Privacy Policy

Preamble

The following privacy policy is intended to inform you about the types of personal data (hereinafter also referred to as “data”) we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in connection with the provision of our services and, in particular, on our websites, in mobile applications, and on external online platforms, such as our social media profiles (hereinafter collectively referred to as "online offerings").

The terms used are not gender-specific.

Status: May 27, 2026

Legal text by Dr. Schwenke – click for more information.

Table of Contents

Person in charge

Stoll Group Ventures GmbH
Aegeristrasse 116
6300 Zug
Switzerland

Persons authorized to represent the company: Oliver Stoll

Email address: lockenkopf

Print: lockenkopf

Overview of Data Processing

The following overview summarizes the types of data processed and the purposes of such processing, and refers to the data subjects.

Types of data processed

  • Inventory data.
  • Payment information.
  • Location information.
  • Contact information.
  • Content details.
  • Contract details.
  • Usage data.
  • Meta, communication, and processing data.
  • Contact information (Facebook).
  • Event details (Facebook).
  • Protocol data.

Categories of affected individuals

  • Beneficiary and customer.
  • Interested parties.
  • Communication partner.
  • Users.
  • Participants in tournaments and competitions.
  • Business and contractual partners.
  • Third parties.

Purposes of the processing

  • Providing contractual services and fulfilling contractual obligations.
  • Communication.
  • Safety measures.
  • Direct marketing.
  • Range measurement.
  • Follow.
  • Office and organizational procedures.
  • Remarketing.
  • Conversion Meeting.
  • Click "Follow."
  • Target audience identification.
  • A/B testing.
  • Organizational and administrative procedures.
  • Organizing competitions and tournaments.
  • Content Delivery Network (CDN).
  • Feedback.
  • Heatmaps.
  • Surveys and questionnaires.
  • Marketing.
  • Profiles containing user-related information.
  • The provision of our online services and user-friendliness.
  • Information technology infrastructure.
  • Public relations.
  • Sales promotion.
  • Business processes and procedures for business management.
  • Artificial intelligence (AI).

Relevant legal bases

Relevant legal bases under the GDPR: Below is an overview of the legal bases under the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may also apply in the country where you or we reside or are established. Should more specific legal bases apply in individual cases, we will inform you of this in the privacy policy.

  • Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Contract performance and pre-contractual assessments (Art. 6(1)(b) of the GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the data subject’s request prior to entering into a contract.
  • Legal obligation (Art. 6(1)(c) of the GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6(1)(f) of the GDPR) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection regulations in Germany: In addition to the data protection provisions of the GDPR, national data protection regulations also apply in Germany. These include, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific rules regarding the right to information, the right to have data erased, the right to object, the processing of special categories of personal data, processing for other purposes and transfer, as well as automated decision-making in individual cases, including profiling. The data protection laws of the individual federal states may also apply.

Note on the applicability of the GDPR and the Swiss FADP: This privacy notice is intended to provide information in accordance with both the Swiss FADP and the General Data Protection Regulation (GDPR). Please note, therefore, that the terms of the GDPR are used due to its broader geographical scope and clarity. In particular, instead of the terms “processing” of “personal data,” “overriding interest,” and “sensitive personal data” from the Swiss DPA, the terms “processing” of “personal data,” “legitimate interest,” and “special categories of data” from the GDPR are used. However, the legal meaning of the terms remains defined in accordance with the Swiss DPA within the scope of the Swiss DPA.

Safety measures

We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

In particular, these measures include ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, ensuring availability, and segregation. Furthermore, we have established procedures that ensure the exercise of the data subject’s rights, the erasure of data, and responses to data threats. In addition, we already take the protection of personal data into account during the development and selection of hardware, software, and processes in accordance with the principle of data protection, through technological design and data protection-friendly default settings.

Securing online connections using TLS/SSL encryption technology (HTTPS): To protect user data transmitted through our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission over the internet. These technologies encrypt the information sent between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, the more advanced and secure version of SSL, ensures that all data transfers meet the highest security standards. If a website is secured with an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This signals to users that their data is being transmitted securely and encrypted.

Transfer of personal data

In the course of our processing of personal data, such data may be transferred to or disclosed to other authorities, companies, legally independent organizational units, or individuals. The recipients of this data may include, for example, service providers responsible for IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and enter into appropriate contracts or agreements with the recipients of your data to protect your data.

International data transfer

Data processing in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in connection with the use of third-party services or the disclosure or transfer of data to other individuals, authorities, or companies (which can be identified by the postal address of the relevant provider or if the privacy policy explicitly refers to the transfer of data to third countries), this is always done in accordance with legal requirements.

For data transfers to the U.S., we primarily rely on the Data Privacy Framework (DPF), which was recognized as a safe legal framework by an adequacy decision of the European Commission on July 10, 2023. In addition, we have entered into standard contractual clauses with the respective providers that meet the requirements of the European Commission and define contractual obligations to protect your data.

This dual protection ensures comprehensive protection of your data: The DPF serves as the primary layer of protection, while the standard contractual clauses provide additional security. Should any changes occur in the DPF, the standard contractual clauses serve as a reliable fallback option. In this way, we ensure that your data remains adequately protected at all times, even in the event of political or legal changes.

For individual service providers, we will inform you whether they are certified in accordance with the DPF and whether standard contractual clauses are in effect. For more information about the DPF and a list of certified companies, please visit the U.S. Department of Commerce website at https://www.dataprivacyframework.gov/.

Appropriate safeguards apply to data transfers to other third countries, in particular standard contractual clauses, explicit consent, or legally required transfers. Information on transfers to third countries and applicable adequacy decisions can be found in the information provided by the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

General information about data storage and deletion

We delete personal data that we process in accordance with legal provisions as soon as the underlying consent is withdrawn or there is no longer a legal basis for the processing. This applies to cases where the original purpose of the processing no longer applies or the data is no longer necessary. Exceptions to this rule exist if legal obligations or legitimate interests require longer storage or archiving of the data.

In particular, data that must be retained for commercial or tax purposes, or whose retention is necessary for legal proceedings or to protect the rights of other natural or legal persons, must be archived accordingly.

Our privacy policy contains additional information about the retention and deletion of data that applies specifically to certain processing activities.

If there is more than one basis for determining the retention period or deletion period for a piece of data, the longest period always applies. We only process data that is no longer stored for its originally intended purpose but is retained due to legal requirements or other reasons that justify its storage.

Data Retention and Deletion: The following general time limits apply to data storage and archiving in accordance with German law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, work instructions, and other organizational documents necessary for understanding them (Section 147(1)(1) in conjunction with Section 3 of the German Fiscal Code (AO), Section 14b(1) 3 AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 in conjunction with § 4 HGB).
  • 8 years – Accounting documents, such as invoices and expense reports (Section 147(1)(4) and (4a) in conjunction with Section 3, sentence 1 of the German Fiscal Code (AO) and Section 257(1)(4) in conjunction with Section 4 of the German Commercial Code (HGB)).
  • 6 years - Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents, insofar as they are relevant for tax purposes, e.g. timesheets, business accounting forms, cost estimates, price labels, as well as payroll documents, insofar as they are not already accounting documents or receipts (Section 147(1)(2), (3), and (5) in conjunction with Section 3(4) of the German Fiscal Code (AO)). § 3 AO, § 257(1)(2) and (3) in conjunction with § 257(4) HGB).
  • 3 years - Data required to evaluate potential warranty and damage claims or similar contractual claims and rights, and to process related requests based on previous business experience and standard industry practices, is stored for the duration of the standard statutory limitation period of three years (Sections 195 and 199 of the German Civil Code (BGB)).

Commencement of the period at the end of the year: If a period does not expressly begin on a specific date and lasts at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the period is the date on which the cancellation or other termination of the legal relationship takes effect.

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which stem primarily from Articles 15 through 21 of the GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is based on Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, including profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw your consent at any time.
  • Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and to receive information about such data, as well as further details and a copy of the data, in accordance with legal requirements.
  • Right to rectification: In accordance with legal provisions, you have the right to request that your data be supplemented or that any inaccurate data about you be corrected.
  • Right to erasure and restriction of processing: In accordance with legal provisions, you have the right to request that your data be erased immediately or, alternatively, to request that the processing of the data be restricted in accordance with legal provisions.
  • Right to data portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format in accordance with legal requirements, or to request that it be transferred to another data controller.
  • Complaint to a supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to file a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you have your habitual residence, the supervisory authority of your place of work, or the place of the alleged infringement, if you believe that the processing of personal data relating to you infringes the GDPR.

Business Services

We process the personal data of our contractual and business partners, such as customers, clients, prospective customers, suppliers, and other business partners (collectively referred to as "contractual partners"), in order to initiate, implement, and manage contractual relationships and similar legal relationships. This also includes pre-contractual measures taken upon request, as well as communication related to the relevant contractual relationship.

The processing is primarily intended to fulfill our primary and secondary contractual obligations. This includes the provision of the agreed-upon services, any obligations to provide updates and information, the processing of warranty claims and other service interruptions, the processing of revocations, cancellations of ongoing obligations, chargebacks, refunds, and the processing of other contract-related declarations and requests. This applies to both one-time contracts and ongoing contractual relationships.

In particular, we process master data such as name, address, and, if applicable, company name; contact details such as email address and phone number; contract and service data such as the subject of the contract, the contract term, the order or transaction number; usage and service data; payment and billing data; and the content and history of communications. Where necessary, we also process data provided to us or transmitted to us in connection with the fulfillment of an order.

In addition, we process the data to protect our rights and comply with legal obligations. This includes, in particular, retention requirements under commercial and tax laws, documentation requirements, and, where applicable, verification and accountability requirements. Data is also processed based on our legitimate interests in sound business operations, internal administration, risk management, and IT security, as well as the protection of our business operations and our contractual partners against misuse, the compromise of data, trade secrets, and other legitimate interests. This may also involve the engagement of external service providers, such as IT and telecommunications providers, transportation and logistics companies, payment service providers, banks, tax and legal advisors, or other agents acting on our behalf, to the extent necessary for the performance of the contract or to comply with legal obligations.

Personal data will only be disclosed to third parties if this is necessary for the performance of the contract, for the implementation of pre-contractual measures, to protect legitimate interests, or to comply with legal obligations. We provide separate information in this privacy policy regarding any further processing, particularly for marketing purposes.

We inform our contractual partners which data is required in specific cases as part of the data collection process—for example, in online forms by clearly marking the relevant fields, or during in-person interactions.

The data will be deleted as soon as it is no longer needed for the purposes mentioned above and there is no legal retention requirement that precludes this. Legal retention periods, particularly under commercial and tax law, may require longer storage. We delete data provided as part of a specific order after the order has been completed and any retention periods have expired, provided there are no further legal or contractual obligations to store the data.

The legal basis for the processing is Article 6(1)(b) of the GDPR for the implementation of pre-contractual measures and for the performance of the respective contractual relationship, as well as Article 6(1)(c) of the GDPR for compliance with legal obligations. To the extent that processing is based on legitimate interests, it is carried out pursuant to Article 6(1)(f) of the GDPR. To the extent that processing is based on Article 6(1)(f) of the GDPR, it is carried out to pursue our legitimate interests in the proper and efficient organization of our business, internal administration, and documentation of business transactions, as well as the enforcement and defense of our legal rights. 1(f) GDPR, it is carried out to safeguard our legitimate interests in the proper and efficient organization of our business, the internal administration and documentation of business transactions, the enforcement and defense of legal claims, the assurance of IT and data security, the prevention of abuse and fraud, and the economic management and further development of our business operations. These interests consist, in particular, of ensuring safe and legally compliant business operations and safeguarding our capacity to act as a business entity.

  • Types of data processed: Personal information (e.g., full name, home address, contact information, customer number, etc.); Payment information (e.g., bank details, invoices, payment history); Contact information (e.g., mailing and email addresses or phone numbers); Contract information (e.g., subject of the contract, duration, customer category); Usage data (e.g., pages viewed and time spent on site, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features). Meta, communication, and process data (e.g., IP addresses, time data, identification numbers, individuals involved).
  • Individuals involved: Service recipients and customers; stakeholders. Business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; security measures; communication; office and organizational procedures; organizational and administrative procedures; business processes and business management procedures.
  • Storage and disposal: Disposal in accordance with the information provided in the section "General information on data storage and disposal."
  • Legal basis: Performance of the contract and pre-contractual assessments (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

More information about processing activities, procedures, and services:

  • Online store, order forms, e-commerce, and service provision: we process our customers’ data to enable them to select, purchase, or order the products, goods, and related services they have chosen, as well as to facilitate payment and delivery or service provision. If necessary for the fulfillment of an order, we use service providers, specifically postal, freight, and shipping companies, to carry out delivery or fulfillment for our customers. We use the services of banks and payment service providers to process payment transactions. The required information is marked as such during the ordering or similar purchasing process and includes the information necessary for delivery or fulfillment and invoicing, as well as contact details to facilitate any necessary communication; legal basis: performance of the contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Use of online platforms for marketing and sales purposes

We offer our services on online platforms operated by other service providers. In this context, the privacy policies of the respective platforms apply in addition to our own privacy policies. This applies in particular to the processing of payments and the procedures used on the platforms to measure reach and for interest-based marketing.

  • Types of data processed: Personal information (e.g., full name, home address, contact information, customer number, etc.); Payment information (e.g., bank details, invoices, payment history); Contact information (e.g., mailing and email addresses or phone numbers); Contract information (e.g., subject of the contract, duration, customer category); Usage data (e.g., pages viewed and time spent on site, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features). Meta, communication, and process data (e.g., IP addresses, time data, identification numbers, individuals involved).
  • People involved: Service recipients and customers. Business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; marketing. Business processes and business management procedures.
  • Storage and disposal: Disposal in accordance with the information provided in the section "General information on data storage and disposal."
  • Legal basis: performance of the contract and pre-contractual assessments (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

More information about processing activities, procedures, and services:

  • Shopify: a platform on which e-commerce services are offered and provided. The services and processes carried out in connection therewith include, in particular, online stores, websites, their offerings and content, community features, purchase and payment processes, communication with customers, as well as analysis and marketing; service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.shopify.com/de/. Privacy Policy: https://www.shopify.com/de/legal/datenschutz.

Payment Procedure

In the context of contractual and other legal relationships, based on legal obligations, or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and, in addition to banks and credit institutions, we use other service providers (collectively referred to as “payment service providers”). In accordance with the state of the art, payment transactions are carried out exclusively via encrypted connections, so that the data entered is protected against unauthorized access during transmission.

The data processed by the payment service providers includes personal information, such as name and address; banking information, such as account numbers or credit card numbers; passwords, TANs, and checksums; as well as contract, total, and recipient-related information. This information is necessary to process the transactions. However, the data entered is processed and stored solely by the payment service providers. This means that we do not receive any account or credit card-related information, but only information confirming or denying the payment. Under certain circumstances, the payment service providers may transfer the data to credit bureaus. The purpose of this transfer is to verify identity and creditworthiness. Please refer to the terms and conditions and the data protection information provided by the payment service providers.

Payment transactions are subject to the terms and conditions and privacy notices of the respective payment service providers, which are available on their respective websites or transaction applications. We also refer you to these resources for more information and to exercise your rights to cancellation, information, and other rights as a data subject.

  • Types of data processed: personal information (e.g., full name, home address, contact information, customer number, etc.); payment information (e.g., bank details, invoices, payment history); contract data (e.g., subject of the contract, term, customer category); usage data (e.g., pages viewed and time spent on site, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features); metadata (e.g., page views and time spent on site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); meta, communication, and process data (e.g., IP addresses, time data, identification numbers, individuals involved). Contact information (e.g., postal and email addresses or phone numbers).
  • Individuals involved: Service recipients and customers; business and contractual partners. Stakeholders.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; business processes and business management procedures; office and organizational procedures.
  • Storage and disposal: Disposal in accordance with the information provided in the section "General information on data storage and disposal."
  • Legal basis: performance of the contract and pre-contractual assessments (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

More information about processing activities, procedures, and services:

Provision of online services and web hosting

We process user data in order to provide them with our online services. To do so, we process the user’s IP address, which is necessary to deliver the content and features of our online services to the user’s browser or device.

  • Types of data processed: Usage data (e.g., pages viewed and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); metadata, communication data, and process data (e.g., IP addresses, time data, identification numbers, individuals involved); log data (e.g., log files related to logins, data requests, or access times); content data (e.g., text or image messages and posts, and information about them, such as authorship or creation time); inventory data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact information (e.g., postal and email addresses or phone numbers); contract data (e.g., subject of the contract, term, customer category).
  • Data subjects: Users (e.g., website visitors, users of online services); business and contractual partners; service recipients and customers.
  • Purposes of processing and legitimate interests: Provision of our online services and user-friendliness; information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); security measures; content delivery network (CDN). Provision of contractual services and fulfillment of contractual obligations.
  • Storage and disposal: Disposal in accordance with the information provided in the section "General information on data storage and disposal."
  • Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR).

More information about processing activities, procedures, and services:

  • Provision of online services using leased server space: To provide our online services, we use server space, computing capacity, and software that we lease or otherwise obtain from a server provider (also known as a "web host"); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • Collection of access data and log files: Access to our online services is recorded in the form of so-called "server log files." The server log files may contain the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, a notification of successful access, the browser type and version, the user’s operating system, the referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. The server log files may be used for security purposes, e.g., to prevent server overload (particularly in the event of unlawful attacks, so-called DDoS attacks) and to ensure the proper functioning and stability of the servers; legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained for evidentiary purposes is excluded from deletion until the incident in question has been definitively resolved.
  • Amazon Web Services (AWS): services related to the provision of information technology infrastructure and related services (e.g., storage space and/or computing capacity); service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://aws.amazon.com/de/; Privacy Policy: https://aws.amazon.com/de/privacy/; Data Processing Agreement: https://aws.amazon.com/de/compliance/gdpr-center/. Basis for transfer to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses(https://aws.amazon.com/de/compliance/gdpr-center/).
  • GoDaddy: domain registration and web hosting services; service provider: Go Daddy Operating Company, LLC, 14455 N. Hayden Road, Scottsdale, Arizona 85254, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.godaddy.com/de-de; Privacy Policy: https://www.godaddy.com/de-de/legal/agreements/privacy-policy. Basis for transfer to third countries: Data Privacy Framework (DPF).
  • Cloudflare: Content delivery network (CDN) – a service that enables the content of an online offering, particularly large media files such as images or program scripts, to be delivered more quickly and securely using regionally distributed servers connected to each other via the internet; Service provider: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.cloudflare.com; Privacy policy: https://www.cloudflare.com/privacypolicy/; Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for transfer to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses(https://www.cloudflare.com/cloudflare-customer-scc/).
  • GDPR Legal Cookie: storing and managing consent (consent for cookies and data processing), recording user decisions, displaying information about data protection and cookies, enabling users to withdraw or modify their consent; Service provider: beeclever GmbH, Friedrich-Mohr-Straße 1, 56070 Koblenz, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://gdpr-legal-cookie.myshopify.com/. Privacy Policy: https://gdpr-legal-cookie.myshopify.com/pages/datenschutzerklarung.
  • Shopify: a platform on which e-commerce services are offered and provided. The services and processes carried out in connection therewith include, in particular, online stores, websites, their offerings and content, community features, purchase and payment processes, communication with customers, as well as analysis and marketing; service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.shopify.com/de/. Privacy Policy: https://www.shopify.com/de/legal/datenschutz.
  • Klaviyo: Email and SMS marketing platform; Service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.klaviyo.com/; Privacy Policy: https://www.klaviyo.com/legal/privacy-notice. Basis for transfer to third countries: Data Privacy Framework (DPF).
  • Amazon CloudFront: Content Delivery Network (CDN) – A service that enables the content of an online offering, particularly large media files such as images or program scripts, to be delivered more quickly and securely using regionally distributed servers connected to each other via the internet; Service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://aws.amazon.com/de/cloudfront/; Privacy Policy: https://aws.amazon.com/privacy/; Data Processing Agreement: https://aws.amazon.com/de/compliance/gdpr-center/. Basis for transfer to third countries: standard contractual clauses (provided by the service provider).
  • JSDelivr: Content Delivery Network (CDN) that helps deliver media and files quickly and efficiently, especially during periods of high traffic; Service Provider: ProspectOne, Królewska 65A/1, 30-081, Kraków, Poland; Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.jsdelivr.com. Privacy Policy: https://www.jsdelivr.com/terms/privacy-policy.

Use of cookies

The term "cookies" refers to features that store and retrieve information on users' devices. Cookies can also be used for various purposes, such as ensuring the functionality, security, and convenience of online services and analyzing visitor traffic. We use cookies in accordance with legal requirements. Where necessary, we obtain the user's prior consent. If consent is not required, we rely on our legitimate interests. This applies if the storage and reading of information is essential to provide explicitly requested content and functions. This includes, for example, saving settings and ensuring the functionality and security of our online offerings. Consent may be withdrawn at any time. We provide clear information about the scope and use of cookies.

Information on legal bases under data protection law: Whether we process personal data using cookies depends on consent. If consent has been given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.

Retention period: With regard to the retention period, a distinction is made between the following types of cookies:

  • Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their device (e.g., browser or mobile app).
  • Persistent cookies: Persistent cookies remain stored even after the device is turned off. For example, login status can be saved, and favorite content can be displayed immediately when the user revisits a website. The user data collected via cookies can also be used to measure reach. If we do not explicitly inform users about the type and storage duration of cookies (for example, when obtaining consent), they must assume that they are persistent and that the storage duration may be up to two years.

General information about withdrawal of consent and objection (opt-out): Users may withdraw the consent they have provided at any time and may also object to the processing in accordance with legal requirements, including through their browser’s privacy settings.

  • Types of data processed: Metadata, communication data, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR). Consent (Art. 6(1)(a) of the GDPR).

More information about processing activities, procedures, and services:

  • Processing of cookie data based on consent: We use a consent management solution through which we obtain the user’s consent for the use of cookies or for the procedures and providers listed in the consent management solution. This procedure is used to obtain, record, manage, and withdraw consent, particularly with regard to the use of cookies and similar technologies used to store, read, and process information on users’ end devices. As part of this procedure, user consent is obtained for the use of cookies and the associated processing of information, including the specific processing activities and providers mentioned in the consent management procedure. Users also have the option to manage and withdraw their consent. Consent statements are stored to prevent repeated requests and to provide proof of consent in accordance with legal requirements. Storage takes place on the server and/or in a cookie (so-called opt-in cookie) or through comparable technologies to assign the consent to a specific user or their device. If no specific information is available regarding the providers of consent management services, the following general information applies: Consent is retained for a maximum of two years. A pseudonymous user identifier is created, which is stored together with the time of consent, information regarding the scope of consent (e.g., relevant categories of cookies and/or service providers), and information regarding the browser, operating system, and end device used; legal basis: consent (Art. 6(1)(a) GDPR).
  • TrustArc: Storage and management of consent (consent for cookies and data processing), recording of user decisions, display of information about data protection and cookies, enabling users to withdraw or modify their consent; Service Provider: TrustArc Inc, 111 Sutter Street, Suite 600, San Francisco, CA 94104, USA; Website: https://www.trustarc.com/products/cookie-consent-manager/; Privacy Policy: https://trustarc.com/privacy-policy/; Data Processing Agreement: provided by the service provider. Basis for transfer to third countries: Standard Contractual Clauses (provided by the service provider
    ).

Data processing in the context of applications (apps)

We process the data of users of our application to the extent necessary to provide users with the application and its features, to ensure its security, and to further develop the application. We may also contact users in accordance with legal requirements if communication is necessary for the administration or use of the application. For further information regarding the processing of user data, please refer to the data protection information in this privacy policy.

Legal basis: The processing of data necessary to provide the application’s features serves to fulfill contractual obligations. This also applies if the user’s consent is required to provide the features (e.g., enabling device features). If the processing of data is not necessary for providing the application’s functions but serves to ensure the security of the application or our business interests (e.g., collecting data to optimize the application or for security purposes), it is carried out on the basis of our legitimate interests. If users are explicitly asked for consent to the processing of their data, the data to which the consent relates is processed on the basis of that consent.

  • Types of data processed: personal data (e.g., full name, home address, contact information, customer number, etc.); usage data (e.g., pages viewed and time spent on the site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features). Meta, communication, and process data (e.g., IP addresses, time data, identification numbers, individuals involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; security measures. Provision of our online services and user-friendliness.
  • Storage and disposal: Disposal in accordance with the information provided in the section "General information on data storage and disposal."
  • Legal basis: performance of the contract and pre-contractual assessments (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

More information about processing activities, procedures, and services:

  • Device permissions for accessing features and data: To use our application or its features, users may need to grant permissions to access certain functions of the devices they are using, or to access data stored on those devices or accessible via them. These permissions must be granted by users by default and can be revoked at any time in the settings of the respective devices. The exact procedure for managing app authorizations may depend on the user’s device and software. Users can contact us for more information. Please note that refusing or revoking the respective authorizations may affect the functionality of our application.

Registration, sign-in, and user account

Users can create a user account. As part of the registration process, users are asked to provide the required information, which is processed for the purpose of creating the user account based on the fulfillment of contractual obligations. The data processed includes, in particular, login credentials (username, password, and email address).

As part of the use of our registration and login functions and the use of the user account, we store the IP address and the time of the relevant user action. This data is stored based on our legitimate interests and those of the user to protect against misuse and other unauthorized use. This data is not disclosed to third parties unless it is necessary to enforce our claims or if there is a legal obligation to do so.

Users can be notified via email about matters relevant to their user accounts, such as technical changes.

  • Types of data processed: personal information (e.g., full name, home address, contact information, customer number, etc.); contact details (e.g., mailing and email addresses or phone numbers); content data (e.g., text or image messages and posts, as well as related information such as authorship or creation date); usage data (e.g., pages viewed and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Log data (e.g., log files relating to logins, data retrieval, or access times).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; security measures; organizational and administrative procedures. Providing our online services and ensuring user-friendliness.
  • Storage and deletion: Deletion in accordance with the information in the "General Information on Data Storage and Deletion" section. Deletion upon cancellation.
  • Legal basis: performance of the contract and pre-contractual assessments (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

More information about processing activities, procedures, and services:

  • Registration with real names: Due to the nature of our community, we ask users to use our services only under their real names. This means that the use of pseudonyms is not permitted; legal basis: performance of the contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
  • User profiles are not public: User profiles are not visible or accessible to the public.
  • No obligation to retain data: It is the responsibility of users to back up their data before the end of the contract in the event of cancellation. We have the right to irrevocably delete all user data stored during the term of the contract; legal basis: performance of the contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Contact and Request Management

When you contact us (e.g., by mail, contact form, email, phone, or social media) or in the context of existing user and business relationships, the personal data of the individuals making the inquiry will be processed to the extent necessary to respond to their inquiries and take any requested actions.

  • Types of data processed: contact information (e.g., postal and email addresses or phone numbers); content data (e.g., textual or visual messages and posts, as well as related information, such as details regarding authorship or the time of creation); metadata, communication, and processing data (e.g., IP addresses, timestamps, identification numbers, and individuals involved).
  • People involved: Communication partners.
  • Purposes of processing and legitimate interests: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via an online form). Providing our online services and ensuring user-friendliness.
  • Storage and disposal: Disposal in accordance with the information provided in the section "General information on data storage and disposal."
  • Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR). Performance of a contract and pre-contractual measures (Art. 6(1)(b) of the GDPR).

More information about processing activities, procedures, and services:

  • Contact Form: When you contact us via our contact form, by email, or through other communication channels, we process the personal data provided to us in order to respond to and process your request. This generally includes data such as your name, contact information, and other details provided to us that are necessary for proper processing. We use this data exclusively for the stated purpose of establishing contact and communication; legal basis: performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
  • Electronic cancellation: Your name, email address, and order number are processed as part of the electronic cancellation process. This processing is carried out by our processor, Revoq. For more information, please refer to the Order Processing Agreement (OPA) at https://www.consumer-withdrawal.eu/dpa; Service Provider: Information pursuant to § 5 TMG (German Telemedia Act):
    Jonas Busch (sole owner)
    Hofstraße 2-4
    51061 Cologne
    Germany; Website: https://www.consumer-withdrawal.eu/de. Privacy Policy: https://www.consumer-withdrawal.eu/dpa.

Communication via Messenger

We use messaging apps for communication purposes and therefore ask that you take note of the following information regarding the functionality of these apps, encryption, the use of communication metadata, and your options for objecting.

You can also contact us in other ways, such as by phone or email. To do so, please use the contact options provided or those listed on our website.

In the case of end-to-end encryption of content (i.e., the content of your message and attachments), we would like to point out that the content of the communication (i.e., the message content and attached images) is encrypted from end to end. This means that the content of the messages cannot be viewed, not even by the messenger providers themselves. You must always use an updated version of the messenger with encryption enabled to ensure that the message content is encrypted.

However, we would also like to point out to our communication partners that, although the providers of these messaging apps cannot view the content of the messages, they can determine whether and when communication partners are communicating with us, and that technical information about the device used by the communication partners—as well as location data (so-called metadata), depending on their device settings—is also processed.

Notes on legal bases: When we ask communication partners for consent before communicating with them via Messenger, their consent serves as the legal basis for our processing of their data. In other cases, such as when we do not ask for consent and you contact us on your own initiative, we use Messenger with respect to our contractual partners and in the context of entering into a contract as a contractual measure, and, in the case of other interested parties and communication partners, based on our legitimate interests in fast and efficient communication and in meeting the needs of our communication partners in communication via Messenger. We would also like to point out that we do not pass on the contact details provided to us to Messenger for the first time without your consent.

Withdrawal, Objection, and Deletion: You may withdraw your consent at any time and object to communication with us via Messenger at any time. In the case of communication via Messenger, we will delete the messages in accordance with our general deletion guidelines (i.e., for example, as described above, after the end of contractual relationships, in accordance with archiving requirements, etc.) and otherwise as soon as we can assume that we have responded to all inquiries from the communication partners, if no reference to a previous conversation is to be expected, and the deletion does not conflict with legal retention obligations.

Note regarding other communication channels: To ensure your security, we ask for your understanding that, for certain reasons, we may not be able to answer questions via Messenger. This applies, for example, to situations where contract details must be treated as highly confidential or where a response via Messenger does not meet formal requirements. In these cases, we recommend that you use more appropriate communication channels.

  • Types of data processed: Contact information (e.g., mailing and email addresses or phone numbers); Content data (e.g., text or image messages and posts, as well as related information, such as details about authorship or the time of creation); Usage data (e.g., pages viewed and duration of visit, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features); Meta, communication, and process data (e.g., IP addresses, time data, identification numbers, individuals involved).
  • People involved: Communication partners.
  • Purposes of processing and legitimate interests: Communication. Direct marketing (e.g., via email or mail).
  • Storage and disposal: Disposal in accordance with the information provided in the section "General information on data storage and disposal."
  • Legal basis: Consent (Art. 6(1)(a) GDPR); performance of a contract and pre-contractual measures (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

More information about processing activities, procedures, and services:

Artificial Intelligence (AI)

We use artificial intelligence (AI), which involves the processing of personal data. The specific purposes and our legitimate interests in using AI are set out below. In accordance with the term “AI system” in Article 3(1) of the AI Regulation, we define AI as a machine-based system designed to operate autonomously to varying degrees, which can be adapted after deployment and which produces results—such as predictions, content, recommendations, or decisions, which may affect physical or virtual environments.

Our AI systems are used in strict compliance with legal requirements. These include both specific regulations governing artificial intelligence and data protection requirements. In particular, we adhere to the principles of lawfulness, transparency, fairness, human oversight, purpose limitation, data minimization, integrity, and confidentiality. We ensure that the processing of personal data always takes place on a legal basis. This may be the consent of the data subject or a legal authorization.

When we use external AI systems, we carefully select their providers (hereinafter referred to as "AI providers"). In accordance with our legal obligations, we ensure that the AI providers comply with the applicable provisions. We also comply with the obligations incumbent upon us when using or operating the purchased AI services. The processing of personal data by us and the AI providers takes place exclusively on the basis of consent or legal authorization. We attach particular importance to transparency, fairness, and the preservation of human control over AI-supported decision-making processes.

We implement appropriate and robust technical and organizational measures to protect the data we process. These measures ensure the integrity and confidentiality of the processed data and minimize potential risks. We ensure ongoing compliance with current legal and ethical standards by regularly evaluating AI providers and their services.

  • Types of data processed: Content data (e.g., textual or visual messages and posts, as well as related information, such as details regarding authorship or the time of creation). Usage data (e.g., pages viewed and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Data subjects: Users (e.g., website visitors, users of online services). Third parties.
  • Purposes of processing and legitimate interests: Artificial intelligence (AI).
  • Storage and disposal: Disposal in accordance with the information provided in the section "General information on data storage and disposal."

Newsletter and email notifications

We send newsletters, emails, and other electronic communications (hereinafter referred to as "newsletters") exclusively with the recipient’s consent or on a legal basis. If the content of the newsletter is specified as part of the newsletter subscription process, that content is decisive for the user’s consent. To subscribe to our newsletter, it is usually sufficient to provide your email address. However, in order to offer you a personalized service, we may ask you to provide your name so that we can address you personally in the newsletter or to provide further information if this is necessary for the purpose of the newsletter.

Deletion and restriction of processing: We may retain unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, in order to be able to prove that consent was previously given. The processing of this data is limited to the purpose of a potential defense against claims. An individual request for erasure is possible at any time, provided that it is confirmed at the same time that consent was previously given. In the event of obligations to permanently honor objections, we reserve the right to store the email address in a block list exclusively for this purpose.

The registration process is recorded based on our legitimate interest in verifying that it is carried out correctly. When we use a service provider to send emails, we do so based on our legitimate interest in maintaining an efficient and secure email delivery system.

Contents:

Information about us, our services, promotions, and special offers.

  • Types of data processed: personal information (e.g., full name, home address, contact information, customer number, etc.); contact details (e.g., mailing and email addresses or phone numbers); metadata, communication, and transaction data (e.g., IP addresses, timestamps, identification numbers, individuals involved). Usage data (e.g., pages viewed and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • People affected: Communication partners. Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Direct marketing (e.g., via email or mail). Provision of contractual services and fulfillment of contractual obligations.
  • Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
  • Right to object (opt-out): You may unsubscribe from our newsletter at any time, i.e., withdraw your consent or object to receiving further issues. You will find a link to unsubscribe at the end of each newsletter, or you may use one of the contact options listed above, preferably email.

More information about processing activities, procedures, and services:

  • Measurement of open and click-through rates: The newsletters contain a so-called "web beacon," i.e., a one-pixel-sized file that is retrieved from our server or the server of our mailing service provider when the newsletter is opened. As part of this retrieval, technical information is initially collected, such as data about the browser and your system, as well as your IP address and the time of retrieval. This information is used for the technical improvement of our newsletter based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether and when the newsletters are opened and which links are clicked. The collected information is assigned to the individual newsletter recipients and stored in their profile until the information is deleted. Based on this, user profiles are created in which user behavior and user characteristics are stored. The measurement of the open and click rates and the storage of the measurement results in the user profiles and their further processing are carried out based on the user’s consent. Unfortunately, it is not possible to revoke consent for performance measurement separately; in that case, the entire newsletter subscription must be canceled or an objection must be filed. In this case, the stored profile data will be deleted; legal basis: consent (Art. 6(1)(a) GDPR).
  • Conditions for using free services: Consent to receive email communications may be a condition for using free services (e.g., access to certain content or participation in certain promotions). If users wish to use the free services without subscribing to the newsletter, please contact us.
  • Reminder emails for the checkout process: If users do not complete the checkout process, we can send them a reminder via email and provide a link to continue the process. This feature can be useful, for example, if the purchase process could not be continued due to a browser crash, inattention, or forgetfulness. Sending these emails is based on consent, which users can withdraw at any time; legal basis: consent (Art. 6(1)(a) GDPR).
  • Klaviyo: Email and SMS marketing platform; Service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.klaviyo.com/; Privacy Policy: https://www.klaviyo.com/legal/privacy-notice. Basis for transfer to third countries: Data Privacy Framework (DPF).

Marketing communications via email, mail, fax, or phone

We process personal data for the purpose of marketing communications, which may be sent via various channels, such as email, telephone, mail, or fax, in accordance with legal requirements.

Recipients have the right to withdraw their consent at any time or to object to promotional communications at any time, free of charge, by using the contact information provided above.

Following a withdrawal of consent or an objection, we retain the data necessary to prove prior consent for contacting or sending communications for up to three years after the end of the year in which the withdrawal or objection occurred, based on our legitimate interests. The processing of this data is limited to the purpose of a potential defense against claims. Based on the legitimate interest in permanently monitoring the user’s revocation or objection, we also store the data necessary to prevent renewed contact (e.g., depending on the communication channel, the email address, phone number, name).

  • Types of data processed: personal information (e.g., full name, home address, contact information, customer number, etc.); contact details (e.g., mailing and email addresses or phone numbers); content-related data (e.g., textual or visual messages and posts, and information about them, such as information regarding authorship or the time of creation).
  • People involved: Communication partners.
  • Purposes of processing and legitimate interests: Direct marketing (e.g., via email or mail); Marketing; Sales promotion.
  • Storage and disposal: Disposal in accordance with the information provided in the section "General information on data storage and disposal."
  • Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

More information about processing activities, procedures, and services:

  • Klaviyo: Email and SMS marketing platform; Service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.klaviyo.com/; Privacy Policy: https://www.klaviyo.com/legal/privacy-notice. Basis for transfer to third countries: Data Privacy Framework (DPF).

Prize drawings and contests

We process personal data of participants in contests and competitions only in accordance with the relevant data protection regulations, to the extent that the processing is contractually required for the offering, implementation, and administration of the contest, the participants have given their consent to the processing, or the processing serves our legitimate interests (e.g., in ensuring the security of the contest or protecting our interests against abuse through the potential collection of IP addresses when entries are submitted for the contest).

If participants’ entries are published as part of the contests (e.g., as part of a vote or presentation of the entries or contest winners, or as a report on the contest), we would like to point out that the participants’ names may also be published in this context. Participants may object to this at any time.

If the contest takes place on an online platform or social media site (e.g., Facebook or Instagram, hereinafter referred to as "online platform"), the terms of use and privacy policies of those platforms also apply. In such cases, we would like to point out that we are responsible for the information provided by participants in connection with the contest and that any questions regarding the contest should be directed to us.

Participants’ data will be deleted as soon as the contest or sweepstakes has ended and the data is no longer needed to notify the winners or because no further questions regarding the contest are expected. In principle, participants’ data will be deleted no later than 6 months after the end of the sweepstakes. Winners’ data may be retained for a longer period, for example, to answer questions about the prizes or to award the prize; in this case, the retention period depends on the type of prize and is a maximum of three years for goods or services, for example, to process warranty claims. In addition, participants’ data may be retained for a longer period, for example, in the form of coverage of the contest in online and offline media.

If data is also collected for other purposes as part of the contest, the processing and retention period will be based on the data protection information applicable to that use (e.g., in the case of newsletter registration as part of a contest).

  • Types of data processed: Personal information (e.g., full name, home address, contact information, customer number, etc.); Contact information (e.g., mailing and email addresses or phone numbers); Content data (e.g., text or image messages and posts, as well as related information, such as details regarding authorship or creation date); Usage data (e.g., pages viewed and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Meta, communication, and process data (e.g., IP addresses, time data, identification numbers, individuals involved).
  • Individuals concerned: Participants in contests and sweepstakes. Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Organization of contests and sweepstakes.
  • Storage and disposal: Disposal in accordance with the information provided in the section "General information on data storage and disposal."
  • Legal basis: performance of the contract and pre-contractual assessments (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

More information about processing activities, procedures, and services:

  • Facebook Pages: Profiles within the Facebook social network - The controller, together with Meta Platforms Ireland Limited, is responsible for collecting and transmitting data from visitors to our Facebook page ("fan page"). This includes, in particular, information about user behavior (e.g., content viewed or interactions, actions taken) and device information (e.g., IP address, operating system, browser type, language settings, cookie data). You can find more information on this in Facebook’s privacy policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical analyses via the “Page Insights” service, which provides information on how people interact with our site and its content. The basis for this is an agreement with Facebook (“Information about Page Insights”: https://www.facebook.com/legal/terms/page_controller_addendum), which governs, among other things, security measures and the exercise of the data subject’s rights. More information can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Users may therefore send requests for information or deletion directly to Facebook. Users’ rights (in particular the right to information, erasure, objection, and the right to lodge a complaint with a supervisory authority) remain unaffected by this. Joint responsibility is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited is solely responsible for further processing, including any transfer to Meta Platforms Inc. in the U.S.; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for transfer to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses(https://www.facebook.com/legal/EU_data_transfer_addendum).
  • Instagram: A social network that allows you to share photos and videos, comment on and like posts, send messages, and follow profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for transfer to third countries: Data Privacy Framework (DPF).
  • TikTok: a social network that allows users to share photos and videos, comment on and like posts, send messages, and follow accounts; service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.tiktok.com; Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Data processing agreement: provided by the service provider.

Web analytics, monitoring, and optimization

Web analytics (also known as "audience measurement") is used to evaluate visitor traffic to our online offerings and may include pseudonymous data on visitor behavior, interests, or demographic information, such as age or gender. Using web analytics, for example, we can identify when our online offerings or their features and content are used most frequently, or encourage visitors to use them again. It also enables us to understand which areas need to be optimized.

In addition to web analytics, we can also use testing procedures, for example to test and optimize different versions of our online offerings or parts thereof.

Unless otherwise stated below, profiles—i.e., aggregated data for a usage process—may be created for these purposes, and the information may be stored in a browser or end device and subsequently retrieved. The information collected includes, in particular, websites visited and the elements used there, as well as technical information such as the browser used, the computer system used, and information about usage times. If users have given consent for the collection of their location data by us or by the providers of the services we use, it is also possible to process location data.

In addition, users’ IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by truncating the IP address) to protect users. In general, in the context of web analytics, A/B testing, and optimization, no clear user data (such as email addresses or names) is stored, but rather pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective process.

Notes on legal bases: When we ask users for consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., our interest in providing efficient, cost-effective, and user-friendly services). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., pages viewed and time spent on the site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Metadata, communication, and process data (e.g., IP addresses, time stamps, identification numbers, individuals involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Audience measurement (e.g., traffic statistics, identification of returning visitors); profiles containing user-related information (creation of user profiles); provision of our online services and user-friendliness; click tracking; A/B testing; feedback (e.g., collection of feedback via online forms); heat maps (users’ mouse movements aggregated into an overall picture); surveys and questionnaires (e.g., surveys with text fields, multiple-choice questions). Marketing.
  • Storage and deletion: Deletion in accordance with the information provided in the section "General information about data storage and deletion." Cookies are stored for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

More information about processing activities, procedures, and services:

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online services based on a pseudonymous user ID. This identification number does not contain any unique data, such as names or email addresses. It is used to assign analytical information to an end device in order to identify which content users have accessed during one or more sessions, which search terms they have used, which pages they have revisited, or which interactions they have had with our online offering. The time of use and its duration are also stored, as well as the sources from which users are referred to our online offering and technical aspects of their end devices and browsers.
    Pseudonymized user profiles are created using information from the use of various devices, whereby cookies may be used. Google Analytics does not record or store individual IP addresses for EU users. However, Analytics provides raw geographic location data by deriving the following metadata from IP addresses: City (and the derived longitude and latitude of the city), Continent, Country, Region, Subcontinent (and ID-based equivalents). For EU traffic, IP address data is used exclusively for this derivation of geolocation data before being immediately deleted. It is not logged, is not accessible, and is not used for any other purposes. When Google Analytics collects measurement data, all IP queries are performed on servers located in the EU before the traffic is forwarded to Analytics servers for processing; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://business.safety.google/privacy/; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for transfer to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses(https://business.safety.google/adsprocessorterms); Opt-out: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad display settings: https://myadcenter.google.com/personalizationoff. More information: https://business.safety.google/adsservices/ (types of processing and data processed).
  • Google Tag Manager: We use Google Tag Manager, a Google software tool that allows us to centrally manage so-called website tags via a user interface. Tags are small pieces of code on our website that are used to track and analyze visitor activity. This technology helps us improve our website and the content offered on it. Google Tag Manager itself does not create user profiles, does not store cookies containing user profiles, and does not perform independent analyses. Its function is limited to simplifying and streamlining the integration and management of the tools and services we use on our website. Nevertheless, when using Google Tag Manager, the user’s IP address is transmitted to Google, which is necessary for technical reasons to implement the services we use. Cookies may also be set during this process. However, this data processing only takes place if services are integrated via the Tag Manager. For more detailed information about these services and their data processing, please refer to the subsequent sections of this privacy policy; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Data Processing Agreement:
    https://business.safety.google/adsprocessorterms. Basis for transfer to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses(https://business.safety.google/adsprocessorterms).
  • Hotjar: Software for the analysis and optimization of online services based on feedback features and pseudonymous measurements and analyses of user behavior, including in particular A/B testing (measuring the popularity and usability of different content and features), tracking click paths, and measuring interaction with the content and features of the online service (so-called heat maps and recordings); service provider: Hotjar Ltd, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.hotjar.com; Privacy Policy: https ://www.hotjar.com/legal/policies/privacy; Data deletion: The cookies used by Hotjar have different "lifespans"; some remain valid for up to 365 days, others only during the current visit; Cookie policy: https://www.hotjar.com/legal/policies/cookie-information. Option to object (opt-out): https://www.hotjar.com/legal/compliance/opt-out.

Online marketing

We process personal data for online marketing purposes, including, in particular, the marketing of advertising space or the display of advertisements and other content (collectively referred to as "content") based on users' potential interests and the measurement of its effectiveness.

For these purposes, so-called user profiles are created and stored in a file (known as a "cookie") or similar procedures are used to store information about the user that is relevant to the presentation of the aforementioned content. This may include, for example, content viewed, websites visited, online networks used, as well as communication partners and technical information such as the browser used, the computer system used, and information regarding usage times and functions used. If users have consented to the collection of their location data, this data may also be processed.

Users' IP addresses are also stored. However, we use available IP masking procedures (i.e., pseudonymization by truncating the IP address) to protect the user. In general, no clear user data (such as email addresses or names) is stored as part of the online marketing process, but rather pseudonyms. This means that neither we nor the providers of the online marketing procedures know the actual identity of the users, but only the information stored in their profile.

The information stored in the profiles is generally saved in cookies or through similar methods. These cookies can generally also be read and analyzed later on other websites that use the same online marketing process for the purpose of displaying content, and they may be supplemented with additional data and stored on the server of the provider of the online marketing process.

In exceptional cases, it is possible to associate specific data with user profiles, particularly if, for example, users are members of a social network whose online marketing processes we utilize and the network links user profiles to the aforementioned data. Please note that users may enter into additional agreements with the providers, for example by giving their consent during registration.

In principle, we only have access to summary information regarding the success of our advertisements. However, as part of what is known as conversion tracking, we can determine which of our online marketing activities have led to a conversion—that is, for example, to the conclusion of a contract with us. Conversion tracking is used exclusively to analyze the success of our marketing efforts.

Unless otherwise stated, we assume that the cookies used will be stored for two years.

Notes on legal bases: When we ask users for consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., our interest in providing efficient, cost-effective, and user-friendly services). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.

Information about cancellation and appeals:

Please refer to the privacy policies of the respective providers and the opt-out options they offer. If no explicit opt-out option is provided, you can disable cookies in your browser settings. However, this may limit the functionality of our website. We therefore recommend the following additional opt-out options, which are summarized for the respective areas:

a) Europe: https:// youronlinechoices.eu/.

b) Canada: https:// youradchoices.ca/.

c) VS: https:// optout.aboutads.info/.

d) Cross-regional: https://optout.aboutads.info.

  • Types of data processed: Content data (e.g., text or image messages and posts, and related information such as authorship or creation date); usage data (e.g., pages viewed and time spent on them, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, time data, identification numbers, individuals involved); event data (Facebook; “event data” refers to information regarding, for example, metapixels—whether via apps or other channels—or other data). (e.g., IP addresses, time data, identification numbers, individuals involved); event data (Facebook) (“event data” is information sent to the provider Meta via, for example, meta-pixels (whether via apps or other channels) and relating to individuals or their actions. This data includes, for example, data regarding website visits, interactions with content and features, app installations, and product purchases. Event data is processed for the purpose of creating target groups for content and advertising messages (custom audiences). It is important to note that event data does not contain actual content, such as written comments, login details, or contact information such as names, email addresses, or phone numbers. "Event data" is deleted by Meta after a maximum of two years, and the audiences created based on this data are deleted when our Meta user accounts are deleted); contact information (Facebook) (“contact information” refers to data that can be used to (clearly) identify data subjects, such as names, email addresses, and phone numbers, which may be transmitted to Facebook—for example, via Facebook pixels or uploads—for matching purposes to create custom audiences. The contact information is deleted after matching for audience creation).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Audience measurement (e.g., traffic statistics, identification of returning visitors); tracking (e.g., interest/behavioral profiling, use of cookies); conversion tracking (measuring the effectiveness of marketing measures); target group segmentation; marketing; profiles containing user-related information (creation of user profiles); provision of our online services and user-friendliness. Remarketing.
  • Storage and deletion: Deletion in accordance with the information provided in the section "General information about data storage and deletion." Cookies are stored for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

More information about processing activities, procedures, and services:

  • Meta Pixel and Audience Targeting (Custom Audiences): Using the Meta Pixel (or similar features for transmitting event data or contact information via in-app interfaces), Meta is able to identify visitors to our online platform as a target audience for the display of advertisements (so-called "Meta ads"). Accordingly, we use the Meta pixel to display the Meta ads we place only to those users on Meta platforms and within the services of Meta’s partner networks (so-called “audience network” https://www.facebook.com/audiencenetwork/ ) who have also shown interest in our online offerings or who have certain characteristics (e.g., interest in certain topics or products as indicated by the websites visited) that we share with Meta (so-called "custom audiences"). We also use the Meta pixel to ensure that our Meta ads align with users’ potential interests and are not intrusive. Using the Meta pixel, we can also track the effectiveness of Meta ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Meta ad (so-called "conversion tracking"); service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for transfer to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses(https://www.facebook.com/legal/EU_data_transfer_addendum); Further information: Event user data, i.e., behavioral and interest data, is processed for the purpose of targeted advertising and targeting based on the joint controller agreement ("Controller Addendum," https://www.facebook.com/legal/controller_addendum). Joint control is limited to the collection and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the exclusive responsibility of Meta Platforms Ireland Limited, which in particular relates to the transfer of the data to the parent company Meta Platforms, Inc. in the U.S. (based on the standard contractual clauses between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Extensive matching for the Meta Pixel: In addition to processing event data in connection with the use of the Meta Pixel (or similar features, e.g., in apps), contact information (data that identifies individual persons, such as names, email addresses, and phone numbers) is also collected by Meta within our online offerings or transmitted to Meta. The processing of contact data is used to create target groups (so-called "custom audiences") for the display of content and advertising information based on users’ presumed interests. The collection, transmission, and comparison with data available at Meta does not occur in plain text, but as so-called "hash values," i.e., mathematical representations of the data (this method is used, for example, when storing passwords). After matching for the creation of target groups, the contact data is deleted; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Privacy Policy: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for transfer to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses(https://www.facebook.com/legal/EU_data_transfer_addendum). More information: https://www.facebook.com/legal/terms/data_security_terms.
  • Facebook Ads: placing ads on the Facebook platform and analyzing ad performance; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https ://www.facebook.com; Privacy Policy: https:// www.facebook.com/privacy/policy/; Basis for transfer to third countries: Data Privacy Framework (DPF); Opt-out: We refer to the data protection and advertising settings in the user’s profile on the Facebook platforms, as well as to Facebook’s consent procedures and contact options for exercising information and other rights of data subjects, as described in Facebook’s privacy policy; Further information: Event user data, i.e., behavioral and interest data, is processed for the purpose of targeted advertising and targeting based on the joint controller agreement ("Controller Addendum," https://www.facebook.com/legal/controller_addendum). Joint control is limited to the collection and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the exclusive responsibility of Meta Platforms Ireland Limited, which in particular relates to the transfer of the data to the parent company Meta Platforms, Inc. in the U.S. (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.)
  • Google Ad Manager: We use the "Google Ad Manager" service to place ads on Google's advertising network (for example, in search results, in videos, on websites, and so on). Google Ad Manager is characterized by the fact that ads are displayed in real time based on users' presumed interests. This enables us to display ads for our online offerings to users who may be interested in our offerings or have previously shown interest in our offerings, and to measure the success of the ads; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Basis for transfer to third countries: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/; Terms of data processing for Google advertising products: Information about the services, terms of data processing between data controllers, and standard contractual clauses for the transfer of data to third countries: https://business.safety.google/adscontrollerterms. If Google acts as a processor, terms for data processing for Google advertising products and standard contractual clauses for the transfer of data to third countries: https://business.safety.google/adsprocessorterms.
  • Google Ads and conversion tracking: an online marketing process aimed at placing content and ads within the service provider’s ad network (e.g., in search results, in videos, on websites, etc.) so that they are displayed to users who are believed to be interested in the ads. In addition, we measure the conversion of the ads, i.e., whether users have interacted with the ads and taken advantage of the advertised offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR); Website: https ://marketingplatform.google.com; Privacy Policy: https ://business.safety.google/privacy/; Basis for transfer to third countries: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Terms and conditions for data processing between data controllers and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
  • Extended conversions for Google Ads: When users click on our Google ads and then use the advertised service (known as a "conversion"), the data entered by the user—such as email address, name, home address, or phone number—may be shared with Google. The hash values are then compared with the users’ existing Google accounts to better analyze and improve the users’ interaction with the ads (e.g., clicks or views) and, consequently, their performance; legal basis: Consent (Art. 6(1)(a) GDPR). Website: https://support.google.com/google-ads/answer/9888656.
  • Google AdSense with personalized ads: We integrate the Google AdSense service, which allows us to display personalized ads on our website. Google AdSense analyzes user behavior and uses this data to display targeted ads tailored to the interests of our visitors. We receive financial compensation for each ad displayed or for any other use of these ads; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Basis for transfer to third countries: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Terms of data processing for Google advertising products: Information about the services, terms of data processing between data controllers, and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
  • Google AdSense with non-personalized ads: We use the Google AdSense service to display non-personalized ads on our website. These ads are not based on individual user behavior, but are selected based on general characteristics such as the page content or your estimated geographic location. We receive compensation for displaying or otherwise using these ads; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Basis for transfer to third countries: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Terms of data processing for Google advertising products: Information about the services, terms of data processing between data controllers, and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
  • TikTok Pixel: Code that is loaded when a user visits our website and tracks and stores the user’s behavior and conversions in a profile (possible uses: measuring campaign performance, optimizing ad delivery, building custom and lookalike audiences). - We and TikTok are jointly responsible for collecting and transmitting event data, as well as for measuring and creating insight reports (statistics) for profile holders. This event data includes information about the types of content users view or interact with, or the actions they take, as well as information about the devices users use (e.g., IP addresses, operating system, browser type, language settings, cookie data) and information from the user’s profile, such as country or location. Information regarding data protection related to TikTok’s processing of user data can be found in TikTok’s privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. We have entered into a special agreement with TikTok regarding joint responsibility, which specifically outlines the security measures TikTok must observe and in which TikTok has committed to respecting the rights of data subjects (for example, users can send information or deletion requests directly to TikTok). Users’ rights (in particular regarding information, deletion, objection, and filing a complaint with the competent supervisory authority) are not restricted by the agreements with TikTok. The agreement on joint responsibility can be found in TikTok’s “Jurisdiction-Specific Terms”: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://ads.tiktok.com/help/article/tiktok-pixel; Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Basis for transfer to third countries: Standard Contractual Clauses(https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).

Customer reviews and evaluation process

We participate in review processes to evaluate, optimize, and promote our services. When users rate us or provide feedback in any other way through the participating review platforms or processes, the providers’ terms and conditions or terms of use, as well as their privacy notices, also apply. As a rule, registration with the respective providers is required to submit a review.

To ensure that reviewers have actually used our services, we send the necessary information regarding the customer and the service used (including name, email address, and order number or item number) to the relevant review platform with the customer’s consent. This information is used solely to verify the user’s authenticity.

  • Types of data processed: contract data (e.g., subject matter of the contract, duration, customer category); usage data (e.g., pages viewed and time spent on the site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features). Meta, communication, and process data (e.g., IP addresses, time data, identification numbers, individuals involved).
  • Individuals affected: Service recipients and customers. Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Feedback (e.g., collecting feedback via an online form). Marketing.
  • Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR). Consent (Art. 6(1)(a) of the GDPR).

More information about processing activities, procedures, and services:

  • Google Customer Reviews: Service for collecting and/or displaying customer satisfaction ratings and customer reviews; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.google.com/; Privacy Policy: https://business.safety.google/privacy/; Basis for transfer to third countries: Data Privacy Framework (DPF); Further information: In the context of collecting customer reviews, an identification number and the time of the business transaction to be evaluated are processed; in the case of review requests sent directly to customers, the customer’s email address and country of residence, as well as the review data itself, are processed; Further information on the types of processing and the data processed: https://business.safety.google/adsservices/. Terms of data processing for Google advertising products: Information about the services, terms of data processing between data controllers, and standard contractual clauses for the transfer of data to third countries: https://business.safety.google/adscontrollerterms.
  • Trusted Shops (Trust Badge): Review Platform - As part of the joint responsibility between us and Trusted Shops, if you encounter any data protection issues, you can contact Trusted Shops and exercise your rights using the contact details provided in the privacy policy. In addition, you can always contact the data controller responsible for processing your data. If necessary, your inquiry will then be forwarded to the other data controller for a response.

    The Trustbadge is provided by a U.S.-based CDN provider (content delivery network). An appropriate level of data protection is ensured through standard data protection clauses and other contractual measures.
    When accessing the Trustbadge, the web server automatically stores a so-called server log file, which also contains your IP address, the date and time of access, the amount of data transferred, and the requesting provider (access data), and documents the access. The IP address is anonymized immediately after collection, so that the stored data cannot be linked to your person. The anonymized data is used primarily for statistical purposes and for error analysis.

    If you have given your consent, the Trustbadge has access to the order information stored on your device (total order amount, order number, purchased product if applicable) and your email address after the order is completed and your email address has been hashed using a cryptographic one-way function. The hash value is then transmitted to Trusted Shops along with the order data in accordance with Art. 6(1)(a) GDPR. This is used to verify whether you are already registered for Trusted Shops’ services. If this is the case, further processing takes place in accordance with the agreement concluded between you and Trusted Shops. If you are not yet registered for the services or do not consent to automatic recognition via the Trustbadge, you will then be given the opportunity to manually register for the use of the services or to complete the protection under your existing user agreement.

    For this purpose, the Trustbadge has access to the following information, which is stored on the device you are using after you have completed your order: order total, order number, and email address. This is necessary so that we can provide you with buyer protection. The data is only transmitted to Trusted Shops if you yourself choose to use buyer protection by clicking the corresponding button on the so-called Trustcard. If you decide to use the services, further processing takes place on the basis of the contractual agreement with Trusted Shops in accordance with Art. 6(1)(b) of the GDPR to complete your registration for buyer protection, secure the order, and, if necessary, send you an invitation to leave a review via email at a later date.

    Trusted Shops uses service providers for hosting, monitoring, and logging. The legal basis for this is Art. 6(1)(f) of the GDPR to ensure smooth operation. Processing may take place in third countries (the U.S. and Israel). An adequate level of data protection is ensured by standard data protection clauses and other contractual measures in the case of the U.S., and by an adequacy decision in the case of Israel.
    Service provider: Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany; Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.trustedshops.de. Privacy Policy: https://www.trustedshops.de/impressum-datenschutz/.
  • Klaviyo: Email and SMS marketing platform; Service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.klaviyo.com/; Privacy Policy: https://www.klaviyo.com/legal/privacy-notice. Basis for transfer to third countries: Data Privacy Framework (DPF).

Presence on social media

We maintain an online presence on social media platforms and process user data in this context to communicate with users who are active there or to provide information about us.

We would like to point out that user data may be processed outside the European Union. This may pose risks to users, as it may, for example, be more difficult to enforce user rights.

In addition, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles may be created based on user behavior and the resulting user interests. These interests, in turn, may be used, for example, to place advertisements within and outside the networks that are likely to match the users’ interests. Cookies are therefore generally stored on users’ computers, where user behavior and interests are recorded. In addition, data may also be stored in user profiles, regardless of the devices used by the users (especially if they are members of the respective platforms and are logged in there).

For a detailed description of the respective forms of data processing and the opt-out options, please refer to the privacy policies and information provided by the operators of the respective networks.

In the case of requests for information and the exercise of data subjects’ rights, we would also like to point out that these can be exercised most effectively through the service providers. Only they have access to user data and can take appropriate measures and provide information directly. If you still need assistance, please contact us.

  • Types of data processed: contact information (e.g., mailing and email addresses or phone numbers); content data (e.g., text or image messages and posts, as well as related information, such as details regarding authorship or time of creation); usage data (e.g., pages viewed and duration of visit, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features); meta, communication, and process data (e.g., IP addresses, time data, identification numbers, individuals involved). Inventory data (e.g., full name, home address, contact information, customer number, etc.)
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Communication; Feedback (e.g., collecting feedback via an online form); Public relations; Marketing. Providing our online services and ensuring user-friendliness.
  • Storage and disposal: Disposal in accordance with the information provided in the section "General information on data storage and disposal."
  • Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR). Consent (Art. 6(1)(a) of the GDPR).

More information about processing activities, procedures, and services:

  • Instagram: A social network that allows you to share photos and videos, comment on and like posts, send messages, and follow profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for transfer to third countries: Data Privacy Framework (DPF).
  • Facebook Pages: Profiles within the Facebook social network - The controller, together with Meta Platforms Ireland Limited, is responsible for collecting and transmitting data from visitors to our Facebook page ("fan page"). This includes, in particular, information about user behavior (e.g., content viewed or interactions, actions taken) and device information (e.g., IP address, operating system, browser type, language settings, cookie data). You can find more information on this in Facebook’s privacy policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical analyses via the “Page Insights” service, which provides information on how people interact with our site and its content. The basis for this is an agreement with Facebook (“Information about Page Insights”: https://www.facebook.com/legal/terms/page_controller_addendum), which governs, among other things, security measures and the exercise of the data subject’s rights. More information can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Users may therefore send requests for information or deletion directly to Facebook. Users’ rights (in particular the right to information, erasure, objection, and the right to lodge a complaint with a supervisory authority) remain unaffected by this. Joint responsibility is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited is solely responsible for further processing, including any transfer to Meta Platforms Inc. in the U.S.; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for transfer to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses(https://www.facebook.com/legal/EU_data_transfer_addendum).
  • Pinterest: A social network that allows users to share photos, comment, favorite and curate posts, send messages, and follow profiles; Service provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.pinterest.com. Privacy Policy: https://policy.pinterest.com/de/privacy-policy.
  • TikTok: a social network that allows users to share photos and videos, comment on and like posts, send messages, and follow accounts; service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.tiktok.com; Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Data processing agreement: provided by the service provider.
  • TikTok Business: A social network that allows users to share photos and videos, comment on and favorite posts, send messages, and follow accounts—We and TikTok are jointly responsible for collecting and transmitting event data, as well as for measuring and generating insights reports (statistics) for profile holders. This event data includes information about the types of content users view or interact with, or the actions they take, as well as information about the devices users use (e.g., IP addresses, operating system, browser type, language settings, cookie data) and information from users’ profiles, such as country or location. Information regarding data protection related to TikTok’s processing of user data can be found in TikTok’s privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. We have entered into a special agreement with TikTok regarding joint responsibility, which specifically outlines the security measures TikTok must observe and in which TikTok has committed to respecting the rights of data subjects (for example, users can send information or deletion requests directly to TikTok). Users’ rights (in particular regarding information, deletion, objection, and filing a complaint with the competent supervisory authority) are not limited by the agreements with TikTok. The agreement on joint responsibility can be found in TikTok’s “Jurisdiction-Specific Terms”: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.tiktok.com; Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Basis for transfer to third countries: Standard Contractual Clauses(https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).
  • YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Privacy policy: https://business.safety.google/privacy/; Basis for transfer to third countries: Data Privacy Framework (DPF). Right to object (opt-out): https://myadcenter.google.com/.

Plug-ins, embedded features, and content

We incorporate functional and content elements into our online offerings that are obtained from the servers of their respective providers (hereinafter referred to as "external providers"). These may include, for example, images, videos, or city maps (hereinafter collectively referred to as "content").

This integration always requires that the third-party providers of this content process the user’s IP address, as they would not be able to send the content to the browser without it. The IP address is therefore required to display this content or feature. We strive to use only content where the respective providers use the IP address solely to deliver the content. External providers may also use so-called pixel tags (invisible images, also known as "web beacons") for statistical or marketing purposes. Pixel tags may be used to analyze information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may include, among other things, technical information about the browser and operating system, referring websites, time of visit, and other information regarding the use of our online services, but may also be linked to such information from other sources.

Notes on legal bases: When we ask users for consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., our interest in providing efficient, cost-effective, and user-friendly services). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., pages viewed and time spent on the site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); meta, communication, and process data (e.g., IP addresses, time stamps, identification numbers, individuals involved); location data (information about the geographic position of a device or person). Event data (Facebook) (“Event data” is information sent to the provider Meta, for example via Meta pixels (via apps or other channels), and relates to individuals or their actions. This data includes, for example, data on website visits, interactions with content and features, app installations, and product purchases. Event data is processed for the purpose of creating target groups for content and advertising messages (custom audiences). It is important to note that event data does not contain actual content, such as written comments, login details, or contact information such as names, email addresses, or phone numbers. "Event data" is deleted by Meta after a maximum of two years, and the audiences created based on this data are deleted when our Meta user accounts are deleted.
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Providing our online services and ensuring user-friendliness. Profiles containing user-related information (creation of user profiles).
  • Storage and deletion: Deletion in accordance with the information provided in the section "General information about data storage and deletion." Cookies are stored for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years).
  • Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

More information about processing activities, procedures, and services:

  • Facebook plugins and content: Facebook social plugins and content—this may include, for example, content such as images, videos, or text, as well as buttons that allow users to share content from this website on Facebook. The list and appearance of Facebook social plugins can be viewed here: https://developers.facebook.com/docs/plugins/ - Together with Meta Platforms Ireland Limited, we are responsible for the collection or receipt (but not for the further processing) of “event data” that Facebook collects or receives in connection with a transfer via the Facebook Social Plugins (and content embedding features) implemented on our online offering for the following purposes: a) Displaying content and advertising information that corresponds to users’ presumed interests; b) Delivering commercial and transaction-related messages (e.g., contacting users via Facebook). (e.g., contacting users via Facebook Messenger); c) Improving the delivery of advertisements and personalizing features and content (e.g., improving the recognition of which content or advertising information is likely to match users’ interests). We have entered into a special agreement with Facebook (“Addendum for Data Controllers,” https://www.facebook.com/legal/controller_addendum), which specifically outlines the security measures Facebook must observe(https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has committed to respecting the rights of data subjects (for example, users can send information or deletion requests directly to Facebook). Note: If Facebook provides us with metrics, analyses, and reports (which are aggregated, i.e., do not contain information about individual users and are anonymous to us), this processing is not carried out under joint responsibility but on the basis of a data processing agreement ("Data Processing Terms," https://www.facebook.com/legal/terms/dataprocessing ), the "Data Security Terms"(https://www.facebook.com/legal/terms/data_security_terms), and, with regard to processing in the U.S., on the basis of standard contractual clauses ("Facebook-EU Data Transfer Addendum," https://www.facebook.com/legal/EU_data_transfer_addendum). Users’ rights (in particular to information, erasure, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for transfer to third countries: Data Privacy Framework (DPF).
  • Google Maps: We integrate maps from Google’s “Google Maps” service. The data processed may include , in particular , users’ IP addresses and location data : Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https ://mapsplatform.google.com/; Privacy Policy: https://business.safety.google/privacy/. Basis for transfer to third countries: Data Privacy Framework (DPF).
  • Font Awesome (retrieved from the provider’s server): Retrieving fonts (as well as icons) to ensure the technically secure, maintenance-free, and efficient use of fonts and icons in terms of timeliness and loading times, their consistent display, and compliance with any licensing restrictions. The font provider is informed of the user’s IP address so that the fonts can be made available in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) necessary for making the fonts available is transmitted, depending on the devices used and the technical environment; service provider: Fonticons, Inc. 6 Porter Road Apartment 3R, Cambridge, MA 02140, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://fontawesome.com/. Privacy policy: https://fontawesome.com/privacy.
  • TikTok plugins and content: TikTok plugins and content—this may include, for example, content such as images, videos, or text, as well as buttons; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.tiktok.com. Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de.
  • Adobe Fonts: provision of fonts for integration into web and print designs, synchronization of fonts across different devices, access to a library of licensed fonts for creative projects, management and organization of fonts within projects; service provider: Adobe Systems Software Ireland, 4-6, Riverwalk Drive, Citywest Business Campus, Brownsbarn, Dublin 24, D24 DCW0, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.adobe.com/de/; Privacy Policy: https://www.adobe.com/de/privacy.html; Basis for transfer to third countries: Data Privacy Framework (DPF). More information: https://www.adobe.com/de/privacy/policies/adobe-fonts.html.

Tools for management, organization, and support

To organize, manage, plan, and deliver our services, we use services, platforms, and software from other providers (hereinafter referred to as "third-party providers"). When selecting third-party providers and their services, we comply with all legal requirements.

In this context, personal data may be processed and stored on the servers of third-party providers. This may affect various types of data that we process in accordance with this privacy policy. In particular, this data may include users’ personal and contact information, as well as data related to transactions, contracts, other processes, and their content.

When users are redirected to third-party providers or their software or platforms in the context of communication, business, or other relationships with us, those third-party providers may process usage data and metadata for security, service optimization, or marketing purposes. We therefore ask that you review the privacy notices of the respective third-party providers.

  • Types of data processed: Content data (e.g., textual or visual messages and posts, and related information, such as information about authorship or time of creation); usage data (e.g., pages viewed and time spent on the site, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Meta, communication, and process data (e.g., IP addresses, time data, identification numbers, individuals involved).
  • People affected: Communication partners. Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations. Office and organizational procedures.
  • Storage and disposal: Disposal in accordance with the information provided in the section "General information on data storage and disposal."
  • Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR).

Edit and update

We ask that you review the content of our privacy policy on a regular basis. We will update the privacy policy as soon as changes to our data processing practices make it necessary to do so. We will notify you as soon as the changes require your cooperation (e.g., consent) or any other individual notification.

When we provide addresses and contact information for companies and organizations in this privacy policy, please keep in mind that these details may change over time, so please verify the information before contacting us.

Definitions of terms

This section provides an overview of the terms used in this privacy policy. To the extent that these terms are defined by law, their legal definitions apply. However, the following explanations are primarily intended to clarify the meaning of these terms.

  • A/B testing: A/B testing is used to improve the user-friendliness and performance of online services. For example, users are shown different versions of a website or its elements, such as forms, where the placement of content or the labeling of navigation elements may differ. User behavior—such as spending more time on the website or interacting more frequently with the elements—can then be used to determine which of these websites or elements is likely to better meet the user’s needs.
  • Inventory data: Inventory data includes essential information required for the identification and management of contractual partners, user accounts, profiles, and similar records. This data may include personal and demographic information, such as names, contact details (addresses, phone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between individuals and services, facilities, or systems by enabling clear assignment and communication.
  • Content Delivery Network (CDN): A "Content Delivery Network" (CDN) is a service that enables the content of a website—particularly large media files such as images or program scripts—to be delivered more quickly and securely using regionally distributed servers connected to each other via the internet.
  • Heatmaps: "Heatmaps" are visualizations of users' mouse movements that provide an overall picture, which can be used, for example, to identify which website elements are preferred and which are less popular among users.
  • Content data: Content data includes information generated during the creation, editing, and publication of all types of content. This category of data may include text, images, videos, audio files, and other multimedia content published across various platforms and media. Content data is not limited to the actual content itself but also includes metadata that provides information about the content, such as tags, descriptions, author information, and publication dates.
  • Click tracking: Click tracking allows us to track users’ movements across an entire online platform. Because the results of these tests are more accurate when user interaction can be tracked over a specific period (allowing us, for example, to determine whether a user likes to return), cookies are typically stored on the user’s computer for these testing purposes.
  • Contact information: Contact information is essential data that enables communication with individuals or organizations. This includes phone numbers, mailing addresses, and email addresses, as well as communication channels such as social media handles and instant messaging identifiers.
  • Conversion tracking: Conversion tracking (also known as "campaign evaluation") is a process used to determine the effectiveness of marketing initiatives. To do this, a cookie is typically stored on the user’s device on the websites where the marketing initiatives take place and then retrieved on the target website. This allows us, for example, to determine whether the ads we placed on other websites were successful.
  • Artificial Intelligence (AI): The purpose of processing data using artificial intelligence (AI) includes the automated analysis and processing of user data to identify patterns, make predictions, and improve the efficiency and quality of our services. This includes collecting, cleaning, and structuring data; training and applying AI models; and continuously evaluating and optimizing the results, and is carried out exclusively with the user’s consent or on the basis of legal authorization.
  • Metadata, communication, and procedural data: Metadata, communication, and procedural data are categories that contain information about how data is processed, transferred, and managed. Metadata, also known as “data about data,” contains information that describes the context, origin, and structure of other data. It may include information about file size, creation date, the author of a document, and the revision history. Communication data records the exchange of information between users via various channels, such as email correspondence, call logs, social media posts, and chat histories, including the individuals involved, timestamps, and transmission paths. Process data describes the processes and procedures within systems or organizations, including workflow documentation, transaction and activity logs, and audit logs used to track and evaluate processes.
  • Usage data: Usage data refers to information that tracks how users interact with digital products, services, or platforms. This data encompasses a wide range of information that shows how users use applications, which features they prefer, how long they stay on certain pages, and which paths they take to navigate through an application. Usage data may also include usage frequency, timestamps of activities, IP addresses, device information, and location data. This data is particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. In addition, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.
  • Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); a natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Profiles containing user-related information: The processing of "profiles containing user-related information," or simply "profiles," includes any form of automated processing of personal data that consists of using such personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include various information regarding demographics, behavior, and interests, such as interaction with websites and their content, etc. Cookies and web beacons are often used for profiling purposes.
  • Log data: Log data refers to information about events or activities recorded on a system or network. This data typically includes information such as timestamps, IP addresses, user actions, error messages, and other details regarding the use or operation of a system. Log data is often used to analyze system issues, for security monitoring, or to generate performance reports.
  • Web analytics: Web analytics (also known as web analysis) is used to evaluate visitor traffic to an online service and may include information about visitors’ behavior or interests in specific content, such as website content. Using web analytics, online service providers can, for example, identify when users visit their websites and what content they are interested in. This allows them, for example, to better tailor the content of their websites to the needs of their visitors. Pseudonymous cookies and web beacons are often used for web analytics purposes to identify returning visitors and thus obtain more precise analyses of the use of an online offering.
  • Remarketing: The term "remarketing" or "retargeting" is used, for example, when a website tracks which products a user was interested in for advertising purposes, in order to remind the user of those products on other websites, such as through ads.
  • Location data: Location data is generated when a mobile device (or another device capable of determining location) connects to a cellular network, a Wi-Fi network, or similar technical means and location-determination functions. Location data is used to indicate the geographical position on Earth where the device in question is located. Location data can be used, for example, to display map features or other location-based information.
  • Tracking: The term "tracking" is used when users' behavior can be tracked across multiple online services. As a rule, information about behavior and interests is stored in cookies or on the servers of the providers of the tracking technologies associated with the online services used (so-called profiling). This information can then be used, for example, to display advertisements to users that are likely to match their interests.
  • Data controller: "Data controller" means the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: "Processing" means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers virtually any form of data processing, whether it involves collection, analysis, storage, transmission, or deletion.
  • Contract data: Contract data consists of specific information relating to the formalization of an agreement between two or more parties. It documents the terms under which services or products are provided, exchanged, or sold. This category of data is essential for managing and fulfilling contractual obligations and includes both the identification of the contracting parties and the specific terms of the agreement. Contract data may consist of the start and end dates of the contract, the type of services or products agreed upon, pricing terms, payment terms, cancellation rights, renewal options, and special conditions or clauses. They serve as the legal basis for the relationship between the parties and are crucial for clarifying rights and obligations, enforcing claims, and resolving disputes.
  • Payment data: Payment data includes all the information needed to process payment transactions between buyers and sellers. This data is crucial for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank account information, payment amounts, transaction details, verification codes, and billing information. Payment data may also include information about payment status, chargebacks, authorizations, and fees.
  • Target audience creation: In target audience creation (custom audiences), target groups are identified for advertising purposes, such as displaying ads. Based on a user’s interest in certain products or topics online, it can be concluded, for example, that this user is interested in ads for similar products or the online store where they viewed those products. "Lookalike audiences" (or similar audiences) refer to situations where content deemed suitable is displayed to users whose profiles or interests are presumed to match those of the users for whom the profiles were originally created. Cookies and web beacons are generally used to create custom audiences and lookalike audiences.