Privacy Policy

Preamble

In this privacy policy, we would like to explain what types of personal data (hereinafter also referred to as “data”) we process, for what purposes, and to what extent. This Privacy Policy applies to all processing of personal data that we carry out, both in connection with the provision of our services and, in particular, on our websites, in mobile applications, and on our external online platforms, such as our social media profiles (hereinafter collectively referred to as “online offerings”).

The terms used are gender-neutral.

Status as of May 27, 2026

Legal text by Dr. Schwenke.

Controller

Stoll Group Ventures GmbH
Aegeristrasse 116
6300 Zug
Switzerland

Persons authorized to represent the company: Oliver Stoll

Email address: lockenkopf

Legal Notice: lockenkopf

Overview of processing operations

The overview below summarizes the types of data processed and the purposes of such processing, and provides information for data subjects.

Types of data processed

  • Inventory data.
  • Payment information.
  • Location data.
  • Contact information.
  • Content information.
  • Contractual information.
  • Usage data.
  • Metadata, communication data, and procedural data.
  • Contact information (Facebook).
  • Event dates (Facebook).
  • Log data.

Categories of affected individuals

  • Beneficiary and payer.
  • Anyone interested.
  • Communication partners.
  • Users.
  • Participants in games and contests.
  • Business and contractual partners.
  • Third parties.

Purposes of the processing

  • To provide contractual services and fulfill contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Range measurement.
  • Follow-up.
  • Office and organizational procedures.
  • Retargeting.
  • Conversion tracking.
  • Click tracking.
  • Formation of target groups.
  • A/B testing.
  • Organizational and administrative procedures.
  • Organization of games and contests.
  • Content Delivery Network (CDN).
  • Reaction.
  • Heat maps.
  • Surveys and questionnaires.
  • Marketing.
  • Profile containing information about the user.
  • Availability of our online offerings and user-friendliness.
  • IT infrastructure.
  • Public relations.
  • Sales promotion.
  • Business management processes and procedures.
  • Artificial intelligence (AI).

Relevant legal bases

Relevant legal bases under the GDPR: Below is an overview of the legal bases under the GDPR on which we rely to process personal data. Please note that in addition to the provisions of the GDPR, national data protection laws may apply in your country or in our country of residence or domicile. If, in a specific case, more specific legal bases were to apply, we would inform you of them in the privacy policy.

  • Consent (Article 6(1)(a) of the GDPR) – The data subject has given consent to the processing of personal data concerning him or her for one or more specified purposes.
  • Performance of a contract and pre-contractual inquiries (Article 6(1)(b) of the GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject’s request.
  • Legal obligation (Article 6(1)(c) of the GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Article 6(1)(f) of the GDPR) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests, fundamental rights, and fundamental freedoms of the data subject which require protection of personal data.

National data protection rules in Germany: In addition to the data protection rules of the GDPR, national data protection rules apply in Germany. These include, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains, in particular, special provisions regarding the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transfer, as well as automated decision-making on a case-by-case basis, including profiling. In addition, the regional data protection laws of the various federal states may apply.

Note on the applicability of the GDPR and the Swiss Data Protection Act (DPA): This data protection information serves to provide guidance in accordance with both the Swiss DPA and the General Data Protection Regulation (GDPR). For this reason, please note that, to ensure broader applicability and greater clarity, the terms used are those of the GDPR. In particular, instead of the terms “processing” of “personal data,” “overriding interest,” and “sensitive personal data” used in the Swiss DPA, the terms “processing” of “personal data” as well as “legitimate interest” and “special categories of data” used in the GDPR are employed. However, within the scope of the Swiss DPA’s applicability, the legal meaning of these terms will continue to be determined in accordance with the Swiss DPA.

Security measures

We take appropriate technical and organizational measures, in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

These measures include ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to data, as well as access, collection, disclosure, availability, and segregation of data. We have also established procedures to ensure the exercise of data subjects’ rights, the erasure of data, and the response to data threats. Furthermore, we take into account the protection of personal data from the very beginning of the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and through default settings that favor data protection.

Securing online connections using TLS/SSL (HTTPS) encryption technology: To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission over the Internet. These technologies encrypt the information transmitted between the website or application and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as a more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and encrypted.

Transfer of personal data

In the course of our processing of personal data, such data may be transferred to or disclosed to other departments, companies, legally independent organizational units, or individuals. The recipients of this data may include, for example, service providers responsible for IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, enter into appropriate contracts or agreements with the recipients of your data to ensure the protection of your data.

International data transfers

Data processing in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in connection with the use of third-party services or the disclosure or transfer of data to other individuals, services, or companies (which can be identified by the postal address of the provider in question or if the privacy policy explicitly refers to the transfer of data to third countries), this is always done in accordance with legal requirements.

For data transfers to the United States, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a safe legal framework by a European Commission adequacy decision dated July 10, 2023. In addition, we have entered into standard contractual clauses with the respective providers that meet the European Commission’s requirements and define contractual obligations for the protection of your data.

This dual protection ensures comprehensive protection for your data: The DPF serves as the first line of defense, while the standard contractual clauses provide an additional layer of security. In the event of changes to the DPF, the standard contractual clauses act as a reliable fallback option. In this way, we ensure that your data is always adequately protected, even in the event of political or legal changes.

For the various service providers, we provide information on whether they are DPF-certified and whether there are standard contractual clauses. You can find more information about the DPF and a list of certified companies on the U.S. Department of Commerce website at https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, appropriate safeguards apply, including standard contractual clauses, explicit consent, or transfers required by law. You can find information on transfers to third countries and the adequacy decisions in force on the European Commission’s information website: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

General information on data retention and deletion

We delete the personal data we process in accordance with legal provisions as soon as the underlying consents are revoked or there is no longer a legal basis for processing. This applies to cases where the original purpose of the processing no longer applies or the data is no longer necessary. Exceptions to this rule apply when legal obligations or specific interests require the data to be retained or archived for a longer period.

In particular, data that must be retained for commercial or tax purposes, or whose retention is necessary for legal proceedings or to protect the rights of other individuals or legal entities, must be archived accordingly.

Our privacy policy contains additional information about data retention and deletion that applies specifically to certain processing operations.

If there are multiple provisions regarding the retention period or the time limits for deleting data, the longest period shall always apply. We process data that is no longer retained for its original purpose, but is retained due to legal requirements or for other reasons, exclusively for the purposes that justify its retention.

Data retention and deletion: The following general time limits apply to data retention and archiving in accordance with German law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, status reports, the opening balance sheet, as well as work instructions and other organizational documents necessary for their understanding (Section 147(1)(1) in conjunction with Section 3 of the AO, § 14b(1) UStG, § 257(1)(1) in conjunction with § 257(4) of the HGB).
  • 8 years – accounting documents, such as invoices and expense receipts (Section 147(1)(4) and (4a) in conjunction with Section 147(3), first sentence, of the German Fiscal Code (AO), as well as Section 257(1)(4) in conjunction with Section 257(4) of the German Commercial Code (HGB)).
  • 6 years – Other business documents: business or professional correspondence received, copies of business or professional correspondence sent, other documents, insofar as they are relevant for tax purposes, such as hourly pay slips, operating statements, calculation documents, price tags, as well as payroll documents, insofar as they are not already accounting records or cash register receipts (Section 147(1)(2), (3), and (5) in conjunction with Section 147(3) of the AO, and Section 257(1)(2) and (3) in conjunction with Section 257(4) of the HGB).
  • 3 years – Data necessary to address potential warranty and indemnity claims or similar contractual claims and rights, as well as to process related requests, based on prior business experience and standard industry practices, is retained for the duration of the standard three-year statutory limitation period (Sections 195 and 199 of the German Civil Code).

Start of the period at the end of the year: If a period does not expressly begin on a specific date and is at least one year long, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is recorded, the event triggering the period is the effective date of termination or any other cessation of the legal relationship.

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which are set forth in Articles 15 through 21 of the GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data carried out on the basis of Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes; this also applies to profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw your consent at any time.
  • Right of access: You have the right to request confirmation as to whether or not the data in question is being processed, and to obtain information about that data, as well as additional information and a copy of the data, in accordance with legal requirements.
  • Right to rectification: In accordance with applicable law, you have the right to request that your personal data be completed or that any inaccurate personal data be corrected.
  • Right to erasure and restriction of processing: In accordance with applicable law, you have the right to request that your personal data be erased immediately or, failing that, to request that the processing of your personal data be restricted in accordance with applicable law.
  • Right to data portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, in accordance with legal requirements, or to request that it be transmitted to another controller.
  • Right to lodge a complaint with a supervisory authority: In accordance with legal provisions and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular with a supervisory authority in the Member State where you habitually reside, the supervisory authority of your place of work, or the place where the alleged infringement occurred, if you believe that the processing of your personal data violates the GDPR.

Sales Services

We process the personal data of our contractual and business partners, such as customers, clients, interested parties, suppliers, and other cooperation partners (collectively referred to as "contractual partners"), for the purpose of establishing, executing, and managing contractual relationships as well as comparable legal relationships. This also includes pre-contractual measures taken upon request, as well as communication related to the relevant contractual relationship.

The processing is used, in particular, to fulfill our primary and secondary contractual obligations. This includes, in particular, the provision of agreed services, any obligations to provide updates and information, the handling of warranty claims and other performance issues, the processing of revocations, terminations of open-ended contracts, refunds, and the handling of other contract-related declarations and requests. This applies to both one-time contracts and ongoing contractual relationships.

In particular, we process basic data such as name, address, and, where applicable, company name, contact information such as email address and phone number, contractual and service-related data such as the subject matter of the contract, the contract term, the order or process number, usage and service data, payment and billing information, as well as the content and history of communications. If necessary, we also process data disclosed or transmitted to us in connection with the fulfillment of an order.

In addition, we process data to protect our rights and fulfill our legal obligations. This includes, in particular, retention requirements under commercial and tax law, documentation requirements, and, where applicable, obligations regarding evidence and accountability. Furthermore, processing is carried out based on our legitimate interests in sound business management, internal administration, risk management, and IT security, as well as in protecting our business activities and contractual partners against abuse, data breaches, disclosure of trade secrets, and other legal interests. This may also include the involvement of external service providers such as IT and telecommunications service providers, transport and logistics companies, payment service providers, banks, tax and legal advisors, or other agents, to the extent necessary for the performance of the contract or compliance with legal obligations.

Personal data is disclosed to third parties only if necessary for the performance of the contract, the implementation of pre-contractual measures, the protection of legitimate interests, or compliance with legal obligations. We provide separate information in this privacy policy regarding processing activities that go beyond this scope, particularly for marketing purposes.

We inform our contractual partners which data is required in each specific case as part of the data collection process, for example by marking the relevant fields on online forms or during personal contact.

Data is deleted as soon as it is no longer needed for the aforementioned purposes and there are no legal retention requirements that prevent its deletion. Legal retention periods, particularly under commercial and tax law, may require longer storage. We delete data that was transmitted in connection with a specific order after the order has been completed and any retention periods have expired, provided there are no other legal or contractual obligations to retain the data.

The legal basis for the processing is Article 6(1)(b) of the GDPR for the performance of pre-contractual measures and for the performance of the corresponding contractual relationship, as well as Article 6(1)(c) of the GDPR for the fulfillment of legal obligations. If the processing is based on legitimate interests, it is carried out pursuant to Article 6(1)(f) of the GDPR. To the extent that the processing is based on Article 6(1)(f) of the GDPR, it is carried out to safeguard our legitimate interests in proper and efficient business organization, internal management and documentation of business transactions, the enforcement and defense of legal rights, the assurance of IT and data security, the prevention of abuse and fraud, as well as the economic management and development of our business activities. These interests include, in particular, ensuring safe and legally sound business activities and preserving our ability to act as a business.

  • Types of data processed: basic data (e.g., full name, home address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., mailing and email addresses or phone numbers); contractual data (e.g., subject matter of the contract, duration, customer category); usage data (e.g., pages viewed and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions). Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Beneficiaries and clients; interested parties. Business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; security measures; communication; office and organizational procedures; organizational and administrative procedures; business processes and management procedures.
  • Retention and deletion: deletion in accordance with the instructions in the section "General Information on Data Retention and Deletion."
  • Legal bases: performance of a contract and pre-contractual requests (Art. 6(1)(b) of the GDPR); legal obligation (Art. 6(1)(c) of the GDPR); legitimate interests (Art. 6(1)(f) of the GDPR).

Additional information on processing operations, procedures, and services:

  • Online store, order forms, e-commerce, and service fulfillment: We process our customers’ data to enable them to select, purchase, or order the products, goods, and related services they have chosen, as well as to pay for them and make them available, deliver them, or fulfill them. To the extent necessary for order fulfillment, we engage service providers—in particular postal, transport, and shipping companies—to carry out delivery or fulfillment on behalf of our customers. For the processing of payment transactions, we use the services of banks and payment service providers. The required information is identified as such during the ordering or comparable purchasing process and includes information necessary for delivery, provision, and billing, as well as contact information to enable you to contact us if necessary; legal bases: performance of the contract and pre-contractual inquiries (Art. 6(1)(b) of the GDPR).

Use of online platforms for offering and selling products

We offer our services on online platforms operated by other service providers. In this context, the privacy policies of the respective platforms apply in addition to our privacy policy. This applies in particular to the processing of payments and to the procedures used on the platforms for audience measurement and interest-based marketing.

  • Types of data processed: basic data (e.g., full name, home address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., mailing and email addresses or phone numbers); contractual data (e.g., subject matter of the contract, duration, customer category); usage data (e.g., pages viewed and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions). Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Beneficiaries and principals. Business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; marketing. Business processes and management procedures.
  • Retention and deletion: deletion in accordance with the instructions in the section "General Information on Data Retention and Deletion."
  • Legal basis: performance of the contract and pre-contractual requests (Art. 6(1)(b) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).

Additional information on processing operations, procedures, and services:

  • Shopify: a platform through which e-commerce services are offered and provided. The services and processes implemented as part of these services include, but are not limited to, online stores, websites, their offerings and content, community features, purchasing and payment processes, communication with customers, as well as analytics and marketing; service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; legal basis: legitimate interests (Art. 6(1)(f) of the GDPR); website: https://www.shopify.com/de/. Privacy Policy: https://www.shopify.com/de/legal/datenschutz.

Payment Procedure

In the context of contractual and other legal relationships, due to legal obligations, or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and, for this purpose, engage not only banks and credit institutions but also other service providers (collectively, “payment service providers”). In accordance with the state of the art, payment transactions are conducted exclusively via encrypted connections, ensuring that the data entered is protected against unauthorized access during transmission.

The data processed by payment service providers includes personal information, such as name and address; banking information, such as account or credit card numbers, passwords, TANs, and checksums; as well as information regarding the contract, transaction amounts, and payees. This information is necessary to process transactions. However, the data entered is processed only by the payment service providers and stored by them. In other words, we do not receive any account or credit card information, but only information confirming whether or not the payment was successful. Under certain circumstances, the data is transmitted by the payment service providers to credit reporting agencies. The purpose of this transmission is to verify identity and creditworthiness. Please refer to the terms and conditions and privacy policies of the payment service providers for further details.

Payment transactions are subject to the terms and conditions and privacy policies of the respective payment service providers, which can be viewed on their websites or in their transaction apps. We also refer you to these resources for further information and to exercise your rights of withdrawal, access, and other rights as a data subject.

  • Types of data processed: personal information (e.g., full name, home address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contractual data (e.g., purpose of the contract, term, customer category); usage data (e.g., pages viewed and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions); metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved). Contact data (e.g., postal and email addresses or phone numbers).
  • Data subjects: Beneficiaries and principals; business and contractual partners. Interested parties.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; business processes and management procedures; administrative and organizational procedures.
  • Retention and deletion: deletion in accordance with the instructions in the section "General Information on Data Retention and Deletion."
  • Legal basis: performance of the contract and pre-contractual requests (Art. 6(1)(b) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).

Additional information on processing operations, procedures, and services:

Provision of the online service and web hosting

We process user data in order to make our online services available to users. To this end, we process the user’s IP address, which is necessary to deliver the content and features of our online services to the user’s browser or device.

  • Types of data processed: Usage data (e.g., pages viewed and duration of visit, navigation paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved); log data (e.g., log files regarding connections or data access or access times); content data (e.g., text or image-based messages and contributions, as well as related information such as author details or creation dates); Master data (e.g., full name, home address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or phone numbers); contractual data (e.g., subject matter of the contract, duration, customer category).
  • Data subjects: Users (e.g., website visitors, users of online services); business and contractual partners; service recipients and clients.
  • Purposes of processing and legitimate interests: Provision of our online services and user-friendliness; IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); security measures; content delivery network (CDN). Provision of contractual services and fulfillment of contractual obligations.
  • Retention and deletion: deletion in accordance with the instructions in the section "General Information on Data Retention and Deletion."
  • Legal basis: legitimate interests (Article 6(1)(f) of the GDPR).

Additional information on processing operations, procedures, and services:

  • Making our online services available via rented storage space: To make our online services available, we use storage space, computing capacity, and software that we rent from a server provider (also known as a "hosting provider") or obtain in some other way; legal basis: legitimate interests (Art. 6(1)(f) of the GDPR).
  • Collection of access data and log files: Access to our online services is recorded in the form of "server log files." Server log files may include the address and name of the web pages and files accessed, the date and time of access, the amount of data transferred, confirmation of successful access, the browser type and version, the user’s operating system, the referring URL (the previously visited page), and, as a rule, the IP addresses and the internet service provider. Server log files may be used, on the one hand, for security purposes, for example to prevent server overload (particularly in the event of malicious attacks, known as DDoS attacks), and, on the other hand, to ensure server capacity and stability; legal basis: legitimate interests (Art. 6(1)(f) GDPR). Data deletion: Information from log files is retained for a maximum of 30 days, after which it is deleted or anonymized. Data that must be retained for evidentiary purposes is excluded from deletion until the incident in question has been definitively resolved.
  • Amazon Web Services (AWS): services related to the provision of IT infrastructure and related services (e.g., storage space and/or computing power); service provider: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg; legal basis: legitimate interests (Art. 6(1)(f) of the GDPR); website: https://aws.amazon.com/de/; privacy policy: https://aws.amazon.com/de/privacy/; data processing agreement: https://aws.amazon.com/de/compliance/gdpr-center/. Basis for transfers to third countries: Data Privacy Framework (DPF), standard contractual clauses (https://aws.amazon.com/de/compliance/gdpr-center/).
  • GoDaddy: domain registration and web hosting services; service provider: Go Daddy Operating Company, LLC, 14455 N. Hayden Road, Scottsdale, Arizona 85254, United States; legal basis: legitimate interests (Art. 6(1)(f) of the GDPR); website: https://www.godaddy.com/de-de; privacy policy: https://www.godaddy.com/de-de/legal/agreements/privacy-policy. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • Cloudflare: Content Delivery Network (CDN) – a service that enables the faster and more secure delivery of online content, particularly large multimedia files such as graphics or program scripts, using servers distributed regionally and connected via the Internet; service provider: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, United States; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.cloudflare.com; privacy policy: https://www.cloudflare.com/privacypolicy/; data processing agreement: https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for transfers to third countries: Data Privacy Framework (DPF), standard contractual clauses (https://www.cloudflare.com/cloudflare-customer-scc/).
  • GDPR Legal Cookie: storage and management of consents (consent to cookies and data processing), logging of user decisions, display of information on data protection and cookies, ability for users to revoke or modify their consents; service provider: beeclever GmbH, Friedrich-Mohr-Straße 1, 56070 Koblenz, Germany; legal basis: legitimate interests (Art. 6(1)(f) of the GDPR); website: https://gdpr-legal-cookie.myshopify.com/. Privacy policy: https://gdpr-legal-cookie.myshopify.com/pages/datenschutzerklarung.
  • Shopify: a platform through which e-commerce services are offered and provided. The services and processes implemented as part of these services include, but are not limited to, online stores, websites, their offerings and content, community features, purchasing and payment processes, communication with customers, as well as analytics and marketing; service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; legal basis: legitimate interests (Art. 6(1)(f) of the GDPR); website: https://www.shopify.com/de/. Privacy policy: https://www.shopify.com/de/legal/datenschutz.
  • Klaviyo: email and SMS marketing platform; service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, United States; legal basis: legitimate interests (Art. 6(1)(f) of the GDPR); website: https://www.klaviyo.com/; privacy policy: https://www.klaviyo.com/legal/privacy-notice. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • Amazon CloudFront: Content Delivery Network (CDN) – a service that enables faster and more secure delivery of online content, particularly large multimedia files such as graphics or program scripts, using servers distributed across different regions and connected via the Internet; service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://aws.amazon.com/de/cloudfront/; privacy policy: https://aws.amazon.com/privacy/; data processing agreement: https://aws.amazon.com/de/compliance/gdpr-center/. Basis for transfers to third countries: standard contractual clauses (provided by the service provider).
  • JSDelivr: a content delivery network (CDN) that helps deliver media and files quickly and efficiently, especially under heavy load; service provider: ProspectOne, Królewska 65A/1, 30-081, Kraków, Poland; legal basis: legitimate interests (Article 6(1)(f) of the GDPR); website: https://www.jsdelivr.com. Privacy policy: https://www.jsdelivr.com/terms/privacy-policy.

Use of Cookies

The term "cookies" refers to functions that store information on users' devices and read it from those devices. Cookies may also be used for various purposes, such as ensuring the proper functioning, security, and user-friendliness of online services, as well as for analyzing visitor traffic. We use cookies in accordance with legal requirements. Where necessary, we obtain users’ consent in advance. If consent is not required, we rely on our legitimate interests. This is the case when the storage and reading of information are essential to provide the content and functions expressly requested. This includes, for example, saving settings and ensuring the functionality and security of our online service. Consent may be revoked at any time. We provide clear information regarding the scope of use and the cookies employed.

Notes on the legal basis for data protection: The processing of personal data using cookies is subject to consent. If consent is given, it serves as the legal basis. In the absence of consent, we rely on our legitimate interests, which are explained above in this section and in the context of the relevant services and procedures.

Lifespan: With regard to lifespan, cookies are classified into the following types:

  • Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes their device (e.g., browser or mobile app).
  • Persistent cookies: Persistent cookies remain stored even after the device is shut down. They allow, for example, the system to remember the user’s login status and display preferred content directly when the user visits a website again. Similarly, user data collected via cookies may be used to measure website traffic. Since we do not provide users with explicit information about the nature and retention period of cookies (for example, as part of the consent request), they should assume that these are persistent and that their retention period may be up to two years.

General information on withdrawal of consent and opting out: Users may withdraw their consent at any time and, in addition, object to the processing of their data in accordance with legal provisions, including through their browser’s privacy settings.

  • Types of data processed: metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • People affected: Users (for example, website visitors, users of online services).
  • Legal basis: legitimate interests (Art. 6(1)(f) of the GDPR). Consent (Art. 6(1)(a) of the GDPR).

Additional information on processing operations, procedures, and services:

  • Processing of cookie data based on consent: We use a consent management solution through which we obtain users’ consent for the use of cookies or for the procedures and providers mentioned in connection with the consent management solution. This procedure is used to obtain, record, manage, and withdraw consents, particularly regarding the use of cookies and comparable technologies that are used to store, read, and process information on users’ devices. As part of this procedure, user consent is collected for the use of cookies and the associated processing of information, including the specific processing activities and providers mentioned in the consent management procedure. Users also have the option to manage and withdraw their consent. Consent declarations are recorded to avoid the need for a new request and to provide proof of consent in accordance with legal requirements. Storage takes place on the server side and/or in a cookie (called an opt-in cookie) or using comparable technologies, in order to be able to attribute the consent to a specific user or their device. In the absence of specific information about the consent management service providers, the following general guidelines apply: The retention period for consent can be up to two years. A pseudonymous user identifier is then created and stored along with the time of consent, information regarding the scope of consent (e.g., the categories of cookies and/or the service providers concerned), as well as information about the browser, operating system, and device used; legal basis: consent (Article 6(1)(a) of the GDPR).
  • TrustArc: storage and management of consent (consent to cookies and data processing), recording of user decisions, display of notices regarding data protection and cookies, ability for users to withdraw or modify their consent; service provider: TrustArc Inc., 111 Sutter Street, Suite 600, San Francisco, CA 94104, United States; website: https://www.trustarc.com/products/cookie-consent-manager/; privacy policy: https://trustarc.com/privacy-policy/; data processing agreement: provided by the service provider. Basis for transfers to third countries: standard contractual clauses (provided by the service provider).

Data processing in the context of applications (apps)

We process the data of our app users to the extent necessary to provide users with the app and its features, to monitor its security, and to develop it. We may also contact users in accordance with legal provisions, to the extent that such communication is necessary for the administration or use of the app. Furthermore, regarding the processing of user data, we refer to the data protection information contained in this privacy policy.

Legal basis: The processing of data necessary to provide the app’s features is required to fulfill contractual obligations. The same applies when providing these features requires user consent (e.g., authorizing device functions). If data processing is not necessary to provide the app’s features but serves the app’s security or our business interests (e.g., data collection for app optimization or security purposes), it is carried out on the basis of our legitimate interests. To the extent that users are expressly asked to consent to the processing of their data, the processing of data covered by such consent is carried out on the basis of consent.

  • Types of data processed: personal information (e.g., full name, home address, contact information, customer number, etc.); usage data (e.g., pages viewed and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions). Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • People affected: Users (for example, website visitors, users of online services).
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; security measures. Making our online services available and ensuring user-friendliness.
  • Retention and deletion: deletion in accordance with the instructions in the section "General Information on Data Retention and Deletion."
  • Legal basis: performance of the contract and pre-contractual requests (Art. 6(1)(b) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).

Additional information on processing operations, procedures, and services:

  • Device permissions for accessing features and data: Using our app or its features may require users to grant permissions to access certain features of the devices being used, or data stored on the devices or accessible via the devices. By default, these permissions must be granted by users and can be revoked at any time in the settings of the relevant devices. The exact procedure for managing app permissions may vary depending on the user’s device and software. Users may contact us if they require further clarification. Please note that refusing or revoking the relevant permissions may affect the functionality of our app.

Registration, login, and user account

Users can create a user account. During the registration process, users are informed of the required data, which is processed for the purpose of providing the user account based on the fulfillment of a contractual obligation. The data processed includes, in particular, login information (username, password, and email address).

When you use our registration and login features, as well as your user account, we record your IP address and the time of your action. This data is stored based on our legitimate interests and those of our users in protecting against abuse and other unauthorized use. This data is generally not disclosed to third parties unless it is necessary to enforce our rights or there is a legal obligation to do so.

Users may be notified by email of actions related to their user account, such as technical changes.

  • Types of data processed: personal information (e.g., full name, home address, contact details, customer number, etc.); contact information (e.g., mailing and email addresses or phone numbers); content data (e.g., text or visual messages and contributions, as well as related information such as author details or creation dates); usage data (e.g., pages viewed and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions); log data (e.g., log files regarding connections, data retrieval, or access times).
  • People affected: Users (for example, website visitors, users of online services).
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; security measures; organizational and administrative procedures. Provision of our online services and user-friendliness.
  • Retention and deletion: Deletion in accordance with the instructions in the section "General Information on Data Retention and Deletion." Deletion upon termination.
  • Legal basis: performance of the contract and pre-contractual requests (Art. 6(1)(b) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).

Additional information on processing operations, procedures, and services:

  • Registration with real names: Due to the nature of our community, we ask users to use our service only under their real names. This means that the use of pseudonyms is not permitted; legal basis: performance of the contract and pre-contractual requests (Art. 6(1)(b) of the GDPR).
  • User profiles are not public: user profiles are not visible or accessible to the public.
  • No obligation to retain data: Users are responsible for backing up their data in the event of termination before the end of the contract. We are entitled to permanently delete all user data recorded during the term of the contract; legal basis: performance of the contract and pre-contractual requests (Art. 6(1)(b) of the GDPR).

Contact and Request Management

When you contact us (e.g., by mail, contact form, email, phone, or social media), as well as in the context of existing user and business relationships, the data of the individuals making the request is processed to the extent necessary to respond to contact requests and any requested actions.

  • Types of data processed: contact data (e.g., postal and email addresses or phone numbers); content data (e.g., messages and posts in the form of text or images, as well as related information, such as data regarding the author or the time of creation). Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, and individuals involved).
  • Data subjects: Communication partners.
  • Purposes of processing and legitimate interests: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via an online form). Providing our online services and ensuring user-friendliness.
  • Retention and deletion: deletion in accordance with the instructions in the section "General Information on Data Retention and Deletion."
  • Legal basis: legitimate interests (Art. 6(1)(f) of the GDPR). Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) of the GDPR).

Additional information on processing operations, procedures, and services:

  • Contact Form: When you contact us via our contact form, by email, or through other means of communication, we process the personal data you provide in order to respond to and handle your inquiry. This generally includes data such as your name, contact information, and, where applicable, other information you provide that is necessary for proper processing. We use this data exclusively for the purpose stated in the initial contact and communication; legal bases: performance of a contract and pre-contractual measures (Art. 6(1)(b) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR).
  • Electronic Cancellation: In the context of electronic cancellation, your name, email address, and order number are processed. This processing is carried out by our data processor, Revoq. You can find further information in the Data Processing Agreement (DPA) at https://www.consumer-withdrawal.eu/dpa; service provider (information pursuant to § 5 TMG, German Telemedia Act): Jonas Busch (sole proprietor), Hofstraße No. 2-4, 51061 Cologne, Germany; website: https://www.consumer-withdrawal.eu/de. Privacy policy: https://www.consumer-withdrawal.eu/dpa.

Communication via Messenger

We use messaging services for communication purposes, so please take note of the following information regarding how these services work, encryption, the use of communication metadata, and your options for opting out.

You can also contact us by other means, such as by phone or email. Please use the contact information provided to you or the details listed in our online offer.

Where content is end-to-end encrypted, the content of the communication (i.e., the content of your message and any attachments) cannot be viewed, not even by the messaging providers themselves. You should always use an up-to-date version of the messenger with encryption enabled to ensure that the content of your messages is encrypted.

However, we would like to draw our communication partners’ attention to the fact that while messaging providers cannot see the content itself, they can see that communication partners are communicating with us and when they do so, and that technical information about the device used by communication partners, as well as location information depending on their device settings (known as metadata), is processed.

Notes on the legal basis: If we request consent from our communication partners before contacting them via Messenger, the legal basis for our processing of their data is their consent. Furthermore, if we do not request consent and they contact us, for example, on their own initiative, we use Messenger in our dealings with our contractual partners as well as in the context of preparing a contract as a contractual measure, and, in the case of other interested parties and communication partners, based on our legitimate interests in rapid and effective communication and in meeting our communication partners’ needs regarding communication via Messenger. Furthermore, we would like to point out that we do not initially transmit the contact data provided to us to messaging services without your consent.

Withdrawal, objection, and deletion: You may withdraw the consent you have given at any time and object to communication with us via Messenger at any time. In the case of communication via Messenger, we delete messages in accordance with our general deletion guidelines (i.e., for example, as described above, after the end of the contractual relationship, in the context of archiving requirements, etc.) and otherwise as soon as we can assume we have responded to any requests for information from communication partners, provided no reference to a previous conversation is expected and no legal retention obligation precludes deletion.

Reservation of the right to refer to other means of communication: To ensure your security, please understand that, for certain reasons, we may not be able to respond to inquiries via Messenger. This applies to situations where contract details must be treated with particular confidentiality or where a response via Messenger does not meet formal requirements. In such cases, we recommend using more appropriate communication channels.

  • Types of data processed: contact data (e.g., mailing and email addresses or phone numbers); content data (e.g., text or image-based messages and contributions, as well as related information such as author details or creation dates); usage data (e.g., pages viewed and time spent on the site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Communication partners.
  • Purposes of processing and legitimate interests: Communication. Direct marketing (e.g., via email or mail).
  • Retention and deletion: deletion in accordance with the instructions in the section "General Information on Data Retention and Deletion."
  • Legal bases: consent (Article 6(1)(a) of the GDPR); performance of a contract and pre-contractual measures (Article 6(1)(b) of the GDPR); legitimate interests (Article 6(1)(f) of the GDPR).

Additional information on processing operations, procedures, and services:

Artificial Intelligence (AI)

We use artificial intelligence (AI), which involves the processing of personal data. The specific purposes and our legitimate interest in using AI are set out below. By AI, we mean, in accordance with the definition of "AI system" referred to in Article 3(1) of the AI Regulation, a machine-assisted system that is designed to operate in a variable and autonomous manner, that can adapt after its implementation, and that produces, based on the inputs received, results such as predictions, content, recommendations, or decisions that may affect physical or virtual environments.

Our artificial intelligence systems are used in strict compliance with legal requirements. These include both AI-specific regulations and data protection guidelines. In particular, we adhere to the principles of lawfulness, transparency, fairness, human oversight, purpose limitation, data minimization, and integrity, as well as confidentiality. We ensure that the processing of personal data is always based on a legal basis. This may be either the consent of the data subjects or a legal authorization.

When we use external artificial intelligence systems, we carefully select their providers (hereinafter referred to as "AI providers"). In accordance with our legal obligations, we ensure that AI providers comply with applicable regulations. Likewise, we fulfill our obligations when using or operating the purchased AI services. The processing of personal data by us and by AI providers is carried out exclusively on the basis of consent or legal authorization. In doing so, we place particular emphasis on transparency, fairness, and the preservation of human oversight over AI-based decision-making processes.

To protect the data we process, we implement appropriate and robust technical and organizational measures. These measures ensure the integrity and confidentiality of the data processed and minimize potential risks. We ensure ongoing compliance with current legal and ethical standards by regularly monitoring AI providers and their services.

  • Types of data processed: Content data (e.g., text or visual messages and posts, as well as related information such as data regarding the author or the time of creation). Usage data (e.g., pages viewed and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features).
  • People affected: Users (e.g., website visitors, users of online services). Third parties.
  • Purposes of processing and legitimate interests: Artificial Intelligence (AI).
  • Retention and deletion: deletion in accordance with the instructions in the section "General Information on Data Retention and Deletion."

Newsletters and email notifications

We send newsletters, emails, and other electronic notifications (hereinafter “newsletters”) exclusively with the recipients’ consent or on a legal basis. If the content of the newsletter is specified during the subscription process, that content is decisive for the users’ consent. To subscribe to our newsletter, you normally only need to provide your email address. However, in order to provide you with a personalized service, we may ask you to provide your name so that we can address you personally in the newsletter, or to provide other information if it is necessary for the purpose of the newsletter.

Erasure and restriction of processing: Based on our legitimate interests, we may retain unsubscribed email addresses for a maximum period of three years before erasing them, so that we are able to prove that consent was previously given. The processing of this data will be limited to the purpose of a potential defense against claims. An individual request for erasure is possible at any time, provided that the existence of prior consent is also confirmed. In the event of an obligation to permanently honor objections, we reserve the right to record the email address in a blocklist solely for this purpose.

We record the registration process based on our legitimate interests, in order to verify that it was carried out correctly. If we engage a service provider to send emails, we do so based on our legitimate interests in ensuring an efficient and secure mailing system.

Contents:

Information about us, our services, our activities, and our offers.

  • Types of data processed: personal information (e.g., full name, home address, contact details, customer number, etc.); contact information (e.g., mailing and email addresses or phone numbers); metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved). Usage data (e.g., pages viewed and time spent on the site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions).
  • Data subjects: Communication partners. Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Direct marketing (e.g., via email or postal mail). Provision of contractual services and fulfillment of contractual obligations.
  • Legal basis: consent (Art. 6, para. 1, sentence 1, subparagraph (a) of the GDPR). Legitimate interests (Art. 6, para. 1, sentence 1, subparagraph (f) of the GDPR).
  • Opt-out option: You may unsubscribe from our newsletter at any time, i.e., revoke your consent or object to receiving further issues. You will find a link to unsubscribe from the newsletter at the end of each issue, or you may use one of the contact options listed above, preferably by email.

Additional information on processing operations, procedures, and services:

  • Tracking open and click-through rates: Newsletters contain what is known as a "web beacon," which is a file the size of a single pixel that is loaded by our server—or by the server of the email service provider we use—when the newsletter is opened. As part of this request, technical information—such as details about your browser and operating system, as well as your IP address and the time of the request—is collected. This information is used to technically improve our newsletter by analyzing technical data or target groups and their reading behavior based on their location (which can be determined using the IP address) or access times. This analysis also involves determining whether and when newsletters are opened and which links are clicked. The information collected is assigned to the various newsletter recipients and stored in their profiles until it is deleted. On this basis, user profiles are created in which usage behavior and user characteristics are recorded. The measurement of open and click rates, as well as the recording of measurement results in user profiles and their subsequent processing, are carried out on the basis of user consent. Unfortunately, it is not possible to opt out of performance tracking separately; in this case, the entire newsletter subscription must be canceled or revoked. In this case, the stored profile information is deleted; legal basis: consent (Art. 6(1)(a) GDPR).
  • Prerequisite for using free services: The use of free services (such as access to certain content or participation in certain promotions) may be made contingent upon consent to receive email communications. If users wish to access these free services without subscribing to the newsletter, they are asked to contact us.
  • Reminder emails regarding the checkout process: If users do not complete a checkout process, we may send them an email reminding them of the checkout process and providing a link to continue it. This feature can be useful, for example, when the purchase process could not be completed due to a browser crash, an error, or an oversight. These emails are sent based on consent, which users may revoke at any time; legal basis: consent (Art. 6(1)(a) GDPR).
  • Klaviyo: email and SMS marketing platform; service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, United States; legal basis: legitimate interests (Art. 6(1)(f) of the GDPR); website: https://www.klaviyo.com/; privacy policy: https://www.klaviyo.com/legal/privacy-notice. Basis for transfers to third countries: Data Privacy Framework (DPF).

Advertising communications via email, mail, fax, or telephone

We process personal data for marketing purposes, which may be carried out through various channels, such as email, telephone, regular mail, or fax, in accordance with applicable laws.

Recipients have the right to withdraw their consent at any time or to object, free of charge, to the receipt of promotional communications at any time by using the contact option listed above.

After revocation or objection, we retain the data necessary to prove prior authorization to contact you or send you communications for up to three years after the expiration of the year in which the revocation or objection was made, based on our legitimate interests. The processing of this data is limited to the purpose of defending against potential claims. Based on the legitimate interest in permanently respecting users’ revocation or objection, we also retain the data necessary to prevent further contact (e.g., depending on the communication channel, email address, phone number, name).

  • Types of data processed: basic data (e.g., full name, home address, contact information, customer number, etc.); contact data (e.g., mailing and email addresses or phone numbers). Content data (e.g., text or image-based messages and posts, as well as related information such as author details or creation dates).
  • Data subjects: Communication partners.
  • Purposes of processing and legitimate interests: Direct marketing (e.g., via email or mail); marketing; sales promotion.
  • Retention and deletion: deletion in accordance with the instructions in the section "General Information on Data Retention and Deletion."
  • Legal basis: consent (Art. 6, para. 1, sentence 1, subparagraph (a) of the GDPR). Legitimate interests (Art. 6, para. 1, sentence 1, subparagraph (f) of the GDPR).

Additional information on processing operations, procedures, and services:

Games and Contests

We process the personal data of participants in games and contests only in compliance with applicable data protection regulations, provided that such processing is contractually necessary for the provision, execution, and conduct of the contest, that participants have given their consent to the processing, or that the processing serves our legitimate interests (e.g., for the security of the contest or to protect our interests against abuse by potentially recording IP addresses when contest entries are submitted).

If participants’ entries are published in connection with contests (for example, as part of a vote, a presentation of contest entries or winners, or a contest report), please note that participants’ names may also be published in this context. Participants may object to this at any time.

If the contest takes place on an online platform or social media site (e.g., Facebook or Instagram, hereinafter referred to as "online platform"), the respective platforms’ terms of use and privacy policies also apply. In such cases, please note that we are responsible for the information provided by participants in connection with the contest and that any inquiries regarding the contest should be directed to us.

Participants’ data is deleted as soon as the sweepstakes or contest has ended and the data is no longer needed to notify the winners or because no further inquiries regarding the sweepstakes are expected. In general, participants’ data is deleted no later than 6 months after the end of the sweepstakes. Winners’ data may be retained for a longer period, for example to answer questions about prizes or to fulfill the conditions of the prize; in this case, the retention period depends on the nature of the prize and may be up to three years for items or services, for example to handle warranty claims. In addition, participants’ data may be retained for a longer period, for example in the form of a report on the contest in online and offline media.

If data was also collected for other purposes as part of the contest, its processing and retention period are governed by the privacy policy applicable to that specific use (for example, when subscribing to a newsletter as part of a contest).

  • Types of data processed: personal information (e.g., full name, home address, contact details, customer number, etc.); contact information (e.g., mailing and email addresses or phone numbers); content data (e.g., messages and contributions in text or image form, as well as related information such as author details or creation dates); usage data (e.g., pages viewed and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions). Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • People affected by the contest: Participants in games and contests. Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: organization of games and contests.
  • Retention and deletion: deletion in accordance with the instructions in the section "General Information on Data Retention and Deletion."
  • Legal basis: performance of the contract and pre-contractual requests (Art. 6(1)(b) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).

Additional information on processing operations, procedures, and services:

  • Facebook Pages: Profiles on the Facebook social network – The controller is responsible, jointly with Meta Platforms Ireland Limited, for the collection and transmission of data from visitors to our Facebook page ("fan page"). This includes information about user behavior (e.g., content viewed or interacted with, actions taken) as well as device information (e.g., IP address, operating system, browser type, language settings, cookie data). For more details, see Facebook’s Privacy Policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical insights via the “Page Insights” service, which informs us about how people interact with our site and its content. This is based on an agreement with Facebook (“Information on Page Insights”: https://www.facebook.com/legal/terms/page_controller_addendum), which governs, among other things, security measures and the exercise of data subjects’ rights. Further information can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Users may therefore submit requests for information or deletion directly to Facebook. Users’ rights (including the right to information, erasure, objection, and filing a complaint with a supervisory authority) remain unaffected. Joint liability is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited is solely responsible for further processing, including any transfer to Meta Platforms Inc. in the United States; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal bases: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.facebook.com; privacy policy: https://www.facebook.com/privacy/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF), standard contractual clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
  • Instagram: social media platform that allows users to share photos and videos, comment on and save posts, send messages, and follow profiles and pages; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: legitimate interests (Art. 6(1)(f) of the GDPR); website: https://www.instagram.com; privacy policy: https://privacycenter.instagram.com/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • TikTok: a social media platform that allows users to share photos and videos, comment on and save posts, send messages, and follow accounts; service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.tiktok.com; privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Order processing agreement: provided by the service provider.

Web analytics, monitoring, and optimization

Web analytics (also known as "web traffic measurement") is used to evaluate visitor traffic to our online offering and may include visitors' behavior, interests, or demographic information—such as age or gender—in pseudonymous form. Reach analysis allows us, for example, to determine when our online offering, its features, or its content are most frequently used, or to encourage their reuse. It also enables us to identify areas that require optimization.

In addition to web analytics, we can also use testing procedures to test and optimize, for example, different versions of our online offering or its components.

Unless otherwise specified below, profiles—that is, data aggregated for a usage process—may be created for these purposes, and information may be stored in a browser or on a device and subsequently retrieved. The data collected includes, in particular, the websites visited and the elements used on those sites, as well as technical information such as the browser used, the operating system used, and data regarding usage times. To the extent that users have consented to the collection of their location data by us or by the service providers we use, the processing of location data is also possible.

In addition, users' IP addresses are recorded. However, we use an IP masking process (i.e., pseudonymization by shortening the IP address) to protect users. As a general rule, no plain-text user data (such as email addresses or names) is stored in connection with web analytics, A/B testing, and optimization; only pseudonyms are stored. This means that neither we nor the providers of the software used know the actual identity of the users, but only the data stored in their profiles for the purposes of the respective procedures.

Notes on the legal basis: If we ask users to consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., the interest in providing services that are effective, cost-efficient, and user-friendly). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., pages viewed and time spent on the site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • People affected: Users (for example, website visitors, users of online services).
  • Purposes of processing and legitimate interests: Measuring reach (e.g., access statistics, recognition of returning visitors); profiles containing user-related information (creation of user profiles); provision of our online services and user-friendliness; click tracking; A/B testing; feedback (e.g., collection of feedback via an online form); heatmaps (users’ mouse movements, aggregated into an overall image); surveys and questionnaires (e.g., surveys with text entry fields, multiple-choice questions). Marketing.
  • Retention and deletion: Deletion in accordance with the instructions in the "General Information on Data Retention and Deletion" section. Cookies are retained for up to 2 years (unless otherwise specified, cookies and other similar storage methods may be retained on users' devices for a period of two years).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: consent (Art. 6, para. 1, sentence 1, subparagraph (a) of the GDPR). Legitimate interests (Art. 6, para. 1, sentence 1, subparagraph (f) of the GDPR).

Additional information on processing operations, procedures, and services:

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online services based on a pseudonymous user ID. This ID does not contain any personally identifiable information, such as a name or email address. It is used to assign analytical information to a device in order to identify the content that users have viewed during one or more visits, the search terms they have used, whether they have revisited the site, or how they have interacted with our online offering. Similarly, the time of use and its duration are recorded, as well as the sources from which users are referred to our online offering and the technical aspects of their devices and browsers.
    Pseudonymous user profiles are thus created using information from the use of various devices, and cookies may be used. Google Analytics does not log or record individual IP addresses for users in the EU. However, Analytics provides approximate geographic location data by deriving the following metadata from IP addresses: city (and the latitude and longitude derived from the city), continent, country, region, subcontinent (and counterparts based on identification). For EU traffic, IP address data is used exclusively for this derivation of geolocation data before being immediately deleted. It is not logged, is not accessible, and is not used for any other purposes. When Google Analytics collects measurement data, all IP requests are made to servers based in the EU before the traffic is transferred to Analytics servers for processing; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: consent (Art. 6(1)(a) of the GDPR); website : https://marketingplatform.google.com/intl/de/about/analytics/; security measures: IP masking (pseudonymization of the IP address); Privacy Policy : https://business.safety.google/privacy/; Data Processing Agreement : https://business.safety.google/adsprocessorterms/; Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses(https://business.safety.google/adsprocessorterms); Option to opt out: Opt-out plugin : https://tools.google.com/dlpage/gaoptout?hl=de, ad display settings : https://myadcenter.google.com/personalizationoff. Additional information : https://business.safety.google/adsservices/ (types of processing and data processed).
  • Google Tag Manager: We use Google Tag Manager, a Google software tool that allows us to manage website tags centrally via a user interface. Tags are small pieces of code on our website that are used to track and analyze visitor activity. This technology helps us improve our website and the content it offers. Google Tag Manager itself does not create user profiles, does not store cookies containing user profiles, and does not perform independent analyses. Its function is limited to simplifying and streamlining the integration and management of the tools and services we use on our website. However, when using Google Tag Manager, users’ IP addresses are transmitted to Google, which is necessary for technical reasons to implement the services we use. Cookies may also be set in this process. This data processing, however, only takes place if services are integrated via the Tag Manager. For more detailed information on these services and their data processing, please refer to the following sections of this privacy policy; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1)(a) GDPR); website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Data Processing Agreement: https://business.safety.google/adsprocessorterms. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms).
  • Hotjar: software for analyzing and optimizing online offerings based on feedback features as well as pseudonymized measurements and analyses of user behavior, which may include, in particular, A/B testing (measuring the popularity and usability of various content and features), tracking click paths and interactions with the content and features of the online offering (known as heatmaps and recordings); service provider: Hotjar Ltd, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta; legal basis: consent (Article 6(1)(a) of the GDPR); website : https://www.hotjar.com; privacy policy: https://www.hotjar.com/legal/policies/privacy ; data deletion: The cookies used by Hotjar have different "lifespans"; some remain valid for up to 365 days, others only for the duration of the current visit; cookie policy : https://www.hotjar.com/legal/policies/cookie-information. Opt-out option : https://www.hotjar.com/legal/compliance/opt-out.

Online Marketing

We process personal data for online marketing purposes, which may include, among other things, selling advertising space or displaying advertising and other content (collectively referred to as "content") based on users' potential interests, as well as measuring the effectiveness of such content.

For these purposes, user profiles are created and stored in a file (called a "cookie") or similar procedures are used, through which relevant information about the user is recorded for the presentation of the aforementioned content. This may include, for example, the content viewed, websites visited, online networks used, as well as communication partners and technical data such as the browser used, the operating system used, and information regarding usage times and functions used. If users have consented to the collection of their location data, this data may also be processed.

In addition, users' IP addresses are recorded. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. In general, no personally identifiable user data (such as email addresses or names) is recorded as part of the online marketing process, but rather pseudonyms. This means that neither we nor the providers of the online marketing services know the actual identity of the users, but only the information stored in their profiles.

The information contained in user profiles is typically stored in cookies or through similar methods. These cookies can then generally be read on other websites that use the same online marketing platform, analyzed for the purpose of displaying content, supplemented with other data, and stored on the server of the online marketing platform provider.

In exceptional cases, it is possible to link personal data to user profiles, primarily when users are members of a social network whose online marketing services we use and that network links user profiles to the aforementioned data. Please note that users may enter into additional agreements with the providers, for example by giving their consent during the registration process.

In principle, we only have access to aggregated data on the performance of our ads. However, as part of what is known as conversion tracking, we can determine which of our online marketing activities led to a conversion—for example, the conclusion of a contract with us. Conversion tracking is used solely to analyze the success of our marketing efforts.

Unless otherwise specified, please assume that the cookies used are stored for a period of two years.

Notes on the legal basis: If we ask users to consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., the interest in providing services that are effective, cost-efficient, and tailored to the recipients). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.

Instructions regarding revocation and objection:

Please refer to the respective providers’ privacy policies and the opt-out options listed for each provider. If no explicit opt-out option is provided, you can disable cookies in your browser settings. However, this may limit the functionality of our website. We therefore also recommend the following opt-out options, which are summarized for each region:

a) Europe: https://youronlinechoices.eu/.

b) Canada: https://youradchoices.ca/.

c) United States: https://optout.aboutads.info/.

d) Interregional: https://optout.aboutads.info.

  • Types of data processed: Content data (e.g., text or visual messages and posts, as well as related information such as author details or creation dates); usage data (e.g., pages viewed and duration of visits, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved); event data (Facebook) (“event data” refers to information sent, for example, to the provider Meta via meta-pixels (whether via apps or other channels) and which relates to individuals or their actions. This data includes, for example, details of website visits, interactions with content and features, app installations, and product purchases. The purpose of processing event data is to create target groups for content and advertising messages (Custom Audiences). It is important to note that event data does not include actual content such as written comments, login information, or contact information such as names, email addresses, or phone numbers. "Event data" is deleted by Meta after a maximum of two years, and the target groups created from this data are deleted when our Meta user accounts are deleted); contact information (Facebook) ("contact information" refers to data that (clearly) identifies the individuals concerned, such as names, email addresses, and phone numbers, which may be transmitted to Facebook—for example, via the Facebook pixel or upload—for comparison purposes in the creation of custom audiences. After the comparison for the purpose of creating targeted audiences, the contact information is deleted).
  • People affected: Users (for example, website visitors, users of online services).
  • Purposes of processing and legitimate interests: Audience measurement (e.g., access statistics, recognition of returning visitors); tracking (e.g., interest-based/behavioral profiling, use of cookies); conversion measurement (measuring the effectiveness of marketing measures); creation of target groups; marketing; profiles containing user-related information (creation of user profiles); provision of our online offering and user-friendliness. Remarketing.
  • Retention and deletion: Deletion in accordance with the instructions in the "General Information on Data Retention and Deletion" section. Cookies are retained for up to 2 years (unless otherwise specified, cookies and other similar storage methods may be retained on users' devices for a period of two years).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: consent (Art. 6, para. 1, sentence 1, subparagraph (a) of the GDPR). Legitimate interests (Art. 6, para. 1, sentence 1, subparagraph (f) of the GDPR).

Additional information on processing operations, procedures, and services:

  • Meta Pixel and Target Audience Creation (Custom Audiences): Using the Meta Pixel (or similar functions for transmitting event data or contact information via interfaces within applications), Meta is able to identify visitors to our website as a target group for the display of ads (known as "Meta Ads"). Consequently, we use the Meta pixel to display the Meta ads we distribute exclusively to users on Meta’s platforms and within the services of partners cooperating with Meta (known as the “Audience Network”, https://www.facebook.com/audiencenetwork/) who have also shown an interest in our online offering or who exhibit certain characteristics (e.g., interest in certain topics or products, as indicated by the web pages visited) that we transmit to Meta (referred to as "Custom Audiences"). Using the Meta pixel, we also aim to ensure that our Meta ads align with users’ potential interests and do not constitute harassment. The Meta pixel also allows us to track the effectiveness of Meta ads for statistical and market research purposes, by seeing whether users were redirected to our website after clicking on a Meta ad (known as "conversion tracking"); service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: consent (Art. 6(1)(a) GDPR); website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum); Additional information: User event data, i.e., behavioral and interest data, is processed for targeted advertising and targeting purposes based on the joint liability agreement ("Controller Addendum," https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection by Meta Platforms Ireland Limited, a company established in the EU, and the transfer of data. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, including, in particular, the transfer of data to the parent company Meta Platforms, Inc. in the United States (based on the standard contractual clauses agreed between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Advanced comparison for the Meta pixel: In addition to the processing of event data in connection with the use of the Meta pixel (or comparable functions, for example in apps), contact information (data identifying individual persons, such as names, email addresses, and phone numbers) is also collected by Meta within our online offering or transmitted to Meta. The processing of contact information is used to form target groups (called "Custom Audiences") for the display of content and advertising information tailored to users’ presumed interests. The collection, transmission, and comparison with data available at Meta do not take place in plain text, but in the form of "hash values," i.e., mathematical representations of the data (this method is used, for example, for storing passwords). After the comparison for the purpose of creating target groups, the contact information is deleted; legal bases: consent (Art. 6(1)(a) of the GDPR); privacy policy: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; data processing agreement : https://www.facebook.com/legal/terms/dataprocessing; basis for transfers to third countries: Data Privacy Framework (DPF), standard contractual clauses(https://www.facebook.com/legal/EU_data_transfer_addendum). For more information : https://www.facebook.com/legal/terms/data_security_terms.
  • Facebook Ads: Display of ads on the Facebook platform and evaluation of ad performance; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: consent (Art. 6(1)(a) GDPR); website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; basis for transfers to third countries: Data Privacy Framework (DPF); option to opt out: Please refer to the privacy and advertising settings in users’ profiles on Facebook platforms, as well as to Facebook’s consent procedures and contact options for exercising data subjects’ rights of access and other rights, as described in Facebook’s privacy policy; Additional information: User event data, i.e., behavioral and interest data, is processed for targeted advertising and targeting purposes based on the joint liability agreement (“Data Controller Addendum,” https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection by Meta Platforms Ireland Limited, a company established in the EU, and the transfer of data. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which includes, in particular, the transfer of data to the parent company Meta Platforms, Inc. in the United States (based on the standard contractual clauses agreed between Meta Platforms Ireland Limited and Meta Platforms, Inc.)
  • Google Ad Manager: We use the "Google Ad Manager" service to place ads on Google's advertising network (e.g., in search results, in videos, on web pages, etc.). Google Ad Manager is characterized by the fact that ads are displayed in real time based on users' presumed interests. This allows us to display ads for our online offering to users who may be interested in our offering or who have been interested in it before, and to measure the success of the ads; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: legitimate interests (Art. 6(1)(f) of the GDPR); website : https://marketingplatform.google.com; privacy policy : https://business.safety.google/privacy/; Basis for transfers to third countries: Data Privacy Framework (DPF); other information: Types of processing and data processed : https://business.safety.google/adsservices/; Data processing terms for Google advertising products: Service information; Data processing terms between data controllers and standard contractual clauses for data transfers to third countries : https://business.safety.google/adscontrollerterms. If Google acts as a processor, data processing terms for Google advertising products and standard contractual clauses for data transfers to third countries : https://business.safety.google/adsprocessorterms.
  • Google Ads and conversion tracking: an online marketing process aimed at placing content and ads within the service provider’s advertising network (for example, in search results, in videos, on web pages, etc.) so that they are displayed to users who are presumed to be interested in the ads. In addition, we measure ad conversion, i.e., whether users have interacted with the ads and taken advantage of the promoted offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1)(a) of the GDPR), legitimate interests (Art. 6(1)(f) of the GDPR); website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; basis for transfers to third countries: Data Privacy Framework (DPF); other information: Types of processing and data processed : https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for data transfers to third countries : https://business.safety.google/adscontrollerterms.
  • Advanced conversions for Google Ads: When users click on our Google ads and then use the promoted service (known as a "conversion"), the data entered by the user—such as email address, name, home address, or phone number—may be transmitted to Google. The hash values are then compared to users’ existing Google accounts in order to better evaluate and improve user interaction with the ads (e.g., clicks or views) and thus their performance; legal basis: consent (Art. 6(1)(a) GDPR). Website : https://support.google.com/google-ads/answer/9888656.
  • Google AdSense with personalized ads: We use the Google AdSense service, which allows us to display personalized ads on our website. Google AdSense analyzes user behavior and uses this data to display ads tailored to our visitors’ interests. We receive financial compensation for each ad impression or other use of these ads; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: consent (Article 6(1)(a) of the GDPR); website : https://marketingplatform.google.com; Privacy Policy : https://business.safety.google/privacy/; basis for transfers to third countries: Data Privacy Framework (DPF); additional information: Types of processing and data processed : https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Service information; Data processing terms between controllers and standard contractual clauses for data transfers to third countries : https://business.safety.google/adscontrollerterms.
  • Google AdSense with non-personalized ads: We use the Google AdSense service to display non-personalized ads on our website. These ads are not based on individual user behavior, but are selected based on general characteristics such as the page content or your approximate geographic location. We receive compensation for the display or any other use of these ads; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: consent (Article 6(1)(a) of the GDPR); website : https://marketingplatform.google.com; Privacy Policy : https://business.safety.google/privacy/; basis for transfers to third countries: Data Privacy Framework (DPF); additional information: Types of processing and data processed : https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Service information; Data processing terms between controllers and standard contractual clauses for data transfers to third countries : https://business.safety.google/adscontrollerterms.
  • TikTok Pixel: code that is loaded when a user visits our website and tracks the user’s behavior and conversions, recording them in a profile (possible uses: measuring campaign performance, optimizing ad delivery, building custom audiences, and similar). We and TikTok are jointly responsible for the collection and transmission of event data, as well as for measuring and reporting insights (statistics) to profile owners. This event data includes information about the types of content users view or interact with, or the actions they take, as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data) and user profile information, such as country or city. Information regarding data protection related to TikTok’s processing of user data can be found in TikTok’s Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. We have entered into a specific joint liability agreement with TikTok that defines, among other things, the security measures TikTok must comply with and in which TikTok has declared its willingness to respect the rights of data subjects (i.e., users may, for example, submit requests for information or deletion directly to TikTok). Users’ rights (including the right to information, erasure, objection, and the right to lodge a complaint with the competent supervisory authority) are not limited by the agreements concluded with TikTok. The joint liability agreement can be found in TikTok’s “Jurisdiction Specific Terms”: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms; service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; legal bases: consent (Art. 6(1)(a) GDPR); website: https://ads.tiktok.com/help/article/tiktok-pixel; privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Basis for transfers to third countries: standard contractual clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).

Customer testimonials and evaluation procedures

We participate in review and evaluation processes to assess, optimize, and promote our services. When users rate us or provide feedback in any other way through participating review platforms or processes, the providers’ terms and conditions of sale or use and their privacy policies also apply. As a general rule, submitting a review also requires registration with the respective providers.

To ensure that reviewers have actually used our services, we share the necessary customer data and information about the service used with the relevant review platform (including the customer’s name, email address, and order or item number), with the customer’s consent. This data is used solely to verify the user’s authenticity.

  • Types of data processed: contractual data (e.g., subject matter of the contract, term, customer category); usage data (e.g., pages viewed and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • The individuals concerned: Beneficiaries and sponsors. Users (for example, website visitors, users of online services).
  • Purposes of processing and legitimate interests: Feedback (e.g., collecting feedback via an online form). Marketing.
  • Legal basis: legitimate interests (Art. 6(1)(f) of the GDPR). Consent (Art. 6(1)(a) of the GDPR).

Additional information on processing operations, procedures, and services:

  • Google Customer Reviews: A service that allows you to collect and/or display customer satisfaction ratings and reviews; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.google.com/; Privacy Policy: https://business.safety.google/privacy/; Basis for transfers to third countries: Data Privacy Framework (DPF); other information: In the context of collecting customer reviews, an identification number and the time of the commercial transaction to be evaluated are processed; for review requests sent directly to customers, the customer’s email address, country of residence, and the review data itself are processed; Further information on the types of processing and the data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Service information; Data processing terms between controllers and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
  • Trusted Shops (Trustbadge): Review Platform – As part of the joint responsibility between us and Trusted Shops, please contact Trusted Shops directly regarding data protection issues and to exercise your rights, using the contact options provided in the privacy policy. Regardless of this, you may always contact the data controller of your choice. Your request will then be forwarded, if necessary, to the other controller for a response.

    The Trustbadge is provided by an American CDN (Content Delivery Network) provider. An appropriate level of data protection is ensured through standard data protection clauses and other contractual measures.
    When the Trustbadge is accessed, the web server automatically records a so-called server log file, which includes your IP address, the date and time of the request, the amount of data transferred, and the requesting provider (access data), and documents the request. The IP address is anonymized immediately after collection, so that the recorded data cannot be attributed to you personally. The anonymized data is used in particular for statistical purposes and for error analysis.

    If you have given your consent, the Trustbadge accesses, after the order has been completed, the order information stored on your device (order amount, order number, product purchased if applicable) as well as your email address, and your email address is hashed using a cryptographic one-way function. The hash value is then transmitted along with the order information to Trusted Shops in accordance with Art. 6(1)(a) of the GDPR. This serves to verify whether you are already registered for Trusted Shops’ services. If so, further processing is carried out in accordance with the contractual agreement between you and Trusted Shops. If you are not yet registered for the services or if you do not consent to automatic recognition via the Trustbadge, you will then have the option to register manually to use the services or to complete the verification process within the framework of your existing user agreement, if applicable.

    To this end, after you complete your order, the Trustbadge accesses the following information stored on the device you are using: order amount, order number, and email address. This is necessary so that we can offer you Buyer Protection. Data is only transmitted to Trusted Shops if you actively decide to subscribe to Buyer Protection by clicking the designated button on the so-called Trustcard. If you decide to use the services, further processing is based on the contractual agreement with Trusted Shops in accordance with Art. 6(1)(b) of the GDPR, in order to finalize your registration for Buyer Protection, secure the order, and, if applicable, send you invitations to leave a review via email.

    Trusted Shops uses service providers in the areas of hosting, monitoring, and logging. The legal basis is Article 6(1)(f) of the GDPR for the purpose of ensuring seamless operation. In this context, processing may take place in third countries (the United States and Israel). An adequate level of data protection is ensured, in the case of the United States, by standard data protection clauses and other contractual measures, and, in the case of Israel, by an adequacy decision.
    Service provider: Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany; Legal bases: consent (Art. 6(1)(a) GDPR), legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.trustedshops.de. Privacy Policy: https://www.trustedshops.de/impressum-datenschutz/.
  • Klaviyo: email and SMS marketing platform; service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, United States; legal basis: legitimate interests (Art. 6(1)(f) of the GDPR); website: https://www.klaviyo.com/; Privacy Policy: https://www.klaviyo.com/legal/privacy-notice. Basis for transfers to third countries: Data Privacy Framework (DPF).

Social Media Presence

We maintain an online presence on social media platforms and, in this context, process user data in order to communicate with users active on these platforms or to provide information about our company.

Please be aware that user data may be processed outside the European Union. This may pose risks to users, for example because it could make it more difficult for them to exercise their rights.

In addition, user data on social media platforms is generally processed for market research and advertising purposes. For example, user profiles may be created based on users’ behavior and the resulting interests. These profiles can be used to display advertisements both within and outside the platforms that are intended to match users’ interests. This is why cookies are generally stored on users’ computers, in which users’ behavior and interests are recorded. In addition, data may be recorded in user profiles regardless of the devices used by users (particularly if they are members of the relevant platforms and have logged in).

For a detailed overview of the respective processing methods and opt-out options, please refer to the privacy policies and information provided by the respective network operators.

We would also like to point out that requests for information and the exercise of data subjects’ rights can be handled most effectively by the service providers. Only they have access to user data and can take the necessary steps directly and provide information. If you nevertheless need assistance, please contact us.

  • Types of data processed: contact data (e.g., mailing and email addresses or phone numbers); content data (e.g., text or image-based messages and contributions, as well as related information such as author details or creation dates); usage data (e.g., pages viewed and time spent on the site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved). Inventory data (e.g., full name, home address, contact information, customer number, etc.)
  • People affected: Users (for example, website visitors, users of online services).
  • Purposes of processing and legitimate interests: Communication; feedback (e.g., collecting feedback via an online form); public relations; marketing. Providing our online services and ensuring user-friendliness.
  • Retention and deletion: deletion in accordance with the instructions in the section "General Information on Data Retention and Deletion."
  • Legal basis: legitimate interests (Art. 6(1)(f) of the GDPR). Consent (Art. 6(1)(a) of the GDPR).

Additional information on processing operations, procedures, and services:

  • Instagram: social media platform that allows users to share photos and videos, comment on and save posts, send messages, and follow profiles and pages; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: legitimate interests (Art. 6(1)(f) of the GDPR); website: https://www.instagram.com; privacy policy: https://privacycenter.instagram.com/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • Facebook Pages: Profiles on the Facebook social network – The controller is responsible, jointly with Meta Platforms Ireland Limited, for the collection and transmission of data from visitors to our Facebook page ("fan page"). This includes information about user behavior (e.g., content viewed or interacted with, actions taken) as well as device information (e.g., IP address, operating system, browser type, language settings, cookie data). For more details, see Facebook’s Privacy Policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical insights via the “Page Insights” service, which informs us about how people interact with our site and its content. This is based on an agreement with Facebook (“Information on Page Insights”: https://www.facebook.com/legal/terms/page_controller_addendum), which governs, among other things, security measures and the exercise of data subjects’ rights. Further information can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Users may therefore submit requests for information or deletion directly to Facebook. Users’ rights (including the right to information, erasure, objection, and filing a complaint with a supervisory authority) remain unaffected. Joint liability is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited is solely responsible for further processing, including any transfer to Meta Platforms Inc. in the United States; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal bases: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.facebook.com; privacy policy: https://www.facebook.com/privacy/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF), standard contractual clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
  • Pinterest: a social network that allows users to share photos, comment, save, and curate posts, send messages, and follow profiles; Service provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) of the GDPR); Website: https://www.pinterest.com. Privacy Policy : https://policy.pinterest.com/de/privacy-policy.
  • TikTok: a social media platform that allows users to share photos and videos, comment on and save posts, send messages, and follow accounts; service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.tiktok.com; privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Order processing agreement: provided by the service provider.
  • TikTok Business: a social media platform that allows users to share photos and videos, comment on and save posts, send messages, and follow accounts. We and TikTok are jointly responsible for collecting and transmitting event data, as well as for measuring and reporting insights (statistics) for profile owners. This event data includes information about the types of content users view or interact with, or the actions they take, as well as information about the devices users use (e.g., IP addresses, operating system, browser type, language settings, cookie data) and user profile information, such as country or city. Information regarding data protection related to TikTok’s processing of user data can be found in TikTok’s Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. We have entered into a specific joint liability agreement with TikTok that defines, among other things, the security measures TikTok must comply with and in which TikTok has declared its willingness to respect the rights of data subjects (i.e., users may, for example, submit requests for information or deletion directly to TikTok). Users’ rights (including the right to information, erasure, objection, and the right to lodge a complaint with the competent supervisory authority) are not limited by the agreements concluded with TikTok. The joint liability agreement can be found in TikTok’s “Jurisdiction Specific Terms”: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms; service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; legal bases: consent (Art. 6(1)(a) of the GDPR); website: https://www.tiktok.com; privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Basis for transfers to third countries: standard contractual clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).
  • YouTube, the video-sharing site: Social network and video platform; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); privacy policy: https://business.safety.google/privacy/; basis for transfers to third countries: Data Privacy Framework (DPF). Option to object (opt-out) : https://myadcenter.google.com/.

Plug-ins, built-in features, and content

We incorporate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include, for example, graphics, videos, or city maps (hereinafter collectively referred to as "content").

Integration always requires that third-party providers of this content process users' IP addresses, as without an IP address they would be unable to send the content to the user's browser. The IP address is therefore necessary for the display of this content or these functions. We strive to use only content from providers who use the IP address solely for the purpose of delivering the content. Third-party providers may also use "pixel tags" (invisible graphics, also known as "web beacons") for statistical or marketing purposes. "Pixel tags" allow for the evaluation of information such as visitor traffic on the pages of this website. Pseudonymous information may also be stored in cookies on the user’s device and may include, among other things, technical information about the browser and operating system, referring websites, the time of the visit, and other details regarding the use of our online offering; however, this information may also be linked to such data from other sources.

Notes on the legal basis: If we ask users to consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., the interest in providing services that are effective, cost-efficient, and tailored to the recipients). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., pages viewed and time spent on the site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved); location data (information about the geographic location of a device or person). Event data (Facebook) (“event data” refers to information sent to the Meta provider, for example via Meta pixels (whether through apps or other channels), that relates to individuals or their actions. This data includes, for example, details of website visits, interactions with content and features, app installations, and product purchases. The purpose of processing event data is to create target groups for content and advertising messages (Custom Audiences). It is important to note that event data does not include actual content such as written comments, login information, or contact information such as names, email addresses, or phone numbers. "Event data" is deleted by Meta after a maximum of two years, and the target groups created from this data are deleted when our Meta user accounts are closed.)
  • People affected: Users (for example, website visitors, users of online services).
  • Purposes of processing and legitimate interests: Providing our online services and enhancing user experience. Profiles containing user-related information (creation of user profiles).
  • Retention and deletion: Deletion in accordance with the instructions in the "General Information on Data Retention and Deletion" section. Cookies are retained for up to 2 years (unless otherwise specified, cookies and other similar storage methods may be retained on users' devices for a period of two years).
  • Legal basis: consent (Art. 6, para. 1, sentence 1, subparagraph (a) of the GDPR). Legitimate interests (Art. 6, para. 1, sentence 1, subparagraph (f) of the GDPR).

Additional information on processing operations, procedures, and services:

  • Facebook Plugins and Content: Facebook Social Plugins and Content - This may include, for example, content such as images, videos, or text, as well as buttons that allow users to share content from this website on Facebook. The list and appearance of Facebook social plugins can be viewed here: https://developers.facebook.com/docs/plugins/ - We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt, in the context of a transmission (but not further processing), of “event data” that Facebook collects or receives in the context of a transmission via the Facebook social plugins (and content integration features) that are implemented on our online offering, for the following purposes: a) displaying content and advertising information that corresponds to users’ presumed interests; b) sending commercial and transactional messages (e.g., contacting users via Facebook Messenger); c) improving the delivery of advertisements and the personalization of features and content (e.g., improving the recognition of content or advertising information that is presumed to correspond to users’ interests). We have entered into a special agreement with Facebook (“Data Controller Addendum,” https://www.facebook.com/legal/controller_addendum), which defines, among other things, the security measures that Facebook must comply with (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has declared its willingness to respect the rights of data subjects (i.e., users may, for example, submit requests for information or deletion directly to Facebook). Note: When Facebook provides us with metrics, analytics, and reports (which are aggregated, meaning they do not contain information about individual users and are anonymous to us), this processing is not carried out under shared responsibility but on the basis of a data processing agreement ("Data Processing Terms," https://www.facebook.com/legal/terms/dataprocessing), the "Data Security Terms" (https://www.facebook.com/legal/terms/data_security_terms), and, with regard to processing in the United States, on the basis of standard contractual clauses ("Facebook-EU Data Transfer Addendum," https://www.facebook.com/legal/EU_data_transfer_addendum). Users’ rights (in particular the right to information, erasure, objection, and to lodge a complaint with the competent supervisory authority) are not limited by the agreements with Facebook; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal bases: consent (Art. 6(1)(a) GDPR); website: https://www.facebook.com; privacy policy: https://www.facebook.com/privacy/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • Google Maps: We integrate maps from the "Google Maps" service provided by Google. The data processed may include, in particular, users' IP addresses and location data; service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; legal basis: consent (Art. 6(1)(a) of the GDPR); website: https://mapsplatform.google.com/; privacy policy: https://business.safety.google/privacy/. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • Font Awesome (obtained from the provider's server): Retrieval of fonts (and icons) to ensure technically secure, maintenance-free, and efficient use of fonts and icons in terms of up-to-date content and loading times, consistent display, and compliance with any applicable licensing restrictions. The user’s IP address is transmitted to the font provider so that the fonts can be made available in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) necessary for providing the fonts based on the devices used and the technical environment is transmitted; service provider: Fonticons, Inc., 6 Porter Road, Apartment 3R, Cambridge, MA 02140, USA; legal basis: legitimate interests (Article 6(1)(f) of the GDPR); website: https://fontawesome.com/. Privacy policy: https://fontawesome.com/privacy.
  • TikTok Plugins and Content: TikTok plugins and content - this may include, for example, content such as images, videos, text, and buttons; service providers: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: consent (Art. 6(1)(a) GDPR); Website: https://www.tiktok.com. Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de.
  • Adobe Fonts: provision of fonts for use in web and print designs, font synchronization across devices, access to a library of licensed fonts for creative projects, font management and organization within projects; service provider: Adobe Systems Software Ireland, 4-6, Riverwalk Drive, Citywest Business Campus, Brownsbarn, Dublin 24, D24 DCW0, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.adobe.com/de/; privacy policy: https://www.adobe.com/de/privacy.html; basis for transfers to third countries: Data Privacy Framework (DPF). For more information : https://www.adobe.com/de/privacy/policies/adobe-fonts.html.

Management, organization, and support tools

We use services, platforms, and software from other providers (hereinafter referred to as "third-party providers") for the purposes of organizing, managing, planning, and providing our services. When selecting third-party providers and their services, we comply with all applicable legal requirements.

In this context, personal data may be processed and stored on third-party providers’ servers. This may involve various types of data that we process in accordance with this Privacy Policy. Such data may include, in particular, users’ basic information and contact details, as well as data relating to transactions, contracts, other processes, and their content.

To the extent that users are directed to third-party providers or their software or platforms in connection with communication, business relationships, or other interactions with us, such third-party providers may process usage data and metadata for security, service optimization, or marketing purposes. We therefore ask that you review the privacy policies of the relevant third-party providers.

  • Types of data processed: Content data (e.g., text or visual messages and posts, as well as related information such as author details or creation dates); usage data (e.g., pages viewed and duration of visits, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, and individuals involved).
  • Data subjects: Communication partners. Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations. Administrative and organizational procedures.
  • Retention and deletion: deletion in accordance with the instructions in the section "General Information on Data Retention and Deletion."
  • Legal basis: legitimate interests (Article 6(1)(f) of the GDPR).

Modification and update

We encourage you to review the content of our Privacy Policy on a regular basis. We update the Privacy Policy whenever changes to our data processing practices make it necessary. We will notify you as soon as the changes require action on your part (e.g., consent) or another individual notification.

Please note that while we provide the addresses and contact information for companies and organizations in this privacy policy, these details may change over time, so we ask that you verify the information before contacting us.

Definitions of terms

This section provides an overview of the terms used in this privacy statement. To the extent that these terms are defined by law, their legal definitions apply. However, the explanations provided below are intended primarily to aid understanding.

  • A/B testing: A/B tests are used to improve the usability and performance of online offerings. They involve presenting users with, for example, different versions of a website or its elements—such as input forms—where the placement of content or the labels of navigation elements may differ. Then, user behavior—such as spending more time on the website or interacting more frequently with the elements—helps determine which of these web pages or elements best meet users’ needs.
  • Inventory data: Inventory data includes essential information needed to identify and manage contractors, user accounts, profiles, and similar assignments. This data may include, among other things, personal and demographic information such as names, contact details (addresses, phone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Inventory data forms the basis for all formal interactions between individuals and services, institutions, or systems, enabling unique identification and communication.
  • Content Delivery Network (CDN): A "Content Delivery Network" (CDN) is a service that enables the faster and more secure delivery of online content—particularly large multimedia files such as graphics or program scripts—using servers distributed across different regions and connected via the Internet.
  • Heat maps: "Heat maps" are visualizations of users' mouse movements, aggregated into a single image, which can be used to identify, for example, which parts of the website users prefer to visit and which they visit less frequently.
  • Content data: Content data includes information generated during the creation, processing, and publication of any type of content. This category of data may include text, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the content itself, but also includes metadata that provides information about the content, such as tags, descriptions, author information, and publication data.
  • Click tracking: Click tracking provides insight into how users navigate an online platform. Since the results of these tests are more accurate when user interactions can be tracked over a period of time (for example, to determine whether a user intends to return), cookies are typically stored on users' computers for these testing purposes.
  • Contact information: Contact information is essential data that enables communication with individuals or organizations. It includes, among other things, phone numbers, mailing addresses, and email addresses, as well as communication channels such as social media handles and instant messaging usernames.
  • Conversion tracking: Conversion tracking (also known as "visit action tracking") is a method used to determine the effectiveness of marketing efforts. To do this, a cookie is typically stored on the user’s device on the web pages where marketing activities take place, and then retrieved on the target web page. This allows us, for example, to determine whether the ads we placed on other websites were effective.
  • Artificial Intelligence (AI): The purpose of processing data using artificial intelligence (AI) includes the automated analysis and processing of user data to identify patterns, make predictions, and improve the efficiency and quality of our services. This includes the collection, cleaning, and structuring of data, the training and application of AI models, as well as the continuous verification and optimization of results, and is carried out exclusively with the consent of users or on the basis of legal authorizations.
  • Metadata, communication data, and procedural data: Metadata, communication data, and procedural data are categories that contain information about how data is processed, transmitted, and managed. Metadata, also known as “data about data,” includes information that describes the context, origin, and structure of other data. It may include information on file size, creation date, document author, and revision history. Communication data records the exchange of information between users via various channels, such as email exchanges, call logs, social media messages, and chat histories, including the parties involved, timestamps, and transmission methods. Procedural data describes processes and operations within systems or organizations, including workflow documentation, transaction and activity logs, as well as audit logs used for monitoring and verifying operations.
  • Usage data: Usage data refers to information that tracks how users interact with digital products, services, or platforms. This data includes a wide range of information that shows how users interact with applications, which features they prefer, how much time they spend on certain pages, and the paths they take to navigate an application. Usage data may also include frequency of use, timestamps of activities, IP addresses, device information, and location data. It is particularly valuable for analyzing user behavior, optimizing the user experience, personalizing content, and improving products or services. In addition, usage data plays a key role in identifying trends, preferences, and potential issues within digital offerings.
  • Personal data: "personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); a natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Profiles containing user-related information: The processing of "profiles containing user-related information," or "profiles" for short, includes any type of automated processing of personal data that involves using such personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may involve various information regarding demographics, behavior, and interests, such as interaction with websites and their content, etc.). Cookies and web beacons are often used for profiling purposes.
  • Log data: Log data consists of information about events or activities that have been recorded in a system or network. This data typically includes details such as timestamps, IP addresses, user actions, error messages, and other information regarding the use or operation of a system. Log data is often used to analyze system issues, monitor security, or generate performance reports.
  • Web analytics: Web analytics (also known as audience measurement) is used to evaluate the flow of visitors to an online service and may include information about visitors’ behavior or interests regarding specific content, such as the content of web pages. Through web analytics, operators of online services can, for example, determine at what times users visit their web pages and what content interests them. This allows them, for example, to better tailor the content of their web pages to the needs of their visitors. Pseudonymous cookies and web beacons are often used for audience measurement purposes to recognize returning visitors and thus obtain more accurate analyses of how an online service is used.
  • Remarketing: The terms "remarketing" or "retargeting" refer to the practice of tracking the products a user has viewed on a website—for example, for advertising purposes—in order to remind the user of those products on other websites, such as through advertisements.
  • Location data: Location data is generated when a mobile device (or another device capable of location tracking) connects to a cellular network, a wireless local area network, or similar technical means and functions for determining location. Location data is used to indicate the specific geographic location of the device in question. Location data can be used, for example, to display map features or other location-based information.
  • Tracking: The term "tracking" refers to the ability to monitor users' behavior across multiple online services. Generally, information about users' behavior and interests is stored in cookies or on the servers of tracking technology providers (profiling) in connection with the online services they use. This information can then be used, for example, to display ads to users that are likely to match their interests.
  • Controller: The term "controller" refers to the natural or legal person, public authority, agency, or any other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: "processing" means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers virtually any manipulation of data, including collection, analysis, storage, transmission, or erasure.
  • Contractual data: Contractual data refers to specific information related to the formalization of an agreement between two or more parties. It documents the terms under which services or products are provided, exchanged, or sold. This category of data is essential for managing and fulfilling contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contractual data may include the start and end dates of the contract, the type of services or products agreed upon, pricing agreements, payment terms, termination rights, renewal options, and specific conditions or clauses. It serves as the legal basis for the relationship between the parties and is essential for clarifying rights and obligations, enforcing rights, and resolving disputes.
  • Payment data: Payment data includes all the information necessary to process payment transactions between buyers and sellers. This data is essential for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank account information, payment amounts, transaction details, verification codes, and billing information. Payment data may also contain information on payment status, chargebacks, authorizations, and fees.
  • Targeting: The term "targeting" (also known as "Custom Audiences") refers to the process of identifying target groups for advertising purposes, such as displaying ads. For example, a user’s interest in certain products or topics online suggests that this user is interested in ads for similar products or in the online store where they viewed those products. The term "Lookalike Audiences" (or similar target groups) is used when content deemed appropriate is displayed to users whose profiles or interests are assumed to match those of the users for whom the profiles were originally created. Cookies and web beacons are generally used to create custom audiences and lookalike audiences.