems, for security monitoring, or to create performance reports.
• Reach measurement: Reach measurement (also referred to as web analytics) is used to evaluate visitor flows to an online offering and may include visitors' behavior or interests in certain information, such as website content. With the help of reach analysis, operators of online offerings can, for example, recognize at what time users visit their websites and which content they are interested in. This enables them, for example, to better adapt website content to the needs of their visitors. For reach analysis purposes, pseudonymous cookies and web beacons are often used to recognize returning visitors and thus obtain more precise analyses of the use of an online offering.
• Remarketing: "Remarketing" or "retargeting" refers, for example, to noting for advertising purposes which products a user was interested in on a website in order to remind the user of these products on other websites, e.g. in advertisements.
• Location data: Location data is generated when a mobile device (or another device with the technical prerequisites for location determination) connects to a cell tower, Wi-Fi network, or similar technical means and functions of location determination. Location data indicates the geographically determinable position on Earth where the respective device is located. Location data can be used, for example, to display map functions or other information dependent on location.
• Tracking: "Tracking" refers to the ability to trace the behavior of users across multiple online offerings. As a rule, behavioral and interest information relating to the online offerings used is stored in cookies or on the servers of the providers of the tracking technologies (so-called profiling). This information can then be used, for example, to display advertisements to users that are likely to correspond to their interests.
• Controller: The "controller" is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processing: "Processing" means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers practically any handling of data, whether collection, evaluation, storage, transmission, or deletion.
• Contract data: Contract data is specific information relating to the formalization of an agreement between two or more parties. It documents the conditions under which services or products are provided, exchanged, or sold. This data category is essential for the administration and fulfillment of contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include start and end dates of the contract, the type of agreed services or products, price agreements, payment terms, termination rights, renewal options, and special terms or clauses. It serves as the legal basis for the relationship between the parties and is essential for clarifying rights and obligations, enforcing claims, and resolving disputes.
• Payment data: Payment data includes all information required to process payment transactions between buyers and sellers. This data is of critical importance for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank details, payment amounts, transaction data, verification numbers, and billing information. Payment data may also include information about payment status, chargebacks, authorizations, and fees.
• Target group formation: Target group formation (English: "custom audiences") refers to determining target groups for advertising purposes, e.g. the display of advertisements. For example, based on a user's interest in certain products or topics on the Internet, it can be inferred that this user is interested in advertisements for similar products or the online shop in which they viewed the products. "Lookalike audiences" (or similar target groups), in turn, refers to showing content deemed suitable to users whose profiles or interests presumably correspond to the users for whom the profiles were created. Cookies and web beacons are generally used for the purposes of forming custom audiences and lookalike audiences.