Privacy Policy Introduction and Overview

We have written this privacy policy (version 13.11.2024-122906385) in order to explain to you, in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (data for short) we as the controller – and the processors commissioned by us (e.g. providers) – process, will process in the future and what legal options you have. The terms used are to be considered gender-neutral.
In short: We provide you with comprehensive information about any of your personal data we process.

Privacy policies usually sound very technical and use legal terminology. However, this privacy policy is intended to describe the most important things to you as simply and transparently as possible. So long as it aids transparency, technical terms are explained in a reader-friendly manner, links to further information are provided and graphics are used. We are thus informing in clear and simple language that we only process personal data in the context of our business activities if there is a legal basis for it. This is certainly not possible with brief, unclear and legal-technical statements, as is often standard on the internet when it comes to data protection. I hope you find the following explanations interesting and informative. Maybe you will also find some information that you have not been familiar with.
If you still have questions, we kindly ask you to contact the responsible body named below or in the imprint, follow the existing links and look at further information on third-party sites. You can of course also find our contact details in the imprint.

Scope

This privacy policy applies to all personal data processed by our company and to all personal data processed by companies commissioned by us (processors). With the term personal data, we refer to information within the meaning of Article 4 No. 1 GDPR, such as the name, email address and postal address of a person. The processing of personal data ensures that we can offer and invoice our services and products, be it online or offline. The scope of this privacy policy includes:

  • all online presences (websites, online shops) that we operate
  • Social media presences and email communication
  • mobile apps for smartphones and other devices

In short: This privacy policy applies to all areas in which personal data is processed in a structured manner by the company via the channels mentioned. Should we enter into legal relations with you outside of these channels, we will inform you separately if necessary.

Legal bases

In the following privacy policy, we provide you with transparent information on the legal principles and regulations, i.e. the legal bases of the General Data Protection Regulation, which enable us to process personal data.
Whenever EU law is concerned, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016. You can of course access the General Data Protection Regulation of the EU online at EUR-Lex, the gateway to EU law, at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679.

We only process your data if at least one of the following conditions applies:

  1. Consent (Article 6 Paragraph 1 lit. a GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of data you entered into a contact form.
  2. Contract (Article 6 Paragraph 1 lit. b GDPR): We process your data in order to fulfill a contract or pre-contractual obligations with you. For example, if we conclude a sales contract with you, we need personal information in advance.
  3. Legal obligation (Article 6 Paragraph 1 lit. c GDPR): If we are subject to a legal obligation, we will process your data. For example, we are legally required to keep invoices for our bookkeeping. These usually contain personal data.
  4. Legitimate interests (Article 6 Paragraph 1 lit. f GDPR): In the case of legitimate interests that do not restrict your basic rights, we reserve the right to process personal data. For example, we have to process certain data in order to be able to operate our website securely and economically. Therefore, the processing is a legitimate interest.

Other conditions such as making recordings in the interest of the public, the exercise of official authority as well as the protection of vital interests do not usually occur with us. Should such a legal basis be relevant, it will be disclosed in the appropriate place.

In addition to the EU regulation, national laws also apply:

  • In Austria this is the Austrian Data Protection Act (Datenschutzgesetz), in short DSG.
  • In Germany this is the Federal Data Protection Act (Bundesdatenschutzgesetz), in short BDSG.

Should other regional or national laws apply, we will inform you about them in the following sections.

Contact details of the data protection controller

If you have any questions about data protection, you will find the contact details of the responsible person or controller below:

brandgroup Kommunikation und digitale Medien GmbH
Franckstraße 45, 4020 Linz, Austria
Mail: office(at)brandgroup.at
Tel. +34 (670) 191 91 41

Storage Period

It is a general criterion for us to store personal data only for as long as is absolutely necessary for the provision of our services and products. This means that we delete personal data as soon as any reason for the data processing no longer exists. In some cases, we are legally obliged to keep certain data stored even after the original purpose no longer exists, such as for accounting purposes.

If you want your data to be deleted or if you want to revoke your consent to data processing, the data will be deleted as soon as possible, provided there is no obligation to continue its storage.

We will inform you below about the specific duration of the respective data processing, provided we have further information.

Rights in accordance with the General Data Protection Regulation

In accordance with Articles 13, 14 of the GDPR, we inform you about the following rights you have to ensure fair and transparent processing of data:

  • According to Article 15 DSGVO, you have the right to information about whether we are processing data about you. If this is the case, you have the right to receive a copy of the data and to know the following information:
    • for what purpose we are processing;
    • the categories, i.e. the types of data that are processed;
    • who receives this data and if the data is transferred to third countries, how security can be guaranteed;
    • how long the data will be stored;
    • the existence of the right to rectification, erasure or restriction of processing and the right to object to processing;
    • that you can lodge a complaint with a supervisory authority (links to these authorities can be found below);
    • the origin of the data if we have not collected it from you;
    • Whether profiling is carried out, i.e. whether data is automatically evaluated to arrive at a personal profile of you.
  • You have a right to rectification of data according to Article 16 GDPR, which means that we must correct data if you find errors.
  • You have the right to erasure (“right to be forgotten”) according to Article 17 GDPR, which specifically means that you may request the deletion of your data.
  • According to Article 18 of the GDPR, you have the right to restriction of processing, which means that we may only store the data but not use it further.
  • According to Article 20 of the GDPR, you have the right to data portability, which means that we will provide you with your data in a standard format upon request.
  • According to Article 21 DSGVO, you have the right to object, which entails a change in processing after enforcement.
    • If the processing of your data is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interest), you may object to the processing. We will then check as soon as possible whether we can legally comply with this objection.
    • If data is used to conduct direct advertising, you may object to this type of data processing at any time. We may then no longer use your data for direct marketing.
    • If data is used to conduct profiling, you may object to this type of data processing at any time. We may no longer use your data for profiling thereafter.
  • According to Article 22 of the GDPR, you may have the right not to be subject to a decision based solely on automated processing (for example, profiling).
  • You have the right to lodge a complaint under Article 77 of the GDPR. This means that you can complain to the data protection authority at any time if you believe that the data processing of personal data violates the GDPR.

In short: you have rights – do not hesitate to contact the responsible party listed above with us!

If you believe that the processing of your data violates data protection law or your data protection rights have been violated in any other way, you can complain to the supervisory authority. For Austria, this is the data protection authority, whose website can be found at https://www.dsb.gv.at/. In Germany, there is a data protection officer for each federal state. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The following local data protection authority is responsible for our company:

Austria Data protection authority

Manager:Dr. Matthias Schmidl
Address:
Barichgasse 40-42, 1030 Wien
Phone number.:
+43 1 52 152-0
E-mail address:
dsb@dsb.gv.at
Website:
https://www.dsb.gv.at/

Security of data processing operations

In order to protect personal data, we have implemented both technical and organisational measures. We encrypt or pseudonymise personal data wherever this is possible. Thus, we make it as difficult as we can for third parties to extract personal information from our data.

Article 25 of the GDPR refers to “data protection by technical design and by data protection-friendly default” which means that both software (e.g. forms) and hardware (e.g. access to server rooms) appropriate safeguards and security measures shall always be placed. If applicable, we will outline the specific measures below.

TLS encryption with https

The terms TLS, encryption and https sound very technical, which they are indeed. We use HTTPS (Hypertext Transfer Protocol Secure) to securely transfer data on the Internet.
This means that the entire transmission of all data from your browser to our web server is secured – nobody can “listen in”.

We have thus introduced an additional layer of security and meet privacy requirements through technology design Article 25 Section 1 GDPR). With the use of TLS (Transport Layer Security), which is an encryption protocol for safe data transfer on the internet, we can ensure the protection of confidential information.
You can recognise the use of this safeguarding tool by the little lock-symbol , which is situated in your browser’s top left corner in the left of the internet address (e.g. examplepage.uk), as well as by the display of the letters https (instead of http) as a part of our web address.
If you want to know more about encryption, we recommend you to do a Google search for “Hypertext Transfer Protocol Secure wiki” to find good links to further information.

Communications

Communications Overview
👥 Affected parties: Anyone who communicates with us via phone, email or online form
🤝 Processed data: e. g. telephone number, name, email address or data entered in forms. You can find more details on this under the respective form of contact
📓 Purpose: handling communication with customers, business partners, etc.
📅 Storage duration: for the duration of the business case and the legal requirements
⚖️ Legal basis: Article 6 (1) (a) GDPR (consent), Article 6 (1) (b) GDPR (contract), Article 6 (1) (f) GDPR (legitimate interests)

If you contact us and communicate with us via phone, email or online form, your personal data may be processed.

The data will be processed for handling and processing your request and for the related business transaction. The data is stored for this period of time or for as long as is legally required.

Affected persons

The above-mentioned processes affect all those who seek contact with us via the communication channels we provide.

Telephone

When you call us, the call data is stored in a pseudonymised form on the respective terminal device, as well as by the telecommunications provider that is being used. In addition, data such as your name and telephone number may be sent via email and stored for answering your inquiries. The data will be erased as soon as the business case has ended and the legal requirements allow for its erasure.

Email

If you communicate with us via email, your data is stored on the respective terminal device (computer, laptop, smartphone, …) as well as on the email server. The data will be deleted as soon as the business case has ended and the legal requirements allow for its erasure.

Online forms

If you communicate with us using an online form, your data is stored on our web server and, if necessary, forwarded to our email address. The data will be erased as soon as the business case has ended and the legal requirements allow for its erasure.

Legal bases

Data processing is based on the following legal bases:

  • Art. 6 para. 1 lit. a GDPR (consent): You give us your consent to store your data and to continue to use it for the purposes of the business case;
  • Art. 6 para. 1 lit. b GDPR (contract): For the performance of a contract with you or a processor such as a telephone provider, or if we have to process the data for pre-contractual activities, such as preparing an offer;
  • Art. 6 para. 1 lit. f GDPR (legitimate interests): We want to conduct our customer inquiries and business communication in a professional manner. Thus, certain technical facilities such email programs, Exchange servers and mobile network operators are necessary to efficiently operate our communications.

Data Processing Agreement (DPA)

In this section, we would like to explain what a Data Processing Agreement is and why it is needed. As the term “Data Processing Agreement” is quite lengthy, we will often only use the acronym DPA here in this text. Like most companies, we do not work alone, but also use the services of other companies or individuals. By involving different companies or service providers, we may pass on personal data for processing. These partners then act as processors with whom we conclude a contract, the so-called Data Processing Agreement (DPA). Most importantly for you to know is that any processing of your personal data takes place exclusively according to our instructions and must be regulated by the DPA.

Who are the processors?

As a company and website owner, we are responsible for any of your data that is processed by us. In addition to the controller, there may also be so-called processors involved. This includes any company or person who processes your personal data. More precisely and according to the GDPR’s definition, this means: Any natural or legal person, authority, institution or other entity that processes your personal data is considered a processor. Processors can therefore be service providers such as hosting or cloud providers, payment or newsletter providers or large companies such as Google or Microsoft.

To make the terminology easier to comprehend, here is an overview of the GDPR’s three roles:

Data subject (you as a customer or interested party) → Controller (we as a company and contracting entity) → Processors (service providers such as web hosts or cloud providers)

Contents of a Data Processing Agreement

As mentioned above, we have concluded a DPA with our partners who act as processors. First and foremost, it states that the processor processes the data exclusively in accordance with the GDPR. The contract must be concluded in writing, although an electronic contract completion is also considered a “written contract”. Any processing of personal data only takes place after this contract is concluded. The contract must contain the following:

  • indication to us as the controller
  • obligations and rights of the controller
  • categories of data subjects
  • type of personal data
  • type and purpose of data processing
  • subject and duration of data processing
  • location of data processing

Furthermore, the contract contains all obligations of the processor. The most important obligations are:

  • ensuring data security measures
  • taking possible technical and organisational measures to protect the rights of the data subject
  • maintaining a data processing record
  • cooperation with the data protection authority upon request
  • performing a risk analysis for any received personal data
  • subprocessors may only be appointed with the written consent of the controller

You can see an example of what a DPA looks like at https://gdpr.eu/data-processing-agreement/. This link shows a sample contract.

Cookies

Cookies Overview
👥 Affected parties: visitors to the website
🤝 Purpose: depending on the respective cookie. You can find out more details below or from the software manufacturer that sets the cookie.
📓 Processed data: depends on the cookie used. More details can be found below or from the manufacturer of the software that sets the cookie.
📅 Storage duration: can vary from hours to years, depending on the respective cookie
⚖️ Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)

What are cookies?

Our website uses HTTP-cookies to store user-specific data.
In the following we explain what cookies are and why they are used, so that you can better understand the following privacy policy.

Whenever you surf the Internet, you are using a browser. Common browsers are for example, Chrome, Safari, Firefox, Internet Explorer and Microsoft Edge. Most websites store small text-files in your browser. These files are called cookies.

It is important to note that cookies are very useful little helpers. Almost every website uses cookies. More precisely, these are HTTP cookies, as there are also other cookies for other uses. HTTP cookies are small files that our website stores on your computer. These cookie files are automatically placed into the cookie-folder, which is the “brain” of your browser. A cookie consists of a name and a value. Moreover, to define a cookie, one or multiple attributes must be specified.

Cookies store certain user data about you, such as language or personal page settings. When you re-open our website to visit again, your browser submits these “user-related” information back to our site. Thanks to cookies, our website knows who you are and offers you the settings you are familiar to. In some browsers, each cookie has its own file, while in others, such as Firefox, all cookies are stored in one single file.

The following graphic shows a possible interaction between a web browser such as Chrome and the web server. The web browser requests a website and receives a cookie back from the server. The browser then uses this again as soon as another page is requested.

HTTP cookie interaction between browser and web server

There are both first-party cookies and third-party cookies. First-party cookies are created directly by our site, while third-party cookies are created by partner-websites (e.g. Google Analytics). Each cookie must be evaluated individually, as each cookie stores different data. The expiry time of a cookie also varies from a few minutes to a few years. Cookies are not software programs and do not contain viruses, trojans or other malware. Cookies also cannot access your PC’s information.

This is an example of how cookie-files can look:

Name: _ga
Value: GA1.2.1326744211.152122906385-9
Purpose: Differentiation between website visitors
Expiry date: after 2 years

A browser should support these minimum sizes:

  • At least 4096 bytes per cookie
  • At least 50 cookies per domain
  • At least 3000 cookies in total

Which types of cookies are there?

The exact cookies that we use, depend on the used services, which will be outlined in the following sections of this privacy policy. Firstly, we will briefly focus on the different types of HTTP-cookies.

There are 4 different types of cookies:

Essential cookies
These cookies are necessary to ensure the basic functions of a website. They are needed when a user for example puts a product into their shopping cart, then continues surfing on different websites and comes back later in order to proceed to the checkout. These cookies ensure the shopping cart does not get deleted, even if the user closes their browser window.

Purposive cookies
These cookies collect information about user behaviour and whether the user receives any error messages. Furthermore, these cookies record the website’s loading time as well as its behaviour in different browsers.

Target-orientated cookies
These cookies ensure better user-friendliness. Thus, information such as previously entered locations, fonts sizes or data in forms stay stored.

Advertising cookies
These cookies are also known as targeting cookies. They serve the purpose of delivering customised advertisements to the user. This can be very practical, but also rather annoying.

Upon your first visit to a website you are usually asked which of these cookie-types you want to accept. Furthermore, this decision will of course also be stored in a cookie.

If you want to learn more about cookies and do not mind technical documentation, we recommend https://tools.ietf.org/html/rfc6265, the Request for Comments of the Internet Engineering Task Force (IETF) called “HTTP State Management Mechanism”.

Purpose of processing via cookies

The purpose ultimately depends on the respective cookie. You can find out more details below or from the software manufacturer that sets the cookie.

Which data are processed?

Cookies are little helpers for a wide variety of tasks. Unfortunately, it is not possible to tell which data is generally stored in cookies, but in the privacy policy below we will inform you on what data is processed or stored.

Storage period of cookies

The storage period depends on the respective cookie and is further specified below. Some cookies are erased after less than an hour, while others can remain on a computer for several years.

You can also influence the storage duration yourself. You can manually erase all cookies at any time in your browser (also see “Right of objection” below). Furthermore, the latest instance cookies based on consent will be erased is after you withdraw your consent. The legality of storage will remain unaffected until then.

Right of objection – how can I erase cookies?

You can decide for yourself how and whether you want to use cookies. Regardless of which service or website the cookies originate from, you always have the option of erasing, deactivating or only partially accepting cookies. You can for example block third-party cookies but allow all other cookies.

If you want to find out which cookies have been stored in your browser, or if you want to change or erase cookie settings, you can find this option in your browser settings:

Chrome: Clear, enable and manage cookies in Chrome

Safari: Manage cookies and website data in Safari

Firefox: Clear cookies and site data in Firefox

Internet Explorer: Delete and manage cookies

Microsoft Edge: Delete cookies in Microsoft Edge

If you generally do not want cookies, you can set up your browser in a way to notify you whenever a cookie is about to be set. This gives you the opportunity to manually decide to either permit or deny the placement of every single cookie. This procedure varies depending on the browser. Therefore, it might be best for you to search for the instructions in Google. If you are using Chrome, you could for example put the search term “delete cookies Chrome” or “deactivate cookies Chrome” into Google.

Legal basis

The so-called “cookie directive” has existed since 2009. It states that the storage of cookies requires your consent (Article 6 Paragraph 1 lit. a GDPR). Within countries of the EU, however, the reactions to these guidelines still vary greatly. In Austria, however, this directive was implemented in Section 165 (3) of the Telecommunications Act (2021). In Germany, the cookie guidelines have not been implemented as national law. Instead, this guideline was largely implemented in Section 15 (3) of the Telemedia Act (TMG), which has been replaced by the Digital Services Act (DSA) since May 2024.

For absolutely necessary cookies, even if no consent has been given, there are legitimate interests (Article 6 (1) (f) GDPR), which in most cases are of an economic nature. We want to offer our visitors a pleasant user experience on our website. For this, certain cookies often are absolutely necessary.

This is exclusively done with your consent, unless absolutely necessary cookies are used. The legal basis for this is Article 6 (1) (a) of the GDPR.

In the following sections you will find more detail on the use of cookies, provided the used software does use cookies.

Customer Data

Customer Data Overview
👥Affected parties: Customers or business and contractual partners
🤝 Purpose: Performance of a contract for the provision of agreed services or prior to entering into such a contract, including associated communications.
📓 Data processed: name, address, contact details, email address, telephone number, payment information (such as invoices and bank details), contract data (such as duration and subject matter of the contract), IP address, order data
📅 Storage period: the data will be erased as soon as they are no longer required for our business purposes and there is no legal obligation to process them.
⚖️ Legal bases: Legitimate interests (Art. 6 Para. 1 lit. f GDPR), Contract (Art. 6 Para. 1 lit. b GDPR)

What is customer data?

In order to be able to offer our services and contractual services, we also process data from our customers and business partners. This data always includes personal data. Customer data is all information that is processed on the basis of contractual or pre-contractual agreements so that the offered services can be provided. Customer data is therefore all the information we collect and process about our customers.

Why do we process customer data?

There are many reasons why we collect and process customer data. The main reason is that we simply need specific data to provide our services. Sometimes for example your email address may be enough. But if you purchase a product or service, we may e. g. also need data such as your name, address, bank details or other contract data. This data will subsequently be used for marketing and sales optimisation so that we can improve our overall service for our customers and clients. Another important reason for data processing is our customer service, which is very important to us. We want you to have the opportunity to contact us at any time with questions about our offers. Thus, we may need certain data such as your email address at the very least.

What data is processed?

Exactly which data is stored can only be shown by putting them in categories. All in all, it always depends on which of our services you receive. In some cases, you may only give us your email address so that we can e. g. contact you or answer your questions. In other instances, you may purchase one of our products or services. Then we may need significantly more information, such as your contact details, payment details and contract details.

Here is a list of potential data we may receive and process:

  • Name
  • Contact address
  • Email address
  • Phone number
  • Your birthday
  • Payment data (invoices, bank details, payment history, etc.)
  • Contract data (duration, contents)
  • Usage data (websites visited, access data, etc.)
  • Metadata (IP address, device information)

How long is the data stored?

We erase corresponding customer data as soon as we no longer need it to fulfill our contractual obligations and purposes, and as soon as the data is also no longer necessary for possible warranty and liability obligations. This can for example be the case when a business contract ends. Thereafter, the limitation period is usually 3 years, although longer periods may be possible in individual cases. Of course, we also comply with the statutory retention requirements. Your customer data will certainly not be passed on to third parties unless you have given your explicit consent.

Legal Basis

The legal basis for the processing of your data is Article 6 Paragraph 1 Letter a GDPR (consent), Article 6 Paragraph 1 Letter b GDPR (contract or pre-contractual measures), Article 6 Paragraph 1 Letter f GDPR (legitimate interests) and in special cases (e. g. medical services) Art. 9 (2) lit. GDPR (processing of special categories).

In the case of protecting vital interests, data processing is carried out in accordance with Article 9 Paragraph 2 Letter c. GDPR. For the purposes of health care, occupational medicine, medical diagnostics, care or treatment in the health or social sectors or for the administration of systems and services in health or social sectors, the processing of personal data takes place in accordance with Art. 9 Para. 2 lit. h. GDPR. If you voluntarily provide data of these special categories, the processing takes place on the basis of Article 9 Paragraph 2 lit. a GDPR.

Registration

Registration Overview
👥 Affected parties: Anyone who registers to create an account with us, and logs in to use the account.
📓 Processed data: Personal data such as email address, name, password and other data that is collected during registration, login and account use.
🤝 Purpose: For the provision of our services, as well as to communicate with clients or customers in the scope of our services.
📅Storage period: As long as the company account associated with the texts exists, plus a period of usually 3 years.
⚖️ Legal bases: Article 6 paragraph 1 letter b GDPR (contract), Article 6 paragraph 1 letter a GDPR (consent), Article 6 paragraph 1 letter f GDPR (legitimate interests)

If you register with us and provide any personal data, this data may be processed, possibly along with your IP address. Below you can explore what we mean by the rather broad term “personal data”.

Please only enter the data we need for the registration. In case you are registering on behalf of a third party, please only enter data for which you have the approval of the party you are registering for. If possible, use a secure password that you don’t use anywhere else and an email address that you check regularly.

In the following, we will inform you about the exact type of data processing we do. After all, we want you to feel at ease with the services we provide!

What is a registration?

When you register, we retain certain of your data in order to make it easy for you to log in with us online and use your account. An account with us has the advantage that you don’t have to re-enter everything every time. It saves time and effort and ultimately prevents any issues with the provision of our services.

Why do we process personal data?

In short, we process personal data to make account registration and usage possible for you. If we didn’t do this, you would have to enter all your data each time, wait for our approval and then enter everything again. This strenuous process would probably not only irritate us a little, but also many of our dear clients and customers.

Which data is processed?

Any data that you provided during registration or login and any data that you may enter as part of managing your account data.

During registration, we process the following types of data:

  • First name
  • Last name
  • Email address
  • Company name
  • Street + house number
  • Residence
  • Postcode
  • Country

During your registration, we process any data you enter, such as your username and password, along with data that is collected in the background such as your device information and IP addresses.

When using your account, we process any data you enter while using the account, as well as any data that is created while you use our services.

Storage time

We store the entered data for at least as long as the account associated with the data exists with us and is in use – and as long as there are contractual obligations between you and us. In case the contract ends, we retain the data until the respective claims get time-barred. Moreover, we store your data as long as we are subject to legal storage obligations, if applicable. Following that, we keep any accounting records (invoices, contract documents, account statements, etc.) of the contract for 10 years (§ 147 AO) and other relevant business documents for 6 years (§ 247 HGB) after accrual.

Right to object

You have registered, entered data and want to revoke the data processing? Not a problem. As you can see above, you retain this right under the General Data Protection Regulation also at and after registration, login or account creation with us. Contact the Data Protection Officer above to exercise your rights. If you already have an account with us, you can easily view and manage your data and texts in your account.

Legal Basis

By completing the registration process, you enter into a pre-contractual agreement with us, with the intention to conclude a contract of use for our platform (although there is no automatic payment obligation). You invest time to enter data and register and in return, we offer you our services after you log on to our system and view your customer account. We also meet our contractual obligations. Finally, we need to be able to email registered users about important changes. Article 6(1)(b) GDPR (implementation of pre-contractual measures, fulfilment of a contract) applies.

Where applicable, we will ask for your consent, e.g. in case you voluntarily provide more data than is absolutely necessary, or in case we may ask you if we may send you advertising. Article 6 paragraph 1 lit. a GDPR (consent) applies in this matter.

We also have a legitimate interest in knowing who who our clients or customers are, in order to get in touch if required. We also need to know who is using our services and whether they are being used in accordance with our terms of use, i.e. Article 6(1)(f) GDPR (legitimate interests) applies in this matter.

Note: the following sections are to be ticked by users (as required):

Registration with real names

Since business operations require us to know who our clients or customers are, registration is only possible with your real name (full name) and not with a pseudonym.

Registration with pseudonyms

You can use a pseudonym for the registration, which means you don’t have to register with your real name. This ensures that your real name cannot be processed by us.

Storage of the IP address

During registration, login and account use, we store your IP address for security reasons in order to be able to determine legitimate use.

Public Profile

User profiles are publicly visible, i.e. parts of the profiles can also be viewed on the Internet without the need to enter a username and password.

Two Factor Authentication (2FA)

Two Factor Authentication (2FA) offers additional security when logging in, as it prevents you from logging in without a smartphone, for example. This technical measure to secure your account protects you against the loss of data or unauthorised access, even if your username and password were leaked. During your registration process, login or within the account itself y ou can find out which 2FA is used.

Web hosting

Web hosting Overview
👥 Affected parties: visitors to the website
📓 Purpose: professional hosting of the website and security of operations
🤝 Processed data: IP address, time of website visit, browser used and other data. You can find more details on this below or at the respective web hosting provider.
📅 Storage period: dependent on the respective provider, but usually 2 weeks
⚖️ Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interests)

What is web hosting?

Every time you visit a website nowadays, certain information – including personal data – is automatically created and stored, including on this website. This data should be processed as sparingly as possible, and only with good reason. By website, we mean the entirety of all websites on your domain, i.e. everything from the homepage to the very last subpage (like this one here). By domain we mean example.uk or examplepage.com.

When you want to view a website on a screen, you use a program called a web browser. You probably know the names of some web browsers: Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari.

The web browser has to connect to another computer which stores the website’s code: the web server. Operating a web server is complicated and time-consuming, which is why this is usually done by professional providers. They offer web hosting and thus ensure the reliable and flawless storage of website data.

Whenever the browser on your computer establishes a connection (desktop, laptop, smartphone) and whenever data is being transferred to and from the web server, personal data may be processed. After all, your computer stores data, and the web server also has to retain the data for a period of time in order to ensure it can operate properly.

Illustration:

Browser and Webserver

Why do we process personal data?

The purposes of data processing are:

  1. Professional hosting of the website and operational security
  2. To maintain the operational as well as IT security
  3. Anonymous evaluation of access patterns to improve our offer, and if necessary, for prosecution or the pursuit of claims.li>

Which data are processed?

Even while you are visiting our website, our web server, that is the computer on which this website is saved, usually automatically saves data such as

  • the full address (URL) of the accessed website (e. g. https://www.examplepage.uk/examplesubpage.html?tid=122906385)
  • browser and browser version (e.g. Chrome 87)
  • the operating system used (e.g. Windows 10)
  • the address (URL) of the previously visited page (referrer URL) (e. g. https://www.examplepage.uk/icamefromhere.html/)
  • the host name and the IP address of the device from the website is being accessed from (e.g. COMPUTERNAME and 194.23.43.121)
  • date and time
  • in so-called web server log files

How long is the data stored?

Generally, the data mentioned above are stored for two weeks and are then automatically deleted. We do not pass these data on to others, but we cannot rule out the possibility that this data may be viewed by the authorities in the event of illegal conduct.

In short: Your visit is logged by our provider (company that runs our website on special computers (servers)), but we do not pass on your data without your consent!

Legal basis

The lawfulness of processing personal data in the context of web hosting is justified in Art. 6 para. 1 lit. f GDPR (safeguarding of legitimate interests), as the use of professional hosting with a provider is necessary to present the company in a safe and user-friendly manner on the internet, as well as to have the ability to track any attacks and claims, if necessary.

Webhosting Other

Contact data for our Webhosting:

Dienst: Cloudways
Anbieter: Cloudways Ltd., 52 Springvale, Pope Pius XII Street, Mosta MST2653, Malta
Serverstandort: Frankfurt

You can learn more about the data processing at this provider in their Privacy Policy.

Web Analytics

Web Analytics Privacy Policy Overview
👥 Affected parties: visitors to the website
🤝 Purpose: Evaluation of visitor information to optimise the website.
📓 Processed data: Access statistics that contain data such as access location, device data, access duration and time, navigation behaviour, click behaviour and IP addresses. You can find more details on this from the respective web analytics tool directly.
📅 Storage period: depending on the respective web analytics tool used
⚖️ Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)

What is Web Analytics?

We use software on our website, which is known as web analytics, in order to evaluate website visitor behaviour. Thus, data is collected, which the analytic tool provider (also called tracking tool) stores, manages and processes. Analyses of user behaviour on our website are created with this data, which we as the website operator receive. Most tools also offer various testing options. These enable us, to for example test which offers or content our visitors prefer. For this, we may show you two different offers for a limited period of time. After the test (a so-called A/B test) we know which product or content our website visitors find more interesting. For such testing as well as for various other analyses, user profiles are created and the respective data is stored in cookies.

Why do we run Web Analytics?

We have a clear goal in mind when it comes to our website: we want to offer our industry’s best website on the market. Therefore, we want to give you both, the best and most interesting offer as well as comfort when you visit our website. With web analysis tools, we can observe the behaviour of our website visitors, and then improve our website accordingly for you and for us. For example, we can see the average age of our visitors, where they come from, the times our website gets visited the most, and which content or products are particularly popular. All this information helps us to optimise our website and adapt it to your needs, interests and wishes.

Which data are processed?

The exact data that is stored depends on the analysis tools that are being used. But generally, data such as the content you view on our website are stored, as well as e. g. which buttons or links you click, when you open a page, which browser you use, which device (PC, tablet, smartphone, etc.) you visit the website with, or which computer system you use. If you have agreed that location data may also be collected, this data may also be processed by the provider of the web analysis tool.

Moreover, your IP address is also stored. According to the General Data Protection Regulation (GDPR), IP addresses are personal data. However, your IP address is usually stored in a pseudonymised form (i.e. in an unrecognisable and abbreviated form). No directly linkable data such as your name, age, address or email address are stored for testing purposes, web analyses and web optimisations. If this data is collected, it is retained in a pseudonymised form. Therefore, it cannot be used to identify you as a person.

The following example shows Google Analytics’ functionality as an example for client-based web tracking with JavaScript code.

Schematic data flow in Google Analytics

The storage period of the respective data always depends on the provider. Some cookies only retain data for a few minutes or until you leave the website, while other cookies can store data for several years.

Duration of data processing

If we have any further information on the duration of data processing, you will find it below. We generally only process personal data for as long as is absolutely necessary to provide products and services. The storage period may be extended if it is required by law, such as for accounting purposes for example for accounting.

Right to object

You also have the option and the right to revoke your consent to the use of cookies or third-party providers at any time. This works either via our cookie management tool or via other opt-out functions. For example, you can also prevent data processing by cookies by managing, deactivating or erasing cookies in your browser.

Legal basis

The use of Web Analytics requires your consent, which we obtained with our cookie popup. According to Art. 6 para. 1 lit. a of the GDPR (consent), this consent represents the legal basis for the processing of personal data, such as by collection through Web Analytics tools.

In addition to consent, we have a legitimate interest in analysing the behaviour of website visitors, which enables us to technically and economically improve our offer. With Web Analytics, we can recognise website errors, identify attacks and improve profitability. The legal basis for this is Art. 6 para. 1 lit. f of the GDPR (legitimate interests). Nevertheless, we only use these tools if you have given your consent.

Since Web Analytics tools use cookies, we recommend you to read our privacy policy on cookies. If you want to find out which of your data are stored and processed, you should read the privacy policies of the respective tools.

If available, information on special Web Analytics tools can be found in the following sections.

Google Analytics Privacy Policy

Google Analytics Privacy Policy Overview
👥 Affected parties: website visitors
🤝 Purpose: Evaluation of visitor information to optimise the website.
📓 Processed data: Access statistics that contain data such as the location of access, device data, access duration and time, navigation behaviour and click behaviour. You can find more details on this in the privacy policy below.
📅 Storage period: Customizable, GA4 stores data for 14 months by default.
⚖️ Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)

What is Google Analytics?

On our website, we use the analytics tracking tool Google Analytics in the Google Analytics 4 (GA4) version provided by the American company Google Inc. For the European region, Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services. Google Analytics collects data about your actions on our website. By combining various technologies such as cookies, device IDs, and login information, you can be identified as a user across different devices. This allows your actions to be analyzed across platforms as well.

For example, when you click on a link, this event is stored in a cookie and sent to Google Analytics. With the reports we receive from Google Analytics, we can better tailor our website and service to your needs. In the following, we will provide more information about the tracking tool and specifically inform you about the data processed and how you can prevent it.

Google Analytics is a tracking tool used for website traffic analysis. The basis for these measurements and analyses is a pseudonymous user identification number. This number does not include personally identifiable information such as name or address but is used to assign events to a device. GA4 utilizes an event-based model that captures detailed information about user interactions such as page views, clicks, scrolling, and conversion events. Additionally, GA4 incorporates various machine learning features to better understand user behavior and certain trends. GA4 employs modeling through machine learning capabilities, meaning that based on the collected data, missing data can be extrapolated to optimize the analysis and provide forecasts.

In order for Google Analytics to function properly, a tracking code is embedded in the code of our website. When you visit our website, this code records various events that you perform on our website. With GA4’s event-based data model, we, as website operators, can define and track specific events to obtain analyses of user interactions. This allows us to track not only general information such as clicks or page views but also specific events that are important for our business, such as submitting a contact form or making a purchase.

Once you leave our website, this data is sent to and stored on Google Analytics servers.

Google processes the data, and we receive reports on your user behavior. These reports can include, among others, the following:

  • Audience reports: Audience reports help us get to know our users better and gain a more precise understanding of who is interested in our service.
  • Advertising reports: Advertising reports make it easier for us to analyze and improve our online advertising.
  • Acquisition reports: Acquisition reports provide helpful information on how we can attract more people to our service.
  • Behavior reports: Here, we learn about how you interact with our website. We can track the path you take on our site and which links you click on.
  • Conversion reports: Conversion refers to an action you take as a result of a marketing message, such as going from being a website visitor to becoming a buyer or newsletter subscriber. Through these reports, we gain insights into how our marketing efforts resonate with you, with the aim of improving our conversion rate.
  • Real-time reports: With real-time reports, we can see what is currently happening on our website. For example, we can see how many users are currently reading this text.

In addition to the above-mentioned analysis reports, Google Analytics 4 also offers the following functions:

  • Event-based data model: This model captures specific events that can occur on our website, such as playing a video, making a purchase, or subscribing to our newsletter.
  • Advanced analytics features: With these features, we can gain a better understanding of your behavior on our website or certain general trends. For example, we can segment user groups, conduct comparative analyses of target audiences, or track your path on our website.
  • Predictive modeling: Based on the collected data, missing data can be extrapolated through machine learning to predict future events and trends. This can help us develop better marketing strategies.
  • Cross-platform analysis: Data collection and analysis are possible from both websites and apps. This enables us to analyze user behavior across platforms, provided you have consented to data processing.

Why do we use Google Analytics on our website?

Our goal with this website is clear: we want to provide you with the best possible service. The statistics and data from Google Analytics help us achieve this goal.

The statistically evaluated data gives us a clear picture of the strengths and weaknesses of our website. On one hand, we can optimize our site to make it more easily found by interested people on Google. On the other hand, the data helps us better understand you as a visitor. We know exactly what we need to improve on our website in order to provide you with the best possible service. The data also helps us conduct our advertising and marketing activities in a more personalized and cost-effective manner. After all, it only makes sense to show our products and services to people who are interested in them.

What data is stored by Google Analytics?

With the help of a tracking code, Google Analytics creates a random, unique ID associated with your browser cookie. This way, Google Analytics recognizes you as a new user, and a user ID is assigned to you. When you visit our site again, you are recognized as a “returning” user. All collected data is stored together with this user ID, making it possible to evaluate pseudonymous user profiles.

To analyze our website with Google Analytics, a property ID must be inserted into the tracking code. The data is then stored in the corresponding property. For each newly created property, the default is Google Analytics 4 Property. The data storage duration varies depending on the property used.

Through identifiers such as cookies, app instance IDs, user IDs, or custom event parameters, your interactions, if you have consented, are measured across platforms. Interactions encompass all types of actions you perform on our website. If you also use other Google systems (such as a Google account), data generated through Google Analytics can be linked to third-party cookies. Google does not disclose Google Analytics data unless we, as website operators, authorize it, except when required by law.

According to Google, IP addresses are not logged or stored in Google Analytics 4. However, IP address data is used by Google for deriving location data and is immediately deleted thereafter. All IP addresses collected from users in the EU are deleted before the data is stored in a data center or on a server.

Since GA4 focuses on event-based data, the tool uses significantly fewer cookies compared to previous versions such as Google Universal Analytics. However, there are still some specific cookies used by GA4. These can include:

Name: _ga
Value: 2.1326744211.152122906385-5
Purpose: By default, analytics.js uses the _ga cookie to store the user ID. It is used to distinguish website visitors.
Expiration: After 2 years

Name: _gid
Value: 2.1687193234.152122906385-1
Purpose: This cookie is also used to distinguish website visitors.
Expiration: After 24 hours

Name: gat_gtag_UA Value: 1
Purpose: Used to reduce the request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named dc_gtm .
Expiration: After 1 minute

Note: This list cannot claim to be exhaustive, as Google may change their choice of cookies from time to time. GA4 aims to improve data privacy and offers several options for controlling data collection. For example, we can determine the storage duration ourselves and control data.

Here we provide an overview of the main types of data collected by Google Analytics:

Heatmaps: Google creates heatmaps to show the exact areas you click on. This provides us with information about your interactions on our site.

Session Duration: Google refers to session duration as the time you spend on our site without leaving. If you are inactive for 20 minutes, the session automatically ends.

Bounce Rate: Bounce rate refers to when you view only one page on our website and then leave.

Account Creation: If you create an account or place an order on our website, Google Analytics collects this data.

Location: IP addresses are not logged or stored in Google Analytics. However, location data is derived shortly before the IP address is deleted.

Technical Information: Technical information includes your browser type, internet service provider, and screen resolution, among others.

Source of Origin: Google Analytics is interested in the website or advertisement that brought you to our site.

Additional data may include contact information, reviews, media playback (e.g., if you play a video on our site), sharing of content via social media, or adding to favorites. This list is not exhaustive and serves only as a general guide to the data storage by Google Analytics.

Where and how long are the data stored?

Google has servers distributed worldwide. You can find precise information about the locations of Google data centers at: https://www.google.com/about/datacenters/locations/?hl=en

Your data is distributed across multiple physical storage devices. This ensures faster access to data and better protection against manipulation. Each Google data center has emergency programs in place for your data. In the event of hardware failure or natural disasters, the risk of service interruption at Google remains low.

The retention period of data depends on the properties used. The storage duration is always set separately for each individual property. Google Analytics offers us four options for controlling the storage duration:

  • 2 months: This is the shortest storage period.
  • 14 months: By default, data is stored in GA4 for 14 months.
  • 26 months: Data can also be stored for 26 months.
  • Data is only deleted manually.

In addition, there is also the option for data to be deleted only if you do not visit our website within the selected time period. In this case, the retention period is reset every time you revisit our website within the defined time frame.

Once the defined period has expired, the data is deleted once a month. This retention period applies to data linked to cookies, user identification, and advertising IDs (e.g., cookies from the DoubleClick domain). Report results are based on aggregated data and are stored independently of user data. Aggregated data is a combination of individual data into larger units.

How can I delete my data or prevent data storage?

Under the data protection laws of the European Union, you have the right to access, update, delete, or restrict your data. By using the browser add-on to deactivate Google Analytics JavaScript (analytics.js, gtag.js), you can prevent Google Analytics 4 from using your data. You can download and install the browser add-on at: https://tools.google.com/dlpage/gaoptout?hl=en Please note that this add-on only disables data collection by Google Analytics.

If you want to disable, delete, or manage cookies in general, you can find the respective instructions for the most common browsers in the “Cookies” section.

Legal basis

The use of Google Analytics requires your consent, which we obtained through our cookie popup. According to Art. 6(1)(a) of the GDPR, this consent constitutes the legal basis for the processing of personal data that may occur during the collection by web analytics tools.

In addition to consent, we also have a legitimate interest in analyzing the behavior of website visitors to improve our offering technically and economically. By using Google Analytics, we can identify website errors, detect attacks, and improve efficiency. The legal basis for this is Art. 6(1)(f) of the GDPR (legitimate interests). However, we only use Google Analytics if you have given your consent.

Google processes data from you, among other things, in the USA. Google is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from EU citizens to the USA. More information can be found at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.

Additionally, Google uses so-called Standard Contractual Clauses (Article 46(2) and (3) GDPR). Standard Contractual Clauses (SCC) are template clauses provided by the EU Commission and are designed to ensure that your data complies with European data protection standards, even when transferred and stored in third countries (such as the USA). Through the EU-US Data Privacy Framework and the Standard Contractual Clauses, Google commits to maintaining the European data protection level when processing your relevant data, even if the data is stored, processed, and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding Standard Contractual Clauses here: https://ec.europa.eu/commission/presscorner/detail/en/ip_21_2847.

You can find the Google Ads Data Processing Terms, which refer to the Standard Contractual Clauses, at: https://business.safety.google/intl/en/adsprocessorterms/

We hope we have provided you with the most important information regarding the data processing by Google Analytics. If you want to learn more about the tracking service, we recommend the following links: https://marketingplatform.google.com/about/analytics/terms/en/ and https://support.google.com/analytics/answer/6004245?hl=en

If you want to learn more about data processing, you can refer to the Google Privacy Policy at: https://policies.google.com/privacy?hl=en.

Data Processing Agreement (DPA) Google Analytics

In accordance with Article 28 of the General Data Protection Regulation (GDPR), we have entered into a Data Processing Agreement (DPA) with Google Analytics. What exactly a DPA is and especially what must be included in a DPA, you can read in our general section “Data Processing Agreement (DPA)”.

This contract is required by law because Google Analytics processes personal data on our behalf. It clarifies that Google Analytics may only process data they receive from us according to our instructions and must comply with the GDPR. You can find the link to the Data Processing Terms under https://business.safety.google/intl/en/adsprocessorterms/.

Google Analytics Reports on demographic characteristics and interests

We have turned on Google Analytics’ functions for advertising reports. These reports on demographic characteristics and interests contain details about age, gender and interests. Through them we can get a better picture of our users – without being able to allocate any data to individual persons. You can learn more about advertising functions at auf https://support.google.com/analytics/answer/3450482?hl=en&amp%3Butm_id=ad.

You can terminate the use of your Google Account’s activities and information in “Ads Settings” at https://adssettings.google.com/authenticated via a checkbox.

Google Analytics in Consent Mode

Depending on your consent, Google Analytics will progress your personal data in the so-called “consent mode”. You can choose whether or not you want to accept Google Analytics cookies, and thus which of your data Google Analytics may process. The retained data is mainly used to measure user behaviour on the website, to serve targeted advertising and to provide us with web analysis reports. Usually, you would consent to Google’s data processing via a cookie consent tool. If you do not consent to data processing, only aggregated data will be collected and processed. This means that data cannot be assigned to individual users and therefore no user profile will be created for you. You also have the option to only agree to statistical measurement, meaning that none of your personal data will be processed and used for advertising or advertising measurement sequences.

Google Analytics IP Anonymisation

We implemented Google Analytics’ IP address anonymisation to this website. Google developed this function, so this website can comply with the applicable privacy laws and the local data protection authorities’ recommendations, should they prohibit the retention of any full IP addresses.
The anonymisation or masking of IP addresses takes place, as soon as they reach Google Analytics’ data collection network, but before the data would be saved or processed.

You can find more information on IP anonymisation at https://support.google.com/analytics/answer/2763052?hl=en.

Email-Marketing

Email Marketing Overview
👥 Affected parties: newsletter subscribers
🤝 Purpose: direct marketing via email, notification of events that are relevant to the system
📓 Processed data: data entered during registration, but at least the email address. You can find more details on this in the respective email marketing tool used.
📅 Storage duration: for the duration of the subscription
⚖️ Legal bases: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)

What is Email-Marketing?

We use email marketing to keep you up to date. If you have agreed to receive our emails or newsletters, your data will be processed and stored. Email marketing is a part of online marketing. In this type of marketing, news or general information about a company, product or service are emailed to a specific group of people who are interested in it.

If you want to participate in our email marketing (usually via newsletter), you usually just have to register with your email address. To do this, you have to fill in and submit an online form. However, we may also ask you for your title and name, so we can address you personally in our emails.

The registration for newsletters generally works with the help of the so-called “double opt-in procedure”. After you have registered for our newsletter on our website, you will receive an email, via which you can confirm the newsletter registration. This ensures that you own the email address you signed up with, and prevents anyone to register with a third-party email address. We or a notification tool we use, will log every single registration. This is necessary so we can ensure and prove, that registration processes are done legally and correctly. In general, the time of registration and registration confirmation are stored, as well as your IP address. Moreover, any change you make to your data that we have on file is also logged.

Why do we use Email-Marketing?

Of course, we want to stay in contact with you and keep you in the loop of the most important news about our company. For this, we use email marketing – often just referred to as “newsletters” – as an essential part of our online marketing. If you agree to this or if it is permitted by law, we will send you newsletters, system emails or other notifications via email. Whenever the term “newsletter” is used in the following text, it mainly refers to emails that are sent regularly. We of course don’t want to bother you with our newsletter in any way. Thus, we genuinely strive to offer only relevant and interesting content. In our emails you can e.g. find out more about our company and our services or products. Since we are continuously improving our offer, our newsletter will always give you the latest news, or special, lucrative promotions. Should we commission a service provider for our email marketing, who offers a professional mailing tool, we do this in order to offer you fast and secure newsletters. The purpose of our email marketing is to inform you about new offers and also to get closer to our business goals.

Which data are processed?

If you subscribe to our newsletter via our website, you then have to confirm your membership in our email list via an email that we will send to you. In addition to your IP and email address, your name, address and telephone number may also be stored. However, this will only be done if you agree to this data retention. Any data marked as such are necessary so you can participate in the offered service. Giving this information is voluntary, but failure to provide it will prevent you from using this service. Moreover, information about your device or the type of content you prefer on our website may also be stored. In the section “Automatic data storage” you can find out more about how your data is stored when you visit a website. We record your informed consent, so we can always prove that it complies with our laws.

Duration of data processing

If you unsubscribe from our e-mail/newsletter distribution list, we may store your address for up to three years on the basis of our legitimate interests, so we can keep proof your consent at the time. We are only allowed to process this data if we have to defend ourselves against any claims.

However, if you confirm that you have given us your consent to subscribe to the newsletter, you can submit an individual request for erasure at any time. Furthermore, if you permanently object to your consent, we reserve the right to store your email address in a blacklist. But as long as you have voluntarily subscribed to our newsletter, we will of course keep your email address on file.

Withdrawal – how can I cancel my subscription?

You have the option to cancel your newsletter subscription at any time. All you have to do is revoke your consent to the newsletter subscription. This usually only takes a few seconds or a few clicks. Most of the time you will find a link at the end of every email, via which you will be able to cancel the subscription. Should you not be able to find the link in the newsletter, you can contact us by email and we will immediately cancel your newsletter subscription for you.

Legal basis

Our newsletter is sent on the basis of your consent (Article 6 (1) (a) GDPR). This means that we are only allowed to send you a newsletter if you have actively registered for it beforehand. Moreover, we may also send you advertising messages on the basis of Section 7 (3) UWG (Unfair Competition Act), provided you have become our customer and have not objected to the use of your email address for direct mail.

If available – you can find information on special email marketing services and how they process personal data, in the following sections.

GetResponse Privacy Policy

Privacy Policy Summary GetResponse
👥 Data subjects: Newsletter subscribers
🤝 Purpose: Direct email marketing, notification of system-relevant events
📓 Processed data: Entered data during registration, at least the email address
📅 Storage duration: Duration of the subscription
⚖️ Legal bases: Art. 6 (1) lit. a GDPR (Consent), Art. 6 (1) lit. f GDPR (Legitimate interests)

What is GetResponse?

We use GetResponse, a service for email marketing and marketing automation, on our website. The service provider is the Polish company GetResponse Sp. z o.o., Arkonska 6/A3, 80-387 Gdansk, Poland.

Founded in 1997 by Simon Grabowski, the company has evolved into a global marketing service provider with various innovative products, currently serving over 350,000 customers worldwide. In addition to the traditional newsletter service, the company also offers marketing automation, a technical method that automates and personalizes certain marketing or sales processes. This allows us to adapt our communication to your needs based on your user behavior and tailor advertising campaigns individually to you and our other customers. Personal data (e.g., name, address, IP address) and technical data such as click behavior or how long you stay on one of our pages are stored and processed for this purpose. These data are only stored if you have consented to data processing.

Why do we use GetResponse?

We want to keep you informed about news from our company, ensuring that you receive only relevant information. With a smart marketing or newsletter tool like GetResponse, we can achieve both objectives. GetResponse is particularly convenient as it enables quick and easy creation of newsletters or traditional emails. The user-friendly interface with a drag-and-drop editor allows us to design the content and layout of our newsletters according to our preferences.

What data does GetResponse process?

We are delighted when you subscribe to our newsletter, allowing us to provide you with up-to-date information about our company. However, you should be aware that during the newsletter registration process, all data you enter (such as your email address or your first and last name) is stored and managed on our server and at GetResponse. This includes personal data. For example, along with the time and date of registration, your IP address is also stored. During the registration process, you also consent to receiving the newsletter, and this Privacy Policy is referenced. Additionally, data such as click behavior in the newsletter may be processed.

How long and where are the data stored?

The data for the newsletter tool is primarily stored on servers in Poland or in other countries of the European Economic Area.

The collected data that identifies you as an individual (personal data) is stored at GetResponse for as long as we have an account with them. Once the account is deactivated, no further processing by GetResponse takes place. The data is then stored for an additional 60 days. Afterward, the data is deleted from the main database and stored as an encrypted backup for the next 120 days.

Data collected through your newsletter registration and sent to GetResponse is deleted by us as soon as you unsubscribe from our newsletter.

Right to object

You have the option to unsubscribe from our newsletter at any time. To do this, you only need to revoke your consent to newsletter registration. This usually takes only a few seconds or one or two clicks. Most newsletters contain a link at the end of each email to unsubscribe from the newsletter. If you cannot find the link in the newsletter, please contact us by email, and we will promptly cancel your newsletter subscription. After unsubscribing, personal data is deleted from our server and GetResponse servers. You have the right to free information about your stored data and, if necessary, the right to deletion, blocking, or correction.

Legal basis

The sending of our newsletter through GetResponse is based on your consent (Article 6 (1) lit. a GDPR). This means we may only send you a newsletter if you actively signed up for it. If consent is not required, newsletter dispatch is based on the legitimate interest in direct marketing (Article 6 (1) lit. f), if legally permitted. We record your registration process to always demonstrate compliance with our laws.

For more information about the data processed by using GetResponse, you can refer to the Privacy Policy at https://www.getresponse.com/legal/privacy. For specific questions about data processing at GetResponse, you can also contact privacy@getresponse by email.

Payment providers

Payment Providers Privacy Policy Overview
👥 Affected parties: visitors to the website
🤝 Purpose: To enable and optimise the payment process on our website
📓 Processed data: data such as name, address, bank details (account number, credit card number, passwords, TANs, etc.), IP address and contract data
You can find more details on this directly from the payment provider tool that is being used.
📅 Storage period: depending on the payment provider that is being used
⚖️ Legal basis: Art. 6 paragraph 1 lit. b GDPR (performance of a contract)

What is a payment provider?

On our website we use online payment systems, which enable us as well as you to have a secure and smooth payment process available. Among other things, personal data may also be sent to the respective payment provider, where it may also be stored and processed. Payment providers are online payment systems that enable you to place an order via online banking. The payment processing is carried out by the payment provider of your choice. We will then receive information about the payment. This method can be used by any user who has an active online banking account with a PIN and TAN. There are hardly any banks that do not offer or accept such payment methods.

Why do we use payment providers on our website?

With both our website and our embedded online shop, we of course want to offer you the best possible service, so you can feel comfortable on our site and take advantage of our offers. We know that your time is valuable and that payment processing in particular has to work quickly and smoothly. Thus, we offer various payment providers. You can choose your preferred payment provider and pay in the usual way.

Which data are processed?

What exact data that is processed of course depends on the respective payment provider. However, generally data such as name, address, bank details (account number, credit card number, passwords, TANs, etc.) do get stored. This data is necessary for carrying out any transactions. In addition, any contract data and user data, such as when you have visited our website, what content you are interested in or which sub-pages you have clicked, may also be stored. Most payment providers also store your IP address and information about the computer you are using.

Your data is usually stored and processed on the payment providers’ servers. We, so the website operator, do not receive this data. We only get information on whether the payment has gone through or not. For identity and credit checks, it may happen for payment providers to forward data to the appropriate body. The business and privacy policy principles of the respective provider always apply to all payment transactions. Therefore, please always take a look at the general terms and conditions and the privacy policy of the payment provider. You e.g. also have the right to have data erased or rectified at any time. Please contact the respective service provider regarding your rights (right to withdraw, right of access and individual rights).

Duration of data processing

Provided we have further information on this, we will inform you below about the duration of the processing of your data. In general, we only process personal data for as long as is absolutely necessary for providing our services and products. This storage period may be exceeded however, if it is required by law, for example for accounting purposes. We keep any accounting documents of contracts (invoices, contract documents, account statements, etc.) for 10 years (Section 147 AO) and other relevant business documents for 6 years (Section 247 HGB).

Right to object

You always have the right to information, rectification and erasure of your personal data. If you have any questions, you can always contact the person that is responsible for the respective payment provider. You can find contact details for them either in our respective privacy policy or on the relevant payment provider’s website.

You can erase, deactivate or manage cookies in your browser, that payment providers use for their functions. How this works differs a little depending on which browser you are using. Please note, however, that the payment process may then no longer work.

Legal basis

For the processing of contractual or legal relationships (Art. 6 para. 1 lit. b GDPR), we offer other payment service providers in addition to the conventional banking/credit institutions. In the privacy policy of the individual payment providers (such as Amazon Payments, Apple Pay or Discover) you will find a detailed overview of data processing and data storage. In addition, you can always contact the responsible parties should you have any questions about data protection issues.

Provided it is available, you can find information on the special payment providers in the following sections.

PayPal Privacy Policy

PayPal Privacy Policy Overview
👥 Affected parties: website visitors
🤝 Purpose: optimising the payment process on our website
📓 Processed data: Data such as name, address, bank details (account number, credit card number, passwords, TANs, etc.), IP address, and contract data can be processed. More details on this can be found further below in this privacy policy.
📅 Storage period: data is usually stored until the collaboration with PayPal is terminated
⚖️ Legal basis: Art. 6 para. 1 lit. b GDPR (contract processing), Art. 6 para. 1 lit. a GDPR (consent)

What is PayPal?

We use the online payment service PayPal on our website. The service provider is the American company PayPal Inc. For the European region, the responsible entity is PayPal Europe (S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg).
With PayPal, all users can send and receive money electronically. The company was founded in 1998 and has since grown to become one of the most well-known and largest online payment service providers worldwide, boasting over 325 million active customers.

Why do we use PayPal for our website?

There are various reasons why we use and offer PayPal on our website. As one of the most recognized online payment providers, many of our website visitors use and trust this service. PayPal also provides high-security standards for digital money transfers, utilizing various encryption methods to protect your personal data. We also appreciate the user-friendly interface of PayPal and the ability to make international payments in different currencies. Transactions typically proceed quickly, benefiting both us and you as customers.

What data does PayPal process?

In its privacy policy, PayPal distinguishes various categories of personal data that may be processed through the use of the service. These include registration and contact details, identification and signature data, payment information, information about imported contacts, data from your account profile, device data such as your IP address, location data, and so-called derived data. Derived data includes information that can be derived from transactions or other data, such as purchasing habits, behavioral patterns, creditworthiness, or personal preferences.
Additionally, there are personal data collected by third parties (such as identity verification providers, fraud detection providers, or your bank). These data may include information from credit agencies, transaction data, information about legal regulations, technical usage data, location data, and derived data once again.

PayPal and its partners also use tracking technologies like cookies, pixel tags, web beacons, and widgets to recognize you as a user, customize content, and conduct analyses for interest-based advertising.

How long and where are the data stored?

In general, PayPal retains data for as long as necessary to fulfill its obligations and within the scope of the purpose. Personal data necessary for the customer relationship is kept for up to 10 years after the relationship ends. If PayPal is subject to a legal obligation, the retention period for personal data complies with the applicable law (e.g., insolvency law). PayPal also stores personal data for as long as necessary if retention is advisable for legal disputes.
As PayPal is a globally operating company, the service has data centers worldwide where your data may be stored. This means your data may be stored outside your country and outside the scope of the GDPR on PayPal servers.

How can I delete my data or prevent data storage?

You have the right to access, correct, delete, and restrict the processing of your personal data at any time. You can also revoke your consent to data processing at any time.
If you want to disable, delete, or manage cookies in general, you can find the corresponding links to the instructions for the most popular browsers in the “Cookies” section.

Legal Basis

We have a legitimate interest in integrating PayPal as an external payment service to make our offer more attractive and improve it technically and economically. The legal basis for this is Art. 6 para. 1 lit. f GDPR (Legitimate interests). Please note that you can only use PayPal if you enter into a contractual relationship with PayPal. In this case, it may be necessary to provide additional data protection and contractual declarations (e.g., consent).
PayPal processes data from you, among other places, in the USA. We would like to inform you that, according to the opinion of the European Court of Justice, there is currently no adequate level of protection for the transfer of data to the USA. This may entail various risks for the legality and security of data processing.

As the basis for data processing for recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, especially in the USA) or data transfers to such countries, PayPal uses so-called Standard Contractual Clauses (Art. 46 para. 2 and 3 GDPR). Standard Contractual Clauses (SCC) are model templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even when transferred and stored in third countries (such as the USA). Through these clauses, PayPal undertakes to comply with the European data protection level in processing your relevant data, even if the data is stored, processed, and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding Standard Contractual Clauses, among other things, here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

For more information on Standard Contractual Clauses and the data processed by using PayPal, please refer to the privacy policy at https://www.paypal.com/webapps/mpp/ua/privacy-full.

Explanation of the terminology used

We always strive to make our privacy policy as clear and comprehensible as possible. However, this is not always easy, especially when it comes to technical and legal matters. It is often sensible to use legal terms (such as ‘personal data)’ or certain technical terms (such as ‘cookies’ or ‘IP address’). But we don’t want to use such terms without any explanation. This is why you will find an alphabetical list of important terms used below. These are terms we may not yet have sufficiently explained in the privacy policy. In case we have adopted any of these terms from the GDPR which are definitions, we will also list the GDPR texts here and add our own further explanations if necessary.

Processor

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Explanation: As a company and a website owner, we are responsible for all your data we process (i. e. the ‘controller’). In addition to the controller, there may also be so-called processors. This includes any company or person who processes personal data on our behalf. In addition to service providers such as tax consultants, processors can also be hosting or cloud providers, payment or newsletter providers or large companies such as Google or Microsoft.

Consent

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

“consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Explanation: With websites, such consent is usually given via a cookie consent tool. You’ve most certainly come across these. Whenever you visit a website for the first time, you will usually be asked via a banner whether you agree or consent to the data processing. You can usually also make individual settings and thus decide for yourself which level of data processing you want to allow. If you do not give your consent, no personal data may be processed. Consent can of course also be given in writing, i.e. not via a tool.

Data concerning health

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

“Data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Explanation: Health data includes all stored information relating to your own health. It is often data that is also noted in patient files. This includes, for example, which medication you are using, X-rays, your entire medical history or your vaccination statuses.

Personal Data

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

“personenal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Explanation: Personal data is all data that can identify you as a person. This is usually data such as:

  • name
  • address
  • email address
  • postal address
  • phone number
  • birthday
  • identification numbers such as social security number, tax identification number, ID card number or matriculation number
  • banking data such as account number, credit information, account balances and more.

According to the European Court of Justice (ECJ), your IP address is also personal data. IT experts can use your IP address to determine at least the approximate location of your device and subsequently your location as the connection owner. Therefore, storing an IP address also requires a legal basis within the scope of the GDPR. There are also so-called “special categories” of personal data, which are particularly worthy of protection. These include:

  • racial and ethnic origin
  • political opinions
  • religious or ideological beliefs
  • Union membership
  • genetic data such as data obtained from blood or saliva samples
  • biometric data (this is information about psychological, physical or behavioural characteristics that can identify an individual).
    health Data
  • Data relating to sexual orientation or sex life

Profiling

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Explanation: Profiling collects various personal data about an individual in order to learn more about that individual. On the internet, profiling is often used for advertising purposes or for credit checks. Web and advertising analysis programs e. g. collect data about your behaviour and interests on a website. This results in a special user profile that can be used to target advertising to specific target groups.

Controller

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Explanation: In our example, we are responsible for the processing of your personal data and are therefore the “controller”. If we pass on collected data to other service providers for processing, they are considered “contract processors”. For this, a “Data Processing Agreement (DPA)” must be concluded.

Processing

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Note: When we talk about processing in our Privacy Policy, we talk about any type of data processing. As mentioned above in the original GDPR declaration, this includes not only the collection but also the storage and processing of data.

All texts are copyrighted.