Privacy Policy
Preamble
With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as "data") we process for which purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and particularly on our websites, in mobile applications, as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").
The terms used are not gender-specific.
Status: August 30, 2023
Table of Contents
- Preamble
- Responsible
- Overview of processes
- Relevant legal bases
- Security measures
- Transmission of personal data
- International Data Transfers
- Data deletion
- Rights of the affected persons
- Use of Cookies
- Payment methods
- Provision of the online offer and web hosting
- Blogs and publication media
- Contact and Inquiry Management
- Chatbots and chat functions
- Newsletter and electronic notifications
- Contests and competitions
- Web analysis, monitoring, and optimization
- Online marketing
- Customer reviews and rating procedures
- Presences in social networks (Social Media)
- Plugins and embedded functions as well as content
- Change and update of the privacy policy
- Definitions of terms
Responsible
Dr. Emi Arpa Skin GmbH | Fasanenstraße 65 | 10719 Berlin
Berlin Charlottenburg Commercial Register | HRB 248486B
VAT ID: DE358543091
Managing Directors: Dr. med. Emi Arpa, Sebastian Dahlem
Email: hello@dr-emiskin.de +49 (0)30 88675777
Authorized representatives:
Sebastian Dahlem
Email address: hello@dr-emiskin.de
Imprint:
www.dr-emiskin.de/pages/impressum
Relevant legal bases
Relevant legal bases according to the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or registered office. If, in individual cases, more specific legal bases should be decisive, we will inform you of these in the privacy policy.
- Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR): The data subject has given their consent to the processing of their personal data for a specific purpose or multiple specific purposes.
- Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR): The processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures that are taken at the request of the data subject.
- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR): The processing is necessary for the protection of the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, outweigh them.
National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. This includes in particular the law for the protection against the misuse of personal data in data processing (Federal Data Protection Act – BDSG). The BDSG contains specific regulations regarding the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and the transmission as well as automated decision-making in individual cases, including profiling. Furthermore, state data protection laws of the individual federal states may apply.
Relevant legal bases according to the Swiss Data Protection Act: If you are located in Switzerland, we process your data based on the Federal Act on Data Protection (in short, "Swiss DPA"). This also applies if our processing of your data otherwise affects you in Switzerland and you are affected by the processing. The Swiss DSG does not generally require (unlike, for example, the GDPR) that a legal basis for the processing of personal data must be specified. We process personal data only when the processing is lawful, carried out in good faith, and is proportionate (Art. 6 para. 1 and 2 of the Swiss DSG). Furthermore, personal data will only be collected by us for specific purposes that are identifiable to the affected person and will only be processed in a manner that is compatible with these purposes (Art. 6 para. 3 of the Swiss DSG).
Notice on the applicability of the GDPR and Swiss Data Protection Act: These privacy notices serve to provide information in accordance with the Swiss Federal Act on Data Protection (Swiss DPA) as well as the General Data Protection Regulation (GDPR). For this reason, we ask you to note that the terms of the GDPR are used due to the broader spatial application and comprehensibility. In particular, instead of the terms "processing" of "personal data", "legitimate interest" and "special categories of data" used in the Swiss DSG, the terms "processing" of "personal data" as well as "legitimate interest" and "special categories of data" used in the GDPR are used. The legal meaning of the terms, however, will continue to be determined in accordance with the Swiss DSG within the scope of its applicability.
Overview of processes
The following overview summarizes the types of processed data and the purposes of their processing and refers to the affected individuals.
Types of processed data
- Inventory data.
- Payment data.
- Contact details.
- Content data.
- Contract data.
- Usage data.
- Meta-, communication, and procedural data.
- Contact information (Facebook).
- Event data (Facebook).
Categories of affected persons
- Customers.
- Interested parties.
- Communication partners.
- Users.
- Contest and competition participants.
Purposes of processing
- Provision of contractual services and fulfillment of contractual obligations.
- Contact inquiries and communication.
- Security measures.
- Direct marketing.
- Range measurement.
- Tracking.
- Remarketing.
- Conversion tracking.
- Click tracking.
- Target group formation.
- A/B tests.
- Management and response to inquiries.
- Conducting sweepstakes and competitions.
- Feedback.
- Heatmaps.
- Marketing.
- Profile with user-related information.
- Provision of our online offering and user-friendliness.
- Information technology infrastructure.
Security measures
We take appropriate technical and organizational measures in accordance with legal requirements, considering the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.
Measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access to, input of, disclosure of, safeguarding the availability of, and separation of the data. Furthermore, we have established procedures that ensure the exercise of the rights of affected individuals, the deletion of data, and responses to data breaches. We also take the protection of personal data into account already during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection through technical design and through data protection-friendly default settings.
Shortening of the IP address: If IP addresses are processed by us or by the service providers and technologies used, and the processing of a full IP address is not necessary, the IP address will be shortened (also referred to as "IP masking"). The last two digits, or the last part of the IP address after a dot, are removed or replaced with placeholders. The shortening of the IP address is intended to prevent or significantly complicate the identification of a person based on their IP address.
TLS encryption (https): To protect the data you transmit via our online service, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
Transmission of personal data
As part of our processing of personal data, it may occur that the data is transmitted to other entities, companies, legally independent organizational units, or individuals, or that it is disclosed to them. The recipients of this data may include, for example, service providers assigned IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and particularly conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.
Shopify: In order to process the order and thus provide the service, the data is transmitted to our shop system Shopify.
Shopify: Platform through which e-commerce services are offered and conducted. The services and the processes carried out in connection with them include, in particular, online shops, websites, their offers and content, community elements, purchase and payment transactions, customer communication, as well as analysis and marketing; Service provider: Shopify International Limited, Victoria Buildings, 2. Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.shopify.de; Privacy Policy: https://www.shopify.de/legal/datenschutz.
Billbee: To create customer invoices, we use the tool Billbee.
Billbee: Billbee Limited Liability Company, Arolser Str. 10, 34477 Twistetal, Authorized Managing Directors: Jan Krause, David Pohlmann, Registration Court: District Court Korbach, Registration Number: HRB 2482, Registered Office: Twistetal; Website: https://www.billbee.io/; Privacy Policy: https://www.billbee.io/rechtliches/datenschutz.
HIVE: To process our orders and ship them to the customer, we use the fulfillment service provider HIVE.
Hive: Fulfillment service provider, Hive Technologies GmbH, Rosenstraße 16-17, 10178 Berlin, Germany, VAT Number: DE330492525; Website: https://www.hive.app/de/, Privacy Policy: https://www.hive.app/de/datenschutz.
International Data Transfers
Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of using third-party services or the disclosure or transmission of data to other persons, entities, or companies, this will only be done in accordance with legal requirements. If the level of data protection in the third country has been recognized by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. In addition, data transfers only take place if the level of data protection is secured in another way, particularly through standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), explicit consent or in the case of contractual or legally required transmission (Art. 49 para. 1 GDPR). Furthermore, we inform you about the principles of third country transfers with respect to the individual providers from the third country, whereby the adequacy decisions are considered as the primary basis. Information on transfers to third countries and existing adequacy decisions can be found in the information provided by the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en.
EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called "Data Privacy Framework" (DPF), the EU Commission has also recognized the level of data protection as safe for certain companies from the USA under the adequacy decision of July 10, 2023. The list of certified companies as well as further information on the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English). In these data protection notices, we indicate which of the service providers we use are certified under the Data Privacy Framework.
Disclosure of personal data abroad: According to the Swiss Data Protection Act (DSG), we only disclose personal data abroad if an adequate level of protection for the affected individuals is ensured (Art. 16 Swiss DSG). If the Federal Council has not determined adequate protection (List: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we take alternative security measures. These may include international contracts, specific guarantees, data protection clauses in contracts, standard data protection clauses approved by the Federal Data Protection and Information Commissioner (FDPIC), or company internal data protection regulations recognized in advance by the FDPIC or a competent data protection authority of another country.
According to Art. 16 of the Swiss DSG, exceptions for the disclosure of data abroad may be permitted if certain conditions are met, including the consent of the affected person, contract processing, public interest, protection of life or physical integrity, publicly disclosed data, or data from a legally established register. These disclosures are always made in accordance with the legal requirements.
Data deletion
The data we process will be deleted in accordance with legal requirements as soon as the consents permitted for processing are revoked or other permissions lapse (e.g., when the purpose of processing this data is no longer applicable or they are no longer necessary for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing will be limited to these purposes. That is, the data will be locked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons, or whose storage is necessary for the assertion, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person.
As part of our privacy policy, we can provide users with additional information regarding the deletion and retention of data that specifically applies to the respective processing processes.
Rights of the affected persons
Rights of the data subjects under the GDPR: As data subjects, you have various rights under the GDPR, which are particularly derived from Articles 15 to 21 of the GDPR:
- Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is based on Art. 6 para. 1 lit. e or f of the GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purposes of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
- Right of withdrawal for consents: You have the right to revoke consents given at any time.
- Right to information: You have the right to request confirmation as to whether relevant data is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with legal requirements.
- Right to rectification: You have the right, in accordance with legal requirements, to request the completion of your relevant data or the correction of any inaccurate data concerning you.
- Right to deletion and restriction of processing: You have the right, in accordance with legal requirements, to request that your data be deleted immediately, or alternatively, to request a restriction on the processing of the data in accordance with legal requirements.
- Right to data portability: You have the right to receive data concerning you that you have provided to us, in accordance with legal requirements, in a structured, commonly used, and machine-readable format, or to request its transfer to another controller.
- Complaint to supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular with a supervisory authority in the member state where you usually reside, the supervisory authority of your workplace, or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.
Rights of the data subjects under the Swiss DSG:
As an affected person, you have the following rights in accordance with the provisions of the Swiss Data Protection Act (DSG):
- Right to information: You have the right to request confirmation as to whether personal data concerning you is being processed, and to receive the information necessary for you to assert your rights under this law and to ensure transparent data processing.
- Right to data release or transfer: You have the right to request the release of your personal data that you have provided to us in a common electronic format.
- Right to rectification: You have the right to request the correction of inaccurate personal data concerning you.
- Right to object, deletion, and destruction: You have the right to object to the processing of your data, as well as to request that the personal data concerning you be deleted or destroyed.
Use of Cookies
Cookies are small text files or other storage notes that store information on devices and read information from the devices, for example to store the login status in a user account, the contents of a shopping cart in an e-shop, the accessed content, or the functions used in an online offer. Cookies can also be used for various purposes, e.g. for the functionality, security, and comfort of online offerings as well as for creating analyses of visitor flows.
Consent Information: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, unless it is not required by law. Consent is not necessary, especially when storing and retrieving information, including cookies, is absolutely required to provide users with a telemedia service they have explicitly requested (i.e., our online offering). The strictly necessary cookies usually include cookies with functions that serve the display and functionality of the online offering, load balancing, security, storing user preferences and options, or similar purposes related to providing the main and secondary functions of the online offering requested by users. The revocable consent is clearly communicated to the users and contains information about the respective cookie usage.
Notes on data protection legal bases: The legal basis on which we process users' personal data using cookies depends on whether we ask users for consent. If the users consent, the legal basis for processing your data is the declared consent. Otherwise, the data processed using cookies will be processed based on our legitimate interests (e.g., in the economic operation of our online offerings and improving its usability) or, if this occurs in the context of fulfilling our contractual obligations, when the use of cookies is necessary to meet our contractual commitments. We will clarify the purposes for which the cookies are processed by us in the course of this privacy policy or as part of our consent and processing processes.
Storage duration: With regard to the storage duration, the following types of cookies are distinguished:
- Temporary Cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their device (e.g. browser or mobile application).
- Permanent Cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Similarly, the data collected from users through cookies can be used for measuring reach. Unless we provide users with explicit information about the type and duration of cookies (e.g., in the context of obtaining consent), users should assume that cookies are permanent and that the storage duration can be up to two years.
General information on withdrawal and objection (so-called "Opt-Out"): Users can revoke the consents they have given at any time and object to the processing in accordance with legal requirements. Users can restrict the use of cookies in their browser settings (which may also limit the functionality of our online offerings). An objection to the use of cookies for online marketing purposes can also be declared through the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Further information on processing processes, procedures, and services:
- Processing of cookie data based on consent: We use a cookie consent management procedure, in which the consents of users for the use of cookies, or the processing and providers mentioned in the cookie consent management procedure, are obtained, managed, and can be revoked by the users. This consent declaration is stored to avoid having to query it again and to be able to prove the consent in accordance with legal obligations. The storage can take place server-side and/or in a cookie (so-called opt-in cookie, or using comparable technologies) in order to assign the consent to a user or their device. Subject to individual information about the providers of cookie management services, the following notes apply: The duration of consent storage can be up to two years. A pseudonymous user identifier is created and stored along with the time of consent, information about the scope of consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and device used; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
- BorlabsCookie: Cookie consent management; Service provider: Hosted locally on our server, no data transfer to third parties; Website: https://de.borlabs.io/borlabs-cookie/. More information: A unique user ID, language, as well as types of consents and the time of their submission are stored server-side and in the cookie on the user's device.
Payment methods
As part of contractual and other legal relationships, based on legal obligations or otherwise on the basis of our legitimate interests, we offer affected individuals efficient and secure payment options and additionally use other service providers (collectively referred to as "payment service providers") alongside banks and credit institutions.
The data processed by payment service providers includes inventory data, such as names and addresses, bank data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract, amount, and recipient-related information. The information is required to carry out the transactions. The entered data is only processed by the payment service providers and stored with them. That is, we do not receive account or credit card related information, but only information confirming or denying the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit reporting agencies. This transmission is intended for identity and creditworthiness verification. We refer to the terms and conditions and the privacy notices of the payment service providers.
For payment transactions, the terms and conditions and the privacy notices of the respective payment service providers apply, which can be accessed on their respective websites or transaction applications. We refer to this also for further information and the assertion of withdrawal, information, and other rights of the affected parties.
- Processed types of data: Inventory data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contract data (e.g., subject of the contract, duration, customer category); usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status). Contact details (e.g. email, phone numbers).
- Affected persons: customers. Interested parties.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations.
- Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Further information on processing processes, procedures, and services:
- American Express: Payment services (technical integration of online payment methods); Service provider: American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany; Legal bases: Fulfillment of the contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.americanexpress.com/en. Privacy Policy: https://www.americanexpress.com/de/legal/online-datenschutzerklarung.html.
- Apple Pay: Payment services (technical integration of online payment methods); Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Fulfillment of the contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.apple.com/de/apple-pay/. Privacy Policy: https://www.apple.com/legal/privacy/en-ww/.
- Giropay: Payment services (technical integration of online payment methods); Service provider: giropay GmbH, An der Welle 4, 60322 Frankfurt, Germany; Legal basis: Fulfillment of contracts and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.giropay.de. Privacy Policy: https://www.giropay.de/rechtliches/datenschutzerklaerung/.
- Google Pay: Payment services (technical integration of online payment methods); Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Fulfillment of the contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://pay.google.com/intl/en/about/. Privacy Policy: https://policies.google.com/privacy.
- Klarna: Payment services (technical integration of online payment methods); Service provider: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.klarna.com/de. Privacy Policy: https://www.klarna.com/de/datenschutz.
- Mastercard: Payment services (technical integration of online payment methods); Service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; Legal basis: Fulfillment of the contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.mastercard.de/de-de.html. Privacy Policy: https://www.mastercard.de/de-de/datenschutz.html.
- PayPal: Payment services (technical integration of online payment methods) (e.g. PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal basis: Fulfillment of the contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.paypal.com/en. Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
- Shop Pay (Shopify): Payment services (technical integration of online payment methods); Service provider: Shopify International Limited, Victoria Buildings, 2. Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.shopify.de. Privacy Policy: https://www.shopify.de/legal/datenschutz.
- Visa: Payment services (technical integration of online payment methods); Service provider: Visa Europe Services Inc., Branch office London, 1 Sheldon Square, London W2 6TT, GB; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.visa.de. Privacy Policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html.
Provision of the online offer and web hosting
We process user data to provide them with our online services. To this end, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.
- Processed types of data: Usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status); content data (e.g., entries in online forms); inventory data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., email, phone numbers). Contract data (e.g. subject matter of the contract, duration, customer category).
- Affected persons: Users (e.g., website visitors, users of online services). Customers.
- Purposes of processing: Provision of our online services and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures. Provision of contractual services and fulfillment of contractual obligations.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing processes, procedures, and services:
- Provision of online services on rented storage space: For the provision of our online services, we use storage space, computing capacity, and software that we rent or obtain from a corresponding server provider (also referred to as "web host"); Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files". The server log files may include the address and name of the retrieved web pages and files, the date and time of the retrieval, the amount of data transferred, a message about successful retrieval, the browser type along with its version, the user's operating system, the referrer URL (the previously visited page), and usually IP addresses and the requesting provider. The server log files can be used for security purposes, e.g., to prevent server overload (especially in the case of abusive attacks, so-called DDoS attacks) and, on the other hand, to ensure the utilization of the servers and their stability; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of data: Logfile information will be stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.
- Email sending and hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, the addresses of the recipients as well as the senders, as well as other information regarding the email dispatch (e.g., the involved providers) and the contents of the respective emails are processed. The aforementioned data may also be processed for the purpose of detecting SPAM. We ask you to note that emails are generally not sent encrypted over the internet. In general, emails are encrypted during transmission, but (unless a so-called end-to-end encryption method is used) not on the servers from which they are sent and received. Therefore, we cannot take responsibility for the transmission of emails between the sender and the recipient on our server; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Shopify: Platform through which e-commerce services are offered and carried out. The services and the processes carried out in connection with them include, in particular, online shops, websites, their offers and content, community elements, purchase and payment processes, customer communication, as well as analysis and marketing; Service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.shopify.de. Privacy Policy: https://www.shopify.de/legal/datenschutz.
Blogs and publication media
We use blogs or similar means of online communication and publication (hereinafter referred to as "publication medium"). Readers' data is processed for the purposes of the publication medium only to the extent necessary for its presentation and for communication between authors and readers or for security reasons. Furthermore, we refer to the information regarding the processing of visitors to our publication medium within the scope of this privacy notice.
- Processed data types: Inventory data (e.g., names, addresses); contact data (e.g., email, phone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status); payment data (e.g., bank details, invoices, payment history). Contract data (e.g. subject matter of the contract, duration, customer category).
- Affected persons: Users (e.g., website visitors, users of online services). Customers.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Feedback (e.g., collecting feedback via online form); Providing our online offerings and user-friendliness; Security measures. Management and response to inquiries.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing processes, procedures, and services:
- Comments and contributions: When users leave comments or other contributions, their IP addresses may be stored based on our legitimate interests. This is done for our safety in case someone leaves illegal content in comments and posts (insults, prohibited political propaganda, etc.). In this case, we can be held liable for the comment or post ourselves and are therefore interested in the identity of the author.
Furthermore, we reserve the right to process user information for the purpose of spam detection based on our legitimate interests.
On the same legal basis, we reserve the right to store users' IP addresses for the duration of surveys and to use cookies to prevent multiple voting.
The information about the person communicated in the context of comments and contributions, any contact and website information as well as the content-related details will be permanently stored by us until the users object;
Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Shopify: Platform through which e-commerce services are offered and carried out. The services and the processes carried out in connection with them include, in particular, online shops, websites, their offers and content, community elements, purchase and payment processes, customer communication, as well as analysis and marketing; Service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.shopify.com. Privacy Policy: https://www.shopify.de/legal/datenschutz.
Contact and Inquiry Management
When contacting us (e.g., by mail, contact form, email, phone, or via social media) as well as in the context of existing user and business relationships, the information of the inquiring individuals will be processed as far as necessary to respond to the inquiries and any requested actions.
- Processed data types: Contact data (e.g. email, phone numbers); Content data (e.g. entries in online forms); Usage data (e.g. visited websites, interest in content, access times). Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Affected persons: communication partners.
- Purposes of processing: Contact inquiries and communication; management and response to inquiries; feedback (e.g., collecting feedback via online form). Provision of our online offering and user-friendliness.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Further information on processing processes, procedures, and services:
- Contact form: When users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context to address the stated concern; Legal bases: Fulfillment of the contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Klaviyo: Email and SMS marketing platform; Service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.klaviyo.com/; Privacy Policy: https://www.klaviyo.com/privacy. Basis for third country transfer: EU-US Data Privacy Framework (DPF).
Chatbots and chat functions
We offer online chats and chatbot features as a means of communication (collectively referred to as "chat services"). A chat is an online conversation conducted with a certain proximity in time. A chatbot is software that answers users' questions or informs them through messages. If you use our chat features, we may process your personal data.
If you use our chat services within an online platform, your identification number within the respective platform will also be stored. We can also collect information about which users interact with our chat services and when. Furthermore, we store the content of your conversations through the chat services and log registration and consent processes to be able to provide evidence of these in accordance with legal requirements.
We inform users that the respective platform provider can find out if and when users communicate with our chat services, as well as technical information about the users' devices and, depending on their device settings, also location information (so-called metadata) for the purposes of optimizing the respective services and for security purposes. The metadata of communication via chat services (i.e., for example, the information about who communicated with whom) could also be used by the respective platform providers in accordance with their regulations, which we refer to for further information, for marketing purposes or to display user-targeted advertising.
If users agree to receive regular informational messages from a chatbot, they have the option to unsubscribe from the information for the future at any time. The chatbot informs users how and with which terms they can unsubscribe from the messages. By unsubscribing from the chatbot messages, user data will be deleted from the directory of message recipients.
We use the aforementioned information to operate our chat services, e.g., to address users personally, to respond to their inquiries, to deliver any requested content, and also to improve our chat services (e.g., to teach chatbots responses to frequently asked questions or to recognize unanswered inquiries).
Notes on legal bases: We use the chat services based on consent when we have previously obtained permission from users to process their data in the context of our chat services (this applies in cases where users are asked for consent, e.g., so that a chatbot can regularly send them messages). If we use chat services to respond to user inquiries about our services or our company, this is done for contractual and pre-contractual communication. Furthermore, we use chat services based on our legitimate interests in optimizing the chat services, their cost-effectiveness, and enhancing the positive user experience.
Revocation, objection, and deletion: You can revoke any consent given at any time or object to the processing of your data in the context of our chat services.
- Processed data types: Inventory data (e.g., names, addresses); contact data (e.g., email, phone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times). Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Affected persons: communication partners.
- Purposes of processing: Contact inquiries and communication; management and response to inquiries. Direct marketing (e.g., via email or postal mail).
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Further information on processing processes, procedures, and services:
- LiveChat: Chatbot and assistance software as well as related services; Service provider: LiveChat Inc., One International Place, Suite 1400 Boston, Massachusetts 02110, USA; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.livechatinc.com/en; Privacy Policy: https://www.livechatinc.com/legal/privacy-policy/. Basis for third country transfer: EU-US Data Privacy Framework (DPF).
Newsletter and electronic notifications
We send newsletters, emails, and other electronic notifications (hereinafter "newsletter") only with the consent of the recipients or a legal permission. If the contents of a newsletter are specifically described as part of a registration, they are decisive for the users' consent. Furthermore, our newsletters contain information about our services and us.
To subscribe to our newsletters, it is generally sufficient to provide your email address. However, we can ask you to provide a name for personal address in the newsletter, or additional information if it is necessary for the purposes of the newsletter.
Double Opt-In Procedure: The registration for our newsletter is generally done using a so-called double opt-in procedure. That is, you will receive an email after registering, asking you to confirm your registration. This confirmation is necessary so that no one can register with someone else's email address. The registrations for the newsletter are logged in order to be able to prove the registration process in accordance with legal requirements. This includes the storage of the registration and confirmation timestamps as well as the IP address. Changes to your data stored with the shipping service provider are also logged.
Deletion and restriction of processing: We can store the unsubscribed email addresses for up to three years based on our legitimate interests before we delete them, in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of a possible defense against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a so-called "blocklist".
The logging of the registration process is carried out on the basis of our legitimate interests for the purpose of proving its proper course. As far as we engage a service provider for the dispatch of emails, this is done on the basis of our legitimate interests in an efficient and secure dispatch system.
Contents:
Information about us, our products & services, promotions, and offers.
- Processed data types: Inventory data (e.g., names, addresses); contact data (e.g., email, phone numbers); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status). Usage data (e.g., visited websites, interest in content, access times).
- Affected persons: communication partners.
- Purposes of processing: Direct marketing (e.g., via email or postal mail).
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Right to object (Opt-Out): You can unsubscribe from our newsletter at any time, i.e., revoke your consents or object to further receipt. You can find a link to unsubscribe from the newsletter either at the end of each newsletter or you can use one of the contact options provided above, preferably email, for this purpose.
Further information on processing processes, procedures, and services:
- Measurement of open and click rates: The newsletters contain a so-called "web beacon", i.e., a pixel-sized file that is retrieved from our server when the newsletter is opened, or, if we use a mailing service provider, from their server. As part of this retrieval, technical information will first be collected, such as information about the browser and your system, as well as your IP address and the time of the retrieval.
This information is used for the technical improvement of our newsletter based on technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes the determination of whether the newsletters are opened, when they are opened, and which links are clicked. This information is assigned to individual newsletter recipients and stored in their profiles until their deletion. The evaluations help us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
The measurement of open rates and click rates, as well as the storage of measurement results in user profiles and their further processing, is based on the consent of the users.
A separate revocation of the success measurement is unfortunately not possible; in this case, the entire newsletter subscription must be canceled or opposed. In this case, the stored profile information will be deleted;
Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
- Reminder emails for the ordering process: If users do not complete an ordering process, we can remind them via email about the ordering process and send them a link to continue it. This function can be useful, for example, when the purchase process could not be continued due to a browser crash, oversight, or forgetfulness. The shipping is based on consent, which users can revoke at any time; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
- Klaviyo: Email and SMS marketing platform; Service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.klaviyo.com/; Privacy Policy: https://www.klaviyo.com/privacy. Basis for third country transfer: EU-US Data Privacy Framework (DPF).
Contests and competitions
We process personal data of participants in competitions and contests only in compliance with the relevant data protection regulations, as far as the processing is contractually necessary for the provision, execution, and settlement of the competition, the participants have consented to the processing, or the processing serves our legitimate interests (e.g., regarding the security of the competition or the protection of our interests against abuse through possible collection of IP addresses when submitting contest entries).
If, in the context of the competitions, contributions from participants are published (e.g., as part of a vote or presentation of the competition entries or the winners or reporting on the competition), we would like to point out that the names of the participants may also be published in this context. Participants can object to this at any time.
If the competition takes place within an online platform or a social network (e.g. Facebook or Instagram, hereinafter referred to as "online platform"), the terms of use and data protection regulations of the respective platforms also apply. In these cases, we would like to point out that we are responsible for the information provided by the participants in the context of the competition and that inquiries regarding the competition should be directed to us.
The participants' data will be deleted as soon as the raffle or competition has ended and the data is no longer required to inform the winners or to handle expected inquiries regarding the raffle. As a rule, the participants' data will be deleted no later than 6 months after the end of the competition. Winners' data may be retained for a longer period to answer inquiries about the prizes or to fulfill the prize services; in this case, the retention period depends on the type of prize and is, for example, up to three years for items or services, in order to handle warranty cases. Furthermore, the participants' data can be stored for a longer period, e.g., in the form of reporting on the competition in online and offline media.
If data was also collected for other purposes in the context of the competition, their processing and retention period are governed by the privacy notices for this use (e.g., in the case of a newsletter subscription in the context of a competition).
- Processed data types: Inventory data (e.g., names, addresses); content data (e.g., inputs in online forms). Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Affected persons: raffle and competition participants.
- Purposes of processing: Conducting sweepstakes and competitions.
- Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Registration for and participation in events
From time to time, we hold events to which we extend invitations. Participation in these events usually requires prior registration or sign-up. In addition, we process data for the execution (e.g., entry handling) of the event and the reporting on it.
In detail:
- Processed data types:
Event data: For the preparation and (digital) sending of invitations as well as the execution of the event, we process particularly your following data: salutation, title, name, first name, position, company, address data (city, street, postal code), email address, data regarding any accompanying persons: salutation, title, name, first name, as well as information about affiliations and relationships between individuals, data that you may provide to us in the context of further correspondence, as well as in the case of acceptance or rejection of participation in the event: registration status and, if applicable, registration code.
Logfile data: For digital registration or cancellation of the event, we particularly process the following data: IP address, product and version information about the browser and operating system (so-called User Agent) of the device you use to access our website, date and time of the request (so-called Timestamp), http status, and the amount of data transmitted in the context of your request.
Photo and video recordings: For the (post-)reporting on the event, photographers commissioned by us will take photo and video recordings during the event. This includes both recordings of the overall events as well as individual persons or groups of people. As far as you are recognizable here, we may collect and process the following data: photo and video recordings, names.
- Affected persons: Persons who are invited to the event and/or participate in the event.
Preparation of the event and sending out the invitations for the event: With the exception of the information regarding the registration status and possibly the registration code, we will store, check, organize, and if necessary, correct your event data. The purpose is the planning, preparation, organization, and execution of the event.
We use the email address you provided to send you an invitation to the event. The purpose is to invite you to participate in the event and to enable your participation.
Furthermore, we use your email address to send you additional information, reminders, or notices about the event.
In addition, we store your contact information in order to invite you to further events if necessary.
Registration process: To participate in the event, it is necessary for you to register. After receiving the invitation email, you have the option to click a link in the invitation email to register or unregister for the event.
The registration tool opens via the link. When calling the registration tool, we collect and store your log file data. We collect and store your log file data in order to provide you with the registration tool and ensure its functionality. Furthermore, the log file data serves to ensure the security of our information technology systems (e.g., for attack detection) as well as for analyzing load and troubleshooting.
If you register or unregister for the event using the registration tool, we will link your event data stored with us to your acceptance or rejection of the event and save the information regarding your acceptance or rejection as well as any additional details (e.g., regarding accompanying persons) to your event data. The purpose of processing your event data is the organization and planning of the event, ensuring a proper course of events as well as proper access control and safety on site.
Contact: If you use the email address provided through the registration tool or in the invitation email to send us inquiries, we will process your personal data transmitted to us with the inquiry. The purpose of processing is to respond to your inquiries and provide you with information.
Entry handling at the event: We will conduct an entry control at the event location. As part of the entry control, we match your name with the event data you have provided to us. This is done to ensure the proper and safe execution of the event and to control entry to the event.
Creation and publication of photo and video recordings: During the event, we will take photos and videos in which you may be recognizable. We may store and publish individual photo and video recordings in our internal company intranet, on our website (https://dr-emi.de), and on our social media channels (e.g., Instagram, YouTube, TikTok). The purpose is to document the event and report on the event, to present our company to the outside world, as well as to support our PR and public relations work. Selected photo and video footage may be provided to media as press material for their reporting.
- Legal basis: Balancing of interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
Our legitimate interests:
Event data: Ensuring the proper execution of the event and safe participation in the event.
Log file data: Providing a registration tool and thus a simple and efficient sign-up and sign-off.
Photo and video recordings: Documentation of and reporting on the event, positive external representation of our company as well as external communication.
- Duration of storage: Your aforementioned data will be deleted as soon as they are no longer necessary for the purpose of their collection.
For the log file data this is the case when the respective session is ended. An additional storage is possible for system technical reasons. In this case, the respective IP address will be deleted or anonymized (hashed) by us, so that it is no longer possible to assign it to the calling client and the data contained no longer has any personal reference.
Furthermore, we delete your event data fourteen days after the event has taken place. If necessary, your data may still be stored with us after the event has concluded, because their processing is either required for another purpose and/or we can rely on another legal basis for their storage. In particular, we store your name and contact details for invitations to further events. The storage duration or duration of publication of the photo and video recordings is determined by their informational value and the general public interest in the event. The internal long-term archiving of individual photo and video recordings is carried out with restricted processing to safeguard our copyright claims on the photo and video recordings we have created, as well as for potential future publication, for example, as part of the company history.
- Necessity of provision: The provision of your data is neither legally nor contractually required. However, the collection and storage of the log file data is necessary for the operation of the registration tool. It is also necessary to provide your event data for the invitation and registration or cancellation for the event as well as participation in the event. The non-provision of the aforementioned personal data may lead to disadvantages for you. This could mean that you do not register for participation in the event and/or cannot participate in the event.
- Right to object: You can object to the processing of your event data and log file data at any time in accordance with Art. 21 GDPR via email to […]. You can object to the creation and publication of photo and video recordings concerning you in accordance with Art. 21 GDPR by informing an on-site photographer that no recordings of you should be made, or also by email to […].
Web analysis, monitoring, and optimization
Web analytics (also referred to as "reach measurement") is used to evaluate the visitor flows of our online offerings and can include behavior, interests, or demographic information about the visitors, such as age or gender, as pseudonymous values. With the help of the reach analysis, we can, for example, determine when our online offerings or their functions or content are used most frequently or invite reuse. We can also understand which areas need optimization.
In addition to web analytics, we can also use testing methods to test and optimize different versions of our online offerings or its components.
Unless otherwise specified below, profiles can be created for these purposes, i.e., data aggregated for a usage process can be created and information can be stored in a browser or on a device and read from it. The collected data includes, in particular, visited websites and the elements used there, as well as technical information such as the browser used, the computer system used, and information on usage times. If users have consented to the collection of their location data with us or with the providers of the services we use, location data may also be processed.
The IP addresses of the users are also stored. However, we use an IP masking method (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear data of users (such as email addresses or names) is stored in the context of web analysis, A/B testing, and optimization, but rather pseudonyms. That is, we as well as the providers of the software used do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.
- Processed data types: Usage data (e.g., visited websites, interest in content, access times). Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Affected persons: Users (e.g., website visitors, users of online services).
- Purposes of processing: Remarketing; audience building; reach measurement (e.g., access statistics, identification of returning visitors); profiles with user-related information (creating user profiles); provision of our online offerings and user-friendliness; tracking (e.g., interest-/behavior-based profiling, use of cookies); click tracking; A/B testing. Heatmaps (users' mouse movements summarized into an overall picture).
- Security measures: IP masking (pseudonymization of the IP address).
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing processes, procedures, and services:
- Google Optimize: Software for analyzing and optimizing online offerings based on feedback functions as well as pseudonymously conducted measurements and analyses of user behavior, which can particularly include A/B tests (measuring the popularity and user-friendliness of different content and features), measuring click paths and interaction with content and features of the online offering; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://optimize.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms; Basis for Third Country Transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms). More information: https://privacy.google.com/businesses/adsservices (Types of processing and the data processed).
- Google Analytics 4: We use Google Analytics to measure and analyze the use of our online offerings based on a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It is used to assign analysis information to an end device in order to recognize which content users have accessed during one or various usage processes, which search terms they have used, which content they have accessed again, or how they have interacted with our online offering. The time of use and its duration are also stored, as well as the sources of users who refer to our online offering and technical aspects of their devices and browsers. In doing so, pseudonymous profiles of users are created using information from the use of various devices, with the possibility of using cookies. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides rough geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). In EU data traffic, the IP address data is used exclusively for this derivation of geolocation data before it is immediately deleted. The data is not logged, is not accessible, and is not used for further purposes. When Google Analytics collects measurement data, all IP queries are conducted on EU-based servers before the traffic is forwarded for processing to Analytics servers; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://marketingplatform.google.com/intl/en/about/analytics/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for Third Country Transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Right to Object (Opt-Out): Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, settings for the display of advertisements: https://adssettings.google.com/authenticated. More information: https://privacy.google.com/businesses/adsservices (Types of processing and the data processed).
- Target group formation with Google Analytics: We use Google Analytics to display ads served through Google's advertising services and its partners only to users who have shown an interest in our online offerings or who exhibit certain characteristics (e.g., interests in specific topics or products determined by the visited websites) that we transmit to Google (so-called "Remarketing-" or "Google-Analytics-Audiences"). With the help of remarketing audiences, we also want to ensure that our ads correspond to the potential interests of users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Legal basis: https://business.safety.google/adsprocessorterms/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third country transfer: EU-US Data Privacy Framework (DPF); Further information: Types of processing and the data processed: https://privacy.google.com/businesses/adsservices. Data processing terms for Google advertising products and standard contractual clauses for data transfers to third countries: https://business.safety.google/adsprocessorterms.
- Google Tag Manager: Google Tag Manager is a solution that allows us to manage so-called website tags through an interface and thus integrate other services into our online offering (further information is referenced in this privacy policy). Therefore, the Tag Manager itself (which implements the tags) does not yet create user profiles or store cookies. Google only receives the user's IP address, which is necessary to run the Google Tag Manager; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms. Basis for Third Country Transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms).
- Hotjar Observe: Software for analyzing and optimizing online offerings based on pseudonymously conducted measurements and analyses of user behavior, which can particularly include A/B tests (measuring the popularity and user-friendliness of different content and features), measuring click paths and interaction with content and features of the online offering (so-called heatmaps and recordings); Service provider: Hotjar Ltd., 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.hotjar.com; Privacy Policy: https://www.hotjar.com/legal/policies/privacy; Data Deletion: The cookies used by Hotjar have different "lifespans"; some last up to 365 days, while others are only valid during the current visit; Cookie Policy: https://www.hotjar.com/legal/policies/cookie-information. Right to object (Opt-Out): https://www.hotjar.com/legal/compliance/opt-out.
Online marketing
We process personal data for online marketing purposes, which may include the marketing of advertising space or the presentation of advertising and other content (collectively referred to as "content") based on potential user interests, as well as measuring their effectiveness.
For these purposes, so-called user profiles are created and stored in a file (commonly referred to as a "cookie") or similar methods are used to store the information relevant to the user for the display of the aforementioned content. This information may include, for example, viewed content, visited websites, used online networks, as well as communication partners and technical details, such as the browser used, the computer system used, as well as information on usage times and utilized functions. If users have consented to the collection of their location data, this data can also be processed.
The IP addresses of the users are also stored. However, we use available IP masking methods (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear data of users (such as email addresses or names) is stored in the context of online marketing procedures, but rather pseudonyms. That is, neither we nor the providers of online marketing methods know the actual identity of the users, but only the information stored in their profiles.
The information in the profiles is usually stored in cookies or through similar methods. These cookies can later also be read on other websites that use the same online marketing method, analyzed for the purpose of content presentation, supplemented with additional data, and stored on the server of the online marketing method provider.
Exceptionally, clear data can be assigned to the profiles. This is the case when users are, for example, members of a social network whose online marketing methods we use and the network connects the users' profiles with the aforementioned information. We ask you to note that users may make additional agreements with the providers, e.g. by consenting during the registration process.
We generally only gain access to summarized information about the success of our advertisements. However, we can check within the framework of so-called conversion measurements which of our online marketing methods have led to a so-called conversion, i.e., for example, to a contract conclusion with us. The conversion measurement is used solely to analyze the success of our marketing measures.
Unless otherwise stated, we ask you to assume that cookies used will be stored for a period of two years.
- Processed types of data: Content data (e.g., inputs in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status); Event data (Facebook) ("Event data" refers to data that can be transmitted to Facebook by us via Facebook Pixel (through apps or other means) and relates to individuals or their actions; This data includes, for example, information about visits to websites, interactions with content, features, app installations, product purchases, etc.; the event data is processed for the purpose of creating target groups for content and advertising information (Custom Audiences); Event data does not include the actual content (such as written comments), no login information, and no contact information (i.e., no names, email addresses, or phone numbers). Event data will be deleted by Facebook after a maximum of two years, the audiences formed from them with the deletion of our Facebook account); contact information (Facebook) ("Contact information" refers to data that can clearly identify affected individuals, such as names, email addresses, and phone numbers, which can be transmitted to Facebook, e.g., via Facebook Pixel or upload for matching purposes to create Custom Audiences. After the matching for the formation of target groups, the contact information will be deleted).
- Affected persons: Users (e.g., website visitors, users of online services).
- Purposes of processing: Reach measurement (e.g., access statistics, detection of returning visitors); Tracking (e.g., interest-/behavior-based profiling, use of cookies); Conversion measurement (measuring the effectiveness of marketing measures); Audience formation; Marketing; Profiles with user-related information (creating user profiles); Providing our online offerings and user-friendliness; Remarketing. Click tracking.
- Security measures: IP masking (pseudonymization of the IP address).
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Right to object (Opt-Out): We refer to the privacy notices of the respective providers and the objection options provided for the providers (so-called "Opt-Out"). Unless an explicit opt-out option has been provided, you can disable cookies in your browser settings. However, this may limit the functions of our online services. We therefore additionally recommend the following opt-out options, which are offered in summary form for the respective regions:
a) Europe: https://www.youronlinechoices.eu.
b) Canada: https://www.youradchoices.ca/choices.
c) USA: https://www.aboutads.info/choices.
d) Cross-regional: https://optout.aboutads.info.
Further information on processing processes, procedures, and services:
- Meta-Pixel and Audience Creation (Custom Audiences): With the help of the Meta-Pixel (or comparable functions for transmitting event data or contact information via interfaces in apps), the company Meta is able to identify the visitors of our online offerings as a target audience for the display of ads (so-called "Meta-Ads"). Accordingly, we use the Meta Pixel to display the Meta Ads we run only to users on Meta's platforms and within the services of partners cooperating with Meta (the so-called "Audience Network" https://www.facebook.com/audiencenetwork/ ) who have also shown an interest in our online offerings or who exhibit certain characteristics (e.g., interest in specific topics or products that can be inferred from the websites visited) that we transmit to Meta (so-called "Custom Audiences"). With the help of the Meta Pixel, we also want to ensure that our Meta Ads correspond to the potential interest of users and do not appear intrusive. With the help of the Meta Pixel, we can further track the effectiveness of Meta Ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Meta Ad (so-called "conversion tracking"); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for Third Country Transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Further information: User data, i.e., behavioral and interest information, is processed for the purposes of targeted advertising and audience formation based on the agreement on joint responsibility ("Addendum for Controllers", https://www.facebook.com/legal/controller_addendum). 
The shared responsibility is limited to the collection by and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which particularly includes the transmission of the data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- Meta - Audience Creation via Data Upload: Creation of audiences for marketing purposes - We transmit contact information (names, email addresses, and phone numbers) in list form to Meta for the purpose of creating audiences (so-called "Custom Audiences") for displaying content and advertising information tailored to the presumed interests of users. The transmission and comparison with data available at Meta do not occur in plain text, but as so-called "hash values", i.e., mathematical representations of the data (this method is used, for example, in the storage of passwords). After the alignment for the formation of target groups, the contact information will be deleted; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing. Basis for Third Country Transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
- Facebook Ads: Placement of ads within the Facebook platform and evaluation of ad results; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Basis for Third Country Transfer: EU-US Data Privacy Framework (DPF); Right to Object (Opt-Out): We refer to the privacy and advertising settings in the users' profiles on the Facebook platform as well as within the framework of Facebook's consent procedures and Facebook's contact options for exercising information and other rights of affected parties in Facebook's privacy policy. Further information: User data, i.e., behavioral and interest information, is processed for the purposes of targeted advertising and audience formation based on the agreement on joint responsibility ("Addendum for Controllers", https://www.facebook.com/legal/controller_addendum). The shared responsibility is limited to the collection by and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which particularly includes the transmission of the data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- Google Ads and conversion tracking: Online marketing methods for the purpose of placing content and ads within the advertising network of the service provider (e.g., in search results, in videos, on websites, etc.), so that they are displayed to users who have a presumed interest in the ads. Furthermore, we measure the conversion of the ads, i.e., whether users have taken the opportunity to interact with the ads and utilize the advertised offers (so-called conversion). However, we only receive anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR), Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for Transfer to Third Countries: EU-US Data Privacy Framework (DPF); Further Information: Types of processing and the data processed: https://privacy.google.com/businesses/adsservices. Data processing terms between controllers and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
- Google Ads Remarketing: Google Remarketing, also known as Retargeting, is a technology that allows users who utilize an online service to be included in a pseudonymous remarketing list, so that users can be shown ads on other online offerings based on their visit to the online service; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for Transfer to Third Countries: EU-US Data Privacy Framework (DPF); Further Information: Types of processing and the data processed: https://privacy.google.com/businesses/adsservices. Data processing terms between controllers and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
- Enhanced conversions for Google Ads: When customers click on our Google ads and then use the advertised service (so-called "conversion"), the data entered by the user, such as the email address, name, residential address, or phone number, can be transmitted to Google. The hash values are then matched with existing Google accounts of the users to better evaluate and improve user interaction with the ads (e.g., clicks or views) and thus their performance; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Website: https://support.google.com/google-ads/answer/9888656.
- Instagram Ads: Placement of ads within the Instagram platform and evaluation of ad results; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy; Basis for Third Country Transfer: EU-US Data Privacy Framework (DPF); Right to Object (Opt-Out): We refer to the privacy and advertising settings in the users' profiles on the Instagram platform as well as within the framework of Instagram's consent procedures and Instagram's contact options for exercising information and other rights of affected parties in Instagram's privacy policy. Further information: User data, i.e., behavioral and interest information, is processed for the purposes of targeted advertising and audience formation based on the agreement on joint responsibility ("Addendum for Controllers", https://www.facebook.com/legal/controller_addendum). The shared responsibility is limited to the collection by and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which particularly concerns the transmission of the data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- Taboola: Integration of personalized content and content recommendations; Service provider: Taboola, Inc. 16 Madison Square West 7th Floor New York, New York 10010, USA; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.taboola.com/en; Privacy Policy: https://www.taboola.com/privacy-policy; Data Processing Agreement: Provided by the service provider; Basis for Third Country Transfer: Standard Contractual Clauses (Provided by the service provider); Data Deletion: Taboola stores user information collected directly for the purpose of ad serving for a maximum of eighteen (18) months after the user's last interaction with Taboola services and anonymizes it by removing personal identifiers or aggregating the data. Taboola stores anonymous or aggregated data that cannot identify a person or a device and is used for reporting and analysis purposes as long as it is commercially necessary. Right to object (Opt-Out): https://www.taboola.com/privacy-policy#user-choices-and-optout.
- UTM Parameter: Analysis of sources and user actions based on an extension of referring web addresses with an additional parameter, the "UTM" parameter. For example, a UTM parameter "utm_source=platformX&utm_medium=video" can tell us that a person clicked the link on platform X within a video. The UTM parameters provide information about the source of the link, the medium used (e.g., social media, website, newsletter), the type of campaign, or the content of the campaign (e.g., post, link, image, and video). With the help of this information, we can check, for example, our visibility on the internet or the effectiveness of our campaigns; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Customer reviews and rating procedures
We participate in review and evaluation processes to assess, optimize, and promote our services. When users rate us through the involved review platforms or procedures or provide feedback in other ways, the general terms and conditions or terms of use and the privacy notices of the providers also apply. In general, the evaluation also requires registration with the respective providers.
To ensure that the reviewers have actually used our services, we transmit the necessary data regarding the customer and the service used to the respective review platform (including name, email address, and order number or item number) with the consent of the customers. This data is used solely for verifying the authenticity of the user.
- Processed data types: Contract data (e.g., subject matter of the contract, duration, customer category); usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status); inventory data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history). Contact details (e.g. email, phone numbers).
- Affected persons: customers. Users (e.g., website visitors, users of online services).
- Purposes of processing: Feedback (e.g., collecting feedback via online form); marketing. Provision of contractual services and fulfillment of contractual obligations.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing processes, procedures, and services:
- Rating widget: We integrate so-called "rating widgets" into our online offering. A widget is a functional and content element integrated into our online offering that displays variable information. It can be represented, for example, in the form of a seal or a comparable element, sometimes also called a "badge." In this case, the corresponding content of the widget is displayed within our online offering, but it is retrieved at that moment from the servers of the respective widget provider. Only in this way can the current content always be displayed, especially the respective current rating. To do this, a data connection must be established from the website accessed within our online offering to the server of the widget provider, and the widget provider receives certain technical data (access data, including IP address) that are necessary for the content of the widget to be delivered to the user's browser.
Furthermore, the widget provider receives information that users have visited our online offering. This information can be stored in a cookie and used by the widget provider to recognize which online offers participating in the evaluation process have been visited by the user. The information can be stored in a user profile and used for advertising or market research purposes; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Shopify: Platform through which e-commerce services are offered and carried out. The services and the processes carried out in connection with them include, in particular, online shops, websites, their offers and content, community elements, purchase and payment processes, customer communication, as well as analysis and marketing; Service provider: Shopify International Limited, Victoria Buildings, 2. Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.shopify.com. Privacy Policy: https://www.shopify.de/legal/datenschutz.
Presences in social networks (Social Media)
We maintain online presences within social networks and process user data in this context to communicate with the active users there or to provide information about us.
We would like to point out that user data may be processed outside the territory of the European Union. This can pose risks for users, as it could make the enforcement of users' rights more difficult.
Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on user behavior and the resulting interests of the users. The usage profiles can in turn be used to display advertisements both within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users' computers, where the usage behavior and interests of the users are recorded. Furthermore, data can also be stored in the usage profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).
For a detailed presentation of the respective processing forms and the options for objection (Opt-Out), we refer to the privacy policies and information provided by the operators of the respective networks.
In the case of information requests and the assertion of rights of the affected parties, we would like to point out that these can be most effectively asserted with the providers. Only the providers have access to the users' data and can take appropriate action and provide information directly. If you still need assistance, you can contact us.
- Processed data types: Contact data (e.g. email, phone numbers); Content data (e.g. entries in online forms); Usage data (e.g. visited websites, interest in content, access times). Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Affected persons: Users (e.g., website visitors, users of online services).
- Purposes of processing: Contact inquiries and communication; Feedback (e.g., collecting feedback via online form). Marketing.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing processes, procedures, and services:
- Instagram: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com. Privacy Policy: https://instagram.com/about/legal/privacy.
- Facebook pages: Profiles within the social network Facebook - We, together with Meta Platforms Ireland Limited, are responsible for the collection (but not the further processing) of data from visitors to our Facebook page (so-called "fan page"). This data includes information about the types of content that users view or interact with, or the actions they take (see "Things you and others have done and provided" in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by the users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see "Device Information" in the Facebook Data Policy: https://www.facebook.com/policy). As stated in the Facebook Data Policy under "How do we use this information?", Facebook also collects, processes, and uses information to provide analytics services, known as "Page Insights," for page operators, so that they can gain insights into how people interact with their pages and the content associated with them. We have entered into a special agreement with Facebook ("Information on Page Insights", https://www.facebook.com/legal/terms/page_controller_addendum), which particularly regulates the security measures that Facebook must observe and in which Facebook has agreed to fulfill the rights of the affected parties (i.e., users can, for example, direct inquiries or deletion requests directly to Facebook). The rights of users (in particular the right to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the "Information about Page Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Basis for Third Country Transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). More information: Agreement on joint responsibility: https://www.facebook.com/legal/terms/information_about_page_insights_data. The shared responsibility is limited to the collection by and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which particularly concerns the transmission of the data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- TikTok: Social network / video platform; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.tiktok.com. Privacy Policy: https://www.tiktok.com/de/privacy-policy.
- Vimeo: Social network and video platform; Service provider: Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://vimeo.com. Privacy Policy: https://vimeo.com/privacy.
- YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Privacy Policy: https://policies.google.com/privacy; Basis for third country transfer: EU-US Data Privacy Framework (DPF). Right to object (Opt-Out): https://adssettings.google.com/authenticated.
Plugins and embedded functions as well as content
We integrate functional and content elements into our online offering that are sourced from the servers of their respective providers (hereinafter referred to as "third-party providers"). This can include graphics, videos, or city maps (hereinafter uniformly referred to as "content").
The integration always assumes that the third-party providers of this content process the users' IP addresses, as they would not be able to send the content to their browsers without the IP address. The IP address is required for the display of this content or functions. We strive to use only such content whose respective providers use the IP address solely for the delivery of the content. Third parties may also use so-called pixel tags (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. Through the "pixel tags", information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on the users' device and may contain, among other things, technical information about the browser and operating system, referring websites, visit times, as well as additional details about the use of our online offerings, and may also be linked with such information from other sources.
- Processed data types: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status); Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Event data (Facebook) ("Event data" refers to data that can be transmitted to Facebook by us via Facebook Pixel (through apps or other means) and relates to individuals or their actions; the data includes, for example, information about visits to websites, interactions with content, features, app installations, product purchases, etc.; the event data is processed for the purpose of creating target groups for content and advertising information (Custom Audiences). Event data does not include the actual content (such as written comments), no login information, and no contact information (that is, no names, email addresses, or phone numbers). Event data will be deleted by Facebook after a maximum of two years, along with the audiences created from them upon the deletion of our Facebook account).
- Affected persons: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of our online services and user-friendliness; provision of contractual services and fulfillment of contractual obligations; profiles with user-related information (creating user profiles). Marketing.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Further information on processing processes, procedures, and services:
- Facebook plugins and content: Facebook social plugins and content - This can include, for example, content such as images, videos, or texts and buttons that allow users to share content from this online offering within Facebook. The list and appearance of the Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/ - We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt in the context of a transmission (but not further processing) of "event data" that Facebook collects through the Facebook Social Plugins (and embedding features for content) executed on our online offering, or receives in the context of a transmission for the following purposes: a) Display of content and advertising information that corresponds to the presumed interests of users; b) Delivery of commercial and transaction-related messages (e.g., addressing users via Facebook Messenger); c) Improvement of ad delivery and personalization of features and content (e.g., improving the recognition of which content or advertising information presumably corresponds to the interests of users). We have entered into a special agreement with Facebook ("Addendum for Controllers", https://www.facebook.com/legal/controller_addendum), which particularly regulates the security measures that Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to fulfill the rights of the affected individuals (i.e., users can, for example, direct inquiries or deletion requests directly to Facebook). 
Note: When Facebook provides us with metrics, analyses, and reports (which are aggregated, i.e., do not contain information about individual users and are anonymous to us), this processing does not occur under joint responsibility, but on the basis of a data processing agreement ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing), the "Data Security Terms" (https://www.facebook.com/legal/terms/data_security_terms) and with regard to processing in the USA based on standard contractual clauses ("Facebook-EU Data Transfer Addendum", https://www.facebook.com/legal/EU_data_transfer_addendum). The rights of users (especially the right to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy. Basis for third country transfer: EU-US Data Privacy Framework (DPF).
- Instagram plugins and content: Instagram plugins and content - This can include, for example, content such as images, videos, or texts and buttons that allow users to share content from this online offering within Instagram. - We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt in the context of a transmission (but not further processing) of "event data" that Facebook collects through functions of Instagram (e.g., embedding functions for content) executed on our online offering, or receives in the context of a transmission for the following purposes: a) Displaying content and advertising information that corresponds to the presumed interests of users; b) Delivering commercial and transaction-related messages (e.g., addressing users via Facebook Messenger); c) Improving ad delivery and personalizing functions and content (e.g., enhancing the recognition of which content or advertising information presumably corresponds to the interests of users). We have entered into a special agreement with Facebook ("Addendum for Controllers", https://www.facebook.com/legal/controller_addendum), which specifically regulates the security measures that Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to fulfill the rights of the affected individuals (i.e., users can, for example, direct inquiries or deletion requests directly to Facebook). 
Note: When Facebook provides us with metrics, analyses, and reports (which are aggregated, i.e., do not contain information about individual users and are anonymous to us), this processing does not occur under joint responsibility, but on the basis of a data processing agreement ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing), the "Data Security Terms" (https://www.facebook.com/legal/terms/data_security_terms), and with regard to processing in the USA based on standard contractual clauses ("Facebook-EU Data Transfer Addendum", https://www.facebook.com/legal/EU_data_transfer_addendum). The rights of users (especially the right to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com. Privacy Policy: https://instagram.com/about/legal/privacy.
- reCAPTCHA: We integrate the "reCAPTCHA" function to be able to recognize whether inputs (e.g., in online forms) are made by humans and not by automatically acting machines (so-called "bots"). The processed data may include IP addresses, information about operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, time spent on web pages, previously visited web pages, interactions with reCAPTCHA on other websites, possibly cookies, as well as results from manual recognition processes (e.g., answering posed questions or selecting objects in images). The data processing is based on our legitimate interest to protect our online offering from abusive automated crawling and spam; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.google.com/recaptcha/; Privacy Policy: https://policies.google.com/privacy; Basis for Third Country Transfer: EU-US Data Privacy Framework (DPF). Right to object (Opt-Out): Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, settings for the display of advertisements: https://adssettings.google.com/authenticated.
- YouTube videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third Country Transfer: EU-US Data Privacy Framework (DPF). Right to object (Opt-Out): Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, settings for the display of advertisements: https://adssettings.google.com/authenticated.
- Vimeo: Video content; Service provider: Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://vimeo.com; Privacy Policy: https://vimeo.com/privacy; Data Processing Agreement: https://vimeo.com/enterpriseterms/dpa; Basis for Third Country Transfer: Standard Contractual Clauses (https://vimeo.com/enterpriseterms/dpa). Right to object (Opt-Out): We would like to point out that Vimeo may use Google Analytics and refer to the privacy policy (https://policies.google.com/privacy) as well as the opt-out options for Google Analytics (https://tools.google.com/dlpage/gaoptout?hl=en) or Google's settings for data usage for marketing purposes (https://adssettings.google.com/).
Change and update of the privacy policy
We ask you to regularly inform yourself about the content of our privacy policy. We will adjust the privacy policy as soon as the changes in the data processing we carry out make this necessary. We will inform you as soon as the changes require an action on your part (e.g., consent) or any other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and we ask you to verify the information before contacting.
Definitions of terms
In this section, you will receive an overview of the terms used in this privacy policy. As far as the terms are legally defined, their legal definitions apply. The following explanations are primarily intended to aid understanding.
- A/B tests: A/B tests are used to improve the usability and performance of online offerings. In this case, users are shown different versions of a webpage or its elements, such as input forms, where the placement of content or the labels of navigation elements may differ. Subsequently, based on user behavior, such as spending more time on the website or interacting more frequently with the elements, it can be determined which of these websites or elements better meet the needs of the users.
- Heatmaps: "Heatmaps" are user mouse movements that are compiled into an overall picture, which helps to identify, for example, which website elements are preferred and which website elements are less preferred by users.
- Click tracking: Click tracking allows you to monitor user movements within an entire online offering. Since the results of these tests are more accurate when user interaction can be tracked over a certain period (e.g., so we can find out if a user likes to return), cookies are usually stored on users' computers for these testing purposes.
- Conversion measurement: Conversion measurement (also referred to as "visit action evaluation") is a method used to determine the effectiveness of marketing measures. To do this, a cookie is usually stored on the users' devices within the websites where the marketing measures take place, and then retrieved again on the target website. For example, we can track whether the ads we placed on other websites were successful.
- Personal data: "Personal data" refers to any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more specific characteristics that are an expression of the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Profiles with user-related information: The processing of "profiles with user-related information", or simply "profiles", includes any type of automated processing of personal data, which consists of using this personal data to analyze, evaluate, or predict certain personal aspects related to a natural person (depending on the type of profiling, this may involve different information regarding demographics, behavior, and interests, such as interaction with websites and their content, etc.). For profiling purposes, cookies and web beacons are often used.
- Reach measurement: Reach measurement (also known as web analytics) is used to evaluate the visitor flows of an online offering and can include the behavior or interests of visitors regarding specific information, such as the content of web pages. With the help of reach analysis, website owners can, for example, determine when visitors visit their website and which content they are interested in. This allows them to better tailor the content of the website to the needs of their visitors. For the purposes of reach analysis, pseudonymous cookies and web beacons are often used to recognize returning visitors and thus obtain more accurate analyses of the use of an online offering.
- Remarketing: Remarketing or "Retargeting" refers to the practice of noting which products a user has shown interest in on a website for advertising purposes, in order to remind the user of these products on other websites, for example, in advertisements.
- Tracking: "Tracking" refers to the ability to track user behavior across multiple online services. In general, behavioral and interest information regarding the online services used is stored in cookies or on the servers of the providers of tracking technologies (so-called profiling). This information can subsequently be used, for example, to show users advertisements that are likely to match their interests.
- Responsible: The term "Responsible" refers to the natural or legal person, authority, institution, or other entity that decides alone or jointly with others on the purposes and means of processing personal data.
- Processing: "Processing" is any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and encompasses practically every interaction with data, whether it is collecting, analyzing, storing, transmitting, or deleting.
- Target group formation: Target group formation (in English "Custom Audiences") refers to the process of defining target groups for advertising purposes, e.g., displaying advertisements. For example, based on a user's interest in certain products or topics on the internet, it can be inferred that this user is interested in advertisements for similar products or the online store where they viewed the products. "Lookalike Audiences" (or similar target groups) refers to when the content deemed suitable is shown to users whose profiles or interests presumably match those of the users for whom the profiles were created. For the purposes of creating Custom Audiences and Lookalike Audiences, cookies and web beacons are generally used.