Privacy notice

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for which purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").

The terms used are not gender-specific.

Effective Date: May 23, 2024


Table of Contents

  • Preamble
  • Responsible person
  • Overview of Processing Activities
  • Relevant Legal Bases
  • Security Measures
  • Transfer of Personal Data
  • International Data Transfers
  • General Information on Data Storage and Deletion
  • Rights of Data Subjects
  • Business Services
  • Use of Online Platforms for Offer and Sales Purposes
  • Payment Procedures
  • Provision of the Online Offer and Web Hosting
  • Use of Cookies
  • Contact and Inquiry Management
  • Communication via Messenger
  • Web Analysis, Monitoring, and Optimization
  • Presence on Social Networks (Social Media)
  • Plug-ins and Embedded Functions and Content
  • Definitions of Terms


Responsible person

Irina El Aissati
Gräfin-Helene-Straße 2
78267 Aach

Email address: irina@amanel-lamp.com


Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the affected individuals.

Types of Data Processed

  • Inventory data
  • Payment data
  • Contact data
  • Content data
  • Contract data
  • Usage data
  • Meta, communication, and procedural data
  • Log data

Categories of Data Subjects

  • Recipients of services and clients.
  • Prospective customers.
  • Communication partners.
  • Users.
  • Business and contractual partners.

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Communication.
  • Security measures.
  • Audience measurement.
  • Office and organizational procedures.
  • Organizational and administrative procedures.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Provision of our online offer and user-friendliness.
  • Information technology infrastructure.
  • Public relations.
  • Business processes and operational procedures.


Relevant Legal Bases

Relevant legal bases according to the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. If specific legal bases are applicable in individual cases, we will inform you of these in the privacy policy.

Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.

Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Legal obligation (Art. 6(1)(c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.

Legitimate interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection regulations in Germany: In addition to the GDPR, there are national data protection regulations in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG), which contains specific provisions regarding the right to information, the right to erasure, the right to object, processing of special categories of personal data, processing for other purposes, transmission, and automated decision-making including profiling on an individual basis. Furthermore, state data protection laws of individual federal states may apply.

Note on the applicability of GDPR and Swiss Data Protection Act (DSG): These data protection notices serve both to provide information under the Swiss Data Protection Act (DSG) and the General Data Protection Regulation (GDPR). Therefore, please note that for broader spatial application and comprehensibility, the terms of the GDPR are used. Specifically, terms such as "processing of personal data," "legitimate interests," and "special categories of data" used in the GDPR are used instead of the terms "processing of personal data," "predominant private interests," and "particularly sensitive personal data" used in the Swiss DSG. However, the legal meaning of these terms continues to be determined under the Swiss DSG.


Security Measures

In accordance with legal requirements and considering the state of the art, implementation costs, the nature, scope, circumstances, and purposes of processing, as well as the varying probabilities of occurrence and the severity of the threat to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as the access, input, transmission, security of availability, and segregation thereof. Additionally, we have established procedures to ensure the exercise of data subject rights, deletion of data, and responses to data threats. Furthermore, we consider data protection principles in the development or selection of hardware, software, and procedures, through privacy by design and by default.

IP Address Masking: Where IP addresses are processed by us or by the services and technologies employed, and processing of the full IP address is not necessary, IP addresses are masked (also known as "IP masking"). This involves removing the last two digits or the last part of the IP address after a dot, or replacing them with placeholders. IP address masking prevents or significantly complicates the identification of a person based on their IP address.

Securing Online Connections with TLS/SSL Encryption Technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we employ TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are fundamental to secure data transmission over the Internet. These technologies encrypt information transmitted between the website or app and the user's browser (or between two servers), ensuring data is protected from unauthorized access. TLS, being the advanced and more secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured with an SSL/TLS certificate, it is indicated by HTTPS in the URL, signaling to users that their data is being transmitted securely and encrypted.


Transmission of Personal Data

As part of our processing of personal data, it may be necessary to transmit these data to other entities, companies, legally independent organizational units, or individuals, or to disclose them to them. Recipients of this data may include, for example, IT service providers responsible for IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with these recipients to protect your data.


International Data Transfers

Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if processing occurs in connection with the use of third-party services or the disclosure/transmission of data to other individuals, entities, or companies, we do so in compliance with legal requirements. If the level of data protection in the third country has been recognized as adequate through an adequacy decision (Art. 45 GDPR), this serves as the basis for data transfers. Otherwise, data transfers are carried out only if the data protection level is otherwise secured, especially through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or in the case of contractual or legally required transfers (Art. 49(1) GDPR). Additionally, we inform you about the basis for third-country transfers for each provider from the third country, with adequacy decisions being the primary basis. Information on third-country transfers and existing adequacy decisions can be found on the European Commission's website: EU Commission Data Protection.

EU-US Trans-Atlantic Data Privacy Framework: As part of the "Data Privacy Framework" (DPF), the European Commission has also recognized the level of data protection as safe for certain companies from the USA under the adequacy decision of July 10, 2023. The list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at Data Privacy Framework. We will inform you in our privacy notices which service providers we use are certified under the Data Privacy Framework.


General Information on Data Storage and Deletion

We delete personal data we process in accordance with legal requirements as soon as the underlying consents are revoked or no further legal bases for processing exist. This applies to cases where the original purpose of processing no longer applies or the data are no longer needed. Exceptions to this rule exist where legal obligations or special interests require longer retention or archiving of data.

In particular, data that must be retained for commercial or tax reasons or whose storage is necessary for legal action or to protect the rights of other natural or legal persons must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data specifically applicable to certain processing activities.

In cases where multiple statements regarding the retention period or deletion deadlines of a datum exist, the longest period always applies.

If a deadline does not explicitly begin on a specific date and lasts at least one year, it automatically starts at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships where data is stored, the triggering event is the effective date of termination or other termination of the legal relationship.

Data that are retained not for their original intended purpose but due to legal requirements or other reasons are processed solely for the reasons justifying their retention.

Further information on processing procedures, methods, and services:

Retention and deletion of data: The following general deadlines apply to retention and archiving under German law:

  • 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and the necessary instructions for understanding them, as well as other organizational documents, booking vouchers, and invoices (§ 147 para. 3 in conjunction with para. 1 nos. 1, 4, and 4a AO, § 14b para. 1 UStG, § 257 para. 1 nos. 1 and 4, para. 4 HGB).
  • 6 years - Other business records: received commercial or business letters, copies of sent commercial or business letters, other documents to the extent they are relevant for taxation, e.g., hourly wage sheets, operating expense sheets, calculation documents, price labels, as well as payroll documents unless already booking vouchers, and cash register tapes (§ 147 para. 3 in conjunction with para. 1 nos. 2, 3, 5 AO, § 257 para. 1 nos. 2 and 3, para. 4 HGB).
  • 3 years - Data necessary to consider potential warranty and compensation claims or similar contractual claims and rights, as well as associated inquiries, based on previous business experience and common industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).


Rights of Data Subjects

Under the GDPR, you have various rights as a data subject, particularly arising from Articles 15 to 21 of the GDPR:

  1. Right to Object: You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. If your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  2. Right to Withdraw Consent: You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
  3. Right of Access: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and certain additional information according to legal requirements.
  4. Right to Rectification: You have the right to obtain the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
  5. Right to Erasure and Restriction of Processing: You have the right to obtain the erasure of personal data concerning you without undue delay, and the controller shall have the obligation to erase personal data without undue delay where certain legal grounds apply. You also have the right to obtain restriction of processing where certain legal grounds apply.
  6. Right to Data Portability: You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
  7. Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.


These rights can be exercised directly with the data controller or through authorized representatives as provided for under the GDPR.


Business Services

We process data of our contractual and business partners, such as customers and prospects (collectively referred to as "contractual partners"), within the framework of contractual and comparable legal relationships and related measures, as well as for communication with contractual partners (or pre-contractually), for example, to respond to inquiries.

We use this data to fulfill our contractual obligations. This includes in particular the obligations to provide the agreed services, any obligations to update, and to remedy any warranty and other service disruptions. Furthermore, we use the data to safeguard our rights and for the purposes of associated administrative tasks and organizational management. Additionally, we process the data on the basis of our legitimate interests in proper and efficient business management, as well as security measures to protect our contractual partners and our business operations against misuse, threats to their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Under applicable law, we only disclose data of contractual partners to third parties to the extent required for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about other forms of processing, such as for marketing purposes, within the framework of this privacy policy.

We inform contractual partners about which data is required for the aforementioned purposes before or during data collection, for example, in online forms, through special markings (e.g., colors) or symbols (e.g., asterisks), or personally.

We delete the data after the expiration of statutory warranty and comparable obligations, generally after four years, unless the data is stored in a customer account or must be retained for legal reasons (e.g., for tax purposes, usually ten years). Data disclosed to us by the contractual partner as part of an order will be deleted in accordance with the specifications and generally after the end of the order.

Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact details (e.g., postal and email addresses or phone numbers); Contract data (e.g., subject matter of the contract, duration, customer category); Usage data (e.g., page views and length of visit, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).

Data Subjects: Service recipients and contractors; Prospects, business and contractual partners.

Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Security measures; Communication; Office and organizational procedures; Organizational and administrative procedures; Business processes and commercial procedures.

Retention and Deletion: Deletion as indicated in the section "General Information on Data Storage and Deletion."

Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR); Legal obligation (Art. 6 (1) (c) GDPR); Legitimate interests (Art. 6 (1) (f) GDPR).

Further Information on Processing Processes, Procedures, and Services:

Online shop, order forms, e-commerce, and delivery: We process our customers' data to enable them to select, purchase, or order the selected products, goods, and associated services, as well as their payment and delivery or execution. If necessary for the execution of an order, we use service providers, especially postal, freight, and shipping companies, to carry out delivery or execution to our customers. We use the services of banks and payment service providers for the processing of payment transactions. The required information is marked as such within the framework of the order or comparable acquisition process and includes the information necessary for delivery, provision, and billing, as well as contact information for any inquiries; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR).


Use of Online Platforms for Sales and Distribution Purposes

We offer our services on online platforms operated by other service providers. In this context, in addition to our privacy policy, the privacy policies of the respective platforms apply. This particularly pertains to the execution of payment transactions and the methods employed on the platforms for measuring reach and interest-based marketing.

Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact details (e.g., postal and email addresses or phone numbers); Contract data (e.g., subject matter of the contract, duration, customer category); Usage data (e.g., page views and length of visit, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).

Data Subjects: Service recipients and contractors; Business and contractual partners.

Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Marketing; Business processes and commercial procedures.

Retention and Deletion: Deletion as indicated in the section "General Information on Data Storage and Deletion."

Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR); Legitimate interests (Art. 6 (1) (f) GDPR).

Additional Information on Processing Processes, Procedures, and Services:

Etsy: Online marketplace for e-commerce; Service provider: Etsy, Inc., 55 Washington Street, Suite 712, Brooklyn, NY 11201, USA; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.etsy.com/de. Privacy Policy: https://www.etsy.com/de/legal/privacy/?ref=ftr

For further details regarding the handling of personal data on Etsy, please refer to their specific privacy policy linked above. This includes information on data processing activities, legal bases, and rights available to users under the GDPR.


Payment Procedures

In the context of contractual and other legal relationships, based on legal obligations or otherwise on the basis of our legitimate interests, we offer affected individuals efficient and secure payment options, utilizing additional service providers alongside banks and financial institutions (collectively referred to as "payment service providers").

The data processed by these payment service providers include inventory data such as name and address, banking details including account or credit card numbers, passwords, TANs (transaction authentication numbers), checksums, as well as contract-related information, amounts, and recipient details. This information is necessary to execute transactions. However, the entered data is processed and stored exclusively by the payment service providers. This means we do not receive account or credit card-related information, but rather only information confirming or denying payment. Under certain circumstances, these data may be transmitted by the payment service providers to credit agencies for identity and credit checks. We refer to the terms and conditions and the privacy policies of the payment service providers for further details.

For payment transactions, the terms and conditions and privacy policies of the respective payment service providers apply, which are accessible within their respective websites or transaction applications. We also refer to these for additional information and for exercising withdrawal, information, and other data subject rights.

Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank connections, invoices, payment history); Contract data (e.g., contract subject matter, duration, customer category); Usage data (e.g., page views and length of visit, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved); Contact details (e.g., postal and email addresses or phone numbers).

Data Subjects: Service recipients and contractors; Business and contractual partners; Interested parties.

Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Business processes and commercial procedures.

Retention and Deletion: Deletion as indicated in the section "General Information on Data Storage and Deletion."

Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR); Legitimate interests (Art. 6 (1) (f) GDPR).

Further Information on Processing Processes, Procedures, and Services:

  • American Express: Payment services (technical integration of online payment methods); Service provider: American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR); Website: American Express; Privacy Policy: American Express Privacy Policy.
  • Apple Pay: Payment services (technical integration of online payment methods); Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR); Website: Apple Pay; Privacy Policy: Apple Privacy Policy.
  • Google Pay: Payment services (technical integration of online payment methods); Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR); Website: Google Pay; Privacy Policy: Google Privacy Policy.
  • Mastercard: Payment services (technical integration of online payment methods); Service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR); Website: Mastercard; Privacy Policy: Mastercard Privacy Policy.
  • PayPal: Payment services (technical integration of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR); Website: PayPal; Privacy Policy: PayPal Privacy Policy.
  • Visa: Payment services (technical integration of online payment methods); Service provider: Visa Europe Services Inc., branch London, 1 Sheldon Square, London W2 6TT, UK; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR); Website: Visa; Privacy Policy: Visa Privacy Policy. Basis of third-country transfers: Adequacy decision (UK).

For detailed information regarding how these payment service providers handle personal data, please refer to their respective privacy policies linked above. These policies provide insights into data processing activities, legal bases, and rights available to individuals under the GDPR.


Providing the Online Offering and Web Hosting

We process user data to provide our online services to them. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

Processed Data Types: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved persons); log data (e.g., log files concerning logins or data retrieval, access times); content data (e.g., textual or pictorial messages and posts, including information such as authorship or creation time).

Data Subjects: Users (e.g., website visitors, users of online services).

Purposes of Processing: Providing our online offering and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices such as computers, servers, etc.); security measures; provision of contractual services and fulfillment of contractual obligations.

Storage and Deletion: Deletion according to information provided in the section "General Information on Data Storage and Deletion."

Legal Basis: Legitimate interests (Art. 6 (1) (f) GDPR).

Further Information on Processing Processes, Procedures, and Services:

Online Offering Provision on Rented Storage Space: We use storage space, computing capacity, and software rented from a server provider (also known as a "web host") to provide our online offering; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR).

Collection of Access Data and Log Files: Access to our online offering is logged in the form of "server log files." Server log files may include the address and name of the accessed websites and files, date and time of access, data volumes transmitted, message about successful access, browser type and version, user's operating system, referrer URL (previously visited page), and usually IP addresses and requesting provider. Server log files may be used for security purposes, such as preventing server overload (especially in cases of abusive attacks like DDoS attacks), and ensuring server utilization and stability; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR). Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data necessary for evidence purposes are exempt from deletion until the final clarification of the respective incident.

Email Sending and Hosting: Our web hosting services also include the sending, receiving, and storage of emails. For these purposes, recipient and sender addresses as well as other information regarding email transmission (e.g., involved providers) and the contents of respective emails are processed. The aforementioned data may also be processed for spam detection purposes. Please note that emails are generally not encrypted when sent over the internet. Typically, emails are encrypted during transport, but (unless end-to-end encryption methods are used) not on the servers from which they are sent and received. Therefore, we cannot assume responsibility for the transmission path of emails between the sender and reception on our server; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR).

Content Delivery Network (CDN): We utilize a Content Delivery Network (CDN), which helps deliver content of an online offering, especially large media files like graphics or program scripts, faster and more securely using regionally distributed servers interconnected via the internet; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR).

1&1 IONOS: Services in the provision of IT infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: 1&1 IONOS; Privacy Policy: 1&1 IONOS Privacy Policy. Data Processing Agreement: 1&1 IONOS Data Processing Agreement.


Use of Cookies

Cookies are small text files or other storage technologies that store information on end devices and retrieve it from them. For example, they may store login status in a user account, shopping cart contents in an e-commerce shop, accessed content, or functions used in an online service. Cookies may also serve various purposes such as ensuring functionality, security, and convenience of online offerings, as well as generating analyses of visitor traffic.

Notice on Consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, unless it is not required under applicable laws. Permission is particularly unnecessary when storing and retrieving information, including cookies, is essential to provide users with a telemedia service (i.e., our online offering) explicitly requested by them. Revocable consent is clearly communicated to users and includes information about each specific use of cookies.

Notes on Legal Basis under Data Protection Law: The legal basis for processing users' personal data using cookies depends on whether we request their consent. If users accept, the legal basis for processing their data is the declared consent. Otherwise, data processed using cookies are based on our legitimate interests (e.g., in operating our online offering efficiently and improving its usability) or, if the use of cookies is necessary to fulfill our contractual obligations, the processing is based on contract performance. We clarify the purposes for which cookies are used during the consent and processing procedures as part of this privacy policy.

Storage Duration: Regarding storage duration, the following types of cookies are distinguished:

  • Temporary Cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their browser or mobile application.
  • Permanent Cookies: Permanent cookies remain stored even after closing the end device. For instance, they can store login status and display preferred content directly when a user revisits a website. Additionally, user data collected through cookies may be used for audience measurement purposes. If we do not provide specific information about the type and storage duration of cookies (e.g., as part of obtaining consent), users should assume they are permanent and can have a storage duration of up to two years.

General Notes on Revocation and Objection (Opt-out): Users can revoke their consent at any time and also object to processing in accordance with legal requirements, including through their browser's privacy settings.

Processed Data Types: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).

Data Subjects: Users (e.g., website visitors, users of online services).

Legal Bases: Legitimate interests (Art. 6 (1) (f) GDPR), Consent (Art. 6 (1) (a) GDPR).

Further Information on Processing Processes, Procedures, and Services:

Processing of cookie data based on consent: We use a consent management solution to obtain user consent for the use of cookies or the processes and providers mentioned within the consent management solution. This process facilitates the acquisition, logging, management, and revocation of consents, particularly regarding the use of cookies and similar technologies used to store, retrieve, and process information on users' devices. Users also have the option to manage and revoke their consents. Consent declarations are stored to avoid repeated queries and to comply with legal requirements for proof of consent. Storage occurs on the server side and/or in a cookie (known as an opt-in cookie) or similar technologies to assign consent to a specific user or device. If specific information about consent management service providers is not provided, the following general notes apply: The duration of consent storage is up to two years. A pseudonymous user identifier is created, which is stored alongside the timestamp of consent, details of the consent scope (e.g., categories of cookies and/or service providers concerned), and information about the browser, system, and device used.

Legal Basis: Consent (Art. 6 (1) (a) GDPR).

For detailed information on how these cookies and similar technologies are used, please refer to our privacy policy or consent management processes. These documents provide insights into processing activities, legal bases, and rights available to individuals under the GDPR.


Contact and Inquiry Management

When contacting us (e.g., via post, contact form, email, telephone, or social media) or within existing user and business relationships, the information of the requesting individuals is processed as necessary to respond to the contact inquiries and any requested measures.

Processed Data Types: Inventory data (e.g., full name, address, contact information, customer number, etc.); Contact details (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or pictorial messages and posts as well as the information concerning them, such as authorship details or creation timestamps); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).

Data Subjects: Communication partners.

Purposes of Processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online forms); provision of our online offerings and user-friendliness.

Storage and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."

Legal Bases: Legitimate interests (Art. 6 (1) (f) GDPR); contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR).

Additional Notes on Processing Processes, Procedures, and Services:

Contact Form: When contacting us via our contact form, email, or other communication channels, we process the personal data transmitted to us to respond to and process the respective inquiry. This typically includes information such as name, contact information, and any additional information provided to us that is necessary for appropriate handling. We use this data exclusively for the specified purpose of contact and communication.

Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR); legitimate interests (Art. 6 (1) (f) GDPR).

For further details on how we handle contact inquiries, please refer to our privacy policy or related consent processes, where we outline our processing activities, legal bases, and the rights available to individuals under the GDPR.


Communication via Messenger

For the purpose of communication, we use messenger services. Please take note of the following information regarding the functionality of these messengers, encryption, the use of communication metadata, and your options to object.

You can also contact us through alternative means such as telephone or email. Please use the contact information provided to you or the contact options specified within our online offerings.

In the case of end-to-end encryption of content (i.e., the content of your messages and attachments), we emphasize that communication contents (i.e., the content of messages and attached images) are encrypted end-to-end. This means that the content of messages is not viewable, not even by the messenger providers themselves. It is essential to always use an updated version of the messenger with encryption enabled to ensure the encryption of message contents.

However, we additionally inform our communication partners that while messenger providers cannot view the content, they may obtain information about when communication partners interact with us and technical details about the devices used by communication partners, including potentially location information (metadata), depending on their device settings.

Legal Basis Notes: If we request consent from communication partners before communicating with them via messenger, the legal basis for processing their data is their consent. Otherwise, if we do not seek consent and they initiate contact with us, we use messengers in relation to our contractual partners and as part of contract initiation as a contractual measure. For other interested parties and communication partners, we use messengers based on our legitimate interests in efficient communication and meeting the communication needs of our partners. Furthermore, we do not transmit contact details to messengers without your consent.

Revocation, Objection, and Deletion: You can revoke your consent at any time.

Processed Data Types: Contact details (e.g., postal and email addresses or phone numbers); content data (e.g., textual or pictorial messages and posts as well as the information concerning them, such as authorship details).

Data Subjects: Communication partners.

Purposes of Processing: Communication.

Storage and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."

Legal Bases: Consent (Art. 6 (1) (a) GDPR); contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR); legitimate interests (Art. 6 (1) (f) GDPR).


Web Analysis, Monitoring, and Optimization

We conduct web analysis (also known as "reach measurement") to evaluate visitor flows to our online offering. This can include pseudonymous data such as behavior, interests, or demographic information about visitors, such as age or gender. Through reach analysis, we can identify peak usage times of our online offering or its features and contents, as well as areas that require optimization.

In addition to web analysis, we may use testing procedures to test and optimize different versions of our online offering or its components.

Unless otherwise stated below, profiles may be created for these purposes, which aggregate data related to user interactions, and information may be stored in a browser or device and then read. The collected information may include visited websites and elements used on those websites, as well as technical details such as the browser used, the computer system used, and information regarding usage times. If users have consented to the collection of their location data with us or with the providers of the services we use, the processing of location data is also possible.

Furthermore, user IP addresses are stored. However, we use IP masking (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear data of users (such as email addresses or names) are stored in the context of web analysis, A/B testing, and optimization, but rather pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, only the information stored in their profiles for the respective procedures.

Legal Basis: If we ask users for their consent to use third-party services, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.

Processed Data Types: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved persons).

Data Subjects: Users (e.g., website visitors, users of online services).

Purposes of Processing: Reach measurement (e.g., access statistics, identification of recurring visitors); profiles with user-related information (creation of user profiles); providing our online offering and user-friendliness.

Storage and Deletion: Deletion according to information provided in the section "General Information on Data Storage and Deletion." Storage of cookies for up to 2 years, unless otherwise stated.

Security Measures: IP masking (pseudonymization of the IP address).

Additional Information on Processing Processes, Procedures, and Services:

Google Analytics: We use Google Analytics to measure and analyze the usage of our online offering based on a pseudonymous user identification number. This identification number does not contain unique data such as names or email addresses. It is used to assign analysis information to a device, in order to recognize which content users accessed within one or various usage sessions, which search terms they used, whether they accessed these again, or whether they interacted with our online offering. The time of use and its duration are also stored, as well as the sources of users referring to our online offering and technical aspects of their devices and browsers.

Pseudonymous user profiles are created using information from the usage of various devices, where cookies may be used. Google Analytics does not log and store individual IP addresses for EU users. However, it provides approximate geographic location data by deriving the following metadata from IP addresses: city (and derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is used solely for deriving geolocation data before being immediately deleted. They are not logged, accessible, or used for further purposes. When Google Analytics collects measurement data, all IP queries are conducted on EU-based servers before traffic is forwarded for processing to Analytics servers.

Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Legal Basis: Consent (Art. 6 (1) (a) GDPR).

Website: Google Analytics

Security Measures: IP masking (pseudonymization of the IP address).

Privacy Policy: Google Privacy Policy

Data Processing Agreement: Google Ads Data Processing Terms

Basis for Third-Country Transfers: Data Privacy Framework (DPF).

Opt-Out Options: Opt-Out Plugin, Ad Display Settings

Further Information: Google Ads Services

This section outlines the procedures and legal foundations for conducting web analysis, A/B testing, and optimization on our online platform, ensuring compliance with data protection regulations and providing transparency regarding the processing of user data.


Social Media Presences

We maintain online presences within social networks and process user data within this framework to communicate with active users or to provide information about us.

Please note that user data may be processed outside the European Union in this context. This may pose risks for users, as enforcement of user rights, for example, could be more challenging.

Furthermore, user data within social networks is typically processed for market research and advertising purposes. For instance, usage behavior and resulting user interests may be used to create user profiles. These profiles may in turn be used to display advertisements within and outside the networks that presumably correspond to the users' interests. Therefore, cookies are generally stored on users' computers, containing information about users' usage behavior and interests. Additionally, data may be stored in the user profiles independently of the devices used by users (especially if they are members of the respective platforms and logged in).

For a detailed presentation of the respective processing methods and opt-out options, please refer to the privacy policies and information provided by the operators of the respective networks.

Even in the case of information requests and the assertion of data subject rights, we would like to emphasize that these can be most effectively asserted with the providers. Only they have access to the user data and can directly take appropriate measures and provide information. Should you still require assistance, you can contact us.

Processed Data Types: Contact details (e.g., postal and email addresses or phone numbers); content data (e.g., textual or pictorial messages and posts as well as the information concerning them, such as authorship details or creation timestamps); usage data (e.g., page views and duration, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions).

Data Subjects: Users (e.g., website visitors, users of online services).

Purposes of Processing: Communication; feedback (e.g., collecting feedback via online forms); public relations.

Storage and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."

Legal Basis: Legitimate interests (Art. 6 (1) (f) GDPR).

Further Information on Processing Processes, Procedures, and Services:

Instagram: Social network allowing for sharing photos and videos, commenting and favoring posts, messaging, subscribing to profiles and pages.

  • Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
  • Legal Basis: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Website: Instagram
  • Privacy Policy: Instagram Privacy Policy
  • Basis for Third-Country Transfers: Data Privacy Framework (DPF).

This section outlines our approach to maintaining presences on social networks and how user data is processed in these contexts, highlighting the importance of understanding privacy policies and opt-out mechanisms provided by the network operators.


Plug-ins and Embedded Functions and Contents

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include graphics, videos, or maps (hereinafter uniformly referred to as "content").

The integration always requires that the third-party providers of this content process the IP address of the users, as they could not send the content to their browser without the IP address. The IP address is therefore necessary for displaying these contents or functions. We strive to use only those contents whose respective providers use the IP address solely for delivering the contents.

Furthermore, third-party providers may use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Pixel tags allow for the evaluation of information such as visitor traffic on the pages of this website. Pseudonymous information may also be stored in cookies on users' devices, containing technical information about the browser and operating system, referring websites, visit times, and other details about the use of our online offering, which may also be linked to such information from other sources.

Legal Basis Notes: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.

Processed Data Types: Usage data (e.g., page views and duration, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved).

Data Subjects: Users (e.g., website visitors, users of online services).

Purposes of Processing: Provision of our online offering and user-friendliness.

Storage and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion." Storage of cookies for up to 2 years (Unless otherwise specified, cookies and similar storage methods can be stored on users' devices for a period of two years).

Legal Basis: Consent (Art. 6 (1) (a) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Further Information on Processing Processes, Procedures, and Services:

Google Fonts (Provided on our own server): Provision of font files for user-friendly display of our online offering. Service provider: Google Fonts are hosted on our server, no data is transmitted to Google. Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR).

Google Fonts (Obtained from Google Server): Obtaining fonts (and symbols) for the purpose of technically secure, maintenance-free, and efficient use of fonts and symbols with regard to updating and loading times, their uniform display, and consideration of possible licensing restrictions. The provider of the fonts is informed of the user's IP address so that the fonts can be made available in the user's browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) necessary for providing the fonts depending on the devices used and the technical environment is transmitted. This data may be processed on a server of the font provider in the USA. When users visit our online offering, their browser sends HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving fonts). The Google Fonts Web API provides users with Google Fonts' Cascading Style Sheets (CSS) and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent describing the browser and operating system versions of the website visitors, as well as the referring URL (i.e., the webpage where the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers and are not analyzed. The Google Fonts Web API logs details of HTTP requests (requested URL, user agent, and referring URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a particular font family is requested. The Google Fonts Web API must adjust the user agent to generate the font for the specific browser type. The user agent is primarily logged for debugging and used to generate aggregated usage statistics that measure the popularity of font families. These aggregated usage statistics are published on the Google Fonts "Analytics" page. Finally, the referring URL is logged so that the data can be used for production maintenance and to generate an aggregated report on top integrations based on the number of font requests. According to Google's own information, none of the information collected by Google Fonts is used to create profiles of end-users or to display targeted advertisements. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR). Website: Google Fonts. Privacy Policy: Google Privacy Policy. Basis for Third-Country Transfers: Data Privacy Framework (DPF). More Information: Google Fonts FAQ.

This section describes how we integrate external content and functionalities into our online services, emphasizing the necessity of IP addresses for such integrations and the processing purposes related to cookies and usage data.


Definitions of Terms

In this section, you will find an overview of the terminologies used in this privacy policy. Where these terms are legally defined, their legal definitions apply. The following explanations are primarily intended to aid understanding.

Inventory Data: Inventory data includes essential information necessary for the identification and management of contractual partners, user accounts, profiles, and similar associations. These data may include personal and demographic details such as names, contact information (addresses, phone numbers, email addresses), birth dates, and specific identifiers (user IDs). Inventory data form the basis for any formal interaction between individuals and services, institutions, or systems by enabling clear identification and communication.

Content Data: Content data encompasses information generated during the creation, editing, and publication of content of all kinds. This category of data can include texts, images, videos, audio files, and other multimedia content published across various platforms and media. Content data not only pertains to the actual content but also includes metadata providing information about the content itself, such as tags, descriptions, author information, and publication dates.

Contact Data: Contact data comprises essential information that facilitates communication with individuals or organizations. It includes phone numbers, postal addresses, email addresses, as well as communication methods like social media handles and instant messaging identifiers.

Meta, Communication, and Process Data: Meta, communication, and process data include information about how data is processed, transmitted, and managed. Metadata, also known as data about data, describes information that outlines the context, origin, and structure of other data. It may include details like file sizes, creation dates, document authors, and revision histories. Communication data captures the exchange of information between users across various channels, such as email exchanges, call logs, social media messages, and chat histories, including participants, timestamps, and transmission paths. Process data describes the procedures and workflows within systems or organizations, including workflow documentation, transaction logs, activities, and audit logs used for tracking and verifying operations.

Usage Data: Usage data refers to information that captures how users interact with digital products, services, or platforms. These data encompass a wide range of information indicating how users use applications, which features they prefer, how long they stay on specific pages, and the paths they navigate through an application. Usage data can also include frequency of use, activity timestamps, IP addresses, device information, and location data. They are particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. Additionally, usage data play a crucial role in identifying trends, preferences, and potential issues within digital offerings.

Personal Data: "Personal data" refers to any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Profiles with User-related Information: The processing of "profiles with user-related information," or simply "profiles," includes any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person (depending on the type of profiling, this may include demographic information, behavior, and interests, such as interaction with websites and their content, etc.) to analyze or predict aspects concerning that natural person's performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Log Data: Log data refers to information about events or activities that have been logged in a system or network. Typically, these data include details such as timestamps, IP addresses, user actions, error messages, and other operational details about the use or operation of a system. Log data are often used for system problem analysis, security monitoring, or performance reporting.

Reach Measurement: Reach measurement (also known as web analytics) is used to evaluate visitor flows to an online offering and may include the behavior or interests of visitors in specific information, such as website content. Reach analysis enables operators of online offerings to determine, for example, when users visit their websites and what content they are interested in. This allows them to better tailor website content to the needs of their visitors. Pseudonymous cookies and web beacons are often used for reach analysis purposes to recognize returning visitors and obtain more precise analyses of the use of an online offering.

Controller: The "controller" is the natural or legal person, authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data.

Processing: "Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Contract Data: Contract data refers to specific information relating to the formalization of an agreement between two or more parties. They document the conditions under which services or products are provided, exchanged, or sold. This data category is essential for managing and fulfilling contractual obligations and includes identification of the contracting parties as well as the specific terms and conditions of the agreement. Contract data may encompass start and end dates of the contract, the nature of the agreed services or products, price agreements, payment terms, termination rights, extension options, and specific terms or clauses. They serve as the legal basis for the relationship between the parties and are crucial for clarifying rights and obligations, enforcing claims, and resolving disputes.

Payment Data: Payment data includes all information required for processing payment transactions between buyers and sellers. This data is critical for electronic commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank account details, payment amounts, transaction data, verification numbers, and invoice information. Payment data may also encompass information regarding payment status, chargebacks, authorizations, and fees.
