Privacy Policy

Preamble

With the following Privacy Policy, we would like to inform you about the types of personal data (hereinafter also briefly referred to as "Data") that we process, for what purposes, and to what extent. This Privacy Policy applies to all processing of personal data carried out by us, both within the scope of providing our services and, in particular, on our websites, in mobile applications, as well as within external online presences—such as our social media profiles (hereinafter collectively referred to as the "Online Offering").

The terms used are not gender-specific.

Status: April 29, 2026

Legal text by Dr. Schwenke.

Responsible Party

tci - Gesellschaft für technische Informatik mbH
Ludwig-Rinn-Straße 10-14
D-35452 Heuchelheim / Gießen
Germany

Authorized Representatives: Dipl.-Ing. (FH) Jens Paul Becker and Bachelor Professional Metin Alpsoy

Email address: info@tci.de

Phone: +49 (0) 6 41/9 62 84-0

Legal Notice: https://www.tci.de/de/impressum

Contact for Data Protection Officer

QS-Kornmann GmbH
Sudetenstrasse 33
35625 Hüttenberg
Germany
Phone: 06403 9295287
Email: dsb@qs-kornmann.de

Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing, and identifies the data subjects concerned.

Types of Data Processed

  • Inventory data.
  • Employee data.
  • Payment data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication, and procedural data.
  • Applicant data.
  • Log data.
  • Creditworthiness data.

Categories of Data Subjects

  • Recipients of services and clients.
  • Employees.
  • Prospective customers.
  • Communication partners.
  • Users.
  • Applicants.
  • Business and contract partners.
  • Third parties.
  • Whistleblowers.

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Reach measurement.
  • Tracking.
  • Office and organizational procedures.
  • Remarketing.
  • Conversion measurement.
  • Audience formation.
  • Organizational and administrative procedures.
  • Application procedures.
  • Server monitoring and error detection.
  • Content Delivery Network (CDN).
  • Feedback.
  • Marketing.
  • Profiles containing user-related information.
  • Provision of our online offering and user-friendliness.
  • Assessment of creditworthiness and solvency.
  • Information technology infrastructure.
  • Whistleblower protection.
  • Financial and payment management.
  • Public relations.
  • Sales promotion.
  • Business processes and operational procedures.

Automated individual decision-making

  • Credit checks.

Relevant Legal Bases

Relevant legal bases under the GDPR: The following provides an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. Furthermore, should more specific legal bases be applicable in individual cases, we will inform you of these in the Privacy Policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given their consent to the processing of personal data concerning them for one or more specific purposes.
  • Contractual Performance and Pre-contractual Inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) – The processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures taken at the request of the data subject.
  • Legal Obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) – The processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests, fundamental rights, and fundamental freedoms of the data subject which require protection of personal data.
  • Application Procedures as a Pre-contractual or Contractual Relationship (Art. 6 para. 1 sentence 1 lit. b) GDPR) – Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g., health data, such as severe disability status or ethnic origin) are requested from applicants within the scope of the application procedure—in order to enable the controller or the data subject to fulfill their respective obligations arising from labor law and social security law and to exercise rights arising from social protection and fulfill his or her corresponding obligations, such processing is carried out pursuant to Art. 9 Para. 2 lit. b GDPR; in cases involving the protection of the vital interests of applicants or other persons, pursuant to Art. 9 Para. 2 lit. c GDPR; or for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, the provision of health or social care or treatment, or for the management of health or social care systems and services, pursuant to Art. 9 Para. 2 lit. h GDPR. In the event that special categories of data are voluntarily disclosed based on consent, such processing is carried out on the basis of Art. 9 Para. 2 lit. a GDPR.

National Data Protection Regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains, specifically, special provisions regarding the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and data transmission, as well as automated individual decision-making, including profiling. Furthermore, the data protection laws of the individual federal states may also apply.

Applicable Legal Basis for Data Processing under the Swiss Data Protection Act: If you are located in Switzerland, we process your data on the basis of the Federal Act on Data Protection (hereinafter referred to as the "Swiss FADP"). Unlike the GDPR, for example, the Swiss FADP generally does not require that a specific legal basis be cited for the processing of personal data; rather, it stipulates that the processing of personal data must be carried out in good faith, and must be lawful and proportionate (Art. 6, Paras. 1 and 2 of the Swiss FADP). Furthermore, we collect personal data solely for a specific purpose that is recognizable to the data subject, and we process it only in a manner compatible with that purpose (Art. 6, Para. 3 of the Swiss FADP).

Note on the Applicability of the GDPR and the Swiss DPA: These privacy notices serve to provide information in accordance with both the Swiss FADP and the General Data Protection Regulation (GDPR). For this reason, please note that—due to their broader territorial scope and general comprehensibility—we utilize the terminology of the GDPR. Specifically, instead of the terms used in the Swiss FADP—namely "processing" (*Bearbeitung*) of "personal data" (*Personendaten*), "overriding interest," and "particularly sensitive personal data"—we employ the corresponding terms used in the GDPR: "processing" (*Verarbeitung*) of "personal data" (*personenbezogene Daten*), as well as "legitimate interest" and "special categories of data." However, within the scope of applicability of the Swiss Data Protection Act (Swiss DPA), the legal meaning of these terms continues to be determined in accordance with the Swiss DPA.

Security Measures

In accordance with statutory requirements—and taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihoods of occurrence and the severity of the risk to the rights and freedoms of natural persons—we implement appropriate technical and organizational measures to ensure a level of protection commensurate with the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as controlling access, input, transmission, availability, and segregation of the data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data security incidents. Moreover, we incorporate the protection of personal data into the development and selection of hardware, software, and procedures—in accordance with the principles of data protection by design and by default—by means of technology design and privacy-friendly default settings.

Securing Online Connections via TLS/SSL Encryption Technology (HTTPS): To protect user data transmitted via our online services against unauthorized access, we utilize TLS/SSL encryption technology.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between a website or app and the user's browser (or between two servers), thereby protecting the data from unauthorized access. TLS—as the more advanced and secure version of SSL—ensures that all data transmissions comply with the highest security standards. When a website is secured by an SSL/TLS certificate, this is signaled by the display of "HTTPS" in the URL. This serves as an indicator to users that their data is being transmitted securely and in encrypted form.

Transmission of Personal Data

In the course of our processing of personal data, it may occur that such data is transmitted to—or disclosed to—other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers contracted to handle IT tasks, or providers of services and content integrated into a website. In such cases, we adhere to statutory requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

International Data Transfers

Data Processing in Third Countries: Insofar as we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if such transfer occurs in the context of using third-party services or through the disclosure or transmission of data to other individuals, entities, or companies (which can be identified by the postal address of the respective provider or if the privacy policy explicitly references data transfers to third countries), such transfers are always carried out in compliance with statutory requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the EU Commission dated July 10, 2023. Additionally, we have concluded Standard Contractual Clauses with the respective providers; these clauses comply with the requirements of the EU Commission and establish contractual obligations for the protection of your data.

This dual safeguard ensures comprehensive protection of your data: The DPF constitutes the primary layer of protection, while the Standard Contractual Clauses serve as an additional security measure. Should changes arise within the framework of the DPF, the Standard Contractual Clauses will serve as a reliable fallback option. In this way, we ensure that your data remains adequately protected at all times, even in the event of political or legal changes.

In the sections regarding individual service providers, we inform you whether they are certified under the DPF and whether Standard Contractual Clauses are in place.

Further information regarding the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, appropriate safeguards apply—specifically Standard Contractual Clauses, explicit consent, or transfers required by law. Information regarding third-country transfers and applicable adequacy decisions can be found in the information resources provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

Disclosure of Personal Data Abroad: In accordance with the Swiss Federal Act on Data Protection (FADP), we disclose personal data abroad only if adequate protection for the data subjects concerned is guaranteed (Art. 16 FADP). Unless the Federal Council has determined that adequate protection exists (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we implement alternative security measures.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by a Swiss adequacy decision dated September 15, 2024. Additionally, we have concluded Standard Data Protection Clauses with the respective providers; these clauses have been approved by the Federal Data Protection and Information Commissioner (FDPIC) and establish contractual obligations for the protection of your data.

This dual safeguard ensures comprehensive protection of your data: The DPF constitutes the primary layer of protection, while the Standard Data Protection Clauses serve as an additional security measure. Should any changes arise within the framework of the DPF, the Standard Data Protection Clauses step in as a reliable fallback option. In this way, we ensure that your data remains adequately protected at all times, even in the event of political or legal changes.

For each individual service provider, we provide information indicating whether they are certified under the DPF and whether Standard Data Protection Clauses are in place. The list of certified companies, as well as further information regarding the DPF, can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, appropriate safeguards apply, including international treaties, specific guarantees, Standard Contractual Clauses approved by the FDPIC, or Binding Corporate Rules previously recognized by the FDPIC or a competent data protection authority in another country.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with statutory provisions as soon as the underlying consents are revoked or no further legal basis for the processing exists. This applies to cases where the original purpose of processing ceases to apply or the data is no longer required. Exceptions to this rule exist where statutory obligations or specific interests require the longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons—or the storage of which is necessary for the enforcement of legal claims or for the protection of the rights of other natural or legal persons—must be archived accordingly.

Our privacy notices contain additional information regarding the retention and deletion of data that applies specifically to certain processing activities.

In cases where multiple specifications exist regarding the retention period or deletion deadlines for a specific piece of data, the longest period shall always prevail.

We process data that is no longer retained for its originally intended purpose—but rather due to statutory requirements or other reasons—solely for the specific reasons that justify its retention.

Data Retention and Deletion: The following general periods apply to data retention and archiving under German law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the work instructions and other organizational documents necessary for their comprehension (Section 147 Para. 1 No. 1 in conjunction with Para. 3 of the Fiscal Code [AO]; Section 14b Para. 1 of the Value Added Tax Act [UStG]; Section 257 Para. 1 No. 1 in conjunction with Para. 4 of the Commercial Code [HGB]).
  • 8 years – Accounting vouchers, such as invoices and expense receipts (Section 147 Para. 1 Nos. 4 and 4a in conjunction with Para. 3 Sentence 1 AO; and Section 257 Para. 1 No. 4 in conjunction with Para. 4 HGB).
  • 6 years – Other business records: commercial or business letters received; copies of commercial or business letters sent; and other documents insofar as they are relevant for taxation purposes, e.g., hourly wage slips, cost center accounting sheets, costing records, price tags, but also payroll records—insofar as they do not already constitute accounting vouchers—and cash register receipts (§ 147 Para. 1 Nos. 2, 3, 5 in conjunction with Para. 3 of the Tax Code [AO]; § 257 Para. 1 Nos. 2 & 3 in conjunction with Para. 4 of the Commercial Code [HGB]).
  • 3 years – Data required to address potential warranty and compensation claims, or similar contractual claims and rights, as well as to handle related inquiries—based on past business experience and customary industry practices—are retained for the duration of the regular statutory limitation period of three years (§§ 195, 199 of the Civil Code [BGB]).

Data Retention and Deletion: The following general periods apply to data retention and archiving under Swiss law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting vouchers, and invoices, as well as all necessary work instructions and other organizational documents (Art. 958f of the Swiss Code of Obligations [OR]).
  • 10 years – Data necessary to address potential compensation claims or similar contractual claims and rights, as well as to handle related inquiries—based on past business experience and the customary industry practices, are retained for the duration of the statutory limitation period of ten years, unless a shorter period of five years applies—which is relevant in certain specific cases (Art. 127, 130 OR). Upon the expiration of five years, claims for rent, lease payments, and interest on capital—as well as other periodic payments; claims arising from the supply of foodstuffs, from board and lodging, and from tavern debts; and claims arising from manual labor, the retail sale of goods, medical services, professional services rendered by lawyers, legal agents, attorneys, and notaries, as well as from employment relationships—become time-barred (Art. 128 OR).

Commencement of the Period at Year-End: If a period does not expressly begin on a specific date and amounts to at least one year, it automatically commences at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships within the framework of which data is stored, the event triggering the time limit is the point in time at which the termination—or other cessation—of the legal relationship becomes effective.

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which derive in particular from Articles 15 to 21 of the GDPR:

  • Right to Object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is associated with such direct marketing.
  • Right to withdraw consent: You have the right to withdraw any consent you have given at any time.
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed, and to obtain access to such data, as well as to receive further information and a copy of the data in accordance with statutory requirements.
  • Right to rectification: In accordance with statutory requirements, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.
  • Right to erasure and restriction of processing: In accordance with statutory requirements, you have the right to request that data concerning you be erased without undue delay, or, alternatively—also in accordance with statutory requirements—to request a restriction of the processing of such data.
  • Right to data portability: In accordance with statutory requirements, you have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, or to request the transmission of such data to another controller.
  • Right to lodge a complaint with a supervisory authority: In accordance with statutory requirements—and without prejudice to any other administrative or judicial remedy—you also have the right to lodge a complaint with a data protection supervisory authority; specifically, with a supervisory authority in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates the GDPR.

Rights of Data Subjects under the Swiss DSG:

As a data subject, you are entitled to the following rights in accordance with the provisions of the Swiss DSG:

  • Right of Access: You have the right to request confirmation as to whether personal data concerning you is being processed, and to receive the information necessary to enable you to exercise your rights under this Act and to ensure transparent data processing.
  • Right to Data Disclosure or Transfer: You have the right to request the disclosure of the personal data you have provided to us in a commonly used electronic format.
  • Right to Rectification: You have the right to request the rectification of inaccurate personal data concerning you.
  • Right to Object, Delete, and Destroy: You have the right to object to the processing of your data, as well as to request that personal data concerning you be deleted or destroyed.

Business Services

We process the personal data of our contractual and business partners—such as customers, clients, prospective clients, suppliers, and other cooperation partners (collectively referred to as "Contractual Partners")—for the initiation, execution, and settlement of contractual relationships as well as comparable legal relationships. This also encompasses pre-contractual measures undertaken at your request, as well as communication related to the respective contractual relationship.

The processing serves, in particular, the fulfillment of our primary and ancillary contractual obligations. This includes the provision of the agreed-upon services, any updating and information obligations; the handling of warranty claims and other performance disruptions; the processing of contract revocations, terminations of long-term contractual relationships, contract reversals, and refunds; as well as the processing of other contract-related declarations and inquiries. This covers both one-off contracts and ongoing contractual relationships.

Specifically, we process master data—such as name, address, and (where applicable) company name—as well as contact data (e.g., email address and telephone number), contract and performance data (e.g., subject matter of the contract, contract duration, order or transaction numbers), usage and service data, payment and billing data, and communication content and histories. To the extent necessary, we also process data that is disclosed or transmitted to us in the context of executing an order.

Furthermore, we process this data to safeguard our rights and to fulfill statutory obligations. This includes, in particular, retention obligations under commercial and tax law, documentation obligations, and—where applicable—record-keeping and accountability obligations. Additionally, processing is carried out based on our legitimate interests in proper business management, internal administration, risk management, and IT security, as well as in protecting our business operations and our contractual partners against misuse, data breaches, the compromise of trade secrets, and other infringements of legal rights.

This may also involve the engagement of external service providers—such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax and legal advisors, or other agents—insofar as this is necessary for the performance of the contract or for the fulfillment of legal obligations.

Personal data is transferred to third parties exclusively to the extent necessary for the fulfillment of the contract, the implementation of pre-contractual measures, the safeguarding of legitimate interests, or the fulfillment of legal obligations. We provide separate information regarding any processing beyond these purposes—particularly for marketing purposes—within the scope of this Privacy Policy.

We inform our contractual partners, at the time of data collection, as to which specific data is required in each individual case—for instance, by means of appropriate labeling in online forms or during personal interactions.

Data is deleted as soon as it is no longer required for the aforementioned purposes and provided that no statutory retention obligations preclude such deletion. Statutory retention periods—particularly those under commercial and tax law—may necessitate longer storage periods.

We delete data transmitted in the context of a specific order following the completion of the order and the expiration of any applicable retention periods, provided that no further statutory or contractual obligations to retain the data exist.

The legal basis for the processing is Art. 6 Para. 1 lit. b GDPR, for the implementation of pre-contractual measures and the fulfillment of the respective contractual relationship, as well as Art. 6 Para. 1 lit. c GDPR, for the fulfillment of statutory obligations. Insofar as the processing is based on legitimate interests, it is carried out pursuant to Art. 6 Para. 1 lit. f GDPR. Where processing is based on Art. 6 Para. 1 lit. f GDPR, it is carried out to safeguard our legitimate interests in proper and efficient business organization, the internal administration and documentation of business processes, the assertion and defense of legal claims, the assurance of IT and data security, the prevention of misuse and fraud, as well as the economic management and further development of our business operations. These interests consist, in particular, of ensuring secure and legally compliant business operations, as well as maintaining our operational capacity.

  • Types of data processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses, or telephone numbers). Contract data (e.g., subject matter of the contract, term, customer category).
  • Data subjects: Service recipients and clients; prospective customers. Business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; communication; office and organizational procedures; organizational and administrative procedures. Business processes and commercial procedures.
  • Retention and Deletion: Deletion in accordance with the details provided in the section "General Information on Data Storage and Deletion."
  • Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR); Legal obligation (Art. 6 Para. 1 S. 1 lit. c) GDPR). Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).

Further Information on Processing Operations, Procedures, and Services:

  • Technical Services: We process the data of our customers and clients (hereinafter collectively referred to as "Customers") in order to enable them to select, acquire, or commission their chosen services or works—as well as associated activities—and to facilitate the payment, provision, execution, or delivery thereof.

    The required information is identified as such during the ordering, purchasing, or comparable contract conclusion process; it comprises the details necessary for service provision and billing, as well as contact information to facilitate any necessary follow-up inquiries. Insofar as we gain access to information regarding end customers, employees, or other individuals, we process such information in compliance with statutory and contractual requirements; Legal Basis: Contract performance and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR).

Business Processes and Procedures

Personal data of service recipients and clients—including customers, clients, or in specific cases mandates, patients, or business partners, as well as other third parties—are processed within the scope of contractual and comparable legal relationships, as well as pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business operations in areas such as customer management, sales, payment processing, accounting, and project management.

The collected data serve to fulfill contractual obligations and to ensure the efficient design of operational processes. This includes the handling of business transactions, customer relationship management, the optimization of sales strategies, and the safeguarding of internal accounting and financial processes. Additionally, the data support the protection of the Controller's rights and facilitate administrative tasks as well as the organization of the company.

Personal data may be disclosed to third parties insofar as this is necessary for the fulfillment of the aforementioned purposes or for compliance with legal obligations. Upon the expiration of statutory retention periods, or once the purpose of the processing ceases to exist, the data will be deleted. This also includes data that must be retained for longer periods due to tax law and statutory record-keeping obligations.

  • Types of Data Processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or visual messages and posts, as well as information relating to them, such as details regarding authorship or time of creation); Contract data (e.g., subject matter of the contract, term, customer category); Log data (e.g., log files regarding logins, data retrieval, or access times); Usage data (e.g., page views and duration of visit, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties); Employee data (information regarding employees and other persons in an employment relationship).
  • Data Subjects: Service recipients and clients; Prospective customers; Communication partners; Business and contractual partners; Third parties; Users (e.g., website visitors, users of online services). Employees (e.g., salaried staff, applicants, temporary workers, and other personnel).
  • Purposes of Processing and Legitimate Interests: Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; business processes and commercial management procedures; communication; marketing; abs...grant funding; financial and payment management. IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)).
  • Retention and Deletion: Deletion in accordance with the details provided in the section "General Information on Data Storage and Deletion."
  • Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 lit. f) GDPR). Legal obligation (Art. 6 para. 1 lit. c) GDPR).

Further Information on Processing Processes, Procedures, and Services:

  • Contact Management and Maintenance: Procedures required for the organization, maintenance, and security of contact information (e.g., the establishment and maintenance of a central contact database, regular updates to contact information, monitoring of data integrity, implementation of data protection measures, ensuring access controls, performing backups and restorations of contact data, training employees on the effective use of contact management software, regular review of communication history, and adjustment of contact strategies);
  • General Payment Transactions: Procedures required for the execution of payment transactions, the monitoring of bank accounts, and the control of payment flows (e.g., creation and verification of bank transfers, processing of direct debits, review of bank statements, monitoring of incoming and outgoing payments, direct debit return management, account reconciliation, cash management); Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Accounting, Accounts Payable, Accounts Receivable: Procedures required for the recording, processing, and verification of business transactions within the scope of accounts payable and accounts receivable (e.g., creation and verification of incoming and outgoing invoices, monitoring and management of open items, execution of payment transactions, handling of dunning procedures, account reconciliation regarding receivables and liabilities, accounts payable and accounts receivable accounting); Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Financial Accounting and Taxes: Procedures required for the recording, management, and monitoring of financially relevant business transactions, as well as for the calculation, reporting, and payment of taxes (e.g., account assignment and posting of business transactions, preparation of quarterly and annual financial statements, execution of payment transactions, handling of dunning procedures, account reconciliation, tax consulting, preparation and submission of tax returns, administration of tax affairs); Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Purchasing: Procedures required for the procurement of goods, raw materials, or services (e.g., supplier selection and evaluation, price negotiations, order placement and monitoring, inspection and verification of deliveries, invoice verification, order management, inventory management, creation and maintenance of purchasing guidelines); Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 lit. f) GDPR).
  • Sales: Processes required for the planning, execution, and monitoring of measures for the marketing and sale of products or services (e.g., customer acquisition, quotation generation and follow-up, order processing, customer consultation and support, sales promotion, product training, sales controlling and analysis, management of sales channels); Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Marketing, Advertising, and Sales Promotion: Processes required within the scope of marketing, advertising, and sales promotion (e.g., market analysis and target group determination, development of marketing strategies, planning and execution of advertising campaigns, design and production of advertising materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programs, sales promotion measures, performance measurement and optimization of marketing activities, budget management and cost control); Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Credit Checks

Insofar as we provide services in advance or incur comparable financial risks (e.g., when accepting orders on account), we reserve the right—in order to safeguard our legitimate interests—to obtain identity and creditworthiness information from specialized service providers (credit agencies) for the purpose of assessing credit risk, based on mathematical-statistical methods.

We process the information received from the credit agencies regarding the statistical probability of payment default as part of a reasonable discretionary decision concerning the establishment, execution, and termination of the contractual relationship.

We reserve the right, in the event of a negative result from a creditworthiness check, to refuse payment by invoice or any other form of advance performance. The decision as to whether we provide advance performance is made—in accordance with statutory requirements—solely on the basis of an automated individual decision carried out by our software, utilizing information obtained from a credit reference agency. In cases where we obtain the express consent of our contractual partners, the legal basis for obtaining creditworthiness information and transmitting the customer's data to credit reference agencies is that consent. If no such consent is obtained, the creditworthiness check is carried out on the basis of our legitimate interests in ensuring the security of our payment claims against default.
  • Types of Data Processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses, or telephone numbers); Contract data (e.g., subject matter of the contract, term, customer category). Creditworthiness data (e.g., obtained credit score, estimated probability of default, risk classification based thereon, historical payment behavior).
  • Data Subjects: Recipients of services and clients; prospective customers. Business and contractual partners.
  • Purposes of processing and legitimate interests: Assessment of credit standing and creditworthiness.
  • Retention and deletion: Deletion in accordance with the details provided in the section "General Information on Data Storage and Deletion."
  • Legal bases: Consent (Art. 6 para. 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 lit. f) GDPR).
  • Automated decision-making in individual cases: Credit information (decision based on a credit check).

Provision of the Online Offering and Web Hosting

We process user data in order to make our online services available to them. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

  • Types of data processed: Usage data (e.g., page views and duration of visit, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties); Log data (e.g., log files regarding logins, data retrieval, or access times).
  • Content data (e.g., text-based or visual messages and posts, as well as information relating to them, such as details regarding authorship or time of creation).
  • Affected Persons: Users (e.g., website visitors, users of online services).
  • Purposes of Processing and Legitimate Interests: Provision of our online offering and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures; Content Delivery Network (CDN); Server monitoring and error detection.
  • Retention and Deletion: Deletion in accordance with the details provided in the section "General Information on Data Storage and Deletion."
  • Legal Bases: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).

Further Information on Processing Processes, Procedures, and Services:

  • Provision of Online Offering on Rented Storage Space: To provide our online offering, we utilize storage space, computing capacity, and software that we rent or otherwise procure from a corresponding server provider (also referred to as a "web host"); Legal Bases: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).
  • Collection of Access Data and Log Files: Access to our online offering is logged in the form of so-called "server log files." Server log files may include the address and name of the accessed web pages and files, the date and time of access, the volume of data transferred, a notification regarding successful access, the browser type and version, the user's operating system, the Referrer URL (the previously visited page), and—typically—IP addresses and the requesting provider. Server log files may be used, on the one hand, for security purposes—e.g., to prevent server overload (particularly in the event of malicious attacks, so-called DDoS attacks), and, on the other hand, to ensure server capacity and stability; Legal Basis: Legitimate interests (Art. 6 para. 1 lit. f) GDPR). Data Deletion: Log file information is stored for a maximum period of 30 days and is subsequently deleted or anonymized. Data that must be retained for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.
  • Cloudflare: Content Delivery Network (CDN) service used to deliver content from an online offering—specifically large media files such as graphics or program scripts—more quickly and securely by utilizing regionally distributed servers connected via the Internet; Service Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal Basis: Legitimate interests (Art. 6 para. 1 lit. f) GDPR); Website: https://www.cloudflare.com; Privacy Policy: https://www.cloudflare.com/privacypolicy/; Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for Third-Country Transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.cloudflare.com/cloudflare-customer-scc/); Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.cloudflare.com/cloudflare-customer-scc/).
  • New Relic: Server monitoring and error detection; Service Provider: New Relic, Inc. Attn: Legal Department, 188 Spear Street, Suite 1200, San Francisco, CA 94105, USA; Legal Bases: Legitimate interests (Art. 6 para. 1 lit. f) GDPR); Website: https://newrelic.com; Security Measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://newrelic.com/termsandconditions/privacy; Data Processing Agreement: https://newrelic.com/termsandconditions/terms; Basis for Third-Country Transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (Provided by the service provider); Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (Provided by the service provider). Data Deletion: Aggregated data is deleted after three months, and pseudonymized data after seven days.

Use of Cookies

The term "cookies" refers to functions that store information on users' end devices and retrieve it from them. Furthermore, cookies may be used for various purposes—for instance, to ensure the functionality, security, and user-friendliness of online services, as well as to generate analyses of visitor traffic. We use cookies in compliance with statutory regulations. To this end, we obtain users' prior consent where required. If consent is not necessary, we rely on our legitimate interests as the legal basis. This applies in cases where the storage and retrieval of information are essential for providing content and functions explicitly requested by the user. Examples include saving user settings and ensuring the functionality and security of our online services. Consent may be revoked at any time. We provide clear information regarding the scope of such consent and the specific cookies being utilized.

Notes on Legal Bases for Data Protection: Whether we process personal data using cookies depends on the existence of user consent. If consent has been granted, it serves as the legal basis for such processing. In the absence of consent, we rely on our legitimate interests, as explained above in this section and within the context of the respective services and procedures.

Storage Duration: With regard to storage duration, the following types of cookies are distinguished:

  • Temporary Cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their device (e.g., browser or mobile application).
  • Permanent Cookies: Permanent cookies remain stored even after the device has been closed. This allows, for example, the login status to be saved and preferred content to be displayed directly when the user revisits a website. Similarly, user data collected using cookies may be used for audience measurement purposes. Unless we provide users with explicit details regarding the type and retention period of cookies (e.g., during the consent collection process), users should assume that these are permanent and that the retention period may last up to two years.

General Information on Revocation and Objection (Opt-out): Users may revoke any consents they have granted at any time and may also object to the processing of their data in accordance with statutory requirements—including by utilizing their browser's privacy settings.

  • Types of Data Processed: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Legal Bases: Legitimate interests (Art. 6 para. 1 lit. f) GDPR). Consent (Art. 6 para. 1 lit. a) GDPR).

Further Information on Processing Operations, Procedures, and Services:

  • Processing of Cookie Data Based on Consent: We utilize a consent management solution to obtain user consent for the use of cookies, or for the specific procedures and providers identified within the scope of said consent management solution. This process serves to facilitate the collection, logging, management, and revocation of consents—specifically regarding the deployment of cookies and similar technologies used to store, access, and process information on users' end devices. As part of this process, user consent is obtained for the use of cookies and the associated processing of information—including the specific processing activities and providers identified within the consent management procedure. Users also have the option to manage and revoke their consent. Consent declarations are stored to avoid the need for repeated requests and to enable the demonstration of consent in accordance with statutory requirements. The storage is carried out server-side and/or in a cookie (a so-called "opt-in cookie") or by means of comparable technologies, in order to be able to attribute the consent to a specific user or their device. Insofar as no specific details regarding the providers of consent management services are provided, the following general notes apply: The duration of the storage of the consent is up to two years. In this process, a pseudonymous user identifier is created, which is stored together with the time of consent, details regarding the scope of the consent (e.g., relevant categories of cookies and/or service providers), as well as information about the browser, the system, and the end device used; Legal Bases: Consent (Art. 6 Para. 1 S. 1 lit. a) GDPR).
  • Usercentrics: Storage and management of consents (agreement to cookies and data processing), logging of user decisions, display of notices regarding data protection and cookies, enabling users to revoke or adjust their consents; Service Provider: Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany; Website: https://usercentrics.com/de/. Privacy Policy: https://usercentrics.com/de/datenschutzerklaerung/.

Contact and Inquiry Management

When contacting us (e.g., by post, contact form, email, telephone, or via social media), as well as within the context of existing user and business relationships, the details provided by the inquiring persons are processed insofar as this is necessary to respond to contact inquiries and any requested measures.

  • Types of data processed: Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or visual messages and posts, as well as information relating to them, such as details regarding authorship or time of creation). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Persons concerned: Communication partners.
  • Purposes of processing and legitimate interests: Communication; Organizational and administrative procedures; Feedback (e.g., collecting feedback via online form). Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion in accordance with the details provided in the section "General Information on Data Storage and Deletion."
  • Legal bases: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR). Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 lit. b) GDPR).

Further information regarding processing processes, procedures, and services:

  • Contact Form: When you contact us via our contact form, by email, or through other communication channels, we process the personal data transmitted to us in order to respond to and handle your specific inquiry. This typically includes details such as your name, contact information, and—where applicable—any other information you provide that is necessary for us to adequately address your request. We use this data exclusively for the stated purpose of establishing contact and facilitating communication; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 lit. f) GDPR).

Chatbots and Chat Functions

We offer online chats and chatbot functions as a means of communication (collectively referred to as "Chat Services"). A chat constitutes an online conversation conducted in near real-time. A chatbot is a software program designed to answer user questions or provide users with information via messages. If you utilize our chat functions, we may process your personal data.

If you use our Chat Services within the context of an online platform, your unique identification number associated with that specific platform will also be stored. We may also collect information regarding which users interact with our Chat Services, and at what times. Furthermore, we store the content of your conversations conducted via the Chat Services and log registration and consent processes in order to provide proof of compliance with statutory requirements.

We wish to inform users that the respective platform provider may determine that—and when—users communicate via our chat services; furthermore, the provider may collect technical information regarding the device used by the user, as well as—depending on the device’s settings—location information (so-called metadata) for the purposes of optimizing the respective services and ensuring security. Additionally, metadata pertaining to communications conducted via chat services (e.g., information regarding who communicated with whom) may be utilized by the respective platform providers—in accordance with their terms and conditions, to which we refer for further details—for marketing purposes or for the display of advertisements tailored to the user.

Should users opt in via a chatbot to receive regular informational messages, they retain the option to unsubscribe from such messages at any time with future effect. The chatbot will provide users with instructions on how to unsubscribe from these messages, including the specific commands required to do so. Upon unsubscribing from the chatbot messages, the user’s data will be deleted from the list of message recipients.

We utilize the aforementioned information to operate our chat services, e.g., to address users personally, to answer their inquiries, to transmit any requested content, and also to improve our chat services (e.g., to "teach" chatbots answers to frequently asked questions or to identify unanswered inquiries).

Notes on Legal Bases: We utilize chat services based on consent in cases where we have previously obtained the users' permission for the processing of their data within the scope of our chat services (this applies to instances where users are asked for their consent—e.g., to allow a chatbot to send them regular messages). Insofar as we utilize chat services to answer user inquiries regarding our services or our company, this is done for the purpose of contractual and pre-contractual communication. Furthermore, we utilize chat services based on our legitimate interests in optimizing the chat services, ensuring their economic efficiency, and enhancing the positive user experience.

Revocation, Objection, and Deletion: You may revoke any given consent or object to the processing of your data within the scope of our chat services at any time.

  • Types of Data Processed: Contact data (e.g., postal and email addresses, or telephone numbers); Content data (e.g., text-based or image-based messages and posts, as well as information pertaining to them—such as details regarding authorship or time of creation); Usage data (e.g., page views and duration of visit, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contract data (e.g., subject matter of the contract, term, customer category). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved parties).
  • Data Subjects: Communication partners; Users (e.g., website visitors, users of online services). Business and contractual partners.
  • Purposes of Processing and Legitimate Interests: Communication; Provision of contractual services and fulfillment of contractual obligations; Marketing. Provision of our online offering and user-friendliness.
  • Retention and Deletion: Deletion in accordance with the details provided in the section "General Information on Data Storage and Deletion."
  • Legal Bases: Consent (Art. 6 para. 1 lit. a) GDPR); Contractual performance and pre-contractual inquiries (Art. 6 para. 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 lit. f) GDPR).

Further Notes on Processing Processes, Procedures, and Services:

Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter referred to as "Newsletters") exclusively with the consent of the recipients or on the basis of a legal ground. If the content of the newsletter is specifically described during the registration process, this description is authoritative for the users' consent. To subscribe to our newsletter, providing your email address is usually sufficient. However, in order to provide you with personalized service, we may request your name—for instance, to address you personally in the newsletter—or ask for additional information, should this be necessary for the specific purpose of the newsletter.

Deletion and Restriction of Processing: We may retain the email addresses of subscribers who have unsubscribed for up to three years—based on our legitimate interests—before deleting them, in order to be able to provide proof of any consent previously granted. The processing of this data is restricted solely to the purpose of potentially defending against legal claims. You may request the individual deletion of your data at any time, provided that you simultaneously confirm the prior existence of your consent. In cases where we are under an obligation to permanently honor an objection (opt-out), we reserve the right to retain the email address—solely for this specific purpose—within a suppression list (a so-called "blocklist").

The logging of the registration process is carried out based on our legitimate interests, for the purpose of demonstrating that the process was conducted properly. Insofar as we engage a service provider to handle the dispatch of emails, this is done based on our legitimate interests in maintaining an efficient and secure email delivery system.

Content:

Information regarding us, our services, promotions, and offers.

  • Types of Data Processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses, or telephone numbers); Metadata, communication data, and process data (e.g., IP addresses, timestamps, identification numbers, parties involved). Usage data (e.g., page views and duration of visit, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Data Subjects: Communication partners.
  • Purposes of Processing and Legitimate Interests: Direct marketing (e.g., via email or postal mail).
  • Legal Bases: Consent (Art. 6 para. 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 lit. f) GDPR).
  • Right to Object (Opt-Out): You may unsubscribe from our newsletter at any time—i.e., revoke your consent or object to receiving further issues. You will find a link to unsubscribe from the newsletter either at the end of every newsletter issue, or you may use one of the contact options provided above—preferably email—to do so.

Further Information on Processing Activities, Procedures, and Services:

  • Measurement of Open and Click-Through Rates: The newsletters contain a so-called "web beacon"—a pixel-sized file that is retrieved from our server (or that of our email service provider, should we utilize one) when the newsletter is opened. As part of this retrieval process, technical information—such as details regarding your browser and operating system—as well as your IP address and the time of access are initially collected. This information is used for the technical improvement of our newsletter—based on technical data, target groups, and their reading behavior—on the basis of their access locations (which can be determined using the IP address) or access times. This analysis also includes determining whether and when newsletters are opened, and which links are clicked. The collected information is assigned to individual newsletter recipients and stored in their profiles until deleted. Based on this data, user profiles are created in which usage behavior and user characteristics are stored. The measurement of open and click-through rates, as well as the storage of these measurement results in user profiles and their subsequent processing, are carried out on the basis of user consent. Unfortunately, it is not possible to separately withdraw consent for this performance measurement; in such cases, the entire newsletter subscription must be cancelled or objected to. In that event, the stored profile information will be deleted; Legal Basis: Consent (Art. 6 para. 1 lit. a) GDPR).
  • HubSpot Email Marketing: Sending of emails, creation of personalized campaigns, workflow automation, audience segmentation, integration with CRM systems, performance analysis via reports and dashboards; Service Provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland; Legal Basis: Legitimate Interests (Art. 6 para. 1 lit. f) GDPR); Website: https://www.hubspot.com/products/marketing/email; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for Third-Country Transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa); Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).

Web Analytics, Monitoring, and Optimization

Web analytics (also referred to as "reach measurement") serves to evaluate visitor flows within our online offering; it may encompass visitor behavior, interests, or demographic information—such as age or gender—in the form of pseudonymized values. Through reach analysis, we can, for example, identify the times at which our online offering—or specific features and content within it—are most frequently accessed or revisited. Likewise, this enables us to determine which areas require optimization.

In addition to web analytics, we may also employ testing procedures—for instance, to test and optimize different versions of our online offering or its individual components.

Unless otherwise specified below, profiles—i.e., data aggregated to represent a specific usage session—may be created for these purposes; furthermore, information may be stored in, and subsequently retrieved from, a browser or end device. The data collected includes, in particular, websites visited and the elements utilized thereon, as well as technical information such as the browser and computer system used, and details regarding usage times. If users have consented to the collection of their location data—either by us or by the providers of the services we employ—the processing of such location data may also take place.

Furthermore, users' IP addresses are stored. However, we utilize an IP masking procedure (i.e., pseudonymization through the truncation of the IP address) to protect our users. Generally, within the scope of web analytics, A/B testing, and optimization, no clear data regarding users (such as email addresses or names) is stored; instead, pseudonyms are used. This means that neither we nor the providers of the software we employ know the actual identities of the users, but rather only the information stored in their profiles for the specific purposes of the respective procedures.

Information on Legal Bases: In instances where we request users' consent for the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., our interest in providing efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information regarding the use of cookies in this Privacy Policy.

  • Types of Data Processed: Usage data (e.g., page views and duration of visit, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing and Legitimate Interests: Reach measurement (e.g., access statistics, detection of returning visitors); Profiles containing user-related information (creation of user profiles); Tracking (e.g., interest-based/behavioral profiling, use of cookies); Conversion measurement (measuring the effectiveness of marketing measures); Marketing; Remarketing. Provision of our online offering and user-friendliness.
  • Retention and Deletion: Deletion in accordance with the details provided in the section "General Information on Data Storage and Deletion." Storage of cookies for up to 2 years (Unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years).
  • Security Measures: IP masking (pseudonymization of the IP address).
  • Legal Bases: Consent (Art. 6 Para. 1 S. 1 lit. a) GDPR). Legitimate Interests (Art. 6 para. 1 lit. f) GDPR).

Further information regarding processing activities, procedures, and services:

  • HubSpot Analytics: Web analytics, reach measurement, and analysis of user behavior regarding usage and interests concerning features and content, as well as duration of use, based on a pseudonymous user ID and profiling; Service Provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland; Legal Bases: Consent (Art. 6 para. 1 lit. a) GDPR); Website: https://www.hubspot.com/products/marketing/analytics; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for Third-Country Transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa); Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).
  • HubSpot Marketing Hub: Email marketing, lead generation, marketing automation, analysis of campaign performance, management of social media interactions, creation and optimization of landing pages, as well as contact management; Service Provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland; Legal Bases: Consent (Art. 6 para. 1 lit. a) GDPR); Website: https://www.hubspot.de; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for Third-Country Transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa); Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).
  • Google Ads and Conversion Measurement: Online marketing methods used for the purpose of placing content and advertisements within the service provider's advertising network (e.g., in search results, in videos, on websites, etc.), such that they are displayed to users who have a presumed interest in the advertisements. Furthermore, we measure the conversion of the advertisements—i.e., whether users were prompted to interact with the ads and utilize the advertised offers (so-called conversions). However, we receive only anonymous information and no personal information about individual users; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6 para. 1 lit. a) GDPR), Legitimate Interests (Art. 6 para. 1 lit. f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); Further Information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and Standard Contractual Clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.
  • Google Ads Remarketing: Google Remarketing—also known as retargeting—is a technology used to add users who utilize an online service to a pseudonymous remarketing list, thereby enabling advertisements to be displayed to these users on other online platforms based on their visit to the online service; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Consent (Art. 6 para. 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); Further Information: Types of processing and data processed: https://business.safety.google/adsservices/. Data Processing Terms between Controllers and Standard Contractual Clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.
  • Enhanced Conversions for Google Ads: If users click on our Google ads and subsequently utilize the advertised service (a so-called "conversion"), data entered by the user—such as their email address, name, residential address, or telephone number—may be transmitted to Google. These hash values are then matched against existing Google accounts of the users in order to better evaluate and improve user interactions with the ads (e.g., clicks or views) and, consequently, the performance of the ads; Legal Basis: Consent (Art. 6 para. 1 lit. a) GDPR). Website: https://support.google.com/google-ads/answer/9888656.

Social Media Presences (Social Media)

We maintain online presences within social networks and, in this context, process user data in order to communicate with users active there or to offer information about ourselves.

We wish to point out that, in this process, user data may be processed outside the European Union. This may give rise to risks for users—for instance, because the enforcement of user rights could be rendered more difficult.

Furthermore, user data within social networks is typically processed for market research and advertising purposes. For example, usage profiles may be created based on user behavior and the resulting interests of the users. These profiles may, in turn, be used to place advertisements—both within and outside the networks—that are presumed to align with the users' interests. Consequently, cookies are typically stored on users' computers to record their usage behavior and interests. Additionally, data may be stored in these usage profiles independently of the devices used by the users (particularly if they are members of the respective platforms and are logged in there).

For a detailed description of the respective forms of processing and the available options to object (opt-out), we refer you to the privacy policies and information provided by the operators of the respective networks.

Furthermore, in the event of requests for information or the exercise of data subject rights, we wish to point out that such requests are most effectively addressed directly to the providers. Only the latter have access to the user data in each case and are able to take appropriate measures or provide information directly. Should you nevertheless require assistance, you are welcome to contact us.

  • Types of Data Processed: Contact data (e.g., postal and email addresses, or telephone numbers); Content data (e.g., textual or visual messages and posts, as well as information pertaining to them, such as details regarding authorship or time of creation); Usage data (e.g., page views and duration of visit, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing and Legitimate Interests: Communication; Feedback (e.g., collecting feedback via online forms). Public relations.
  • Retention and Deletion: Deletion in accordance with the details provided in the section "General Information on Data Storage and Deletion."
  • Legal Bases: Legitimate interests (Art. 6 para. 1 lit. f) GDPR).

Further Information on Processing Activities, Procedures, and Services:

  • Facebook Pages: Profiles within the social network Facebook – The Controller is jointly responsible, together with Meta Platforms Ireland Limited, for the collection and transmission of data regarding visitors to our Facebook Page ("Fanpage"). This includes, in particular, information on user behavior (e.g., content viewed or interacted with, actions performed) as well as device information (e.g., IP address, operating system, browser type, language settings, cookie data). Further details regarding this can be found in the Facebook Data Policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical analyses via the "Page Insights" service, which offer insights into how individuals interact with our Page and its content. The basis for this is an agreement with Facebook ("Information on Page Insights": https://www.facebook.com/legal/terms/page_controller_addendum), which regulates—among other things—security measures as well as the exercise of data subject rights. Further information can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Users may therefore address requests for access to or deletion of data directly to Facebook. Users' rights (in particular the rights of access, deletion, objection, and lodging a complaint with a supervisory authority) remain unaffected by this. Joint responsibility is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited is solely responsible for any further processing, including any potential transfer to Meta Platforms Inc. in the USA; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate interests (Art. 6 para. 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. 
    Basis for Third-Country Transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum); Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
  • LinkedIn: Social Network – Together with LinkedIn Ireland Unlimited Company, we are jointly responsible for the collection (though not the subsequent processing) of data regarding visitors used to generate the "Page Insights" (statistics) for our LinkedIn profiles. This data includes information regarding the types of content users view or interact with, as well as the actions they take. Furthermore, details regarding the devices used are collected—such as IP addresses, operating system, browser type, language settings, and cookie data—along with information derived from user profiles, such as job function, country, industry, seniority level, company size, and employment status. Information regarding LinkedIn's processing of user data can be found in LinkedIn's Privacy Policy: https://www.linkedin.com/legal/privacy-policy.
    We have entered into a specific agreement with LinkedIn Ireland (the "Page Insights Joint Controller Addendum," https://legal.linkedin.com/pages-joint-controller-addendum), which specifically stipulates the security measures LinkedIn must observe and in which LinkedIn has agreed to fulfill the rights of data subjects (i.e., users may, for example, direct requests for access or deletion directly to LinkedIn). Users' rights (specifically the right to access, deletion, objection, and to lodge a complaint with the competent supervisory authority) are not restricted by the agreements with LinkedIn. This joint responsibility is limited to the collection and transmission of data to LinkedIn Ireland Unlimited Company, a company based in the EU. The further processing of data lies exclusively with LinkedIn Ireland Unlimited Company, particularly regarding the transfer of data to its parent company, LinkedIn Corporation, in the USA; Service Provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Dublin 2, Ireland; Legal Bases: Legitimate interests (Art. 6 para. 1 lit. f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for Third-Country Transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa); Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa). Opt-Out Option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • YouTube: Social network and video platform; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Legitimate interests (Art. 6 para. 1 lit. f) GDPR); Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU/EEA – Data Privacy Framework (DPF); Switzerland – Data Privacy Framework (DPF). Right to Object (Opt-Out): https://myadcenter.google.com/personalizationoff.
  • Xing: Social network; Service Provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; Legal Bases: Legitimate interests (Art. 6 para. 1 lit. f) GDPR); Website: https://www.xing.com/. Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung.

Plug-ins, Embedded Features, and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "Third-Party Providers"). These may include, for example, graphics, videos, or city maps (hereinafter collectively referred to as "Content").

The integration of such elements always requires that the Third-Party Providers of this content process the users' IP addresses, as without an IP address, we would be unable to transmit the content to their browsers. The IP address is therefore required for the display of this content or these functions. We endeavor to use only such content where the respective providers utilize the IP address solely for the delivery of the content. Furthermore, third-party providers may employ so-called pixel tags (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. These "pixel tags" allow for the analysis of information such as visitor traffic on the pages of this website. Moreover, this pseudonymized information may be stored in cookies on the users' devices; it may contain—among other things—technical details regarding the browser and operating system, referring websites, visit duration, and other data concerning the use of our online services, and may also be combined with information obtained from other sources.

Notes on Legal Bases: Insofar as we request users' consent for the use of third-party providers, the legal basis for the data processing is that consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., our interest in providing efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information regarding the use of cookies contained within this Privacy Policy.

  • Types of Data Processed: Usage data (e.g., page views and duration of visit, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved parties).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing and Legitimate Interests: Provision of our online offering and user-friendliness; audience measurement (e.g., access statistics, detection of returning visitors); tracking (e.g., interest-based/behavioral profiling, use of cookies); target group formation; marketing. Provision of contractual services and fulfillment of contractual obligations.
  • Retention and Deletion: Deletion in accordance with the details provided in the section "General Information on Data Storage and Deletion." Storage of cookies for up to 2 years (Unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years).
  • Legal Bases: Consent (Art. 6 para. 1 lit. a) GDPR). Legitimate Interests (Art. 6 para. 1 lit. f) GDPR).

Further Information on Processing Activities, Procedures, and Services:

  • reCAPTCHA: We integrate the "reCAPTCHA" function to detect whether inputs (e.g., in online forms) are made by humans rather than by automated machines (so-called "bots"). The data processed may include IP addresses, information regarding operating systems, devices, or browsers used, language settings, location, mouse movements, keystrokes, duration of stay on webpages, previously visited webpages, interactions with reCAPTCHA on other webpages, potentially cookies, as well as results of manual verification processes (e.g., answering posed questions or selecting objects in images). Data processing is carried out on the basis of our legitimate interest in protecting our online offering against abusive automated crawling and spam; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Legitimate Interests (Art. 6 Para. 1 lit. f) GDPR); Website: https://www.google.com/recaptcha/; Privacy Policy: https://policies.google.com/privacy; Data Processing Addendum: https://cloud.google.com/terms/data-processing-addendum (effective as of April 2, 2026). Basis for Third-Country Transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://cloud.google.com/terms/sccs/eu-c2p (effective as of April 2, 2026)), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://cloud.google.com/terms/sccs/eu-c2p (effective as of April 2, 2026)).
  • YouTube Videos: Video content; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6 para. 1 lit. a) GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF). Opt-Out Option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for ad display: https://myadcenter.google.com/personalizationoff.

Management, Organization, and Support Tools

We utilize services, platforms, and software provided by other vendors (hereinafter referred to as "Third-Party Providers") for the purposes of organizing, managing, and planning our operations, as well as for delivering our services. When selecting these Third-Party Providers and their services, we adhere to all applicable statutory requirements.

In this context, personal data may be processed and stored on the servers of third-party providers. This may involve various types of data that we process in accordance with this Privacy Policy. Such data may include, in particular, users' master data and contact details, as well as data regarding transactions, contracts, other processes, and their contents.

Insofar as users are referred to third-party providers—or to their software or platforms—within the scope of communication, business dealings, or other relationships with us, these third-party providers may process usage data and metadata for security purposes, service optimization, or marketing purposes. We therefore request that you consult the privacy notices of the respective third-party providers.

  • Types of data processed: Content data (e.g., textual or visual messages and posts, as well as information pertaining to them, such as authorship details or creation timestamps); Usage data (e.g., page views and duration of visit, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties).
  • Categories of data subjects: Communication partners; Users (e.g., website visitors, users of online services). Business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; Office and organizational procedures; Reach measurement (e.g., access statistics, detection of returning visitors); Profiles containing user-related information (creation of user profiles); Provision of our online offering and user-friendliness. IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
  • Retention and Deletion: Deletion in accordance with the details provided in the section "General Information on Data Storage and Deletion."
  • Legal Bases: Legitimate interests (Art. 6 Para. 1 lit. f) GDPR).

Further Notes on Processing Activities, Procedures, and Services:

Application Process

The application process requires applicants to provide us with the data necessary for their assessment and selection. The specific information required is indicated in the job description or, in the case of online forms, within the fields provided therein.

Generally, the required information includes personal details—such as name, address, and contact information—as well as documentation verifying the qualifications necessary for the specific position. Upon request, we are also happy to provide further details regarding exactly what information is required.

Where available, applicants are welcome to submit their applications via our online form, which utilizes state-of-the-art encryption technology. Alternatively, applications may also be sent to us via email. However, we would like to point out that, as a general rule, emails sent over the Internet are not encrypted. Although emails are typically encrypted while in transit, this encryption does not apply to the servers from which they are sent or on which they are received. Therefore, we cannot assume any responsibility for the security of the application during its transmission between the sender and our server.

For the purposes of candidate sourcing, application submission, and candidate selection, we may—in compliance with statutory requirements—utilize applicant tracking systems, recruitment software, platforms, and services provided by third parties.

Applicants are welcome to contact us regarding the method of application submission or to send their application to us via postal mail.

Processing of Special Categories of Data: Insofar as special categories of personal data (Art. 9 Para. 1 GDPR—e.g., health data, such as severe disability status or ethnic origin) are requested from applicants or voluntarily disclosed by them during the application process, such data is processed to enable the data controller or the data subject to exercise their rights and fulfill their obligations arising from labor law, social security law, and social protection law; or in cases involving the protection of the vital interests of the applicants or other persons; or for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, for the provision of health or social care or treatment, or for the management of health or social care systems and services.

Deletion of Data: In the event of a successful application, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise—should an application for a specific job opening prove unsuccessful—the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, a step applicants are entitled to take at any time. Subject to a valid revocation by the applicant, deletion will take place no later than six months after the fact; this allows us to address any follow-up inquiries regarding the application and to fulfill our record-keeping obligations under regulations concerning the equal treatment of applicants. Invoices for any travel expense reimbursements are archived in accordance with tax law requirements.

Inclusion in an Applicant Pool: Inclusion in an applicant pool—where offered—is based on consent. Applicants are informed that their agreement to be included in the talent pool is voluntary, has no bearing on the ongoing application process, and that they may revoke their consent at any time with effect for the future.

  • Types of Data Processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses, or telephone numbers); Content data (e.g., textual or visual messages and posts, as well as information pertaining to them—such as details regarding authorship or the time of creation). Applicant Data (e.g., personal details, postal and contact addresses, documents submitted as part of the application—and the information contained therein—such as cover letters, CVs, references, as well as any additional information regarding a specific position or voluntarily provided by applicants concerning their person or qualifications).
  • Data Subjects: Applicants.
  • Purposes of Processing and Legitimate Interests: Application procedures (the establishment, and any subsequent execution or potential termination, of an employment relationship).
  • Retention and Deletion: Deletion in accordance with the details provided in the section "General Information on Data Storage and Deletion."
  • Legal Bases: Application procedures as a pre-contractual or contractual relationship (Art. 6 Para. 1 S. 1 lit. b) GDPR).

Whistleblower Systems

As part of our whistleblower reporting procedure, we utilize external providers. In doing so, we act within the framework of statutory requirements and ensure that the technical and organizational security measures we adhere to are also met by these external providers.

  • Types of Data Processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Employee data (information regarding employees and other individuals in an employment relationship); Contact data (e.g., postal and email addresses, or telephone numbers); Content data (e.g., textual or visual messages and posts, as well as information relating to them, such as details regarding authorship or time of creation). Usage data (e.g., page views and duration of visit, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Data Subjects: Employees (e.g., salaried staff, applicants, temporary staff, and other personnel); Third parties. Whistleblowers.
  • Purposes of Processing and Legitimate Interests: Whistleblower protection.
  • Retention and Deletion: Deletion in accordance with the details provided in the section "General Information on Data Storage and Deletion."
  • Legal Bases: Consent (Art. 6 para. 1 lit. a) GDPR); Legal obligation (Art. 6 para. 1 lit. c) GDPR). Legitimate interests (Art. 6 para. 1 lit. f) GDPR).

Amendments and Updates

We ask that you regularly review the content of our Privacy Policy. We will update the Privacy Policy whenever changes to the data processing activities we conduct make this necessary. We will inform you as soon as these changes necessitate any action on your part (e.g., providing consent) or require any other form of individual notification.

Insofar as we provide addresses and contact information for companies and organizations within this Privacy Policy, please note that these addresses may change over time; we therefore ask that you verify this information before making contact.

Definitions of Terms

This section provides an overview of the terminology used in this Privacy Policy. Where terms are defined by law, their statutory definitions shall apply. The following explanations, however, are intended primarily to facilitate understanding.

  • Employees: The term "Employees" refers to individuals engaged in an employment relationship, whether as employees, staff members, or in similar positions. An employment relationship is a legal bond between an employer and an employee, established by means of an employment contract or agreement. It entails the employer's obligation to pay remuneration to the employee, while the employee performs their work duties. The employment relationship encompasses various phases, including its inception—when the employment contract is concluded—its execution—during which the employee carries out their work activities—and its termination—when the employment relationship comes to an end, whether through notice of termination, a mutual termination agreement, or other means. Employee data comprises all information relating to these individuals within the context of their employment. This includes aspects such as personal identification details, identification numbers, salary and banking information, working hours, leave entitlements, health data, and performance evaluations.
  • Inventory Data: Inventory data comprises essential information necessary for the identification and administration of contractual partners, user accounts, profiles, and similar associations. This data may include, among other things, personal and demographic details such as names, contact information (addresses, telephone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Inventory data forms the foundation for any formal interaction between individuals and services, institutions, or systems, by enabling unambiguous identification and communication.
  • Credit Check: Automated decisions are based on automated data processing without human intervention (e.g., in the event of the automatic rejection of a purchase on account, an online loan application, or an online application process without any human involvement). Such automated decisions are permissible under Art. 22 of the GDPR only if the data subjects consent, if they are necessary for the fulfillment of a contract, or if national laws permit such decisions.
  • Content Delivery Network (CDN): A "Content Delivery Network" (CDN) is a service that enables the faster and more secure delivery of content from an online offering—particularly large media files such as graphics or program scripts—by utilizing servers that are geographically distributed and interconnected via the Internet.
  • Content Data: Content data comprises information generated during the creation, editing, and publication of content of any kind. This category of data may include texts, images, videos, audio files, and other multimedia content published across various platforms and media. Content data is not limited solely to the actual content itself but also encompasses metadata that provides information about the content—such as tags, descriptions, author details, and publication dates.
  • Contact Data: Contact data consists of essential information that facilitates communication with individuals or organizations. It includes, among other things, telephone numbers, postal addresses, and email addresses, as well as communication channels such as social media handles and instant messaging identifiers.
  • Conversion Tracking: Conversion tracking (also referred to as "visitor action evaluation") is a method used to determine the effectiveness of marketing measures. Typically, this involves placing a cookie on users' devices while they are visiting the websites where the marketing measures are displayed, and subsequently retrieving that cookie on the target website. For example, this allows us to track whether the advertisements we placed on other websites were successful.
  • Meta, Communication, and Process Data: Meta, communication, and process data are categories containing information regarding the manner in which data is processed, transmitted, and managed. Metadata—also known as "data about data"—comprises information describing the context, origin, and structure of other data. It may include details such as file size, creation date, the author of a document, and revision histories. Communication data captures the exchange of information between users across various channels—such as email correspondence, call logs, social media messages, and chat histories—including the individuals involved, timestamps, and transmission channels. Process data describes the processes and workflows within systems or organizations, including workflow documentation, logs of transactions and activities, as well as audit logs used for tracking and verifying operations.
  • Usage Data: Usage data refers to information that captures how users interact with digital products, services, or platforms. This data encompasses a wide range of information demonstrating how users utilize applications, which features they prefer, how long they spend on specific pages, and the paths they take to navigate through an application. Usage data may also include frequency of use, activity timestamps, IP addresses, device information, and location data. It is particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. Furthermore, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.
  • Personal Data: "Personal Data" means any information relating to an identified or identifiable natural person (hereinafter "Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Profiles containing user-related information: The processing of "profiles containing user-related information"—or simply "profiles" for short—encompasses any form of automated processing of personal data that involves using such data to analyze, evaluate, or predict specific personal aspects relating to a natural person. Depending on the nature of the profiling, this may include various types of information regarding demographics, behavior, and interests, such as interactions with websites and their content (e.g., interest in specific content or products, click behavior on a website, or location). Cookies and web beacons are frequently used for profiling purposes.
  • Log Data: Log data consists of information regarding events or activities that have been recorded within a system or network. This data typically includes details such as timestamps, IP addresses, user actions, error messages, and other specifics concerning the usage or operation of a system. Log data is frequently used for analyzing system issues, security monitoring, or generating performance reports.
  • Audience Measurement: Audience measurement (also referred to as web analytics) serves to evaluate visitor traffic on an online service; it may encompass the behavior or interests of visitors regarding specific information—such as website content. Through audience analysis, operators of online services can, for instance, identify when users visit their websites and which content interests them. This enables them, for example, to better tailor their website content to meet the needs of their visitors. For the purposes of reach analysis, pseudonymous cookies and web beacons are frequently used to recognize returning visitors and thereby obtain more accurate analyses regarding the usage of an online service.
  • Remarketing: "Remarketing" (or "retargeting") refers to instances—for example, for advertising purposes—where a record is kept of which products a user has shown interest in on a website, in order to subsequently remind the user of these products on other websites (e.g., through advertisements).
  • Server Monitoring and Error Detection: Through server monitoring and error detection, we ensure the availability and integrity of our online service; we use the processed data to technically optimize our online offering. The data processed includes performance metrics, system load data, and comparable technical values that provide insight into the stability of our online service and highlight any potential anomalies. In the event of errors or anomalies, individual requests made by users of our online service are recorded in order to identify and resolve sources of problems.
  • Tracking: "Tracking" refers to instances where user behavior can be traced across multiple online services. Typically, with regard to the online services utilized, information concerning user behavior and interests is stored in cookies or on the servers of the providers of the tracking technologies (referred to as "profiling"). This information may subsequently be used—for example—to display advertisements to users that are likely to correspond to their interests.
  • Controller: A "Controller" is defined as the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: "Processing" refers to any operation or set of operations performed on personal data, whether or not by automated means. This term is broad in scope and encompasses practically every form of handling data—be it collection, analysis, storage, transmission, or deletion.
  • Contract Data: Contract data consists of specific information relating to the formalization of an agreement between two or more parties. It documents the terms and conditions under which services or products are provided, exchanged, or sold. This category of data is essential for the administration and fulfillment of contractual obligations and comprises both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include the start and end dates of the contract, the nature of the agreed-upon services or products, pricing agreements, payment terms, termination rights, renewal options, and any special conditions or clauses. It serves as the legal basis for the relationship between the parties and is crucial for clarifying rights and obligations, enforcing claims, and resolving disputes.
  • Payment Data: Payment data comprises all information required to process payment transactions between buyers and sellers. This data is of critical importance for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank account details, payment amounts, transaction records, verification codes, and billing information. Payment data may also contain information regarding payment status, chargebacks, authorizations, and fees.
  • Audience Creation: The term "Audience Creation" (or "Custom Audiences") refers to the process of defining target groups for advertising purposes—for instance, to determine who sees specific advertisements. For example, based on a user's interest in certain products or topics online, it may be inferred that this user would be interested in advertisements for similar products or for the specific online store where they viewed those products. Conversely, the term "Lookalike Audiences" (or similar audiences) refers to instances where content deemed suitable is displayed to users whose profiles—or interests—are presumed to correspond to those of the original audience used to create the profile model. Cookies and web beacons are typically employed for the purpose of creating Custom Audiences and Lookalike Audiences.