Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) we process, for what purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our website, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offering”).

The terms used are not gender-specific.

Controller

Overview of Processing

Types of Data Processed

• Master data (e.g. name, address)
• Contact data (e.g. email address, phone number)
• Content data (e.g. messages, enquiries)
• Usage data (e.g. page views, time spent on site)
• Meta, communication and procedural data (e.g. IP addresses, timestamps)
• Log data

Categories of Data Subjects

• Communication partners
• Users (e.g. website visitors, users of online services)

Purposes of Processing

• Communication and responding to enquiries
• Security measures
• Reach measurement and tracking
• Target group formation and marketing
• Provision of our online offering and user experience
• IT infrastructure

Legal Bases

We process personal data on the following legal bases under the GDPR:

• Consent (Art. 6(1)(a) GDPR) — The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Contract performance (Art. 6(1)(b) GDPR) — Processing is necessary for the performance of a contract to which the data subject is party.
• Legal obligation (Art. 6(1)(c) GDPR) — Processing is necessary for compliance with a legal obligation.
• Legitimate interests (Art. 6(1)(f) GDPR) — Processing is necessary for the purposes of the legitimate interests pursued by us, except where such interests are overridden by the interests of the data subject.

In addition to EU GDPR requirements, German national data protection law (BDSG — Bundesdatenschutzgesetz) applies.

Security Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including measures to ensure the confidentiality, integrity and availability of data.

TLS/SSL encryption (HTTPS): Our website uses TLS/SSL encryption to protect the transmission of your data, indicated by the HTTPS prefix in the URL.

Transfer of Personal Data

In the course of our processing, data may be transferred to other parties, such as IT service providers or providers of services embedded in our website. In such cases, we enter into appropriate contracts to protect your data.

International Data Transfers

Where we transfer data to a third country (outside the EU/EEA), we do so in accordance with legal requirements. For transfers to the USA, we rely primarily on the Data Privacy Framework (DPF). Where applicable, we also rely on standard contractual clauses.

Data Retention and Deletion

We delete personal data as soon as the underlying consent is withdrawn or there is no longer a legal basis for processing. Exceptions apply where legal obligations require longer retention (e.g. commercial and tax retention obligations of 6–10 years).

Rights of Data Subjects

As a data subject, you have the following rights under the GDPR:

• Right to object: You have the right to object at any time to the processing of your personal data.
• Right to withdraw consent: You have the right to withdraw consent at any time.
• Right of access: You have the right to obtain information about the data we process about you.
• Right to rectification: You have the right to request the correction of inaccurate data.
• Right to erasure: You have the right to request the deletion of your data, where no legal retention obligations apply.
• Right to data portability: You have the right to receive your data in a structured, commonly used format.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence.

  Supervisory authority for Berlin:
  Berliner Beauftragte für Datenschutz und Informationsfreiheit,
  Friedrichstr. 219, 10969 Berlin, Germany
  www.datenschutz-berlin.de

Provision of the Online Offering and Web Hosting

We process users’ IP addresses in order to provide our online services. Our online offering is hosted on the servers of a web hosting provider.

Access data and log files: Access to our online offering is logged in the form of server log files, containing IP addresses, timestamps, browser type and pages accessed. Log file information is stored for a maximum of 30 days and then deleted or anonymised.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)

Use of Cookies

We use cookies in accordance with legal requirements. Where necessary, we obtain prior consent from users.

Types of cookies:

• Temporary cookies (session cookies): Deleted after the user leaves the online offering and closes their browser.
• Permanent cookies: Remain stored after the browser is closed, typically for up to 2 years.

Users may withdraw consent at any time via our cookie banner.

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Consent (Art. 6(1)(a) GDPR)

Blog and Publication Media

We operate a blog on our website. Readers’ data is only processed to the extent necessary for the display of the blog and communication purposes.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)

Contact and Enquiry Management

When you contact us (e.g. by email or via WhatsApp), the information provided is processed to the extent necessary to respond to your enquiry.

• Data processed: Contact data; content data; meta and communication data
• Legal bases: Contract performance (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR)

WhatsApp: For communication via WhatsApp, Meta’s privacy policy applies: www.whatsapp.com/legal/privacy-policy

Online Marketing

We process personal data for the purposes of online marketing, in particular for the display of advertisements and measurement of their effectiveness.

Meta Pixel (Facebook Pixel)

We use the “Meta Pixel” provided by Meta on our website. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. The Meta Pixel allows us to track the behaviour of visitors to our website after they have been redirected to our site by clicking on a Meta advertisement. This allows us to measure the effectiveness of our Meta advertisements for statistical and market research purposes and to optimise our advertising.

The data collected in this way is anonymous to us — we cannot draw any conclusions about the identity of users. However, the data is stored and processed by Meta, allowing Meta to connect it to your profile and use it for its own advertising purposes.

The Meta Pixel is only used on the basis of your explicit consent under Art. 6(1)(a) GDPR. Consent can be withdrawn at any time.

• Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
• Website: www.facebook.com
• Privacy policy: facebook.com/privacy/policy
• Basis for third-country transfers: Data Privacy Framework (DPF)
• Opt-out: facebook.com/settings?tab=ads
• Data processed: Usage data; meta and communication data
• Purposes: Reach measurement; tracking; target group formation; marketing; conversion measurement
• Retention: Up to 2 years (permanent cookies)
• Legal basis: Consent (Art. 6(1)(a) GDPR)

Plugins and Embedded Content

We embed functional and content elements in our online offering that are sourced from the servers of their respective providers.

YouTube Videos

• Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
• Website: www.youtube.com
• Privacy policy: policies.google.com/privacy
• Basis for third-country transfers: Data Privacy Framework (DPF)
• Opt-out: tools.google.com/dlpage/gaoptout
• Legal basis: Consent (Art. 6(1)(a) GDPR)

Changes and Updates

We will update this privacy policy whenever changes to our data processing activities make this necessary. We will inform you when changes require any action on your part. Please check this privacy policy regularly for the current version.

Definitions

• Personal data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation performed on personal data, e.g. collection, storage, transmission or deletion.
• Controller: The natural or legal person that determines the purposes and means of the processing of personal data.
• Consent: A freely given, informed and unambiguous indication of the data subject’s wishes.
• Tracking: Tracking the behaviour of users across multiple online offerings, typically using cookies.
• Reach measurement: Analysis of visitor flows to an online offering (also: web analytics).