Privacy Policy

Preamble

With this privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as "data") we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data that we carry out, both in the context of providing our services and, in particular, on our websites, in mobile applications, and on external online platforms, such as our social media profiles (hereinafter collectively referred to as the “online offering”).

The terms used are not gender-specific.

Date: May 27, 2026

Legal text by Dr. Schwenke—click for more information.

Table of Contents

Person in charge

Stoll Group Ventures GmbH
Aegeristrasse 116
6300 Zug
Switzerland

Persons authorized to represent the company: Oliver Stoll

Email address: lockenkopf

Imprint: lockenkopf

Treatment Summary

The following is a summary of the types of data processed and the purposes of such processing, along with information regarding the data subjects.

Types of data processed

  • Inventory data.
  • Payment information.
  • Location data.
  • Contact information.
  • Content details.
  • Contractual details.
  • Usage data.
  • Meta data, communication data, and process data.
  • Contact information (Facebook).
  • Event details (Facebook).
  • Protocol details.

Categories of affected individuals

  • Beneficiary and client.
  • Interested parties.
  • Communications Partner.
  • Users.
  • Participants in contests and competitions.
  • Business and contractual partners.
  • Third parties.

Purpose of the processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Communication.
  • Safety measures.
  • Direct marketing.
  • Reach measurement.
  • Follow-up.
  • Administrative and organizational procedures.
  • Remarketing.
  • Conversion metric.
  • Click tracking.
  • Formation of target groups.
  • A/B testing.
  • Organizational and administrative procedures.
  • Organization of contests and competitions.
  • Content Delivery Network (CDN).
  • Comments.
  • Heat maps.
  • Surveys and questionnaires.
  • Marketing.
  • Profiles containing user-related information.
  • Our online services and ease of use.
  • IT infrastructure.
  • Public Relations.
  • Sales promotion.
  • Business processes and management procedures.
  • Artificial intelligence (AI).

Relevant legal bases

Relevant legal bases under the GDPR: Below is an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection laws may apply in your country of residence or domicile, or in ours. If more specific legal bases apply in a particular case, we will inform you of this in the privacy policy.

  • Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of contracts and pre-contractual inquiries (Article 6(1)(b) of the GDPR ): The processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the data subject’s request prior to entering into a contract.
  • Legal obligation (Art. 6(1)(c) of the GDPR) – The processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6(1)(f) of the GDPR) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on the Protection against the Misuse of Personal Data in Data Processing (Federal Data Protection Act—BDSG). In particular, the BDSG contains special provisions regarding the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and disclosure, as well as automated decision-making in individual cases, including profiling. Data protection laws of the individual federal states may also apply.

Note on the applicability of the GDPR and the Swiss FADP : This privacy notice is intended to provide information in compliance with both the Swiss FADP and the General Data Protection Regulation (GDPR). For this reason, please note that GDPR terminology is used due to its broader geographical scope and greater clarity. In particular, instead of the terms “processing” of “personal data,” “best interests,” and “sensitive personal data” used in the Swiss DPA, the terms “processing” of “personal data,” “legitimate interests,” and “special categories of data” used in the GDPR are used. However, the legal meaning of the terms will continue to be determined in accordance with the Swiss DPA within the scope of application of the Swiss DPA.

Safety measures

We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to it, as well as access, input, disclosure, safeguarding availability, and segregation. In addition, we have established procedures that ensure the exercise of data subjects’ rights, the erasure of data, and responses to data threats. Furthermore, we already take the protection of personal data into account during the development and selection of hardware, software, and processes in accordance with the principle of data protection through technology design and data protection-friendly default settings.

Online connection security using TLS/SSL (HTTPS) encryption technology: To protect user data transmitted through our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission over the Internet. These technologies encrypt the information transmitted between the website or application and the user’s browser (or between two servers), protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions comply with the strictest security standards. If a website is protected by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and in an encrypted manner.

Transfer of personal data

In the course of our processing of personal data, such data may be transferred to or disclosed to other agencies, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers responsible for IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, enter into appropriate contracts or agreements with the recipients of your data to ensure its protection.

International data transfers

Data processing in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or the disclosure or transfer of data to other persons, organizations, or companies (which can be identified by the respective provider’s mailing address or if the privacy policy expressly refers to the transfer of data to third countries), this is always done in accordance with legal requirements.

For data transfers to the U.S., we rely primarily on the Data Privacy Framework (DPF), which was recognized as an adequate legal framework by an adequacy decision of the EU Commission on July 10, 2023. In addition, we have entered into standard contractual clauses with the respective providers that meet the requirements of the EU Commission and define the contractual obligations to protect your data.

This dual protection ensures comprehensive protection of your data: The DPF serves as the primary layer of protection, while the standard contractual clauses provide additional safeguards. Should any changes occur to the DPF, the standard contractual clauses act as a reliable fallback option. In this way, we ensure that your data is always adequately protected, even in the event of political or legal changes.

As for individual service providers, we will let you know whether they are certified under the DPF and whether standard contractual clauses are in place. You can find more information about the DPF and a list of certified companies on the U.S. Department of Commerce website: https://www.dataprivacyframework.gov/.

Appropriate safeguards are applied to data transfers to other third countries, in particular standard contractual clauses, explicit consent, or transfers required by law. You can find information on transfers to third countries and the applicable adequacy decisions in the information provided by the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

General information about data storage and deletion

We delete the personal data we process in accordance with legal requirements as soon as the underlying consent is revoked or there is no longer a legal basis for processing. This applies to cases where the original purpose of the processing is no longer applicable or the data is no longer necessary. There are exceptions to this rule if legal obligations or specific interests require the data to be stored or retained for a longer period.

In particular, data that must be retained for commercial or tax law reasons, or whose retention is necessary for the pursuit of legal action or to protect the rights of other natural or legal persons, must be archived accordingly.

Our privacy policy contains additional information about data retention and deletion that applies specifically to certain processing operations.

If there is more than one indication of the retention period or the period for deleting data, the longer period will always apply. We only process data that is no longer stored for its original purpose, but rather due to legal requirements or other reasons, based on the grounds that justify its storage.

Data Retention and Deletion: The following general retention and archiving periods apply in accordance with German law:

  • 10 years—Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and work instructions and other organizational documents necessary for their understanding (Section 147(1)(1) in conjunction with Section 3 of the German Fiscal Code (AO), Section 14b(1) of the German Value-Added Tax Act (UStG)). Section 3 AO, Section 14b(1) UStG, Section 257(1)(1) in conjunction with Section 4 HGB).
  • 8 years – Accounting documents, such as invoices and expense receipts (Section 147(1)(4) and (4a) in conjunction with Section 147(3), first sentence, of the German Fiscal Code (AO) and Section 257(1)(4) in conjunction with Section 257(4) of the German Commercial Code (HGB)).
  • 6 years - Other business documents: received business letters, copies of sent business letters, other documents, to the extent that they are relevant for tax purposes, for example, timesheets, company accounting records, calculation documents, price tags, but also payroll accounting documents, to the extent that they are not already accounting documents and cash register receipts (Section 147(1) nos. 2, 3, 5 in conjunction with (3) AO). Section 3 AO, Section 257(1) nos. 2 and 3 in conjunction with Section 4 HGB).
  • 3 years – The data necessary to consider potential warranty claims, claims for damages, or similar contractual claims and rights, and to process related inquiries based on past business experience and standard industry practice, will be stored for the standard three-year statute of limitations period (Sections 195 and 199 of the German Civil Code (BGB)).

Start of the retention period at the end of the year: If a retention period does not expressly begin on a specific date and is at least one year long, it automatically begins at the end of the calendar year in which the event triggering the retention period occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the retention period is the date on which the cancellation or other termination of the legal relationship takes effect.

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 through 21 of the GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you based on Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, including profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw your consent at any time.
  • Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and to obtain information about such data, as well as additional information and a copy of the data, in accordance with legal requirements.
  • Right to rectification: In accordance with applicable law, you have the right to request that your personal data be completed or that any inaccurate personal data concerning you be corrected.
  • Right to erasure and restriction of processing: In accordance with applicable law, you have the right to request the immediate erasure of your personal data or, alternatively, to request the restriction of the processing of your personal data in accordance with applicable law.
  • Right to data portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, in accordance with legal requirements, or to request that it be transmitted to another data controller.
  • Complaint to a supervisory authority In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you habitually reside, the supervisory authority of your place of work, or the place where the alleged infringement occurred, if you believe that the processing of your personal data violates the GDPR.

Business Services

We process the personal data of our contractual and business partners, such as customers, stakeholders, suppliers, and other business partners (collectively referred to as "contractual partners"), in order to establish, implement, and manage contractual relationships and similar legal relationships. This also includes pre-contractual measures taken upon request, as well as communication related to the respective contractual relationship.

The processing is used in particular to fulfill our primary and secondary contractual obligations. This includes the provision of the agreed-upon services, any obligations regarding updates and information, the handling of warranty claims and other service interruptions, the processing of revocations, cancellations of ongoing obligations, rescissions, refunds, and the handling of other contract-related statements and inquiries. This applies to both one-time contracts and ongoing contractual relationships.

In particular, we process master data such as name, address, and, where applicable, company name; contact information such as email address and phone number; contractual and service data such as the subject matter of the contract, the term of the contract, and the order or transaction number; usage and service data; payment and billing data; as well as the content and history of communications. If necessary, we also process data that is communicated or transmitted to us in connection with the fulfillment of an order.

In addition, we process data to protect our rights and comply with legal obligations. This includes, in particular, retention obligations under commercial and tax law, documentation obligations, and, where applicable, audit and accountability obligations. Data is also processed on the basis of our legitimate interests in proper business management, internal administration, risk management, and IT security, as well as the protection of our business operations and our contractual partners against misuse, data compromise, disclosure of secrets, and other legal interests. This may also involve the participation of external service providers, such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax and legal advisors, or other indirect agents, to the extent necessary for the performance of the contract or to comply with legal obligations.

Personal data will only be disclosed to third parties if necessary for the performance of the contract, for the implementation of pre-contractual measures, to protect legitimate interests, or to comply with legal obligations. In this privacy policy, we provide separate information regarding any further processing, particularly for marketing purposes.

As part of our data collection process, we inform our contractual partners of the specific data required in each case, for example, by clearly labeling the relevant fields on online forms or during in-person interactions.

The data will be deleted as soon as it is no longer necessary for the purposes mentioned and there is no legal obligation to retain it. Legal retention periods, particularly under commercial and tax law, may require longer storage. Data transmitted in connection with a specific order will be deleted once the order has been completed and the retention periods have expired, provided there is no other legal or contractual obligation to retain the data.

The legal basis for the processing is Article 6(1)(b) of the GDPR for the implementation of pre-contractual measures and for the performance of the respective contractual relationship, as well as Article 6(1)(c) of the GDPR for compliance with legal obligations. To the extent that the processing is based on legitimate interests, it is carried out pursuant to Article 6(1)(f) of the GDPR. If the processing is based on Article 6(1)( (f) of the GDPR, it is carried out to safeguard our legitimate interests in proper and efficient business organization, internal administration, and the documentation of business transactions; the enforcement and defense of legal claims; the safeguarding of IT and data security; the prevention of misuse and fraud; as well as the financial management and further development of our business operations. These interests consist, in particular, of ensuring secure and lawful business operations and safeguarding our ability to conduct business.

  • Types of data processed: Inventory data (e.g., full name, home address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., mailing and email addresses or phone numbers); Contractual data (e.g., subject matter of the contract, duration, customer category); Usage data (e.g., page views and time spent on site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Metadata, communication data, and processing data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • Affected parties: Service recipients and customers; stakeholders; business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; security measures; communication; office and organizational procedures; organizational and administrative procedures; business processes and business management procedures.
  • Storage and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
  • Legal basis: Performance of contracts and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

More information about treatment options, procedures, and services:

  • Online store, order forms, e-commerce, and service fulfillment: We process our customers’ data to enable them to select, purchase, or order the selected products, goods, and associated services, as well as to facilitate payment and the supply, delivery, or fulfillment of those items. If necessary for order fulfillment, we use service providers—in particular postal, shipping, and transportation companies—to carry out delivery or fulfillment on behalf of our customers. We use the services of banks and payment service providers to process payment transactions. The required information is marked as such in the context of the order or comparable purchase process and includes the information necessary for delivery or provision and billing, as well as contact information to enable us to address any inquiries; legal basis: performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Use of online platforms for the purpose of offering and selling

We offer our services on online platforms operated by other service providers. In this context, the privacy policies of the respective platforms apply in addition to our own privacy policy. This applies in particular to the processing of payments and to the procedures used on the platforms to measure reach and for interest-based marketing.

  • Types of data processed: Inventory data (e.g., full name, home address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., mailing and email addresses or phone numbers); Contractual data (e.g., subject matter of the contract, duration, customer category); Usage data (e.g., page views and time spent on site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Metadata, communication data, and processing data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • Affected parties: Service recipients and customers. Business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; marketing. Business processes and management procedures.
  • Storage and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
  • Legal basis: Performance of a contract and pre-contractual inquiries (Article 6(1)(b) of the GDPR). Legitimate interests (Article 6(1)(f) of the GDPR).

More information about treatment options, procedures, and services:

  • Shopify: A platform through which e-commerce services are offered and conducted. The services and processes carried out in connection with them include, in particular, online stores, websites, their offerings and content, community features, purchase and payment processes, customer communication, as well as analytics and marketing; service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.shopify.com/de/. Privacy Policy: https://www.shopify.com/de/legal/datenschutz.

Payment Procedure

In the context of contractual and other legal relationships, due to legal obligations, or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and use service providers other than banks and credit institutions (collectively referred to as "payment service providers"). In accordance with the state of the art, payment transactions are conducted exclusively via encrypted connections, so that the data entered is protected against unauthorized access during transmission.

The data processed by payment service providers includes personal information, such as name and address; banking information, such as account or credit card numbers, passwords, TANs, and checksums; as well as contractual, total, and recipient-related information. This information is necessary to process transactions. However, the data entered is processed and stored solely by the payment service providers. This means that we do not receive any account or credit card information, but only confirmation or rejection of the payment. Under certain circumstances, payment service providers may transmit the data to credit bureaus. The purpose of this transmission is to verify identity and creditworthiness. Please refer to the general terms and conditions and data protection information of the payment service providers.

Payment transactions are subject to the terms and conditions and privacy notices of the respective payment service providers, which can be accessed on their respective websites or transaction apps. Please refer to these documents for further information and to exercise your rights to cancellation, information, and other rights as a data subject.

  • Types of data processed: personal information (e.g., full name, home address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contractual data (e.g., subject matter of the contract, term, customer category); usage data (e.g., page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); metadata (e.g., IP address); page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); metadata, communication and process data (e.g., IP addresses, time stamps, identification numbers, persons involved). Contact data (e.g., postal and email addresses or phone numbers).
  • Affected individuals: Service recipients and customers; business and contractual partners; stakeholders.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; business processes and management procedures; administrative and organizational procedures.
  • Storage and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
  • Legal basis: Performance of a contract and pre-contractual inquiries (Article 6(1)(b) of the GDPR). Legitimate interests (Article 6(1)(f) of the GDPR).

More information about treatment options, procedures, and services:

Online service provision and web hosting

We process user data to provide our online services. To do so, we process the user’s IP address, which is necessary to deliver the content and features of our online services to the user’s browser or end device.

  • Types of data processed: Usage data (e.g., page views and time spent on the site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); metadata, communication data, and processing data (e.g., IP addresses, timestamps, identification numbers, individuals involved); log data (e.g., log files relating to logins, data retrieval, or access times); content data (e.g., text or image messages and contributions, and related information such as authorship or creation time); inventory data (e.g., full name, home address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or phone numbers); contractual data (e.g., subject matter of the contract, term, customer category).
  • Data subjects: Users (e.g., website visitors, users of online services); business and contractual partners; service recipients and customers.
  • Purposes of processing and legitimate interests: Provision of our online services and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures; content delivery network (CDN). Provision of contractual services and fulfillment of contractual obligations.
  • Storage and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
  • Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR).

More information about treatment options, procedures, and services:

  • Hosting of our online services on rented server space: To host our online services, we use server space, computing capacity, and software that we rent or otherwise obtain from a server provider (also known as a "web host"); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • Collection of access data and log files: Access to our online services is recorded in the form of so-called "server log files." Server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, confirmation of successful access, the browser type and version, the user’s operating system, the referring URL (the previously visited page), and, as a rule, the IP addresses and the requesting provider. Server log files may be used for security purposes, for example, to prevent server overload (especially in the event of malicious attacks, so-called DDoS attacks), and to ensure the proper functioning and stability of the servers; legal basis: legitimate interests (Art. 6(1)(f) GDPR). Data deletion: Information from the log files is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained for evidentiary purposes is excluded from deletion until the relevant incident has been definitively resolved.
  • Amazon Web Services (AWS): Services related to the provision of information technology infrastructure and related services (e.g., storage space and/or computing capabilities); Service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://aws.amazon.com/de/; Privacy Policy: https://aws.amazon.com/de/privacy/; Data Processing Agreement: https://aws.amazon.com/de/compliance/gdpr-center/. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses(https://aws.amazon.com/de/compliance/gdpr-center/).
  • GoDaddy: domain registration and web hosting services; service provider: Go Daddy Operating Company, LLC, 14455 N. Hayden Road, Scottsdale, Arizona 85254, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.godaddy.com/de-de; Privacy Policy: https://www.godaddy.com/de-de/legal/agreements/privacy-policy. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • Cloudflare: Content Delivery Network (CDN) – A service that enables the content of an online offering, particularly large multimedia files such as graphics or program scripts, to be delivered more quickly and securely with the help of regionally distributed servers connected via the Internet; Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.cloudflare.com; Privacy Policy: https://www.cloudflare.com/privacypolicy/; Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses(https://www.cloudflare.com/cloudflare-customer-scc/).
  • GDPR Cookie Policy: Storage and management of consent (consent for cookies and data processing), recording of user decisions, display of information on data protection and cookies, allowing users to revoke or adjust their consent; Service provider: beeclever GmbH, Friedrich-Mohr-Straße 1, 56070 Koblenz, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://gdpr-legal-cookie.myshopify.com/. Privacy Policy: https://gdpr-legal-cookie.myshopify.com/pages/datenschutzerklarung.
  • Shopify: A platform through which e-commerce services are offered and conducted. The services and processes carried out in connection with them include, in particular, online stores, websites, their offerings and content, community features, purchase and payment processes, customer communication, as well as analytics and marketing; service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.shopify.com/de/. Privacy Policy: https://www.shopify.com/de/legal/datenschutz.
  • Klaviyo: Email and SMS marketing platform ; Service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.klaviyo.com/; Privacy policy: https://www.klaviyo.com/legal/privacy-notice. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • Amazon CloudFront: Content Delivery Network (CDN) – A service that enables the content of an online offering, particularly large multimedia files such as graphics or program scripts, to be delivered more quickly and securely with the help of regionally distributed servers connected via the Internet; Service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://aws.amazon.com/de/cloudfront/; Privacy Policy: https://aws.amazon.com/privacy/; Data Processing Agreement: https://aws.amazon.com/de/compliance/gdpr-center/. Basis for transfers to third countries: Standard Contractual Clauses (provided by the service provider).
  • JSDelivr: Content Delivery Network (CDN) that helps deliver media and files quickly and efficiently, especially during periods of high traffic; Service provider: ProspectOne, Królewska 65A/1, 30-081, Kraków, Poland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.jsdelivr.com. Privacy Policy: https://www.jsdelivr.com/terms/privacy-policy.

Use of Cookies

The term "cookies" refers to functions that store information on users' devices and read it from them. Cookies can also be used for various purposes, such as ensuring the functionality, security, and convenience of online offerings and generating visitor flow analyses. We use cookies in accordance with legal requirements. Where necessary, we obtain the user's consent in advance. If consent is not required, we rely on our legitimate interests. This applies if the storage and reading of information are essential to provide the content and functions expressly requested. This includes, for example, saving settings and ensuring the functionality and security of our online service. Consent may be revoked at any time. We provide clear information about the scope and the cookies used.

Information on the legal basis under data protection law: The processing of personal data through cookies is subject to consent. If consent has been given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained earlier in this section and in the context of the respective services and procedures.

Storage period: With regard to the storage period, a distinction is made between the following types of cookies:

  • Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest after the user has left an online service and closed their device (e.g., browser or mobile app).
  • Persistent cookies: Persistent cookies remain stored even after the device is turned off. For example, login status can be saved, and favorite content can be displayed immediately when the user revisits a website. User data collected via cookies can also be used to measure reach. If we do not provide users with explicit information about the type and duration of cookie storage (for example, when obtaining their consent), they should assume that the cookies are persistent and that the storage duration may be up to two years.

General information on withdrawal of consent and opting out: Users may withdraw any consent they have given at any time and may also object to the processing of their data in accordance with legal requirements, including through their browser’s privacy settings.

  • Types of data processed: Metadata, communication data, and processing data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Legal basis: Legitimate interests (Article 6(1)(f) of the GDPR). Consent (Article 6(1)(a) of the GDPR).

More information about treatment options, procedures, and services:

  • Processing of cookie data based on consent: We use a consent management solution through which we obtain the user’s consent for the use of cookies or for the procedures and providers mentioned in the consent management solution. This procedure is used to obtain, record, manage, and revoke consent, particularly with regard to the use of cookies and comparable technologies used to store, read, and process information on users’ end devices. As part of this procedure, user consent is obtained for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management procedure. Users also have the option to manage and revoke their consent. Consent statements are stored to avoid repeated requests and to provide evidence of consent in accordance with legal requirements. Storage takes place on the server and/or in a cookie (the so-called opt-in cookie) or via comparable technologies in order to be able to assign consent to a specific user or their device. If no specific information is available regarding the consent management service providers, the following general information applies: Consent is stored for a maximum of two years. A pseudonymous user identifier is created and stored along with the time of consent, information regarding the scope of consent (e.g., relevant categories of cookies and/or service providers), and information regarding the browser, operating system, and end device used; legal basis: consent (Art. 6(1)(a) GDPR).
  • TrustArc: Storage and management of consent (cookie consent and data processing), recording of user decisions, display of information on data protection and cookies, and the ability for users to revoke or adjust their consent; Service provider: TrustArc Inc, 111 Sutter Street, Suite 600, San Francisco, CA 94104, USA; Website: https://www.trustarc.com/products/cookie-consent-manager/; Privacy Policy: https ://trustarc.com/privacy-policy/; Data Processing Agreement: Provided by the service provider. Basis for transfers to third countries: Standard Contractual Clauses (provided by the service provider
    ).

Data processing in the context of applications (apps)

We process the data of our app users to the extent necessary to provide users with the app and its features, to monitor its security, and to continue developing it. We may also contact users in compliance with legal requirements if such communication is necessary for the administration or use of the app. For further details regarding the processing of user data, please refer to the data protection information in this privacy policy.

Legal basis: The processing of data necessary to provide the app’s features is required to fulfill contractual obligations. This also applies if the provision of features requires the user’s consent (e.g., enabling device features). If data processing is not necessary for the provision of the app’s features but serves the security of the app or our business interests (e.g., data collection to optimize the app or for security purposes), it is carried out on the basis of our legitimate interests. If users are expressly asked for their consent to the processing of their data, the data covered by the consent is processed on the basis of that consent.

  • Types of data processed: personal data (e.g., full name, home address, contact information, customer number, etc.); usage data (e.g., page views and time spent on the site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Metadata, communication, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; security measures. Provision of our online services and ease of use.
  • Storage and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
  • Legal basis: Performance of a contract and pre-contractual inquiries (Article 6(1)(b) of the GDPR). Legitimate interests (Article 6(1)(f) of the GDPR).

More information about treatment options, procedures, and services:

  • Device permissions for accessing features and data: Using our app or its features may require users to grant permissions to access certain features of the devices being used, or to access data stored on those devices or accessible through them. By default, these permissions must be granted by users and can be revoked at any time in the settings of the respective devices. The exact procedure for managing app permissions may depend on the user’s device and software. Users can contact us if they need clarification. We would like to point out that denying or revoking the respective permissions may affect the functionality of our app.

Registration, login, and user account

Users can create a user account. As part of the registration process, users provide the required information, which is collected and processed for the purpose of creating the user account in accordance with contractual obligations. The data processed includes, in particular, login information (username, password, and an email address).

As part of the use of our registration and login features, as well as the use of the user account, we store the IP address and the time of the respective user action. This data is stored based on our legitimate interests and those of the user in protecting against misuse and other unauthorized use. This data is not disclosed to third parties unless it is necessary to address our claims or there is a legal obligation to do so.

Users can be notified by email about matters relevant to their user account, such as technical changes.

  • Types of data processed: personal information (e.g., full name, home address, contact information, customer number, etc.); contact information (e.g., mailing and email addresses or phone numbers); content data (e.g., text or image messages and contributions, as well as related information such as details about authorship or the time of creation); usage data (e.g., page views and time spent on site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); log data (e.g., log files relating to logins, data retrieval, or access times).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; security measures; organizational and administrative procedures. Provision of our online services and ease of use.
  • Storage and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion." Deletion upon cancellation.
  • Legal basis: Performance of a contract and pre-contractual inquiries (Article 6(1)(b) of the GDPR). Legitimate interests (Article 6(1)(f) of the GDPR).

More information about treatment options, procedures, and services:

  • Registration with real names: Due to the nature of our community, we ask users to use our services only under their real names. This means that the use of pseudonyms is not permitted; legal basis: Performance of contracts and pre-contractual inquiries (Article 6(1)(b) of the GDPR).
  • User profiles are not public: User profiles are not visible or accessible to the public.
  • There is no obligation to retain data: It is the users’ responsibility to back up their data before the contract ends in the event of cancellation. We have the right to permanently delete all user data stored during the term of the contract; legal basis: performance of the contract and pre-contractual inquiries (Art. 6, para. 1, sentence 1, letter b) of the GDPR).

Contact and Inquiry Management

When you contact us (for example, by mail, contact form, email, phone, or through social media) and in the context of existing business and user relationships, the personal data of those who contact us is processed to the extent necessary to respond to inquiries and take any requested actions.

  • Types of data processed: contact information (e.g., mailing addresses, email addresses, and phone numbers); content data (e.g., messages and textual or visual contributions, as well as related information such as details about authorship or the time of creation); metadata, communication data, and processing data (e.g., IP addresses, timestamps, identification numbers, and individuals involved).
  • Affected parties: Communications partner.
  • Purposes of processing and legitimate interests: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via an online form). Providing our online services and ensuring ease of use.
  • Storage and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
  • Legal basis: Legitimate interests (Article 6(1)(f) of the GDPR). Performance of contracts and pre-contractual inquiries (Article 6(1)(b) of the GDPR).

More information about treatment options, procedures, and services:

  • Contact Form: When you contact us via our contact form, by email, or through other communication channels, we process the personal data you provide to us in order to respond to and process your request. This generally includes data such as your name, contact information, and any other information you provide that is necessary for proper processing. We use this data exclusively for the stated purpose of establishing contact and communication; legal basis: performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
  • Electronic cancellation: Your name, email address, and order number are processed as part of the electronic cancellation process. This processing is carried out by our processor, Revoq. You can find more information in the data processing agreement (DPA) at https://www.consumer-withdrawal.eu/dpa; Service Provider: Information pursuant to § 5 TMG (German Telecommunications Act):
    Jonas Busch (sole proprietor)
    Hofstraße No. 2-4
    51061 Cologne
    Germany; Website: https://www.consumer-withdrawal.eu/de. Privacy Policy: https://www.consumer-withdrawal.eu/dpa.

Communication via Messenger

We use messaging apps for communication purposes, and therefore ask that you review the following information regarding the functionality of messaging apps, encryption, the use of communication metadata, and your options for opting out.

You can also contact us through other channels, such as by phone or email. Please use the contact options we provide or the contact options listed in our online offer.

In the case of end-to-end encryption (i.e., the message content and attached images), we would like to point out that the content of the communication (i.e., the message content and attached images) is encrypted end-to-end. This means that the content of the messages cannot be viewed, not even by the messaging providers themselves. You should always use an up-to-date version of the messenger with encryption enabled to ensure that the message content is encrypted.

However, we would also like to point out to our communication partners that, although messaging service providers cannot view the content, they can see who is communicating with us and when, and that technical information about the device used by communication partners—as well as location information (so-called metadata), depending on the device’s settings—is also processed.

Notes on the legal basis: If we ask communication partners for permission before contacting them via Messenger, the legal basis for our processing of their data is their consent. Otherwise, if we do not request your consent and you contact us, for example, on your own initiative, we use Messenger in relation to our contractual partners and in the context of the initiation of the contract as a contractual measure, and in the case of other interested parties and communication partners, based on our legitimate interests in rapid and effective communication and meeting the communication needs of our communication partners via Messenger. We would also like to point out that we will not pass on the contact details you provide to us to Messenger for the first time without your consent.

Withdrawal, Objection, and Deletion: You may withdraw your consent at any time and object to communication with us via Messenger at any time. In the case of communication via Messenger, we delete messages in accordance with our general deletion guidelines (i.e., for example, as described above, following the termination of contractual relationships, in the context of archiving requirements, etc.) and, otherwise, as soon as we can assume that we have responded to any information from the communication partners, if no reference to a previous conversation is to be expected and the deletion does not conflict with any legal retention obligation.

Note regarding other communication channels: To ensure your security, please understand that we may not be able to respond to your inquiries via Messenger for certain reasons. This applies to situations where, for example, contract details must be treated with special confidentiality or a response via Messenger does not meet the formal requirements. In such cases, we recommend that you use more appropriate communication channels.

  • Types of data processed: Contact information (e.g., mailing addresses, email addresses, or phone numbers); Content data (e.g., text or image messages and posts, as well as related information such as details about authorship or the time of creation); Usage data (e.g., page views and time spent on site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Metadata, communication data, and processing data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Affected parties: Communications partner.
  • Purposes of processing and legitimate interests: Communication. Direct marketing (e.g., via email or mail).
  • Storage and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
  • Legal basis: Consent (Article 6(1)(a) of the GDPR); performance of a contract and pre-contractual measures (Article 6(1)(b) of the GDPR); legitimate interests (Article 6(1)(f) of the GDPR).

More information about treatment options, procedures, and services:

Artificial Intelligence (AI)

We use artificial intelligence (AI) to process personal data. The specific purposes and our rationale for using AI are outlined below. In accordance with the definition of “AI system” in Article 3(1) of the AI Regulation, we define AI as a machine-based system that is designed to operate autonomously to varying degrees, is capable of adaptation after deployment, and produces outputs such as predictions, content, recommendations, or decisions based on the inputs received, which may impact physical or virtual environments.

Our AI systems are used in strict compliance with legal requirements. These include both specific regulations on artificial intelligence and data protection requirements. In particular, we adhere to the principles of lawfulness, transparency, fairness, human oversight, purpose limitation, data minimization, integrity, and confidentiality. We ensure that the processing of personal data is always carried out on a legal basis. This may be the consent of the data subject or a legal authorization.

When we use external AI systems, we carefully select their providers (hereinafter “AI providers”). In accordance with our legal obligations, we ensure that AI providers comply with applicable regulations. We also fulfill our obligations when we use or operate the AI services we have acquired. The processing of personal data by us and by AI providers is carried out exclusively on the basis of consent or legal authorization. We place particular emphasis on transparency, fairness, and the preservation of human control over AI-assisted decision-making processes.

We implement appropriate and robust technical and organizational measures to protect the data we process. These measures ensure the integrity and confidentiality of the processed data and minimize potential risks. We ensure ongoing compliance with applicable legal and ethical standards by regularly reviewing AI providers and their services.

  • Types of data processed: Content data (e.g., messages and textual or visual contributions, as well as related information such as details about authorship or the time of creation). Usage data (e.g., page views and time spent on the site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features).
  • Data subjects: Users (e.g., website visitors, users of online services). Third parties.
  • Purposes of processing and legitimate interests: Artificial intelligence (AI).
  • Storage and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."

Newsletter and email notifications

We send newsletters, emails, and other electronic notifications (hereinafter referred to as "newsletter") exclusively with the recipient's consent or on a legal basis. If the newsletter's content is described in the context of a newsletter subscription, that content is decisive for the user's consent. To subscribe to our newsletter, it is usually sufficient to provide your email address. However, in order to offer you a personalized service, we may ask you to provide your name so that we can address you personally in the newsletter, or to provide us with additional information if this is necessary for the purpose of the newsletter.

Deletion and Limitation of Processing: We may store email addresses that have been unsubscribed for up to three years based on our legitimate interests before deleting them, in order to demonstrate that consent was previously given. The processing of this data is limited to the purposes of a potential defense against claims. An individual request for deletion is possible at any time, provided that the prior existence of consent is confirmed at the same time. In the event of an obligation to permanently honor objections, we reserve the right to store the email address in a block list exclusively for this purpose.

The registration process is recorded based on our legitimate interests in order to verify that it is carried out correctly. If we engage a service provider to send emails, this is done based on our legitimate interests in ensuring an efficient and secure delivery system.

Contents:

Information about us, our services, promotions, and special offers.

  • Types of data processed: personal data (e.g., full name, home address, contact information, customer number, etc.); contact information (e.g., mailing and email addresses or phone numbers); metadata, communication, and processing data (e.g., IP addresses, timestamps, identification numbers, individuals involved). Usage data (e.g., page views and time spent on site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features).
  • Affected parties: Media partners. Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Direct marketing (e.g., via email or mail). Provision of contractual services and fulfillment of contractual obligations.
  • Legal basis: Consent (Art. 6(1)(a) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).
  • Opt-out option: You can unsubscribe from our newsletter at any time, i.e., withdraw your consent or opt out of receiving it. You will find a link to unsubscribe at the bottom of each newsletter, or you can use one of the contact options listed above, preferably email.

More information about treatment options, procedures, and services:

  • Tracking open and click-through rates: Newsletters contain a "web beacon," which is a one-pixel-sized file that is retrieved from our server—or from your server, if we use a mailing service provider—when the newsletter is opened. As part of this retrieval, technical information is initially collected, such as browser and system details, as well as your IP address and the time of retrieval. This information is used for the technical improvement of our newsletter based on the technical data, or to analyze target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether newsletters are opened and when, and which links are clicked. The information collected is assigned to individual newsletter recipients and stored in their profiles until it is deleted. On this basis, user profiles are created in which user behavior and characteristics are stored. The measurement of open and click rates, as well as the storage of measurement results in user profiles and their subsequent processing, are carried out on the basis of the user’s consent. Unfortunately, it is not possible to revoke performance tracking separately; in this case, the entire newsletter subscription must be canceled or objected to. In this case, the stored profile information will be deleted; legal basis: Consent (Art. 6(1)(a) GDPR).
  • Conditions for using free services: Consent to receive emails may be a requirement for using free services (for example, access to certain content or participation in certain promotions). If you wish to use a free service without subscribing to the newsletter, please contact us.
  • Order process reminder emails: If users do not complete an order, we can send them a reminder via email and provide a link to continue the process. This feature can be useful, for example, if the purchase process could not be continued due to a browser error, an oversight, or a lapse in memory. The sending of these emails is based on consent, which users may revoke at any time; legal basis: Consent (Art. 6(1)(a) GDPR).
  • Klaviyo: Email and SMS marketing platform ; Service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.klaviyo.com/; Privacy policy: https://www.klaviyo.com/legal/privacy-notice. Basis for transfers to third countries: Data Privacy Framework (DPF).

Advertising communications via email, mail, fax, or telephone

We process personal data for advertising and marketing purposes, which may be carried out through various channels, such as email, telephone, regular mail, or fax, in accordance with legal requirements.

Recipients have the right to withdraw their consent at any time or to object to receiving promotional communications at any time, free of charge, by using the contact option mentioned above.

Following a revocation or objection, we store the data necessary to demonstrate prior authorization for contact or delivery for up to three years after the end of the year in which the revocation or objection was made, based on our legitimate interests. The processing of this data is limited to the purpose of a possible defense against claims. Based on the legitimate interest in permanently observing the user’s revocation or objection, we also store the data necessary to prevent further contact (e.g., depending on the communication channel, the email address, phone number, or name).

  • Types of data processed: personal information (e.g., full name, home address, contact information, customer number, etc.); contact information (e.g., mailing and email addresses, or phone numbers); content data (e.g., messages and textual or visual contributions, as well as related information such as details regarding authorship or the time of creation).
  • Affected parties: Communications partner.
  • Purposes of processing and legitimate interests: Direct marketing (e.g., via email or mail). Sales promotion.
  • Storage and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
  • Legal basis: Consent (Art. 6(1)(a) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).

More information about treatment options, procedures, and services:

  • Klaviyo: Email and SMS marketing platform ; Service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.klaviyo.com/; Privacy policy: https://www.klaviyo.com/legal/privacy-notice. Basis for transfers to third countries: Data Privacy Framework (DPF).

Giveaways and contests

We process the personal data of participants in contests and competitions solely in compliance with the relevant data protection regulations, to the extent that such processing is contractually necessary for the provision, conduct, and administration of the contest, the participants have given their consent to the processing, or the processing serves our legitimate interests (for example, in ensuring the security of the contest or protecting our interests against misuse through the possible collection of IP addresses when submitting contest entries).

If participants’ submissions are published as part of the contests (for example, as part of a vote or presentation of contest entries or winners, or in connection with information about the contest), we would like to note that participants’ names may also be published in this context. Participants may object to this at any time.

If the contest takes place on an online platform or social media site (e.g., Facebook or Instagram, hereinafter “online platform”), the terms of use and privacy policies of the respective platforms will also apply. In such cases, please note that we are responsible for the information provided by participants in connection with the contest and that any inquiries regarding the contest should be directed to us.

Participants’ data will be deleted as soon as the contest or competition has ended and is no longer needed to notify the winners or because no further inquiries regarding the contest are expected. In principle, participants’ data will be deleted no later than 6 months after the contest ends. Winners’ data may be retained for a longer period, for example, to respond to inquiries about the prizes or to fulfill the prize; in this case, the retention period depends on the type of prize and is up to three years for goods or services, for example, to process warranty claims. In addition, participants’ data may be retained for a longer period, for example, in the form of reports on the contest in online and offline media.

If data is also collected for other purposes as part of the contest, its processing and retention period will be based on the data protection information applicable to that specific use (for example, in the case of subscribing to a newsletter as part of a contest).

  • Types of data processed: Inventory data (e.g., full name, home address, contact information, customer number, etc.); Contact data (e.g., mailing and email addresses or phone numbers); Content data (e.g., text or image messages and contributions, as well as related information such as details about authorship or the time of creation); Usage data (e.g., page views and time spent on site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Metadata, communication data, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Data subjects: Participants in contests and competitions. Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Organization of contests and competitions.
  • Storage and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
  • Legal basis: Performance of a contract and pre-contractual inquiries (Article 6(1)(b) of the GDPR). Legitimate interests (Article 6(1)(f) of the GDPR).

More information about treatment options, procedures, and services:

  • Facebook Pages: Profiles on the Facebook social network - The data controller, together with Meta Platforms Ireland Limited, is responsible for the collection and transmission of data from visitors to our Facebook page ("fan page"). This includes, in particular, information about user behavior (e.g., content viewed or interacted with, actions taken) and device information (e.g., IP address, operating system, browser type, language settings, cookie data). You can find more information on this in Facebook’s data policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical analyses via the “Page Insights” service, which provides information on how people interact with our site and its content. The basis for this is an agreement with Facebook (“Information about Page Insights”: https://www.facebook.com/legal/terms/page_controller_addendum), which, among other things, governs security measures and the exercise of data subjects’ rights. You can find more information here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Therefore, users may submit requests for information or deletion directly to Facebook. Users’ rights (in particular, the right to information, erasure, objection, and the right to lodge a complaint with a supervisory authority) remain unaffected by this. Joint liability is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited is solely responsible for further processing, including any potential transfer to Meta Platforms Inc. in the U.S.; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF), https://www.facebook.com/legal/EU_data_transfer_addendum.
  • Instagram: A social media platform that allows users to share photos and videos, comment on and like posts, send messages, and follow profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • TikTok: Social media platform that allows users to share photos and videos, comment on and like posts, send messages, and follow accounts; service providers: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.tiktok.com; Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Data Processing Agreement: Provided by the service provider.

Website analysis, monitoring, and optimization

Web analytics (also known as "audience measurement") is used to evaluate visitor traffic to our online platform and may include information about visitors' behavior, interests, or demographic data—such as age or gender—in pseudonymized form. With the help of reach analysis, we can, for example, identify at what times our online offering or its features and content are most frequently used, or encourage visitors to use them again. It also allows us to understand which areas require optimization.

In addition to web analytics, we can also use testing methods, for example to test and optimize different versions of our online offering or its components.

Unless otherwise stated below, profiles—that is, summarized data regarding usage patterns—may be created for these purposes, and the information may be stored in a browser or end device and subsequently retrieved. The information collected includes, in particular, the websites visited and the elements used on them, as well as technical information such as the browser used, the operating system employed, and information regarding usage times. If users have consented to us or the service providers we use collecting their location data, such data may also be processed.

In addition, users’ IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, in the context of web analytics, A/B testing, and optimization, no plaintext user data (such as email addresses or names) is stored, but rather pseudonyms. This means that neither we nor the providers of the software used know the users’ actual identities, but only the information stored in their profiles for the purposes of the respective process.

Notes on the legal basis: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., the interest in providing efficient, cost-effective services tailored to the recipients). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., page views and time spent on the site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Metadata, communication data, and processing data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Measuring reach (e.g., access statistics, recognition of returning visitors); user-related profiles (creation of user profiles); provision of our online services and user-friendliness; click tracking; A/B testing; feedback (e.g., collection of feedback via an online form); heat maps (users’ mouse movements summarized to form an overall picture); surveys and questionnaires (e.g., surveys with open-ended questions, multiple-choice questions). Marketing.
  • Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion." Cookies are stored for a maximum of 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: Consent (Art. 6(1)(a) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).

More information about treatment options, procedures, and services:

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online services based on a pseudonymous user ID. This ID does not contain any personally identifiable information, such as names or email addresses. It is used to assign analytics information to an end device in order to identify which content users have viewed during one or more usage sessions, which search terms they have used, which pages they have revisited, and how they have interacted with our online offering. The duration and timing of usage, as well as the sources from which users are referred to our online offering and technical details about their end devices and browsers, are also stored.
    Pseudonymized user profiles are created using information derived from the use of various devices, for which cookies may be used. Google Analytics does not record or store individual IP addresses of users in the EU. However, Analytics provides approximate geographic location data by deriving the following metadata from IP addresses: City (and the inferred latitude and longitude of the city), Continent, Country, Region, Subcontinent (and counterparts based on IDs). For EU traffic, IP address data is used exclusively for this derivation of geolocation data before being immediately deleted. It is not recorded, is not accessible, and is not used for other purposes. When Google Analytics collects measurement data, all IP queries are performed on servers based in the EU before the traffic is forwarded to Analytics servers for processing; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://business.safety.google/privacy/; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses(https://business.safety.google/adsprocessorterms); Opt-out: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad display settings: https://myadcenter.google.com/personalizationoff. More information: https://business.safety.google/adsservices/ (types of processing and data processed).
  • Google Tag Manager: We use Google Tag Manager, a Google software tool that allows us to centrally manage website tags via a user interface. Tags are small pieces of code on our website that are used to track and analyze visitor activity. This technology helps us improve our website and the content it offers. Google Tag Manager itself does not create user profiles, does not store cookies containing user profiles, and does not perform independent analyses. Its function is limited to simplifying the integration and management of the tools and services we use on our website and making them more efficient. However, when Google Tag Manager is used, the user’s IP address is transmitted to Google, which is necessary for technical reasons to implement the services we use. Cookies may also be set in the process. However, this data processing only takes place if services are integrated via Tag Manager. For more detailed information about these services and their data processing, please refer to the following sections of this privacy policy; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Data Processing Agreement:
    https://business.safety.google/adsprocessorterms. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses(https://business.safety.google/adsprocessorterms).
  • Hotjar: Software for the analysis and optimization of online services based on feedback features and pseudonymous measurements and analyses of user behavior, which may include, in particular, A/B testing (measuring the popularity and usability of different content and features), tracking click paths, and interaction with content and features of the online service (so-called heatmaps and recordings); Service Provider: Hotjar Ltd, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.hotjar.com; Privacy Policy: https ://www.hotjar.com/legal/policies/privacy; Data Deletion: The cookies used by Hotjar have different "lifespans"; some remain valid for up to 365 days, others only for the duration of the current visit; Cookie Policy: https://www.hotjar.com/legal/policies/cookie-information. Opt-out option: https://www.hotjar.com/legal/compliance/opt-out.

Online Marketing

We process personal data for online marketing purposes, which may include, in particular, the sale of advertising space or the display of advertisements and other content (collectively referred to as "content") based on users' potential interests, as well as the measurement of their effectiveness.

For this purpose, so-called user profiles (known as "cookies") are created and stored in a file, or similar procedures are used to store information about the user that is relevant for the presentation of the aforementioned content. This may include, for example, content viewed, websites visited, online networks used, as well as communication partners and technical information such as the browser used, the operating system used, and information regarding usage times and functions used. If users have consented to the collection of their location data, this data may also be processed.

Users’ IP addresses are also stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. In general, as part of the online marketing process, we do not store users’ plaintext data (such as email addresses or names), but rather pseudonyms. This means that neither we nor the providers of online marketing procedures know the users’ actual identities, but only the information stored in their profiles.

Profile data is generally stored in cookies or through similar methods. These cookies can usually be read later on other websites that use the same online marketing process, analyzed for the purpose of displaying content, combined with other data, and stored on the server of the online marketing provider.

In exceptional cases, it is possible to associate unmasked data with user profiles, particularly if, for example, users are members of a social network whose online marketing processes we utilize and the network links user profiles to the aforementioned data. Please note that users may enter into additional agreements with providers, for example, by giving their consent during registration.

In principle, we only have access to summary information about the success of our ads. However, through what is known as conversion tracking, we can determine which of our online marketing activities have led to a conversion—for example, the signing of a contract with us. Conversion tracking is used solely to analyze the success of our marketing efforts.

Unless otherwise stated, please assume that the cookies used are stored for a period of two years.

Notes on the legal basis: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., the interest in providing efficient, cost-effective services tailored to the recipients). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.

Information on annulment and opposition:

Please refer to the privacy policies of the respective providers and the opt-out options they offer. If no explicit opt-out option has been specified, you have the option to disable cookies in your browser settings. However, this may restrict the functionality of our online offering. We therefore recommend the following additional opt-out options, which are summarized for the respective areas:

a) Europe: https:// youronlinechoices.eu/.

b) Canada: https:// youradchoices.ca/.

c) U.S.: https:// optout.aboutads.info/.

d) Multi-territorial: https://optout.aboutads.info.

  • Types of data processed: Content data (e.g., text or image messages and posts, and related information such as details about authorship or the time of creation); usage data (e.g., page views and time spent on the site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); metadata, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved); event data (Facebook; “event data” refers to information such as that from Meta Pixels (whether via apps or other channels) or other data). (e.g., IP addresses, timestamps, identification numbers, individuals involved); event data (Facebook) (“event data” is information sent to the Meta provider, for example via meta pixels (whether via apps or other channels), that relates to individuals or their actions. This data includes, for example, details of website visits, interactions with content and features, app installations, and product purchases. Event data is processed for the purpose of creating target groups for content and advertising messages (custom audiences). It is important to note that event data does not include actual content such as written comments, login information, or contact information such as names, email addresses, or phone numbers. "Event data" is deleted by Meta after a maximum of two years, and the target groups created from it disappear when our user accounts are deleted from Meta); contact information (Facebook) (“contact information” refers to data that (clearly) identifies data subjects, such as names, email addresses, and phone numbers, which may be transmitted to Facebook—for example, via Facebook pixels or uploads—for matching purposes to create custom audiences. Contact data is deleted after matching for the purpose of creating target groups).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Audience measurement (e.g., traffic statistics, recognition of returning visitors); tracking (e.g., interest/behavioral profiling, use of cookies); conversion measurement (measuring the effectiveness of marketing measures); target group segmentation; marketing; user-related profiles (creation of user profiles); provision of our online services and user-friendliness. Remarketing.
  • Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion." Cookies are stored for a maximum of 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: Consent (Art. 6(1)(a) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).

More information about treatment options, procedures, and services:

  • Meta Pixel and Custom Audiences: With the help of the Meta Pixel (or comparable features for transmitting event data or contact information via in-app interfaces), Meta is able to identify visitors to our website as a target audience for the display of ads (so-called "Meta Ads"). Consequently, we use the Meta pixel to display the Meta ads we have placed only to those users on Meta platforms and within the services of Meta’s partner networks (the so-called “audience network” https://www.facebook.com/audiencenetwork/ ) who have also shown interest in our online offering or who have certain characteristics (e.g., interest in certain topics or products that can be inferred from the websites visited) that we transmit to Meta (so-called “custom audiences”). With the help of the Meta pixel, we also want to ensure that our Meta ads match users’ potential interests and do not prove annoying. With the help of the Meta pixel, we can also track the effectiveness of Meta ads for statistical and market research purposes, seeing whether users have been redirected to our website after clicking on a Meta ad (so-called “conversion tracking”); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses(https://www.facebook.com/legal/EU_data_transfer_addendum); Further information: Event user data, i.e., behavioral and interest data, is processed for targeted advertising and segmentation purposes based on the joint controller agreement ("Controller Addendum," https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular the transfer of data to the parent company Meta Platforms, Inc. in the U.S. (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Expanded processing for the Meta Pixel: In addition to processing event data in connection with the use of the Meta Pixel (or comparable features, e.g., in apps), Meta also collects contact information (data that identifies individual persons, such as names, email addresses, and phone numbers) within our online offering or transmits it to Meta. The processing of contact information is used to create target groups (so-called "custom audiences") for the display of content and advertising information based on users’ presumed interests. The collection, transmission, and comparison with data available at Meta is not performed in plain text, but as so-called "hash values," i.e., mathematical representations of the data (this method is used, for example, when storing passwords). Legal basis : consent (Art. 6(1)(a) of the GDPR); Privacy Policy: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, 104 X2K5, Ireland; Data Processing Agreement: https ://www.facebook.com/legal/terms/dataprocessing; Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses(https://www.facebook.com/legal/EU_data_transfer_addendum). Further information: https://www.facebook.com/legal/terms/data_security_terms.
  • Facebook Ads: Placement of ads within the Facebook platform and analysis of ad performance; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https ://www.facebook.com; Privacy Policy: https:// www.facebook.com/privacy/policy/; Basis for transfers to third countries: Data Privacy Framework (DPF); Opt-out: We refer to the data protection and advertising settings in the user’s profile on Facebook platforms, as well as Facebook’s consent procedures and contact options for exercising information and other rights of data subjects, as described in Facebook’s privacy policy; Further information: Event user data, i.e., behavioral and interest data, is processed for targeted advertising and segmentation purposes based on the joint controller agreement (“Controller Addendum,” https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular the transfer of data to the parent company Meta Platforms, Inc. in the U.S. (based on the standard contractual clauses entered into between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Google Ad Manager: We use the "Google Ad Manager" service to place ads on the Google advertising network (for example, in search results, on videos, on websites, etc.). Google Ad Manager works by displaying ads in real time based on users' presumed interests. This allows us to display ads for our online offerings to users who may have a potential interest in our offerings or who have previously shown an interest in them, and to measure the success of the ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Basis for transfers to third countries: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/; Data processing terms for Google advertising products: Service information Data processing terms between data controllers and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms. If Google acts as a data processor, data processing terms for Google advertising products and standard contractual clauses for data transfers to third countries: https://business.safety.google/adsprocessorterms.
  • Google Ads and conversion tracking: an online marketing process designed to place content and ads within the service provider’s advertising network (e.g., in search results, on videos, on websites, etc.) so that they are shown to users who are likely to be interested in the ads. In addition, we measure ad conversion, i.e., whether users have interacted with the ads and taken advantage of the advertised offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR); Website: https ://marketingplatform.google.com; Privacy Policy: https ://business.safety.google/privacy/; Basis for transfers to third countries: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between data controllers and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
  • Extended conversions for Google Ads: When users click on our Google Ads and subsequently use the advertised service (known as a "conversion"), the data entered by the user—such as their email address, name, home address, or phone number—may be transmitted to Google. The hashed values are then compared with users’ existing Google accounts in order to better analyze and improve user interaction with the ads (e.g., clicks or views) and thus their performance; legal basis: Consent (Art. 6(1)(a) GDPR). Website: https://support.google.com/google-ads/answer/9888656.
  • Google AdSense with personalized ads: We have integrated the Google AdSense service, which allows us to display personalized ads on our website. Google AdSense analyzes user behavior and uses this data to display targeted advertising tailored to the interests of our visitors. We receive compensation for each ad displayed or for other uses of these ads; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Basis for transfers to third countries: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information about the services, data processing terms between data controllers, and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
  • Google AdSense with non-personalized ads: We use the Google AdSense service to display non-personalized ads on our website. These ads are not based on individual user behavior, but are selected based on general characteristics such as the page content or the user’s approximate geographic location. We receive compensation for displaying or otherwise using these ads; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Basis for transfers to third countries: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information about the services Data processing terms between data controllers and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
  • TikTok Pixel: a code that loads when a user visits our online offering and tracks user behavior and conversions, storing this data in a profile (possible uses: measuring campaign performance, optimizing ad delivery, creating custom audiences, and similar purposes). - We and TikTok are jointly responsible for the collection and transmission of event data and for the measurement and reporting of insights (statistics) to profile owners. This event data includes information about the types of content users view or interact with, or the actions they take, as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data) and user profile information, such as country or location. You can find information about TikTok’s processing of user data in TikTok’s privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. We have entered into a special joint liability agreement with TikTok, which specifically regulates the security measures TikTok must observe and in which TikTok has committed to respecting the rights of data subjects (i.e., users can, for example, send information or requests for deletion directly to TikTok). Users’ rights (in particular to information, erasure, objection, and lodging a complaint with the competent supervisory authority) are not limited by the agreements with TikTok. The joint liability agreement can be found in TikTok’s “Jurisdiction-Specific Terms”: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms.; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://ads.tiktok.com/help/article/tiktok-pixel; Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Basis for transfers to third countries: Standard Contractual Clauses(https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).

Customer reviews and evaluation process

We participate in review and rating processes to evaluate, optimize, and promote our services. If users rate us or submit feedback through participating platforms or rating processes, the providers’ terms and conditions, terms of use, and privacy notices will also apply. As a general rule, submitting a review also requires registration with the respective providers.

To ensure that reviewers have actually used our services, we share the necessary customer and service-related data (including name, email address, and order or item number) with the relevant review platform with the customer’s consent. This data is used solely to verify the user’s authenticity.

  • Types of data processed: Contractual data (e.g., subject matter of the contract, duration, customer category); usage data (e.g., page views and time spent on the site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Metadata, communication data, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Affected individuals: Service recipients and customers. Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Comments (e.g., collecting comments via an online form). Marketing.
  • Legal basis: Legitimate interests (Article 6(1)(f) of the GDPR). Consent (Article 6(1)(a) of the GDPR).

More information about treatment options, procedures, and services:

  • Google Customer Reviews: Service for collecting and/or displaying customer satisfaction and customer reviews; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.google.com/; Privacy Policy: https://business.safety.google/privacy/; Basis for transfers to third countries: Data Privacy Framework (DPF); Further information: As part of the collection of customer reviews, an identification number and the time of the business transaction to be evaluated are processed; in the case of review requests sent directly to customers, the customer’s email address and country of residence, as well as the review details themselves; Further information on the types of processing and the data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information on the services, data processing terms between data controllers, and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
  • Trusted Shops (Trustedbadge): Review platform - As part of the joint responsibility between us and Trusted Shops, please contact Trusted Shops regarding any data protection issues or to exercise your rights using the contact options specified in the privacy policy. Regardless of this, you can always contact the data controller of your choice. If necessary, your inquiry will be forwarded to the other data controller for a response.

    The Trusted Shops badge is provided by a U.S.-based CDN (content delivery network) provider. An adequate level of data protection is ensured through standard data protection clauses and other contractual measures.
    When the trust badge is accessed, the web server automatically saves a so-called server log file, which also contains your IP address, the date and time of access, the amount of data transferred, and the requesting provider (access data), and documents the access. The IP address is anonymized immediately after collection, so that the stored data cannot be assigned to you personally. The anonymized data is used, in particular, for statistical purposes and for error analysis.

    If you have given your consent, the Trustbadge accesses the order information stored on your end device (order total, order number, product purchased, if applicable) and your email address once the order is completed, and your email address is hashed using a one-way cryptographic function. The hash value is then transmitted to Trusted Shops along with the order information, in accordance with Article 6(1)(a) of the GDPR. This serves to verify whether you are already registered with Trusted Shops’ services. If this is the case, further processing will be carried out in accordance with the contractual agreement between you and Trusted Shops. If you are not yet registered for the services or do not consent to automatic recognition via the Trustbadge, you will then be given the opportunity to register manually for the use of the services or to complete the protection as part of your existing user agreement.

    For this purpose, the Trustbadge accesses the following information, which is stored on the end device you are using, after you have completed your order: Order total, order number, and email address. This is necessary so that we can offer you buyer protection. The data will only be transmitted to Trusted Shops if you actively opt in to buyer protection by clicking the corresponding button on the so-called Trustcard. If you decide to use the services, further processing is based on the contractual agreement with Trusted Shops in accordance with Art. 6(1)(b) 1(b) of the GDPR for the purpose of completing your registration for buyer protection and securing the order, and, if necessary, to be able to send you review invitations via email at a later date.

    Trusted Shops uses service providers in the areas of hosting, monitoring, and logging. The legal basis is Art. 6(1)(f) of the GDPR for the purpose of ensuring smooth operation. Processing may take place in third countries (the U.S. and Israel). In the U.S., an adequate level of data protection is ensured through standard data protection clauses and other contractual measures, and in Israel through an adequacy decision.
    Service provider: Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany; Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.trustedshops.de. Privacy Policy: https://www.trustedshops.de/impressum-datenschutz/.
  • Klaviyo: Email and SMS marketing platform ; Service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.klaviyo.com/; Privacy policy: https://www.klaviyo.com/legal/privacy-notice. Basis for transfers to third countries: Data Privacy Framework (DPF).

Social media presence

We maintain an online presence on social media platforms and process user data in this context to communicate with active users on these platforms or to provide information about us.

We would like to point out that user data may be processed outside the European Union. This may pose risks to users because, for example, it could make it more difficult for them to exercise their rights.

In addition, user data on social media platforms is generally processed for market research and advertising purposes. For example, user profiles may be created based on user behavior and the resulting interests. These interests can in turn be used, for example, to place ads both on and off the platforms that are presumed to align with users’ interests. Therefore, cookies are generally stored on users’ computers, where users’ behavior and interests are recorded. In addition, data may also be stored in user profiles regardless of the devices used by users (especially if they are members of the respective platforms and are registered with them).

For a detailed description of the respective processing methods and opt-out options, please refer to the privacy policies and information provided by the operators of the respective networks.

With regard to requests for information and the exercise of data subjects’ rights, we would also like to point out that these can be most effectively addressed through the service providers. Only they have access to user data and can take the necessary steps and provide information directly. If you still need assistance, please contact us.

  • Types of data processed: contact information (e.g., mailing addresses, email addresses, or phone numbers); content data (e.g., text or image messages and posts, and related information such as authorship or creation date); usage data (e.g., page views and time spent on site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); metadata, communication, and process data (e.g., IP addresses, timestamps, identification numbers, persons involved). Inventory data (e.g., full name, home address, contact information, customer number, etc.).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Communication; Feedback (e.g., collecting feedback via an online form); Public relations; Marketing. Providing our online services and ensuring ease of use.
  • Storage and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
  • Legal basis: Legitimate interests (Article 6(1)(f) of the GDPR). Consent (Article 6(1)(a) of the GDPR).

More information about treatment options, procedures, and services:

  • Instagram: A social media platform that allows users to share photos and videos, comment on and like posts, send messages, and follow profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • Facebook Pages: Profiles on the Facebook social network - The data controller, together with Meta Platforms Ireland Limited, is responsible for the collection and transmission of data from visitors to our Facebook page ("fan page"). This includes, in particular, information about user behavior (e.g., content viewed or interacted with, actions taken) and device information (e.g., IP address, operating system, browser type, language settings, cookie data). You can find more information on this in Facebook’s data policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical analyses via the “Page Insights” service, which provides information on how people interact with our site and its content. The basis for this is an agreement with Facebook (“Information about Page Insights”: https://www.facebook.com/legal/terms/page_controller_addendum), which, among other things, governs security measures and the exercise of data subjects’ rights. You can find more information here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Therefore, users may submit requests for information or deletion directly to Facebook. Users’ rights (in particular, the right to information, erasure, objection, and the right to lodge a complaint with a supervisory authority) remain unaffected by this. Joint liability is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited is solely responsible for further processing, including any potential transfer to Meta Platforms Inc. in the U.S.; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF), https://www.facebook.com/legal/EU_data_transfer_addendum.
  • Pinterest: A social network that allows users to share photos, comment, save posts as favorites, send messages, and follow profiles; Service provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.pinterest.com. Privacy Policy: https://policy.pinterest.com/de/privacy-policy.
  • TikTok: Social media platform that allows users to share photos and videos, comment on and like posts, send messages, and follow accounts; service providers: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.tiktok.com; Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Data Processing Agreement: Provided by the service provider.
  • TikTok Business: A social media platform that allows users to share photos and videos, comment on and like posts, send messages, and follow accounts. We and TikTok are jointly responsible for collecting and transmitting event data, as well as for measuring and generating insights reports (statistics) for profile owners. This event data includes information about the types of content users view or interact with, or the actions they take, as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data) and information from user profiles, such as country or location. You can find information about TikTok’s processing of user data in TikTok’s privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. We have entered into a special joint liability agreement with TikTok, which specifically regulates the security measures TikTok must observe and in which TikTok has committed to respecting the rights of data subjects (i.e., users can, for example, submit requests for information or deletion directly to TikTok). Users’ rights (in particular to information, erasure, objection, and lodging a complaint with the competent supervisory authority) are not limited by the agreements with TikTok. The joint liability agreement can be found in TikTok’s “Jurisdiction-Specific Terms”: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms.; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.tiktok.com; Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Basis for transfers to third countries: Standard Contractual Clauses(https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).
  • YouTube: Social media and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Privacy Policy: https://business.safety.google/privacy/; Basis for transfers to third countries: Data Privacy Framework (DPF). Opt-out option: https://myadcenter.google.com/.

Plug-ins, features, and integrated content

We incorporate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include, for example, graphics, videos, or city maps (hereinafter collectively referred to as "content").

This integration always requires third-party providers of this content to process the user’s IP address, as they would not be able to send the content to your browser without it. Therefore, the IP address is necessary to display this content or feature. We strive to use only content whose respective providers use the IP address solely to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Pixel tags may be used to analyze information such as visitor traffic on the pages of this website. Pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit, and other information regarding the use of our online offering; however, it may also be linked to such information from other sources.

Notes on the legal basis: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., the interest in providing efficient, cost-effective services tailored to the recipients). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., page views and time spent on site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); metadata, communication and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved); location data (information about the geographic location of a device or person). Event data (Facebook) ("Event data" is information sent to the Meta provider, for example via Meta pixels (whether through apps or other channels), and refers to individuals or their actions. This data includes, for example, details of website visits, interactions with content and features, app installations, and product purchases. Event data is processed for the purpose of creating target groups for content and advertising messages (custom audiences). It is important to note that event data does not include actual content such as written comments, login information, or contact information such as names, email addresses, or phone numbers. "Event data" is deleted by Meta after a maximum of two years, and the target groups created from it disappear when our Meta user accounts are deleted).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Providing our online services and ensuring ease of use. Profiles containing user-related information (creation of user profiles).
  • Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion." Cookies are stored for a maximum of 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years).
  • Legal basis: Consent (Art. 6(1)(a) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).

More information about treatment options, procedures, and services:

  • Facebook plugins and content: Facebook social plugins and content may include, for example, content such as images, videos, or text, as well as buttons that allow users to share content from this website on Facebook. The list and appearance of Facebook social plugins can be viewed here: https://developers.facebook.com/docs/plugins/ - We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt in the context of a transmission (but not for the subsequent processing) of “event data” that Facebook collects or receives in the context of a transmission via the Facebook social plugins (and content embedding features) running on our online offering for the following purposes: a) Displaying content and advertising information that corresponds to users’ presumed interests; b) Sending commercial and transaction-related messages (e.g., by contacting users via Facebook); (e.g., by contacting users via Facebook Messenger); c) improving ad delivery and the personalization of features and content (e.g., improving the recognition of which content or advertising information presumably corresponds to users’ interests). We have entered into a special agreement with Facebook (“Addendum for Data Controllers,” https://www.facebook.com/legal/controller_addendum), which specifically regulates the security measures Facebook must observe(https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has committed to respecting the rights of data subjects (i.e., users can, for example, send information or deletion requests directly to Facebook). Note: If Facebook provides us with metrics, analytics, and reports (which are aggregated, i.e., do not contain information about individual users and are anonymous to us), this processing is not carried out under joint responsibility but on the basis of a data processing agreement ("Data Processing Terms," https://www.facebook.com/legal/terms/dataprocessing) the "Data Security Terms"(https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the U.S., on the basis of standard contractual clauses ("Facebook-EU Data Transfer Addendum," https://www.facebook.com/legal/EU_data_transfer_addendum). Users’ rights (in particular to information, erasure, objection, and lodging a complaint with the competent supervisory authority) are not limited by the agreements with Facebook; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • Google Maps: We integrate maps from the "Google Maps" service provided by Google. The data processed may include, in particular, IP addresses and user location data; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https ://mapsplatform.google.com/; Privacy Policy: https://business.safety.google/privacy/. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • Font Awesome (retrieved from the provider's server): Retrieval of fonts (as well as icons) to ensure technically secure, maintenance-free, and efficient use of fonts and icons in terms of updates and loading times, consistent display, and consideration of potential license restrictions. The font provider is informed of the user’s IP address so that the fonts can be made available in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) necessary for making the fonts available based on the devices used and the technical environment is transmitted; service provider: Fonticons, Inc., 6 Porter Road, Apartment 3R, Cambridge, MA 02140, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://fontawesome.com/. Privacy Policy: https://fontawesome.com/privacy.
  • TikTok plugins and content: TikTok plugins and content—this may include, for example, content such as images, videos, or text, as well as buttons; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.tiktok.com. Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de.
  • Adobe Fonts: Provision of fonts for integration into web and print designs, font synchronization across devices, access to a library of licensed fonts for creative projects, and font management and organization within projects; Service provider: Adobe Systems Software Ireland, 4-6 Riverwalk Drive, Citywest Business Campus, Brownsbarn, Dublin 24, D24 DCW0, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.adobe.com/de/; Privacy Policy: https://www.adobe.com/de/privacy.html; Basis for transfers to third countries: Data Privacy Framework (DPF). More information: https://www.adobe.com/de/privacy/policies/adobe-fonts.html.

Management, organizational, and support tools

We use services, platforms, and software from other providers (hereinafter "third-party providers") to organize, manage, plan, and provide our services. When selecting third-party providers and their services, we comply with legal requirements.

In this context, personal data may be processed and stored on third-party servers. This may affect various types of data that we process in accordance with this privacy policy. Such data may include, in particular, user master data and contact information, as well as data relating to transactions, contracts, other processes, and their content.

If users are referred to third-party providers or their software or platforms in the context of communication, business dealings, or other relationships with us, those third-party providers may process usage data and metadata for security, service optimization, or marketing purposes. Therefore, please be sure to review the privacy notices of the respective third-party providers.

  • Types of data processed: Content data (e.g., messages and textual or visual contributions, as well as related information such as details regarding authorship or the time of creation); usage data (e.g., page views and time spent on the site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Metadata, communication, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Affected parties: Media partners. Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations. Administrative and organizational procedures.
  • Storage and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
  • Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR).

Change and update

Please review our privacy policy periodically. We will update the privacy policy as soon as changes in our data processing practices make it necessary. We will notify you as soon as the changes require your cooperation (for example, consent) or other individual notification.

If we provide addresses and contact information for companies and organizations in this privacy policy, please note that these addresses may change over time, and you should verify the information before contacting us.

Definitions of terms

This section provides an overview of the terms used in this privacy policy. To the extent that these terms are defined by law, their legal definitions shall apply. The explanations provided below, however, are intended primarily to help you understand them.

  • A/B testing: A/B tests are used to improve the usability and performance of online services. For example, users are shown different versions of a website or its elements, such as input forms, in which the placement of content or the labeling of navigation elements may differ. User behavior—such as the time spent on the website or the most frequent interaction with elements—can then be used to determine which of these websites or elements is most likely to meet the user’s needs.
  • Inventory data: Inventory data includes essential information required for the identification and management of contractual partners, user accounts, profiles, and similar assignments. This data may include personal and demographic information such as names, contact information (addresses, phone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Inventory data forms the basis of any formal interaction between people and services, facilities, or systems by enabling clear assignment and communication.
  • Content Delivery Network (CDN): A "Content Delivery Network" (CDN) is a service that enables the content of an online offering—particularly large multimedia files such as graphics or program scripts—to be delivered more quickly and securely with the help of servers distributed across different regions and connected via the Internet.
  • Heat maps: "Heat maps" are visualizations of users' mouse movements that are aggregated to form an overall picture, which can be used, for example, to identify which elements of the website users prefer and which they prefer less.
  • Content data: Content data includes information generated during the creation, editing, and publication of all types of content. This category of data may include text, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the content itself, but also includes metadata that provides information about the content itself, such as tags, descriptions, author information, and publication dates.
  • Click tracking: Click tracking allows us to monitor users’ movements throughout an entire online offering. Since the results of these tests are more accurate if user interaction can be tracked over a specific period of time (for example, to determine whether a user likes to return), cookies are typically stored on the user’s computer for these testing purposes.
  • Contact information: Contact information is essential data that enables communication with individuals or organizations. It includes phone numbers, mailing addresses, and email addresses, as well as communication tools such as social media accounts and instant messaging usernames.
  • Conversion tracking: Conversion tracking (also known as "visit action evaluation") is a process that can be used to determine the effectiveness of marketing initiatives. To do this, a cookie is typically stored on the user's device on the websites where the marketing initiatives take place and is then retrieved again on the destination website. For example, this allows us to determine whether the ads we have placed on other websites have been successful.
  • Artificial Intelligence (AI): The purpose of data processing using artificial intelligence (AI) includes the automated analysis and processing of user data in order to identify patterns, make predictions, and improve the efficiency and quality of our services. This includes the collection, cleaning, and structuring of data, the training and application of AI models, as well as the continuous review and optimization of results, and is carried out exclusively with the user’s consent or on the basis of a legal authorization.
  • Metadata, communication data, and procedural data: Metadata, communication data, and procedural data are categories that contain information about how data is processed, transmitted, and managed. Metadata, also known as data about data, includes information that describes the context, origin, and structure of other data. It may include information about file size, creation date, the author of a document, and change histories. Communication data records the exchange of information between users through various channels, such as email traffic, call logs, social media messages, and chat histories, including the individuals involved, timestamps, and transmission routes. Process data describes the processes and procedures within systems or organizations, including workflow documentation, transaction and activity logs, and audit logs used to track and review processes.
  • Usage data: Usage data refers to information that captures how users interact with digital products, services, or platforms. This data includes a wide range of information that shows how users use applications, which features they prefer, how long they stay on certain pages, and which paths they take to navigate an application. Usage data may also include frequency of use, activity timestamps, IP addresses, device information, and location data. It is particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. Additionally, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.
  • Personal data: "personal data" means any information relating to an identified or identifiable natural person (hereinafter "the data subject"); any natural person shall be considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Profiles containing user-related information: The processing of "profiles containing user-related information," or "profiles" for short, includes any type of automated processing of personal data that consists of using such personal data to analyze, evaluate, or predict certain personal aspects related to a natural person (depending on the type of profiling, this may include various information related to demographics, behavior, and interests, such as interaction with websites and their content, etc.) (for example, interests in certain content or products, click behavior on a website, or location). Cookies and web beacons are often used for profiling.
  • Log data: Log data consists of information about events or activities that have been recorded in a system or network. This data typically includes information such as timestamps, IP addresses, user actions, error messages, and other details regarding the use or operation of a system. Log data is often used to analyze system issues, monitor security, or generate performance reports.
  • Audience measurement: Audience measurement (also known as web analytics) is used to evaluate the flow of visitors to an online offering and may include information about visitors’ behavior or interests, such as website content. With the help of audience analytics, online service providers can, for example, determine at what times users visit their websites and what content interests them. This allows them, for example, to better tailor the content of their websites to the needs of their visitors. Pseudonymous cookies and web beacons are often used for reach analysis to recognize returning visitors and thus obtain more accurate analyses of the use of an online offering.
  • Remarketing: The term "remarketing" or "retargeting" is used when, for example, the products a user viewed on a website are tracked for advertising purposes so that those products can be shown to the user on other websites, such as in ads.
  • Location data : Location data is generated when a mobile device (or another device capable of determining location) connects to a cell tower, a Wi-Fi network, or similar technical means and functions for determining location. Location data is used to indicate the geographically determinable position on Earth where the respective device is located. Location data can be used, for example, to display map features or other location-dependent information.
  • Tracking: The term "tracking" is used when users' behavior can be tracked across various online services. As a general rule, information about users' behavior and interests is stored in cookies or on the servers of tracking technology providers in connection with the online services used (a process known as profiling). This information can be used, for example, to show users ads that may match their interests.
  • Data controller: the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: "Processing" refers to any operation or set of operations performed on personal data, whether by automated means or otherwise. The term is broad and covers virtually any form of data processing, including collection, analysis, storage, transmission, or deletion.
  • Contractual data: Contractual data refers to specific information related to the formalization of an agreement between two or more parties. It documents the terms under which services or products are provided, exchanged, or sold. This category of data is essential for managing and fulfilling contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contractual data may include the contract’s start and end dates, the type of services or products agreed upon, pricing arrangements, payment terms, cancellation rights, renewal options, and special conditions or clauses. It serves as the legal basis for the relationship between the parties and is crucial for clarifying rights and obligations, enforcing claims, and resolving disputes.
  • Payment data: Payment data includes all the information needed to process payment transactions between buyers and sellers. This data is crucial for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank account information, payment amounts, transaction details, verification codes, and billing information. Payment data may also include information about payment status, refunds, authorizations, and fees.
  • Target audience creation: Custom audiences are defined when target groups are identified for advertising purposes, such as displaying ads. For example, based on a user’s interest in certain products or topics online, it can be concluded that this user is interested in ads for similar products or in the online store where they viewed the products. "Similar audiences" (or similar target groups), on the other hand, occur when content deemed appropriate is shown to users whose profiles or interests presumably match those of the users for whom the profiles were created. Cookies and web beacons are generally used to create custom audiences and similar audiences.