This English version is automatically translated by DeepL find original below!
German version accessible here
Preamble
With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as „data“) we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as „online offer“). The terms used are not gender-specific. Status: August 3, 2024
Overview of content
- Preamble
- Person responsible
- Overview of the processing operations
- Relevant legal bases
- Security measures
- Transfer of personal data
- International data transfers
- General information on data storage and erasure
- Rights of the data subjects
- Business services
- Business processes and procedures
- Use of online platforms for offering and sales purposes
- Providers and services used in the course of business activities
- Provision of the online offering and web hosting
- Special notes on applications (apps)
- Obtaining applications via app stores
- Registration, login and user account
- Single sign-on login
- Contact and request management
- Surveys and polls
- Web analysis, monitoring and optimization
- Presence in social networks (social media)
- Plug-ins and embedded functions and content
- Management, organization and support tools
- Processing of data in the context of employment relationships
- Change and update
- Definitions of terms
Person responsible
Mundet GbR (Dennis Gottfried, Lena Frankiewitsch, Paul Höppner, Justus Ernst)
Hönowerstr 35
10318 Berlin, Germany
Email: info@mundet.app
Website: https://mundet.app
Overview of the processing
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.
Types of data processed
- Inventory data.
- Employee data.
- Payment data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication and process data.
- Social data.
- Image and/or video recordings.
- Log data.
- Performance and behavioral data.
- Working time data.
- Bonus data.
- Salary data.
Special categories of data
- Health data.
- Religious or philosophical beliefs.
- Union membership.
Categories of affected persons
- Beneficiaries and clients.
- Employees.
- Interested parties.
- Communication partners.
- Users.
- Business and contractual partners.
- Participants.
- Third parties.
- Customers.
Purposes of the processing
- Provision of contractual services and fulfillment of contractual obligations.
- Communication.
- Security measures.
- Range measurement.
- Tracking.
- Office and organizational procedures.
- Conversion measurement.
- Target group formation.
- Organizational and administrative procedures.
- Feedback.
- Surveys and questionnaires.
- Marketing.
- Profiles with user-related information.
- Subscription process.
- Provision of our online offer and user-friendliness.
- Assessment of creditworthiness and credit standing.
- Establishment and implementation of employment relationships.
- Information technology infrastructure.
- Financial and payment management.
- Public relations work.
- Sales promotion.
- Business processes and business management procedures.
- Artificial intelligence (AI).
Relevant legal bases
Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on the basis of which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases also apply in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
- Processing of special categories of personal data concerning health care, occupational and social security matters (Art. 9 (2) (h) GDPR) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of an employee’s fitness for work, for medical diagnosis, for the provision of health or social care or treatment, or for the management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.
National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on the Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). In particular, the BDSG contains special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated decision-making in individual cases, including profiling. The data protection laws of the individual federal states may also apply. Relevant legal bases according to the Swiss Data Protection Act: If you are located in Switzerland, we process your data on the basis of the Federal Act on Data Protection („Swiss DPA“ for short). Unlike the GDPR, for example, the Swiss DPA does not require that a legal basis for the processing of personal data be specified and that the processing of personal data be carried out in good faith, lawfully and proportionately (Art. 6 para. 1 and 2 of the Swiss DPA). In addition, personal data will only be obtained by us for a specific purpose that is recognizable to the data subject and will only be processed in a manner that is compatible with this purpose (Art. 6 para. 3 of the Swiss FADP). Note on the applicability of the GDPR and Swiss FADP: This data protection notice serves to provide information in accordance with both the Swiss FADP and the General Data Protection Regulation (GDPR). For this reason, please note that the terms of the GDPR are used due to the broader geographical application and comprehensibility. In particular, instead of the terms „processing“ of „personal data“, „overriding interest“ and „sensitive personal data“ used in the Swiss DPA, the terms „processing“ of „personal data“, „legitimate interest“ and „special categories of data“ used in the GDPR are used. However, the legal meaning of the terms will continue to be determined in accordance with the Swiss DPA within the scope of application of the Swiss DPA.
Security measures
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk. The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, safeguarding availability and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data and responses to data threats. Furthermore, we already take the protection of personal data into account during the development and selection of hardware, software and processes in accordance with the principle of data protection, through technology design and through data protection-friendly default settings. Securing online connections using TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. If a website is secured by an SSL/TLS certificate, this is signaled by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and encrypted.
Transmission of personal data
As part of our processing of personal data, it may be transmitted to other bodies, companies, legally independent organizational units or persons or disclosed to them. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.
International data transfers
Data processing in third countries: If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements. If the level of data protection in the third country has been recognized by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data will only be transferred if the level of data protection is otherwise ensured, in particular through standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), express consent or in the case of contractual or legally required transfer (Art. 49 para. 1 GDPR). In addition, we will inform you of the basis for third country transfers with the individual providers from the third country, whereby the adequacy decisions take precedence. Information on third country transfers and existing adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de. EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called „Data Privacy Framework“ (DPF), the EU Commission has also recognized the level of data protection as secure for certain companies from the USA as part of the adequacy decision of 10.07.2023. The list of certified companies as well as further information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). As part of the data protection information, we will inform you which service providers we use are certified under the Data Privacy Framework. Disclosure of personal data abroad: In accordance with the Swiss FADP, we only disclose personal data abroad if adequate protection of the data subjects is guaranteed (Art. 16 Swiss FADP). If the Federal Council has not determined adequate protection (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we take alternative security measures. These may include international contracts, specific guarantees, data protection clauses in contracts, standard data protection clauses approved by the Federal Data Protection and Information Commissioner (FDPIC) or internal company data protection regulations recognized in advance by the FDPIC or a competent data protection authority in another country. According to Art. 16 of the Swiss DPA, exceptions may be made for the disclosure of data abroad if certain conditions are met, including consent of the data subject, performance of a contract, public interest, protection of life or physical integrity, data made public or data from a register provided for by law. These disclosures are always made in accordance with legal requirements.
General information on data storage and deletion
We delete personal data that we process in accordance with the statutory provisions as soon as the underlying consents are revoked or there is no further legal basis for processing. This applies to cases in which the original purpose of processing no longer applies or the data is no longer required. Exceptions to this rule exist if legal obligations or special interests require longer storage or archiving of the data. In particular, data that must be stored for commercial or tax law reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly. Our data protection information contains additional information on the retention and deletion of data that applies specifically to certain processing operations. If there is more than one information on the retention period or deletion period of a date, the longest period is always decisive. If a period does not expressly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in the context of which data is stored, the event triggering the deadline is the date on which the termination or other termination of the legal relationship takes effect. We only process data that is no longer stored for the originally intended purpose, but due to legal requirements or other reasons, for the reasons that justify its storage. Further information on processing processes, procedures and services:
- Retention and deletion of data: The following general time limits apply to retention and archiving under German law:
- 10 years – retention period for books and records, annual financial statements, inventories, management reports, opening balance sheet as well as the work instructions and other organizational documents required for their understanding, accounting documents and invoices (§ 147 para. 3 in conjunction with para. 1 no. 1, 4 and 4a AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 and 4, para. 4 HGB).
- 6 years – Other business documents: commercial or business letters received, reproductions of commercial or business letters sent, other documents, insofar as they are relevant for taxation, e.g. hourly wage slips, company accounting sheets, calculation documents, price markings, but also payroll accounting documents, insofar as they are not already accounting documents and cash register slips (Section 147 para. 3 in conjunction with para. 1 no. 2, 3, 5 AO, Section 257 para. 1 no. 2 and 3, para. 4 HGB).. 4 HGB).
- 3 years – Data required to consider potential warranty and compensation claims or similar contractual claims and rights as well as to process related inquiries based on past business experience and common industry practices will be stored for the duration of the regular statutory limitation period of three years (Sections 195, 199 BGB).
- Retention and deletion of data: The following general time limits apply to retention and archiving under Swiss law:
- 10 years – retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting vouchers and invoices as well as all necessary work instructions and other organizational documents (Art. 958f of the Swiss Code of Obligations (CO)).
- 10 years – Data necessary for the consideration of potential claims for damages or similar contractual claims and rights, as well as for the processing of related inquiries based on past business experience and standard industry practices, will be stored for the statutory limitation period of ten years, unless a shorter period of five years applies, which is relevant in certain cases (Art. 127, 130 CO). Claims for rent, leasehold and capital interest as well as other periodic services, from the supply of food, for catering and for debts to landlords, as well as from handicraft work, retail sale of goods, medical care, professional work of lawyers, legal agents, procurators and notaries and from the employment relationship of employees expire after five years (Art. 128 CO).
Rights of the data subjects
Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:
-
- Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
.
- Right to withdraw consent: You have the right to withdraw your consent at any time.
- Right to information: You have the right to request confirmation as to whether the data in question is being processed and to information about this data as well as further information and a copy of the data in accordance with the legal requirements.
- Right to rectification: You have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you in accordance with the legal requirements.
- Right to erasure and restriction of processing: In accordance with the legal requirements, you have the right to request that data concerning you be erased immediately or that processing be restricted.. alternatively to demand a restriction on the processing of the data in accordance with the statutory provisions.</li
- Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request its transmission to another controller.
- Complaint to supervisory authority: In accordance with the statutory provisions and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State in which you are habitually resident, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
Rights of data subjects under the Swiss DPA: As a data subject, you are entitled to the following rights in accordance with the provisions of the Swiss DPA:
- Right to information: You have the right to request confirmation as to whether personal data concerning you is being processed and to receive the information necessary to enable you to assert your rights under this law and to ensure transparent data processing.
- Right to data surrender or transfer: You have the right to request the surrender of your personal data that you have provided to us in a commonly used electronic format.
- Right to rectification: You have the right to request the rectification of inaccurate personal data concerning you.
- Right to erasure and restriction of processing: In accordance with the statutory provisions, you have the right to request that data concerning you be erased immediately or, alternatively, to request that the processing of the data be restricted in accordance with the statutory provisions.
Business services
We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as „contractual partners“), in the context of contractual and comparable legal relationships and associated measures and with regard to communication with the contractual partners (or pre-contractual), for example to respond to inquiries. We use this data to fulfill our contractual obligations. These include, in particular, the obligations to provide the agreed services, any updating obligations and remedies in the event of warranty and other service disruptions. In addition, we use the data to safeguard our rights and for the purpose of the administrative tasks associated with these obligations and the company organization. We also process the data on the basis of our legitimate interests both in the proper and efficient management of our business and in security measures to protect our contractual partners and our business operations from misuse, threats to their data, secrets, information and rights (e.g. to involve telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we only pass on the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about other forms of processing, such as for marketing purposes, as part of this privacy policy. We inform the contractual partners which data is required for the aforementioned purposes before or during data collection, e.g. in online forms, by means of special marking (e.g. colors) or symbols (e.g. asterisks or similar), or in person. We delete the data after the expiry of statutory warranty and comparable obligations, i.e. generally after 4 years, unless the data is stored in a customer account, e.g. as long as it must be retained for legal archiving reasons. The statutory retention period is ten years for documents relevant under tax law as well as for trading books, inventories, opening balance sheets, annual financial statements, the work instructions required to understand these documents and other organizational documents and accounting records, and six years for commercial and business letters received and reproductions of commercial and business letters sent. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual financial statements or the management report were prepared, the commercial or business letter was received or sent or the accounting voucher was created, the record was made or the other documents were created. Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.
-
- Types of data processed: inventory data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); contract data (e.g. subject matter of contract, term, customer category);
- Persons concerned: Service recipients and clients; interested parties. Business and contractual partners
-
- Purposes of processing: Provision of contractual services and performance of contractual obligations; Communication; Office and organizational procedures; Organizational and administrative procedures. Business processes and business management procedures.
- Retention and deletion: Deletion in accordance with the information in the section „General information on data storage and deletion“.
- Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
Further information on processing processes, procedures and services:
- Provision of software and platform services: We process the data of our users, registered users and any test users (hereinafter uniformly referred to as „users“) in order to be able to provide them with our contractual services and on the basis of legitimate interests in order to guarantee the security of our offer and to be able to develop it further. The required information is marked as such in the context of the conclusion of the order, purchase order or comparable contract and includes the information required for the provision of services and billing as well as contact information in order to be able to hold any consultations; legal basis: contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Business processes and procedures
Personal data of service recipients and clients – including customers, clients or, in special cases, clients, patients or business partners as well as other third parties – are processed in the context of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business processes in areas such as customer management, sales, payment transactions, accounting and project management. The data collected is used to fulfill contractual obligations and efficiently design operational processes. This includes the processing of business transactions, the management of customer relationships, the optimization of sales strategies and the guarantee of internal accounting and financial processes. In addition, the data supports the protection of the rights of the controller and promotes administrative tasks and the organization of the company. Personal data may be passed on to third parties if this is necessary to fulfill the stated purposes or legal obligations. The data will be deleted after expiry of statutory retention periods or if the purpose of the processing no longer applies. This also includes data that must be stored for longer due to tax and legal obligations to provide evidence.
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and contributions as well as the information relating to them, such as information on authorship or time). information on authorship or time of creation); contract data (e.g. subject matter of the contract, duration, customer category); usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, persons involved); log data (e.g. log files relating to logins or the retrieval of data or access times). Creditworthiness data (e.g. credit score received, estimated probability of default, risk classification based on this, historical payment behavior); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, persons involved).
- Persons concerned: Service recipients and clients; interested parties; communication partners; business and contractual partners; customers; third parties; users (e.g. website visitors, users of online services). Employees (e.g. employees, applicants, temporary staff and other employees).</li
- Purposes of Processing: Provision of contractual services and performance of contractual obligations; Office and organizational procedures; Business processes and business procedures; Security measures; Provision of our online services and usability; Communication; Marketing; Sales promotion; Public relations; Creditworthiness and credit rating assessment; Financial and payment management. Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.).
- Retention and deletion: Deletion in accordance with the information in the section „General information on data storage and deletion“.
- Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR
Further information on processing processes, procedures and services:
- Contact management and maintenance: Procedures that are necessary in the context of organizing, maintaining and securing contact information (e.g. setting up and maintaining a central contact database, regularly updating contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, performing backups and restores of contact data, training employees in the effective use of contact management software, regularly reviewing communication history and adapting contact strategies); Legal bases: Performance of contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Customer account: Customers can create an account within our online offering (e.g. customer or user account, „customer account“ for short). If the registration of a customer account is required, customers will be informed of this as well as the information required for registration. Customer accounts are not public and cannot be indexed by search engines. As part of the registration process and subsequent logins and use of the customer account, we store the IP addresses of customers together with the access times in order to be able to prove registration and prevent any misuse of the customer account. If the customer account has been terminated, the customer account data will be deleted after the termination date, unless it is stored for purposes other than provision in the customer account or must be stored for legal reasons (e.g. internal storage of customer data, order processes or invoices). It is the customer’s responsibility to back up their data when the customer account is terminated; legal bases: contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Wishlist: Customers can create a product/wish list. In this case, the products are stored as part of the fulfillment of our contractual obligations until the account is deleted, unless the product list entries are removed by the customer or we expressly inform the customer of different storage periods; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
- Bookkeeping, accounts payable, accounts receivable: Procedures required for the recording, processing and control of business transactions in the area of accounts payable and accounts receivable (e.g.. Creation and verification of incoming and outgoing invoices, monitoring and management of open items, execution of payment transactions, processing of dunning, account reconciliation in the context of receivables and payables, accounts payable and accounts receivable); Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Financial accounting and taxes: Procedures required for the recording, management and control of financially relevant business transactions and for the calculation, reporting and payment of taxes (e.g. Account assignment and booking of business transactions, preparation of quarterly and annual financial statements, execution of payment transactions, processing of dunning procedures, account reconciliation, tax advice, preparation and submission of tax returns, processing of tax matters); Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Marketing, advertising and sales promotion: Procedures that are necessary in the context of marketing, advertising and sales promotion (e.g. Market analysis and target group identification, development of marketing strategies, planning and implementation of advertising campaigns, design and production of advertising materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programmes, sales promotion measures, performance measurement and optimization of marketing activities, budget management and cost control); legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Economic analyses and market research: The available data on business transactions, contracts, inquiries, etc. are analyzed for business purposes and to identify market trends, the wishes of contractual partners and users. The group of data subjects may include contractual partners, interested parties, customers, visitors and users of the controller’s online offering. The analyses are carried out for the purposes of business evaluations, marketing and market research (e.g. to determine customer groups with different characteristics). If available, profiles of registered users and their details of services used are taken into account. The analyses are used exclusively by the controller and are not disclosed externally, unless they are anonymous analyses with summarized, i.e. anonymized values. In addition, the privacy of users is taken into account; the data is pseudonymized as far as possible for analysis purposes and, if feasible, processed anonymously (e.g. as aggregated data); legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Public relations work: Procedures that are necessary in the context of public relations work and public relations (e.g. Development and implementation of communication strategies, planning and implementation of PR campaigns, creation and distribution of press releases, maintenance of media contacts, monitoring and analysis of media response, organization of press conferences and public events, crisis communication, creation of content for social media and company websites, management of corporate branding); Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Use of online platforms for offer and sales purposes
We offer our services on online platforms operated by other service providers. In this context, the data protection notices of the respective platforms apply in addition to our data protection notices. This applies in particular with regard to the execution of the payment process and the procedures used on the platforms to measure reach and for interest-based marketing.
-
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); contract data (e.g. subject matter of the contract, duration, customer category); usage data (e.g.. Page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved);
- Persons concerned: Service recipients and clients; business and contractual partners. Users (e.g. website visitors, users of online services)
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Marketing. Business processes and business management procedures
-
- Retention and erasure: Erasure in accordance with the information in the section „General information on data retention and erasure“.
- Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
Further information on processing processes, procedures and services:
-
- Apple App Store: App and software sales platform; Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.apple.com/de/app-store/. Privacy policy: https://www.apple.com/legal/privacy/de-ww/
- Google Play: App and software sales platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://play.google.com/store/apps?hl=de; Privacy Policy: https://policies.google.com/privacy. Basis for third country transfers: Switzerland – adequacy decision (Ireland)
-
- 1&1 IONOS: Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacity); Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.ionos.de; Privacy Policy: https://www.ionos.de/terms-gtc/terms-privacy; Data Processing Agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/. Basis for third country transfers: Switzerland – adequacy decision (Germany).
Providers and services used in the course of business activities
As part of our business activities, we use additional services, platforms, interfaces or plug-ins from third-party providers („services“ for short) in compliance with legal requirements. Their use is based on our interests in the proper, lawful and economic management of our business operations and our internal organization.
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Payment data (e.g. bank details, invoices, payment history); Contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and contributions as well as the information relating to them, such as information on authorship or time of creation); contract data (e.g. subject matter of the contract, duration, customer category); usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved);
- Persons concerned: Service recipients and clients; interested parties; business and contractual partners; users (e.g. website visitors, users of online services), communication partners. Third parties
- Purposes of processing: Provision of contractual services and performance of contractual obligations; Office and organizational procedures; Business processes and business procedures; Security measures; Provision of our online services and usability; Communication; Organizational and administrative procedures; Information technology infrastructure (Operation and provision of information systems and technical equipment (computers, servers, etc.). Reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest/behavioral profiling, use of cookies); conversion measurement (measurement of the effectiveness of marketing measures); target group formation; marketing. Profiles with user-related information (creation of user profiles).</li
- Retention and deletion: Deletion in accordance with the information in the section „General information on data storage and deletion“.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR)
Further information on processing processes, procedures and services:
-
- Firebase: Google Firebase is a platform for developers of applications („apps“ for short) for mobile devices and websites. Google Firebase offers a variety of functions for testing apps, monitoring their functionality and optimizing them (which are presented on the following overview page: https://firebase.google.com/products-build). The functions include the storage of apps including personal data of the application users, such as content created by them or information regarding their interaction with the apps (so-called „cloud computing“). Google Firebase also offers interfaces that allow interaction between the users of the app and other services, e.g. authentication using services such as Facebook, Twitter or using an email password combination; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://firebase.google.com; Privacy Policy: https://policies.google.com/privacy. Basis for third country transfers: EU-US Data Privacy Framework (DPF), Switzerland – adequacy decision (Ireland).
- Firebase Authentication: Authentication of users, user account management, password reset, email/password login, login with third-party providers such as Google or Facebook, multi-factor authentication, session management; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://firebase.google.com/products/auth; Privacy Policy: https://policies.google.com/privacy. Basis for third country transfers:** EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland).
- Cloud Firestore: Storage and synchronization of data in real time between clients and the cloud. Offline access to data. Support for complex queries, transactions and auto-scaling; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://firebase.google.com/products/firestore; Privacy Policy: https://policies.google.com/privacy; Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Switzerland – adequacy decision (Ireland).
-
- 1&1 IONOS: Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacities); Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal basis: Legitimate interests (Article 6(1)(f) GDPR); Website: https://www.ionos.de; Privacy Policy: https://www.ionos.de/terms-gtc/terms-privacy; Data processing agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/. Basis for third country transfers: Switzerland – adequacy decision (Germany).
-
- 1&1 IONOS WebAnalytics: Reach measurement and web analytics; Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.ionos.de; Privacy Policy: https://www.ionos.de/terms-gtc/terms-privacy; Data processing agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/. Basis for third country transfers: Switzerland – adequacy decision (Germany).
- GitHub: Platform for version control of software projects. Developers can upload their code to repositories and track changes as well as use tools for project management in software development; Service provider: GitHub B.V., Netherlands, https://support.github.com/contact/privacy; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://github.com. Privacy Policy: https://docs.github.com/de/site-policy/privacy-policies/github-general-privacy-statement
- Notion: Project management – Organization and management of teams, groups, workflows, projects and processes; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Standard contractual clauses: Provided by the service provider; Data processing agreement: Provided by the service provider; Service provider: Notion Labs, Inc, 548 Market St #74567, San Francisco, CA 94104-5401, USA; Website: https://www.notion.so/de-de/product. Privacy Policy: https://www.notion.so/Privacy-Policy-3468d120cf614d4c9014c09f6adc9091.
- WPForms: Creation of online forms, collection of user input, transmission of data to the server, storage and management of submitted information; Service provider: Execution on servers and/or computers under own responsibility under data protection law; Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR); Website: https://wpforms.com/. Further information: https://wpforms.com/introducing-new-gdpr-enhancements-for-your-wordpress-forms//.
- Google Analytics: We use Google Analytics to measure and analyze the use of our online offer on the basis of a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It is used to assign analysis information to an end device in order to recognize which content users have called up within one or more usage processes, which search terms they have used, which they have called up again or which they have interacted with our online offering. The time of use and its duration are also stored, as well as the sources of the users that refer to our online offering and technical aspects of their end devices and browsers.</li
- Pseudonymous profiles of users are created with information from the use of various devices, whereby cookies can be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides rough geographic location data by deriving the following metadata from IP addresses: City (and the city’s inferred latitude and longitude), Continent, Country, Region, Subcontinent (and ID-based counterparts). For EU traffic, IP address data is used exclusively for this derivation of geolocation data before it is immediately deleted. They are not logged, are not accessible and are not used for other purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing.Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://policies.google.com/privacy; Order processing contract: https://business.safety.google/adsprocessorterms/; Basis for third country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland); Option to object (opt-out): https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://myadcenter.google.com/personalizationoff.
Provision of the online offer and web hosting
We process users‘ data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or end device.
- Types of data processed: Usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved); log data (e.g. log files relating to logins or the retrieval of data or access times). Content data (e.g. text or image messages and contributions as well as the information relating to them, such as information on authorship or time of creation);</li
- Persons concerned: users (e.g. website visitors, users of online services)
- Purposes of processing: Provision of our online services and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)). Security measures. Provision of contractual services and fulfillment of contractual obligations.</li
- Retention and deletion: Deletion in accordance with the information in the section „General information on data storage and deletion“.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
Further information on processing processes, procedures and services:
- Provision of online offer on rented storage space: For the provision of our online offer, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also called „web host“); Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Collection of access data and log files: Access to our website is recorded in the form of so-called „server log files“. The server log files may include the address and name of the web pages and files accessed, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files may be used for security purposes, e.g. to avoid overloading the servers (especially in the event of abusive attacks, so-called DDoS attacks) and to ensure the utilization of the servers and their stability; legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.</li
- E-mail dispatch and hosting: The web hosting services we use also include the dispatch, receipt and storage of e-mails. For these purposes, the addresses of the recipients and senders as well as other information relating to the sending of emails (e.g. the providers involved) and the content of the respective emails are processed. The aforementioned data may also be processed for the purpose of detecting SPAM. Please note that e-mails on the Internet are generally not sent in encrypted form. As a rule, emails are encrypted in transit, but not on the servers from which they are sent and received (unless an end-to-end encryption method is used). We can therefore assume no responsibility for the transmission path of the emails between the sender and receipt on our server; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
- 1&1 IONOS: Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacities); Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.ionos.de; Privacy Policy: https://www.ionos.de/terms-gtc/terms-privacy; Data Processing Agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/. Basis for third country transfers: Switzerland – adequacy decision (Germany).
Special notes on applications (apps)
We process the data of users of our application to the extent necessary to provide users with the application and its functionalities, to monitor its security and to develop it further. We may also contact users in compliance with legal requirements if communication is necessary for the purposes of administering or using the application. Otherwise, we refer to the data protection information in this privacy policy with regard to the processing of user data. Legal bases: The processing of data required for the provision of the functionalities of the application serves the fulfillment of contractual obligations. This also applies if the provision of the functions requires user authorization (e.g. enabling device functions). If the processing of data is not necessary for the provision of the functionalities of the application, but serves the security of the application or our business interests (e.g. collection of data for the purpose of optimizing the application or security purposes), it is carried out on the basis of our legitimate interests. If users are expressly asked for their consent to the processing of their data, the data covered by the consent is processed on the basis of the consent. Notes on functions of the application: The app only accesses the camera function to recognize and process a QR code. The app does not have access to the media stored in the media library on the end device (photo or video recordings).
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); metadata, communication data and process data (e.g. IP addresses, time data). meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved); payment data (e.g. bank details, invoices, payment history); contract data (e.g. subject matter of the contract, term, customer category). Image and/or video recordings (e.g. photographs or video recordings of a person).</li
- Persons concerned: Users (e.g. Website visitors, users of online services)
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures. Provision of our online services and user-friendliness
- Storage and erasure: Erasure in accordance with the information in the section „General information on data storage and erasure“.
- Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
Further information on processing processes, procedures and services:
- Commercial use: We process the data of the users of our application, registered users and any test users (hereinafter uniformly referred to as „users“) in order to be able to provide them with our contractual services and on the basis of legitimate interests in order to ensure the security of our application and to be able to develop it further. The required information is identified as such in the context of the conclusion of the usage, order, purchase order or comparable contract and may include the information required for the provision of services and for any billing as well as contact information in order to be able to hold any consultations. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
- Storage of a universally unique identifier (UUID): The application stores a so-called universally unique identifier (UUID) for the purpose of analyzing the use and functionality of the application and storing the user’s settings. This identifier is generated when this application is installed (but is not linked to the device, so it is not a device identifier in this sense), remains stored between the start of the application and its updates and is deleted when users remove the application from their device.
- Storage of a pseudonymous identifier: We use a pseudonymous identifier so that we can provide the application and ensure its functionality. The identifier is a mathematical value (i.e. no clear data such as names are used) that is assigned to a device and/or the installation of the application installed on it. This identifier is generated when this application is installed, remains stored between the start of the application and its updates and is deleted when users remove the application from their device.
- Device authorizations for access to functions and data: The use of our application or its functionalities may require user authorizations for access to certain functions of the devices used or to the data stored on the devices or accessible with the help of the devices. By default, these authorizations must be granted by the users and can be revoked at any time in the settings of the respective devices. The exact procedure for controlling app permissions may depend on the user’s device and software. Users can contact us if they require clarification. We would like to point out that the denial or revocation of the respective authorizations may affect the functionality of our application.
- Access to the camera and saved recordings: As part of the use of our application, image and/or video recordings (including audio recordings) of users (and of other persons captured by the recordings) are processed by accessing the camera functions or saved recordings. Access to the camera functions or saved recordings requires the user’s authorization, which can be revoked at any time. The processing of the image and/or video recordings only serves to provide the respective functionality of our application, as described to users, or its typical and expected functionality.
Obtaining applications via app stores
Our application is obtained via special online platforms operated by other service providers (so-called „app stores“). In this context, the data protection notices of the respective app stores apply in addition to our data protection notices. This applies in particular with regard to the methods used on the platforms to measure reach and interest-based marketing as well as any obligation to pay costs.
- Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); contract data (e.g. subject matter of the contract, term, customer category); usage data (e.g. subject matter of the contract, duration, customer category); usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved);
- Persons concerned: Service recipients and clients. Users (e.g. website visitors, users of online services)
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; marketing. Provision of our online services and user-friendliness
- Storage and erasure: Erasure in accordance with the information in the section „General information on data storage and erasure“.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
Further information on processing processes, procedures and services:
-
- Apple App Store: App and software sales platform; Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.apple.com/de/app-store/. Privacy policy: https://www.apple.com/legal/privacy/de-ww/
- Google Play: App and software sales platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://play.google.com/store/apps?hl=de; Privacy Policy: https://policies.google.com/privacy. Basis for third country transfers: Switzerland – adequacy decision (Ireland).
Registration, login and user account
Users can create a user account. As part of the registration process, users are provided with the required mandatory information and processed for the purpose of providing the user account on the basis of contractual obligations. The processed data includes in particular the login information (user name, password and an e-mail address). As part of the use of our registration and login functions and the use of the user account, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as those of the users in protection against misuse and other unauthorized use. This data is not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and contributions as well as the information relating to them, such as information on authorship or the time of posting). B. information on authorship or time of creation); usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions);. Log data (e.g. log files relating to logins or the retrieval of data or access times).
- Persons concerned: Users (e.g. website visitors, users of online services)
- Purposes of processing: Provision of contractual services and performance of contractual obligations; security measures; organizational and administrative procedures. Provision of our online services and user-friendliness
- .
- Storage and erasure: Erasure in accordance with the information in the section „General information on data storage and erasure“. Deletion after termination
- .
- Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
- .
Further information on processing processes, procedures and services:
- Registration with pseudonyms: Users may use pseudonyms as usernames instead of real names; Legal basis: Contract performance and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR).
- User profiles are not public: User profiles are not publicly visible or accessible.
- Deletion of data after termination: If users have terminated their user account, their data will be deleted with regard to the user account, subject to legal permission, obligation or consent of the users; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
- No obligation to retain data: – It is the responsibility of users to back up their data before the end of the contract in the event of termination. We are entitled to irretrievably delete all user data stored during the term of the contract; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Single sign-on registration
„Single sign-on“ or „single sign-on login or authentication“ refers to procedures that allow users to log in to a provider of single sign-on procedures (e.g. a social network), including our online offering, with the help of a user account. The prerequisite for single sign-on authentication is that users are registered with the respective single sign-on provider and enter the required access data in the online form provided for this purpose, or are already registered with the single sign-on provider and confirm the single sign-on registration via a button. Authentication takes place directly with the respective single sign-on provider. As part of such authentication, we receive a user ID with the information that the user is logged in to the respective single sign-on provider under this user ID and an ID that cannot be used by us for other purposes (so-called „user handle“). Whether additional data is transmitted to us depends solely on the single sign-on procedure used, on the data releases selected during authentication and also on which data users have released in the privacy or other settings of the user account with the single sign-on provider. Depending on the single sign-on provider and the user’s choice, it can be different data, usually the e-mail address and the user name. The password entered with the single sign-on provider as part of the single sign-on procedure is neither visible to us nor is it stored by us. Users are asked to note that their details stored with us can be automatically compared with their user account with the single sign-on provider, but that this is not always possible or actually happens. If, for example, users‘ email addresses change, they must change them manually in their user account with us. If agreed with the users, we can use the single sign-on login as part of or before the fulfillment of the contract, insofar as the users have been asked to do so, process it as part of a consent and otherwise use it on the basis of our legitimate interests and the interests of the users in an effective and secure login system. Should users ever decide that they no longer wish to use the link to their user account with the single sign-on provider for the single sign-on procedure, they must remove this link within their user account with the single sign-on provider. If users wish to delete their data with us, they must cancel their registration with us.
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); usage data (e.g. page views and time spent on the website) page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); metadata, communication data and process data (e.g. IP addresses, time data, identification numbers, persons involved);
- Affected persons: users (e.g. Website visitors, users of online services)
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; registration procedures. Provision of our online services and user-friendliness
- Storage and erasure: Erasure in accordance with the information in the section „General information on data storage and erasure“. Deletion after termination
- Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
Further information on processing processes, procedures and services:
- Apple Single Sign-On: Authentication services for user logins, provision of single sign-on features, management of identity information and application integrations; Service providers: Apple Inc, Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.apple.com/de/. Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.
- Google Single-Sign-On: Authentication services for user logins, provision of single sign-on features, management of identity information and application integrations; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.google.de; Privacy Policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF). Option to object (opt-out): Settings for the display of advertisements: https://myadcenter.google.com/.
Contact and request management
When contacting us (e.g. by post, contact form, email, telephone or via social media) and as part of existing user and business relationships, the details of the person making the inquiry are processed insofar as this is necessary to respond to the contact inquiries and any measures requested.
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and contributions as well as the information relating to them, such as information on authorship or time of creation); usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved);
- Persons concerned: communication partners;
- Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g. collecting feedback via online form). Provision of our online services and user-friendliness
- Retention and deletion: Deletion in accordance with the information in the section „General information on data storage and deletion“.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR)
Further information on processing processes, procedures and services:
- Contact form: When you contact us via our contact form, by email or other communication channels, we process the personal data transmitted to us to answer and process the respective request. This usually includes details such as name, contact information and, if applicable, other information that is provided to us and is required for appropriate processing. We use this data exclusively for the stated purpose of establishing contact and communication; legal basis: contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Surveys and interviews
We conduct surveys and interviews to collect information for the communicated survey or interview purpose. The surveys and questionnaires we conduct (hereinafter „surveys“) are evaluated anonymously. Personal data is only processed to the extent that this is necessary for the provision and technical implementation of the surveys (e.g. processing of the IP address to display the survey in the user’s browser or to enable the survey to be resumed with the help of a cookie).
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and contributions as well as the information relating to them, such as information on authorship or time). e.g. information on authorship or time of creation); usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions);
- Persons affected: Participants.
- Purposes of processing: Feedback (e.g. collecting feedback via online form). Surveys and questionnaires (e.g. surveys with input options, multiple choice questions)
- .
- Retention and deletion: Deletion in accordance with the information in the section „General information on data storage and deletion“.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
- .
Web analysis, monitoring and optimization
Web analysis (also referred to as „reach measurement“) is used to evaluate the flow of visitors to our online offering and may include behavior, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognize at what time our online offer or its functions or content are most frequently used, or invite visitors to reuse them. We are also able to understand which areas require optimization. In addition to web analysis, we can also use test procedures, for example to test and optimize different versions of our online offering or its components. Unless otherwise stated below, profiles, i.e. data summarized for a usage process, may be created for these purposes and information may be stored in a browser or end device and then read out. The information collected includes, in particular, websites visited and the elements used there as well as technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data from us or from the providers of the services we use, it is also possible to process location data. In addition, the IP addresses of users are stored. However, we use an IP masking procedure (i.e. pseudonymization by shortening the IP address) to protect users. In general, no clear user data (such as e-mail addresses or names) is stored in the context of web analysis, A/B testing and optimization, but pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective process. Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
-
- Types of data processed: Usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved);
- Persons concerned: users (e.g. website visitors, users of online services)
- Purposes of Processing: Web Analytics (e.g. access statistics, recognition of returning visitors) Profiles with user-related information (Creating user profiles); Tracking (e.g. profiling based on interests/behavior, use of cookies); Conversion tracking (Measurement of the effectiveness of marketing activities); Custom Audiences; Marketing. Provision of our online services and user-friendliness
-
- Retention and deletion: Deletion in accordance with the information in the section „General information on data storage and deletion“. Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users‘ devices for a period of two years).
-
- Security measures: IP masking (pseudonymization of the IP address).
- Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
Further information on processing processes, procedures and services:
- 1&1 IONOS WebAnalytics: Reach measurement and web analysis; Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.ionos.de; Privacy Policy: https://www.ionos.de/terms-gtc/terms-privacy; Data processing agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/. Basis for third country transfers: Switzerland – adequacy decision (Germany).
- Firebase: Google Firebase is a platform for developers of applications („apps“ for short) for mobile devices and websites. Google Firebase offers a variety of functions for testing apps, monitoring their functionality and optimizing them (which are presented on the following overview page: https://firebase.google.com/products-build). The functions include the storage of apps including personal data of the application users, such as content created by them or information regarding their interaction with the apps (so-called „cloud computing“). Google Firebase also offers interfaces that allow interaction between the users of the app and other services, e.g. authentication using services such as Facebook, Twitter or using an email password combination; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://firebase.google.com; Privacy Policy: https://policies.google.com/privacy. Basis for third country transfers: EU-US Data Privacy Framework (DPF), Switzerland – adequacy decision (Ireland).
- Google Analytics: We use Google Analytics to measure and analyze the use of our online offer on the basis of a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It is used to assign analysis information to an end device in order to recognize which content users have called up within one or more usage processes, which search terms they have used, which they have called up again or which they have interacted with our online offering. The time of use and its duration are also stored, as well as the sources of the users that refer to our online offering and technical aspects of their end devices and browsers.
- Pseudonymous profiles of users are created with information from the use of various devices, whereby cookies can be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides rough geographic location data by deriving the following metadata from IP addresses: City (and the city’s inferred latitude and longitude), Continent, Country, Region, Subcontinent (and ID-based counterparts). For EU traffic, IP address data is used exclusively for this derivation of geolocation data before it is immediately deleted. It is not logged, is not accessible and is not used for any other purpose. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing.Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://policies.google.com/privacy; Order processing contract: https://business.safety.google/adsprocessorterms/; Basis for third country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland); Option to object (opt-out): https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://myadcenter.google.com/personalizationoff.
Presence in social networks (social media)
We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us. We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce user rights. Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and the resulting interests of users. The latter may in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. Cookies are therefore generally stored on the user’s computer, in which the user’s usage behavior and interests are stored. In addition, data can also be stored in the user profiles independently of the devices used by the users (especially if they are members of the respective platforms and are logged in there). For a detailed description of the respective forms of processing and the opt-out options, please refer to the privacy policies and information provided by the operators of the respective networks. In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the users‘ data and can take appropriate measures and provide information directly. If you still need help, you can contact us.
- Types of data processed: Contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and contributions as well as the information relating to them, such as information on authorship or time of creation); Usage data (e.g. page views and traffic data). usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved);
- Persons concerned: users (e.g. website visitors, users of online services)
- Purposes of processing: Communication; feedback (e.g. collecting feedback via online form). Public relations work
- .
- Retention and deletion: Deletion in accordance with the information in the section „General information on data storage and deletion“.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR)
- .
Further information on processing processes, procedures and services:
- Instagram: Social network, allows you to share photos and videos, comment and favorite posts, send messages, subscribe to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (§ 6 S. 1 No. 4 in conjunction with. No. 8 DSG-EKD); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for third country transfers: Data Privacy Framework (DPF), Switzerland – adequacy decision (Ireland).
- Facebook pages: Profiles within the social network Facebook – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data of visitors to our Facebook page (so-called „fan page“). This data includes information about the types of content users view or interact with, or the actions they take (see under „Things you and others do and provide“ in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see under „Device information“ in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under „How do we use this information?“, Facebook also collects and uses information to provide analytics services, known as „Page Insights“, for page operators to help them understand how people interact with their pages and the content associated with them. We have concluded a special agreement with Facebook („Information on Page Insights“, https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must observe and in which Facebook has agreed to fulfill the rights of data subjects (i.e. users can, for example, send information or deletion requests directly to Facebook). The rights of users (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the „Information on Page Insights“ (https://www.facebook.com/legal/terms/information_about_page_insights_data). The joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transfer of the data to the parent company Meta Platforms, Inc. in the USA; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for third country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland).
- LinkedIn: Social network – We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of visitors‘ data generated for the purpose of creating the „page insights“ (statistics) of our LinkedIn profiles.
- This data includes information about the types of content users view or interact with, or the actions they take, as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data) and information from users‘ profiles, such as job function, country, industry, hierarchy level, company size and employment status. Data protection information on the processing of user data by LinkedIn can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy
- We have concluded a special agreement with LinkedIn Ireland („Page Insights Joint Controller Addendum (the ‚Addendum‘)“, https://legal.linkedin.com/pages-joint-controller-addendum), which regulates in particular which security measures LinkedIn must observe and in which LinkedIn has agreed to fulfill the rights of data subjects (i.e. users can, for example, send information or deletion requests directly to LinkedIn). The rights of users (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection of data by and transfer to Ireland Unlimited Company, a company based in the EU. The further processing of the data is the sole responsibility of Ireland Unlimited Company, which in particular concerns the transfer of the data to the parent company LinkedIn Corporation in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (§ 6 S. 1 No. 4 in conjunction with No. 8 DSG-EKD); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for transfers to third countries: Data Privacy Framework (DPF). Option to object (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
- TikTok: Social network, allows you to share photos and videos, comment on and favorite posts, send messages, subscribe to accounts; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Legitimate interests (§ 6 S. 1 No. 4 in conjunction with No. 8 DSG-EKD); Website: https://www.tiktok.com. Privacy Policy: https://www.tiktok.com/de/privacy-policy. Basis for third country transfers: EU/EEA – standard contractual clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms), Switzerland – standard contractual clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).
- YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Section 6 S. 1 No. 4 in conjunction with No. 8 DSG-EKD); Data protection declaration: https://policies.google.com/privacy; Basis for third country transfers: Data Privacy Framework (DPF). Option to object (opt-out): https://myadcenter.google.com/personalizationoff.
Plug-ins and embedded functions and content
We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as „third-party providers“). These may be, for example, graphics, videos or city maps (hereinafter uniformly referred to as „content“). The integration always requires that the third-party providers of this content process the IP address of the user, as they would not be able to send the content to their browser without the IP address. The IP address is therefore required to display this content or function. We endeavor to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as „web beacons“) for statistical or marketing purposes. Pixel tags can be used to analyze information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and contain, among other things, technical information about the browser and operating system, referring websites, visiting time and other information about the use of our online offer, but may also be linked to such information from other sources. Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is permission. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
-
- Types of data processed: Usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved);
- Persons concerned: users (e.g. website visitors, users of online services)
- Purposes of processing: Provision of our online services and user-friendliness
- Storage and deletion: Deletion in accordance with the information in the section „General information on data storage and deletion“. Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users‘ devices for a period of two years).
- Security measures: IP masking (pseudonymization of the IP address).
- Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
Further information on processing processes, procedures and services:
- Google Fonts (provision on own server): Provision of font files for the purpose of a user-friendly presentation of our online offer; Service provider: The Google Fonts are hosted on our server, no data is transmitted to Google; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Management, organization and auxiliary tools
We use services, platforms and software from other providers (hereinafter referred to as „third-party providers“) for the purposes of organizing, managing, planning and providing our services. When selecting third-party providers and their services, we observe the legal requirements. In this context, personal data may be processed and stored on the servers of the third-party providers. This may affect various data that we process in accordance with this privacy policy. This data may include, in particular, master data and contact data of users, data on transactions, contracts, other processes and their content. If users are referred to third-party providers or their software or platforms in the context of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization or marketing purposes. We therefore ask you to observe the data protection notices of the respective third-party providers.
- Types of data processed: Content data (e.g. text or image messages and posts as well as the information relating to them, such as information on authorship or time of creation); usage data (e.g. page views and time spent on the site); metadata (e.g. metadata on the use of the website). page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved); contact data (e.g. postal and email addresses or telephone numbers); inventory data (e.g. full name, residential address, contact information, customer number, etc.). ). Contract data (e.g. subject matter of the contract, term, customer category).
- Persons concerned: Communication partners; users (e.g. website visitors, users of online services); interested parties; business and contractual partners. Third parties
- Purposes of Processing: Communication; Provision of contractual services and performance of contractual obligations; Office and organizational procedures; Web Analytics (e.g. profiling).. Access statistics, recognition of returning visitors) Provision of our online offer and user-friendliness; artificial intelligence (AI). Organizational and administrative procedures
- Retention and deletion: Deletion in accordance with the information in the section „General information on data storage and deletion“.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR)
Further information on processing processes, procedures and services:
-
- Notion: Project management – organization and management of teams, groups, workflows, projects and processes; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Standard contractual clauses: Provided by the service provider; Data processing agreement: Provided by the service provider; Service provider: Notion Labs, Inc, 548 Market St #74567, San Francisco, CA 94104-5401, USA; Website: https://www.notion.so/de-de/product. Privacy Policy: https://www.notion.so/Privacy-Policy-3468d120cf614d4c9014c09f6adc9091.
- Google Docs: Online application for word processing, document storage, collaboration and document sharing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR); Website: https://www.google.com/docs/about/; Privacy Policy: https://cloud.google.com/privacy; Processing Agreement: https://workspace.google.com/terms/dpa_terms.html; Standard contractual clauses (guarantee of data protection level for processing in third countries): https://cloud.google.com/terms/eu-model-contract-clause; Further information: https://cloud.google.com/privacy.
- DeepL: Translation of texts into different languages and provision of synonyms and context examples. Support for the correction and improvement of texts in different languages; Service provider: DeepL SE, Maarweg 165, 50825 Cologne, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.deepl.com; Privacy Policy: https://www.deepl.com/privacy.html; Processing Agreement: Provided by the service provider. Basis for third country transfers: Switzerland – adequacy decision (Germany)
-
- ChatGPT: AI-based service designed to understand and generate natural language and related input and data, analyze information and make predictions („AI“, i.e. „Artificial Intelligence“, is to be understood in the applicable legal sense of the term); Service Provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://openai.com/product Privacy Policy: https://openai.com/de/policies/eu-privacy-policyPossibility to object (opt-out): https://docs.google.com/forms/d/e/1FAIpQLSevgtKyiSWIOj6CV6XWBHl1daPZSOcIWzcUYUXQ1xttjBgDpA/viewform.
- Google Spreadsheets: Online application for spreadsheets, document storage, collaboration and document sharing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR); Website: https://www.google.com/sheets/about/; Privacy Policy: https://www.google.com/policies/privacy/; Data Processing Agreement: https://workspace.google.com/terms/dpa_terms.html; Standard contractual clauses (guarantee of data protection level for processing in third countries): https://cloud.google.com/terms/eu-model-contract-clause; Further information: https://cloud.google.com/privacy.
- Gmail: Sending and receiving emails, storing contacts in the address book, filter rules for sorting incoming emails, spam and virus protection, cloud storage for attachments and other content; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.google.com/gmail/about/. Privacy Policy: https://policies.google.com/privacy. Basis for third country transfers: Switzerland – adequacy decision (Ireland).
Processing of data in the context of employment relationships
In the context of employment relationships, personal data is processed with the aim of effectively establishing, implementing and terminating such relationships. This data processing supports various operational and administrative functions that are necessary for the management of employee relations. The data processing covers various aspects ranging from contract initiation to contract termination. This includes the organization and administration of daily working hours, the administration of access rights and authorizations as well as the handling of personnel development measures and employee appraisals. The processing is also used for payroll and the administration of wage and salary payments, which are critical aspects of contract implementation. In addition, data processing takes into account the legitimate interests of the responsible employer, such as ensuring safety in the workplace or collecting performance data to evaluate and optimize operational processes. Data processing also includes the disclosure of employee data as part of external communication and publication processes, where this is necessary for operational or legal purposes. The processing of this data always takes place in compliance with the applicable legal framework, whereby the aim is always to create and maintain a fair and efficient working environment. This also includes taking into account the data protection of the employees concerned, the anonymization or deletion of data after the purpose of processing has been fulfilled or in accordance with legal retention periods.
-
- Types of data processed: inventory data (e.g. full name, home address, contact information, customer number, etc.); employee data (information on employees and other persons in an employment relationship); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and content data (e.g. text or image messages and contributions and the information relating to them, such as information on authorship or time of creation); contract data (e.g. subject matter of the contract, term, customer category); social data (data that is subject to social confidentiality and is processed, for example, by social insurance institutions, social welfare institutions or pension authorities); log data (e.g. log files relating to logins or the use of the website). log files concerning logins or the retrieval of data or access times); performance and behavioral data (e.g. performance and behavioral aspects such as performance evaluations, feedback from superiors, training participation, compliance with company guidelines, self-assessments and behavioral assessments); working time data (e.g. start of working hours, end of working hours, actual working hours, target working hours, break times, overtime, vacation days, special leave days, sick days, absences, home office days, business trips); salary data (e.g. basic salary, bonus payments, bonuses, tax class information, supplements for night work/overtime, tax deductions, social security contributions, net amount paid out); image and/or video recordings (e.g. photographs or video recordings of a person); usage data (e.g. Page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); Meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved);
- Special categories of personal data: Health data; Religious or philosophical beliefs. Trade union membership.
- Persons concerned: Employees (e.g. employees, applicants, temporary staff and other employees).
- Purposes of processing: Establishment and execution of employment relationships (processing of employee data in the context of the establishment and execution of employment relationships); business processes and business management procedures; provision of contractual services and fulfillment of contractual obligations; public relations; security measures. Office and organizational procedures
-
- Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Processing of special categories of personal data concerning health, professional and social security matters (Art. 9 para. 2 lit. h) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR)
Further information on processing processes, procedures and services:
-
- Working time recording: Procedures for recording employees‘ working hours include both manual and automated methods, such as the use of time clocks, time recording software or mobile apps. This involves activities such as entering clock-in and clock-out times, break times, overtime and absences. Checking and validating the recorded working times includes comparing them with shift schedules, checking absences and approving overtime by supervisors. Reports and analyses are created based on the recorded working hours in order to provide timesheets, overtime reports and absence statistics for management and the HR department; legal basis: performance of a contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Authorization management: Procedures required to define, manage and control access rights and user roles within a system or organization (e.g. creation of authorization profiles, role and access-based control, review and approval of access requests, regular review of access rights, tracking and auditing of user activities, creation of security policies and procedures); Legal bases: Performance of a contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
- Special categories of personal data: Special categories of personal data are processed in the context of the employment relationship or to fulfill legal obligations. The special categories of personal data processed include data relating to the health, trade union membership or religious affiliation of employees. This data may, for example, be passed on to health insurance companies or processed to assess employees‘ ability to work or for occupational health management or for information to the tax office; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Sources of the processed data: Personal data is processed that was obtained as part of the application and/or the employment relationship of the employees. In addition, if required by law, personal data is collected from other sources. These may be tax authorities for tax-relevant information, the respective health insurance company for information on incapacity for work, third parties such as employment agencies or publicly accessible sources such as professional social networks in the context of application procedures; Legal bases: Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Purposes of data processing: The personal data of employees are processed primarily to establish, implement and terminate the employment relationship. In addition, the processing of this data is necessary to fulfill legal obligations in the area of tax and social security law. In addition to these primary purposes, employee data is also used to comply with regulatory and supervisory requirements, to optimize electronic data processing processes and to compile internal or cross-company data, possibly including statistical data. Furthermore, employees‘ data may be processed for the assertion of legal claims and for defense in legal disputes; legal bases: performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Transfer of employee data: Employee data is only processed internally by those departments that need it to fulfill operational, contractual and legal obligations.
- Data is only passed on to external recipients if this is required by law or if the employees concerned have given their consent. Possible scenarios for this could be requests for information from authorities or in the case of capital formation benefits. Furthermore, the controller may forward personal data to other recipients if this is necessary to fulfill its contractual and legal obligations as an employer. These recipients may include: a) Banks b) Health insurance funds, pension insurance providers, pension providers and other social insurance providers c) Authorities, courts (e.g. tax authorities, labor courts, other supervisory authorities in the context of fulfilling reporting and information obligations) d) Tax and legal advisors e) Third-party debtors in the event of wage and salary garnishment f) Other bodies to which legally binding declarations must be made.
- In addition, data may be passed on to third parties if this is necessary for communication with business partners, suppliers or other service providers. Examples of this are details in the sender area of emails or letterhead and the creation of profiles on external platforms; legal bases: contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Deletion of employee data: Employee data is deleted under German law if it is not required for the purpose for which it was collected, unless it must be retained or archived due to legal obligations or due to the interests of the employer. The following retention and archiving obligations are observed:
- General personnel documents – General personnel documents (such as employment contract, reference letter, supplementary agreements) are retained for up to three years after termination of the employment relationship (Section 195 BGB).
- Tax-relevant documents – Tax-relevant documents in the personnel file are kept for six years (§ 147 AO, § 257 HGB).
- Information on wages and hours worked – Information on wages and hours worked for (accident) insured persons with proof of wages is kept for five years (§ 165 I 1, IV 2 SGB VII).
- Salary lists including lists for special payments – Salary lists including lists for special payments, provided an accounting document is available, are kept for ten years (§ 147 AO, § 257 HGB).
- Payrolls for interim, final and special payments – payrolls for interim, final and special payments are kept for six years (§ 147 AO, § 257 HGB).
- Documents relating to employee insurance – Documents relating to employee insurance, if accounting records are available, are kept for ten years (Section 147 AO, Section 257 HGB).
- Contribution statements to social insurance institutions – Contribution statements to social insurance institutions are kept for ten years (Section 165 SGB VII).
- Wage accounts – wage accounts are kept for six years (§ 41 I 9 EStG).
- Applicant data – Retained for a maximum of six months from receipt of rejection.
- Working time records (for more than 8 hours on working days) – Retained for two years (Section 16 II Working Hours Act (ArbZG)).
- Application documents (after online job advertisement) – Are kept for three to a maximum of six months after receipt of the rejection (§ 26
- Federal Data Protection Act (BDSG) as amended, Section 15 IV General Equal Treatment Act (AGG))
- Certificates of incapacity for work (AU) – Retained for up to five years (Section 6 I of the Act on the Equalization of Expenses (AAG)).
- Documents relating to company pension schemes – Retained for 30 years (Section 18a of the Act on the Improvement of Company Pension Schemes (BetrAVG))
- Employee sickness data – Retained for twelve months after the start of the illness if the absences do not exceed six weeks in a year.
- Data on maternity protection – Retained for two years (Section 27 (5) MuSchG)
- Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR), Processing of special categories of personal data concerning health, professional and social security matters (Art. 9 para. 2 lit. h) GDPR).
- Personnel development, performance evaluation and employee appraisals: Procedures required in the area of promotion and further development of employees as well as in the assessment of their performance and in the context of employee appraisals (e.g. needs analysis for further training, planning and implementation of training measures, preparation of performance evaluations, implementation of target agreement and feedback discussions, career planning and talent management, succession planning); Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR), Processing of special categories of personal data relating to health, professional and social security (Art. 9 para. 2 lit. h) GDPR).
- Obligation to provide data: The controller informs employees that the provision of their data is required. This is generally the case if the data is required for the establishment and performance of the employment relationship or if its collection is required by law. It may also be necessary to provide data if employees assert claims or if employees are entitled to claims. The performance of these measures or fulfillment of services is dependent on the provision of this data (for example, the provision of data for the purpose of receiving wages); Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Publication and disclosure of employee data: Employee data is only published or disclosed to third parties if this is necessary for the performance of work tasks in accordance with the employment contract. This applies, for example, if employees are named as contact persons in correspondence, on the website or in public registers following consultation or an agreed job description, or if the area of responsibility includes representative functions. This may also be the case if a presentation or communication with the public takes place as part of the performance of duties, such as photographs taken as part of public relations work. Otherwise, employees‘ data will only be published with their consent or on the basis of the employer’s legitimate interests, for example in the case of stage or group photos taken as part of a public event; legal bases: consent (Art. 6 para. 1 sentence 1 lit. a) GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Change and update
We ask you to inform yourself regularly about the content of our privacy policy. We will adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification. If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and please check the information before contacting us.
Definitions of terms
This section provides an overview of the terms used in this privacy policy. Where the terms are defined by law, their legal definitions apply. The following explanations, on the other hand, are primarily intended to aid understanding.
- Employee: Persons who are in an employment relationship, whether as employees, salaried employees or in similar positions, are referred to as employees. An employment relationship is a legal relationship between an employer and an employee that is defined by an employment contract or agreement. It involves the employer’s obligation to pay remuneration to the employee while the employee performs work. The employment relationship comprises various phases, including the establishment, in which the employment contract is concluded, the performance, in which the employee carries out his or her work activities, and the termination, when the employment relationship ends, whether by notice, termination agreement or otherwise. Employee data is all information relating to these persons and in the context of their employment. This includes aspects such as personal identification data, identification numbers, salary and bank details, working hours, vacation entitlements, health data and performance appraisals.
- Inventory data: Inventory data includes essential information that is necessary for the identification and management of contractual partners, user accounts, profiles and similar assignments. This data may include personal and demographic information such as names, contact information (addresses, telephone numbers, email addresses), dates of birth and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between individuals and services, facilities or systems by enabling unique assignment and communication.
- Content data: Content data includes information generated in the course of creating, editing and publishing content of all kinds. This category of data can include text, images, videos, audio files and other multimedia content published on various platforms and media. Content data is not limited to the actual content, but also includes metadata that provides information about the content itself, such as tags, descriptions, author information and publication dates
- Contact data: Contact data is essential information that enables communication with people or organizations. It includes telephone numbers, postal addresses and email addresses, as well as communication tools such as social media handles and instant messaging identifiers
- Conversion measurement: Conversion measurement (also referred to as „visit action evaluation“) is a process that can be used to determine the effectiveness of marketing measures. For this purpose, a cookie is usually stored on the user’s device within the websites on which the marketing measures take place and then retrieved again on the target website. For example, this allows us to track whether the ads we placed on other websites were successful.
- Artificial intelligence (AI): The purpose of processing data using artificial intelligence (AI) includes the automated analysis and processing of user data in order to recognize patterns, make predictions and improve the efficiency and quality of our services. This includes the collection, cleansing and structuring of data, the training and application of AI models as well as the continuous review and optimization of the results and is carried out exclusively with the consent of the users or on the basis of legal permission.
- Performance and behavioral data: Performance and behavioral data refers to information related to how people perform tasks or behave in a particular context, such as in an educational, work or social environment. This data can include metrics such as productivity, efficiency, quality of work, attendance and compliance with policies or procedures. Behavioral data could include interactions with colleagues, communication styles, decision-making processes and reactions to different situations. These types of data are often used for performance evaluations, training and development, and decision making within organizations.
- Meta, communication and procedural data: Meta, communication and procedural data are categories that contain information about the way data is processed, transmitted and managed. Meta data, also known as data about data, includes information that describes the context, origin and structure of other data. It can include information on file size, creation date, the author of a document and change histories. Communication data records the exchange of information between users via various channels, such as e-mail traffic, call logs, messages in social networks and chat histories, including the persons involved, time stamps and transmission paths. Procedural data describes the processes and procedures within systems or organizations, including workflow documentation, logs of transactions and activities, and audit logs used to track and review operations.
- Usage data: Usage data refers to information that captures how users interact with digital products, services or platforms. This data includes a wide range of information that shows how users use applications, which functions they prefer, how long they stay on certain pages and which paths they use to navigate through an application. Usage data can also include frequency of use, timestamps of activities, IP addresses, device information and location data. It is particularly valuable for analysing user behaviour, optimizing user experiences, personalizing content and improving products or services. In addition, usage data plays a crucial role in identifying trends, preferences and potential problem areas within digital offerings
- Personal data: „Personal data“ means any information relating to an identified or identifiable natural person (hereinafter referred to as „data subject“); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or an identifier (e.g. an IP address).
- a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Profiles with user-related information: The processing of „profiles with user-related information“, or „profiles“ for short, includes any type of automated processing of personal data that consists of using this personal data to analyze, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include various information relating to demographics, behavior and interests, such as interaction with websites and their content, etc.). interests in certain content or products, click behavior on a website or location). Cookies and web beacons are often used for profiling purposes.
- Log data: Log data is information about events or activities that have been logged in a system or network. This data typically contains information such as timestamps, IP addresses, user actions, error messages and other details about the use or operation of a system. Log data is often used to analyze system problems, monitor security or generate performance reports.
- Reach measurement: Reach measurement (also known as web analytics) is used to evaluate the flow of visitors to an online offering and can include the behavior or interests of visitors in certain information, such as website content. With the help of reach analysis, operators of online offers can, for example, recognize at what time users visit their websites and what content they are interested in. This enables them to better adapt the content of their websites to the needs of their visitors, for example. Pseudonymous cookies and web beacons are often used for reach analysis purposes in order to recognize returning visitors and thus obtain more precise analyses of the use of an online offering.
- Tracking: The term „tracking“ is used when the behavior of users can be traced across several online offers. As a rule, behavioral and interest information is stored in cookies or on the servers of the providers of the tracking technologies with regard to the online offers used (so-called profiling). This information can then be used, for example, to display advertisements to users that are likely to match their interests.
- Controller: The „controller“ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
- Processing: „Processing“ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers practically any handling of data, be it collection, analysis, storage, transmission or erasure.
- Contractual data: Contractual data is specific information that relates to the formalization of an agreement between two or more parties. It documents the conditions under which services or products are provided, exchanged or sold. This category of data is essential for the management and fulfillment of contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include start and end dates of the contract, the type of services or products agreed, price agreements, payment terms, termination rights, renewal options and special terms or clauses. They serve as the legal basis for the relationship between the parties and are crucial for the clarification of rights and obligations, the enforcement of claims and the resolution of disputes.
- Payment data: Payment data includes all information needed to process payment transactions between buyers and sellers. This data is crucial for e-commerce, online banking and any other form of financial transaction. It includes details such as credit card numbers, bank details, payment amounts, transaction dates, verification numbers and billing information. Payment data may also include information about payment status, chargebacks, authorizations and fees.
- Target group formation: Custom audiences are defined when target groups are determined for advertising purposes, e.g. the display of advertisements. For example, based on a user’s interest in certain products or topics on the internet, it can be concluded that this user is interested in advertisements for similar products or the online store in which they viewed the products. In turn, „lookalike audiences“ (or similar target groups) are when the content deemed suitable is displayed to users whose profiles or interests presumably correspond to the users for whom the profiles were created. Cookies and web beacons are generally used for the purpose of creating custom audiences and lookalike audiences.