Privacy policy
Preamble
With this Privacy Policy, we would like to inform you about the types of personal data (hereinafter also referred to as “data”) we process, the purposes for which we process it, and the scope of such processing. This Privacy Policy applies to all processing of personal data carried out by us, both in connection with the provision of our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “Online Offer”).
The terms used are gender-neutral.
As of March 13, 2026
Table of Contents
- Preamble
- Person responsible
- Overview of Processing Operations
- Relevant legal bases
- Security measures
- Transfer of Personal Data
- International Data Transfers
- General Information on Data Storage and Deletion
- Rights of the data subjects
- Business Services
- Use of online platforms for marketing and sales purposes
- Payment methods
- Provision of the online service and web hosting
- Use of Cookies
- Data processing within the application (app)
- Registration, Sign-In, and User Account
- Contact and Inquiry Management
- Communication via Messenger
- Artificial Intelligence (AI)
- Newsletters and electronic notifications
- Marketing communications via email, mail, fax, or telephone
- Giveaways and Contests
- Web Analytics, Monitoring, and Optimization
- Online marketing
- Customer Reviews and Rating Processes
- Social media presence
- Plug-ins, embedded features, and content
- Management, Organization, and Tools
- Changes and Updates
- Definitions of Terms
Person responsible
Stoll Group Ventures GmbH
Aegeristrasse 116
6300 Zug
Switzerland
Authorized representatives: Oliver Stoll
Email address: lockenkopf
Legal Notice: lockenkopf
Overview of Processing Operations
The following overview summarizes the types of data processed and the purposes of such processing, and identifies the data subjects.
Types of data processed
- Inventory data.
- Payment information.
- Location data.
- Contact information.
- Content data.
- Contract details.
- Usage data.
- Meta data, communication data, and transaction data.
- Contact information (Facebook).
- Event details (Facebook).
- Log data.
Categories of affected persons
- Service recipients and clients.
- Prospective buyers.
- Communication partners.
- Users.
- Participants in sweepstakes and contests.
- Business and contractual partners.
- Third parties.
Purposes of processing
- Provision of contractual services and fulfillment of contractual obligations.
- Communication.
- Security measures.
- Direct marketing.
- Reach measurement.
- Tracking.
- Office and organizational procedures.
- Remarketing.
- Conversion tracking.
- Click tracking.
- Target audience identification.
- A/B testing.
- Organizational and administrative procedures.
- Organizing sweepstakes and contests.
- Content Delivery Network (CDN).
- Feedback.
- Heatmaps.
- Surveys and questionnaires.
- Marketing.
- Profiles containing user-specific information.
- Provision of our online services and user-friendliness.
- Information technology infrastructure.
- Public relations.
- Sales promotion.
- Business processes and management practices.
- Artificial Intelligence (AI).
Relevant legal bases
Relevant Legal Bases Under the GDPR: Below is an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your country of residence or our country of incorporation. Furthermore, should more specific legal bases apply in individual cases, we will inform you of these in the Privacy Policy.
- Consent (Art. 6(1)(a) of the GDPR) – The data subject has given consent to the processing of personal data concerning him or her for a specific purpose or for several specific purposes.
- Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) of the GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject’s request.
- Legal obligation (Art. 6(1)(c) of the GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(f) of the GDPR) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National Data Protection Regulations in Germany: In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on the Protection against the Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains, in particular, special provisions regarding the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and the transfer of data, as well as automated decision-making in individual cases, including profiling. Furthermore, state data protection laws of the individual federal states may apply.
Note on the applicability of the GDPR and the Swiss Data Protection Act (DSG): This privacy notice serves to provide information in accordance with both the Swiss Data Protection Act (DSG) and the General Data Protection Regulation (GDPR). For this reason, please note that the terms used in the GDPR are employed here due to its broader geographical scope and greater clarity. In particular, instead of the terms “processing” of “personal data,” “overriding interest,” and “sensitive personal data” used in the Swiss Data Protection Act (DSG), the terms “processing” of “personal data,” “legitimate interest,” and “special categories of data” used in the GDPR are employed. However, the legal meaning of these terms continues to be determined in accordance with the Swiss Data Protection Act (DSG) within the scope of its application.
Security measures
In accordance with legal requirements, and taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input of, and disclosure of the data, ensuring its availability, and maintaining its separation. Furthermore, we have established procedures that ensure the exercise of data subjects’ rights, the erasure of data, and responses to data breaches. In addition, we take the protection of personal data into account from the very beginning of the development and selection of hardware, software, and procedures, in accordance with the principle of data protection by design and through privacy-friendly default settings.
Securing online connections using TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we rely on TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the advanced and more secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and encrypted.
Transfer of Personal Data
As part of our processing of personal data, such data may be transferred to or disclosed to other agencies, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers entrusted with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, enter into appropriate contracts or agreements with the recipients of your data to ensure the protection of your data.
International Data Transfers
Data Processing in Third Countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in connection with the use of third-party services or the disclosure or transfer of data to other individuals, entities, or companies (this can be identified by the postal address of the respective provider, or where the privacy policy explicitly refers to data transfers to third countries), this is always done in accordance with legal requirements.
For data transfers to the United States, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a safe legal framework by an adequacy decision of the European Commission dated July 10, 2023. In addition, we have entered into standard contractual clauses with the respective providers that comply with the European Commission’s requirements and establish contractual obligations to protect your data.
This dual safeguard ensures comprehensive protection for your data: The DPF serves as the primary layer of protection, while the standard contractual clauses provide an additional layer of security. Should any changes arise within the scope of the DPF, the standard contractual clauses serve as a reliable fallback option. This ensures that your data remains adequately protected at all times, even in the event of political or legal changes.
For each service provider, we will inform you whether they are certified under the DPF and whether standard contractual clauses are in place. For more information on the DPF and a list of certified companies, please visit the U.S. Department of Commerce website at https://www.dataprivacyframework.gov/ (in English).
Data transfers to other third countries are subject to appropriate safeguards, in particular standard contractual clauses, explicit consent, or transfers required by law. Information on transfers to third countries and applicable adequacy decisions can be found on the European Commission’s website: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.
General Information on Data Storage and Deletion
We delete the personal data we process in accordance with legal requirements as soon as the underlying consent is withdrawn or there is no longer a legal basis for processing. This applies to cases where the original purpose of processing no longer applies or the data is no longer needed. Exceptions to this rule apply when legal obligations or legitimate interests require the data to be retained or archived for a longer period.
In particular, data that must be retained for commercial or tax purposes, or whose storage is necessary for legal proceedings or to protect the rights of other natural or legal persons, must be archived accordingly.
Our privacy policy contains additional information regarding the retention and deletion of data that applies specifically to certain processing operations.
If there are multiple specifications regarding the retention period or deletion deadlines for a particular piece of data, the longest period shall always apply. We process data that is no longer retained for its originally intended purpose—but rather due to legal requirements or other reasons—exclusively for the purposes that justify its retention.
Data Retention and Deletion: The following general time limits apply to data retention and archiving under German law:
- 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the work instructions and other organizational documents necessary for their understanding (Section 147(1)(1) in conjunction with Section 147(3) of the German Fiscal Code (AO), Section 14b(1) UStG, and Section 257(1)(1) in conjunction with Section 257(4) of the German Commercial Code (HGB)).
- 8 years – accounting documents, such as invoices and expense receipts (Section 147(1)(4) and (4a) in conjunction with Section 147(3), first sentence, of the German Fiscal Code (AO), and Section 257(1)(4) in conjunction with Section 257(4) of the German Commercial Code (HGB)).
- 6 years – Other business records: incoming commercial or business correspondence, copies of outgoing commercial or business correspondence, and other documents to the extent they are relevant for tax purposes, e.g. hourly wage slips, operating statement forms, cost calculation documents, price tags, as well as payroll documents, provided they are not already accounting vouchers, and cash register receipts (Section 147(1)(2), (3) and (5) in conjunction with Section 147(3) of the German Fiscal Code (AO), and Section 257(1)(2) and (3) in conjunction with Section 257(4) of the German Commercial Code (HGB)).
- 3 years – Data necessary to address potential warranty and indemnity claims or similar contractual claims and rights, as well as to process related inquiries, based on past business experience and standard industry practices, will be retained for the duration of the standard statutory limitation period of three years (Sections 195 and 199 of the German Civil Code (BGB)).
Start of the period at the end of the year: If a period does not expressly begin on a specific date and lasts at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships under which data is stored, the event triggering the period is the date on which the cancellation or other termination of the legal relationship takes effect.
Rights of the data subjects
Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which are set forth in particular in Articles 15 through 21 of the GDPR:
- Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out pursuant to Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions. If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for such marketing purposes; this also applies to profiling to the extent that it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw your consent at any time.
- Right of access: You have the right to request confirmation as to whether your personal data is being processed, as well as access to that data, further information, and a copy of the data in accordance with legal requirements.
- Right to rectification: In accordance with legal requirements, you have the right to request that data concerning you be completed or that inaccurate data concerning you be corrected.
- Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be erased without delay, or, alternatively, to request that the processing of such data be restricted in accordance with legal requirements.
- Right to data portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, in accordance with legal requirements, or to request that it be transmitted to another controller.
- Complaint to a supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you habitually reside, the supervisory authority of your workplace or the location of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.
Business Services
We process the personal data of our contractual and business partners—such as customers, clients, prospective customers, suppliers, and other partners (collectively, “contractual partners”)—for the purpose of establishing, executing, and fulfilling contractual relationships and similar legal relationships. This also includes pre-contractual measures taken upon request, as well as communication related to the respective contractual relationship.
The processing is primarily intended to fulfill our primary and ancillary contractual obligations. This includes the provision of the agreed-upon services, any obligations to provide updates and information, the handling of warranty claims and other service disruptions, the processing of revocations, terminations of continuing obligations, rescissions, refunds, as well as the handling of other contract-related statements and inquiries. This covers both one-time contracts and ongoing contractual relationships.
In particular, we process master data such as name, address, and, where applicable, company name; contact information such as email address and phone number; contract and service data such as the subject matter of the contract, contract term, order or transaction number; usage and service data; payment and billing data; as well as communication content and history. Where necessary, we also process data that is disclosed or transmitted to us in connection with the performance of an order.
In addition, we process the data to protect our rights and to comply with legal obligations. This includes, in particular, retention requirements under commercial and tax law, documentation requirements, and, where applicable, obligations to provide evidence and accountability. Furthermore, processing is carried out based on our legitimate interests in proper business management, internal administration, risk management, and IT security, as well as in protecting our business operations and our contractual partners from misuse and threats to data, trade secrets, and other legal interests. This may also include the involvement of external service providers such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax and legal advisors, or other vicarious agents, to the extent that this is necessary for the performance of the contract or to fulfill legal obligations.
Personal data will be disclosed to third parties only to the extent necessary to fulfill a contract, carry out pre-contractual measures, protect legitimate interests, or comply with legal obligations. We provide separate information regarding any additional processing, particularly for marketing purposes, within this Privacy Policy.
We inform our contractual partners of the specific data required in each individual case during the data collection process, for example by clearly marking online forms or through personal contact.
Data is deleted as soon as it is no longer necessary for the aforementioned purposes and there are no legal retention requirements to the contrary. Legal retention periods, particularly under commercial and tax law, may require longer storage. We delete data transmitted in connection with a specific order upon completion of the order and the expiration of any retention periods, provided there are no further legal or contractual obligations to retain the data.
The legal basis for the processing is Article 6(1)(b) of the GDPR for the implementation of pre-contractual measures and the fulfillment of the respective contractual relationship, as well as Article 6(1)(c) of the GDPR for the fulfillment of legal obligations. To the extent that the processing is based on legitimate interests, it is carried out pursuant to Article 6(1)(f) of the GDPR. To the extent that processing is based on Article 6(1)(f) of the GDPR, it is carried out to safeguard our legitimate interests in proper and efficient business organization, the internal administration and documentation of business transactions, the enforcement and defense of legal claims, the assurance of IT and data security, the prevention of misuse and fraud, and the economic management and further development of our business operations. These interests consist, in particular, of ensuring secure and legally compliant business operations as well as safeguarding our ability to act as a business entity.
- Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); payment data (e.g., bank account details, invoices, payment history); contact data (e.g., mailing and email addresses or phone numbers); contract data (e.g., subject matter of the contract, term, customer category); usage data (e.g., page views and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
- Data subjects: Service recipients and clients; prospective clients; business and contractual partners.
- Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; security measures; communication; office and organizational procedures; organizational and administrative procedures; business processes and business management procedures.
- Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
- Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, methods, and services:
- Online Store, Order Forms, E-Commerce, and Service Fulfillment: We process our customers’ data to enable them to select, purchase, or order the products, goods, and related services of their choice, as well as to facilitate payment, provision, delivery, or fulfillment of those items. Where necessary for the fulfillment of an order, we engage service providers, in particular postal, freight, and shipping companies, to carry out the delivery or fulfillment for our customers. We use the services of banks and payment service providers to process payment transactions. The required information is identified as such during the ordering or comparable purchase process and includes the details necessary for delivery, provision, and billing, as well as contact information to facilitate any necessary communication; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Use of online platforms for marketing and sales purposes
We offer our services on online platforms operated by other service providers. In this context, the privacy policies of the respective platforms apply in addition to our privacy policy. This applies in particular to the processing of payments and the methods used on the platforms for measuring reach and for interest-based marketing.
- Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); payment data (e.g., bank account details, invoices, payment history); contact data (e.g., mailing and email addresses or phone numbers); contract data (e.g., subject matter of the contract, term, customer category); usage data (e.g., page views and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
- Data subjects: Service recipients and clients; business and contractual partners.
- Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; marketing; business processes and operational procedures.
- Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
- Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, methods, and services:
- Shopify: A platform through which e-commerce services are offered and provided. The services and processes carried out in connection with them include, in particular, online stores, websites, their offerings and content, community features, purchase and payment transactions, customer communication, as well as analysis and marketing; Service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.shopify.com/de/. Privacy Policy: https://www.shopify.com/de/legal/datenschutz.
Payment methods
In the context of contractual and other legal relationships, in accordance with legal obligations, or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and, for this purpose, engage banks, credit institutions, and other service providers (collectively, “payment service providers”). Payment transactions are conducted exclusively via encrypted connections in accordance with the state of the art, ensuring that the data entered is protected against unauthorized access during transmission.
The data processed by payment service providers includes personal information, such as name and address; banking information, such as account numbers or credit card numbers; passwords, TANs, and verification codes; as well as details related to the contract, transaction amounts, and recipients. This information is required to process the transactions. However, the data entered is processed and stored solely by the payment service providers. This means that we do not receive any account or credit card-related information, but only information confirming or rejecting the payment. Under certain circumstances, the payment service providers may transmit the data to credit bureaus. The purpose of this transmission is to verify identity and creditworthiness. For more information, please refer to the Terms and Conditions and Privacy Policy of the payment service providers.
Payment transactions are subject to the terms and conditions and privacy policies of the respective payment service providers, which are available on their respective websites or within the transaction applications. We also refer you to these documents for further information and to exercise your rights of withdrawal, access, and other data subject rights.
- Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contract data (e.g., subject matter of the contract, term, customer category); usage data (e.g., page views and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved); contact data (e.g., postal and email addresses or phone numbers).
- Data subjects: Service recipients and clients; business and contractual partners; prospective clients.
- Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; business processes and operational procedures; office and organizational procedures.
- Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
- Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, methods, and services:
- American Express: Payment services (technical integration of online payment methods); Service provider: American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.americanexpress.com/de/. Privacy Policy: https://www.americanexpress.com/de-de/firma/legal/datenschutz-center/online-datenschutzerklarung/.
- Apple Pay: Payment services (technical integration of online payment methods); Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.apple.com/de/apple-pay/. Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.
- Google Pay: Payment services (technical integration of online payment methods); Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://pay.google.com/intl/de_de/about/. Privacy Policy: https://policies.google.com/privacy.
- Mastercard: Payment services (technical integration of online payment methods); Service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.mastercard.de/de-de.html. Privacy Policy: https://www.mastercard.de/de-de/datenschutz.html.
- Mollie: Payment services (technical integration of online payment methods); Service provider: Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.mollie.com/de. Privacy Policy: https://www.mollie.com/de/privacy.
- PayPal: Payment services (technical integration of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.paypal.com/de. Privacy Policy: https://www.paypal.com/de/legalhub/paypal/privacy-full.
- Shopify Payments: Payment services (technical integration of online payment methods). Payments are processed via Shopify Payments, Shopify’s integrated payment platform. It allows customers to use various supported payment methods, depending on their region. Payment processing is carried out in accordance with the Shopify Payments Terms of Service, which are displayed to the customer during the payment process. Further information is available at https://www.shopify.com/de/payments; Service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.shopify.de. Privacy Policy: https://www.shopify.de/legal/datenschutz.
- Visa: Payment services (technical integration of online payment methods); Service provider: Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, UK; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.visa.de. Privacy Policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html.
- Riverty: Payment services (technical integration of online payment methods); Service provider: Riverty Group GmbH, Rheinstraße 99, 76532 Baden-Baden, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.riverty.com/de/. Privacy Policy: https://www.riverty.com/de/datenschutz/.
Provision of the online service and web hosting
We process users' data in order to provide them with our online services. To this end, we process the user's IP address, which is necessary to deliver the content and features of our online services to the user's browser or device.
- Types of data processed: Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved); Log data (e.g., log files regarding logins, data retrieval, or access times); Content data (e.g., textual or visual messages and posts, as well as related information such as authorship details or creation dates); Master data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers); Contract data (e.g., subject matter of the contract, term, customer category).
- Data subjects: Users (e.g., website visitors, users of online services); business and contractual partners; service recipients and clients.
- Purposes of processing and legitimate interests: Provision of our online services and user-friendliness; IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); security measures; Content Delivery Network (CDN). Provision of contractual services and fulfillment of contractual obligations.
- Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
- Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR).
Further information on processing procedures, methods, and services:
- Provision of our online services on rented server space: To provide our online services, we use server space, computing capacity, and software that we rent or otherwise obtain from a server provider (also known as a "web host"); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Collection of access data and log files: Access to our website is logged in the form of so-called "server log files." Server log files may include the address and name of the web pages and files accessed, the date and time of access, the amount of data transferred, a notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. The server log files may be used, on the one hand, for security purposes, e.g., to prevent server overload (particularly in the event of malicious attacks, so-called DDoS attacks), and, on the other hand, to ensure server capacity and stability; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained for evidentiary purposes is exempt from deletion until the respective incident has been fully resolved.
- Amazon Web Services (AWS): Services related to the provision of IT infrastructure and associated services (e.g., storage space and/or computing capacity); Service Provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://aws.amazon.com/de/; Privacy Policy: https://aws.amazon.com/de/privacy/; Data Processing Agreement: https://aws.amazon.com/de/compliance/gdpr-center/. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://aws.amazon.com/de/compliance/gdpr-center/).
- GoDaddy: Domain registration and web hosting services; Service provider: Go Daddy Operating Company, LLC, 14455 N. Hayden Road, Scottsdale, Arizona 85254, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.godaddy.com/de-de; Privacy Policy: https://www.godaddy.com/de-de/legal/agreements/privacy-policy. Basis for transfers to third countries: Data Privacy Framework (DPF).
- Cloudflare: Content Delivery Network (CDN) – a service that enables the faster and more secure delivery of content from an online platform, particularly large media files such as graphics or program scripts, using servers distributed across different regions and connected via the Internet; Service Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://www.cloudflare.com; Privacy Policy: https://www.cloudflare.com/privacypolicy/; Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.cloudflare.com/cloudflare-customer-scc/).
- GDPR Legal Cookie: Storage and management of consents (consent to cookies and data processing), logging of user decisions, display of notices regarding data protection and cookies, enabling users to withdraw or modify their consents; Service provider: beeclever GmbH, Friedrich-Mohr-Straße 1, 56070 Koblenz, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://gdpr-legal-cookie.myshopify.com/. Privacy Policy: https://gdpr-legal-cookie.myshopify.com/pages/datenschutzerklarung.
- Shopify: A platform through which e-commerce services are offered and provided. The services and processes carried out in connection with them include, in particular, online stores, websites, their offerings and content, community features, purchase and payment transactions, customer communication, as well as analysis and marketing; Service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.shopify.com/de/. Privacy Policy: https://www.shopify.com/de/legal/datenschutz.
- Klaviyo: Email and SMS marketing platform; Service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.klaviyo.com/; Privacy policy: https://www.klaviyo.com/legal/privacy-notice. Basis for transfers to third countries: Data Privacy Framework (DPF).
- Amazon CloudFront: Content Delivery Network (CDN) – a service that enables the faster and more secure delivery of content from an online offering, particularly large media files such as graphics or program scripts, using servers distributed across different regions and connected via the Internet; Service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://aws.amazon.com/de/cloudfront/; Privacy Policy: https://aws.amazon.com/privacy/; Data Processing Agreement: https://aws.amazon.com/de/compliance/gdpr-center/. Basis for transfers to third countries: Standard contractual clauses (provided by the service provider).
- JSDelivr: Content Delivery Network (CDN) that helps deliver media and files quickly and efficiently, especially under high load; Service provider: ProspectOne, Królewska 65A/1, 30-081, Kraków, Poland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.jsdelivr.com. Privacy Policy: https://www.jsdelivr.com/terms/privacy-policy.
Use of Cookies
The term “cookies” refers to functions that store and retrieve information on users’ devices. Cookies may also be used for various purposes, such as ensuring the functionality, security, and convenience of online services, as well as for analyzing visitor traffic. We use cookies in accordance with legal requirements. To this end, we obtain users’ consent in advance when necessary. If consent is not required, we rely on our legitimate interests. This applies when the storage and retrieval of information is essential to provide explicitly requested content and functions. This includes, for example, the storage of settings and ensuring the functionality and security of our online service. Consent may be revoked at any time. We provide clear information about the scope of our use and which cookies are used.
Information on the legal basis for data protection: Whether we process personal data using cookies depends on consent. If consent has been given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.
Storage duration: With regard to storage duration, the following types of cookies are distinguished:
- Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user leaves a website and closes their device (e.g., browser or mobile app).
- Persistent cookies: Persistent cookies remain stored even after the device is turned off. This allows, for example, the user’s login status to be saved and preferred content to be displayed immediately when the user visits a website again. Likewise, user data collected via cookies may be used for audience measurement. Unless we provide users with explicit information regarding the type and storage duration of cookies (e.g., when obtaining consent), they should assume that these are persistent and may be stored for up to two years.
General Information on Withdrawal of Consent and Objection (Opt-out): Users may withdraw their consent at any time and may also object to the processing of their data in accordance with legal requirements, including through their browser’s privacy settings.
- Types of data processed: metadata, communication data, and transaction data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
- Data subjects: Users (e.g., website visitors, users of online services).
- Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR). Consent (Art. 6(1)(a) of the GDPR).
Further information on processing procedures, methods, and services:
- Processing of cookie data based on consent: We use a consent management solution to obtain users’ consent for the use of cookies or for the procedures and providers specified within the consent management solution. This procedure serves to obtain, log, manage, and revoke consents, particularly with regard to the use of cookies and comparable technologies used to store, read, and process information on users’ end devices. As part of this process, users’ consent is obtained for the use of cookies and the associated processing of information, including the specific processing activities and providers mentioned in the consent management process. Users also have the option to manage and revoke their consents. The consent declarations are stored to avoid repeated requests and to maintain proof of consent in accordance with legal requirements. Storage takes place on the server and/or in a cookie (so-called opt-in cookie) or via comparable technologies to enable the consent to be assigned to a specific user or their device. Unless specific information regarding the providers of consent management services is available, the following general guidelines apply: The duration of consent storage is up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, details regarding the scope of consent (e.g., relevant categories of cookies and/or service providers), as well as information about the browser, the system, and the end device used; Legal basis: Consent (Art. 6(1)(a) GDPR).
- TrustArc: Storage and management of consent (consent to cookies and data processing), logging of user decisions, display of notices regarding data protection and cookies, enabling users to withdraw or modify their consent; Service provider: TrustArc Inc., 111 Sutter Street, Suite 600, San Francisco, CA 94104, USA; Website: https://www.trustarc.com/products/cookie-consent-manager/; Privacy Policy: https://trustarc.com/privacy-policy/; Data Processing Agreement: Provided by the service provider. Basis for transfers to third countries: Standard contractual clauses (provided by the service provider).
Data processing within the application (app)
We process the data of our app’s users to the extent necessary to provide users with the app and its features, monitor its security, and further develop it. We may also contact users in accordance with legal requirements, provided that such communication is necessary for the administration or use of the application. For further information regarding the processing of user data, please refer to the privacy notice in this Privacy Policy.
Legal Basis: The processing of data necessary to provide the application’s functionalities serves to fulfill contractual obligations. This also applies if the provision of these functions requires user authorization (e.g., enabling device functions). If the processing of data is not necessary for the provision of the application’s functionalities but serves the security of the application or our business interests (e.g., collection of data for the purpose of optimizing the application or for security purposes), it is carried out on the basis of our legitimate interests. If users are explicitly asked for their consent to the processing of their data, the processing of the data covered by the consent is based on that consent.
- Types of data processed: Personal data (e.g., full name, home address, contact information, customer number, etc.); usage data (e.g., page views and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing and legitimate interests: Providing contractual services and fulfilling contractual obligations; security measures. Providing our online services and ensuring user-friendliness.
- Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
- Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).
Further information on processing procedures, methods, and services:
- Device permissions for accessing features and data: Using our application or its features may require users to grant permissions to access certain features of the devices being used, or to access data stored on those devices or accessible via them. By default, these permissions must be granted by users and can be revoked at any time in the settings of the respective devices. The exact procedure for managing app permissions may vary depending on the device and the user’s software. Users may contact us if they require further clarification. Please note that denying or revoking these permissions may affect the functionality of our application.
Registration, Sign-In, and User Account
Users can create a user account. During the registration process, users are informed of the required mandatory information, which is processed for the purpose of providing the user account based on the fulfillment of contractual obligations. The data processed includes, in particular, login information (username, password, and email address).
When you use our registration and login functions, as well as your user account, we store your IP address and the time of each user action. This data is stored based on our legitimate interests, as well as those of our users, in protecting against misuse and other unauthorized use. This data is generally not disclosed to third parties, unless it is necessary to pursue our claims or there is a legal obligation to do so.
Users can be notified via email about matters relevant to their user account, such as technical changes.
- Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation); Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Log data (e.g., log files regarding logins, data retrieval, or access times).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; security measures; organizational and administrative procedures; provision of our online services and user-friendliness.
- Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion." Deletion upon termination.
- Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).
Further information on processing procedures, methods, and services:
- Registration using real names: Due to the nature of our community, we ask users to use our services only under their real names. This means that the use of pseudonyms is not permitted; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- User profiles are not public: User profiles are not visible to the public and cannot be accessed.
- No obligation to retain data: It is the user’s responsibility to back up their data upon termination of the contract prior to its expiration. We are entitled to permanently delete all user data stored during the term of the contract; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Contact and Inquiry Management
When you contact us (e.g., by mail, contact form, email, phone, or social media), as well as in the context of existing user and business relationships, we process the information provided by the individuals making the inquiry to the extent necessary to respond to their inquiries and take any requested actions.
- Types of data processed: Contact information (e.g., postal and email addresses or phone numbers); content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Affected individuals: Communication partners.
- Purposes of processing and legitimate interests: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via an online form). Provision of our online services and user-friendliness.
- Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
- Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR). Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) of the GDPR).
Further information on processing procedures, methods, and services:
- Contact Form: When you contact us via our contact form, by email, or through other communication channels, we process the personal data you provide to us in order to respond to and handle your inquiry. This typically includes information such as your name, contact details, and, where applicable, any additional information provided to us that is necessary for proper processing. We use this data exclusively for the stated purpose of establishing contact and communication; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).
Communication via Messenger
We use messaging apps for communication purposes and therefore ask that you review the following information regarding the functionality of these apps, encryption, the use of communication metadata, and your options for objecting.
You can also contact us through other channels, such as by phone or email. Please use the contact information provided to you or the contact information listed on our website.
In the case of end-to-end encryption of content (i.e., the content of your message and attachments), please note that the communication content (i.e., the message content and attached images) is encrypted end-to-end. This means that the content of the messages cannot be viewed, not even by the messenger providers themselves. You should always use an up-to-date version of the messenger with encryption enabled to ensure that the message content is encrypted.
However, we would also like to inform our communication partners that, while the messaging service providers do not view the content of the messages, they can determine whether and when communication partners are communicating with us, and they process technical information about the communication partners’ devices as well as location information (so-called metadata), depending on the settings of their devices.
Information on Legal Bases: If we ask communication partners for permission before communicating with them via Messenger, the legal basis for our processing of their data is their consent. Furthermore, if we do not ask for consent and you, for example, contact us on your own initiative, we use Messenger in our relationship with our contractual partners and in the context of contract initiation as a contractual measure, and in the case of other interested parties and communication partners, based on our legitimate interests in fast and efficient communication and in meeting our communication partners’ needs for communication via Messenger. Furthermore, we would like to point out that we do not initially transmit the contact details provided to us to the messaging services without your consent.
Withdrawal, Objection, and Deletion: You may withdraw your consent at any time and object to communication with us via Messenger at any time. In the case of communication via Messenger, we will delete the messages in accordance with our general deletion policy (e.g., as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that we have answered any inquiries from the communication partner, provided that no reference back to a previous conversation is expected and no legal retention obligations preclude deletion.
Note regarding other communication channels: To ensure your security, please understand that, for certain reasons, we may not be able to respond to inquiries sent via messaging apps. This applies to situations where, for example, contract details must be treated as particularly confidential or where a response via a messaging app does not meet formal requirements. In such cases, we recommend that you use more appropriate communication channels.
- Types of data processed: Contact information (e.g., mailing and email addresses or phone numbers); Content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation); Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
- Affected individuals: Communication partners.
- Purposes of processing and legitimate interests: Communication. Direct marketing (e.g., via email or mail).
- Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
- Legal basis: Consent (Art. 6(1)(a) of the GDPR); performance of a contract and pre-contractual inquiries (Art. 6(1)(b) of the GDPR); legitimate interests (Art. 6(1)(f) of the GDPR).
Further information on processing procedures, methods, and services:
- Slack: Team communication and collaboration, real-time messaging, file and document sharing, integration with third-party tools, video and voice calls, channels for topic-specific discussions, search function for messages and files; Service provider: Slack Technologies, Inc., 500 Howard Street, San Francisco, CA 94105, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://slack.com/intl/de-de/; Privacy policy: https://slack.com/intl/de-de/legal; Data Processing Agreement: https://slack.com/intl/de-de/terms-of-service/data-processing; Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://slack.com/intl/de-de/terms-of-service/data-processing). Further information: Security measures: https://slack.com/intl/de-de/security-practices.
Artificial Intelligence (AI)
We use artificial intelligence (AI), which involves the processing of personal data. The specific purposes and our interest in using AI are outlined below. We define AI in accordance with the term “AI system” as defined in Article 3(1) of the AI Regulation as a machine-based system designed to operate with varying degrees of autonomy, capable of adapting after deployment, and producing outputs such as predictions, content, recommendations, or decisions based on the inputs received, which may affect physical or virtual environments.
Our AI systems are used in strict compliance with legal requirements. These include both specific regulations governing artificial intelligence and data protection requirements. In particular, we adhere to the principles of lawfulness, transparency, fairness, human oversight, purpose limitation, data minimization, integrity, and confidentiality. We ensure that the processing of personal data always takes place on a legal basis. This can be either the consent of the data subjects or a legal authorization.
When using external AI systems, we carefully select their providers (hereinafter “AI providers”). In accordance with our legal obligations, we ensure that AI providers comply with applicable regulations. We also fulfill our obligations when using or operating the AI services we have procured. The processing of personal data by us and the AI providers is carried out exclusively on the basis of consent or legal authorization. In doing so, we place particular emphasis on transparency, fairness, and the preservation of human control over AI-supported decision-making processes.
To protect the data we process, we implement appropriate and robust technical and organizational measures. These measures ensure the integrity and confidentiality of the processed data and minimize potential risks. By regularly reviewing AI providers and their services, we ensure ongoing compliance with current legal and ethical standards.
- Types of data processed: Content data (e.g., text-based or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation). Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features).
- Data subjects: Users (e.g., website visitors, users of online services). Third parties.
- Purposes of processing and legitimate interests: Artificial Intelligence (AI).
- Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
Newsletters and electronic notifications
We send newsletters, emails, and other electronic notifications (hereinafter “newsletters”) exclusively with the recipients’ consent or on a legal basis. If the content of the newsletter is specified during the sign-up process, this content is decisive for the user’s consent. To subscribe to our newsletter, providing your email address is usually sufficient. However, in order to offer you a personalized service, we may ask you to provide your name so we can address you personally in the newsletter, or to provide additional information if it is necessary for the purpose of the newsletter.
Deletion and Restriction of Processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, in order to be able to demonstrate that consent was previously given. The processing of this data is limited to the purpose of potentially defending against claims. An individual request for erasure is possible at any time, provided that the prior existence of consent is confirmed at the same time. In the event of obligations to permanently honor objections, we reserve the right to store the email address solely for this purpose in a blocklist.
We log the registration process based on our legitimate interests for the purpose of verifying that it was carried out properly. If we engage a service provider to send emails, we do so based on our legitimate interests in maintaining an efficient and secure email delivery system.
Contents: Information about us, our services, promotions, and special offers.
- Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); contact data (e.g., mailing and email addresses or phone numbers); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved persons). Usage data (e.g., page views and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
- Data subjects: Communication partners. Users (e.g., website visitors, users of online services).
- Purposes of processing and legitimate interests: Direct marketing (e.g., via email or mail). Provision of contractual services and fulfillment of contractual obligations.
- Legal basis: Consent (Art. 6(1)(a) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).
- Opt-out option: You can unsubscribe from our newsletter at any time, i.e., withdraw your consent or opt out of receiving further issues. You will find a link to unsubscribe from the newsletter at the bottom of each issue, or you can use one of the contact options listed above—preferably email—to do so.
Further information on processing procedures, methods, and services:
- Measuring open and click-through rates: The newsletters contain a so-called “web beacon,” which is a pixel-sized file that is retrieved from our server—or the server of the mailing service provider we use, if applicable—when the newsletter is opened. As part of this retrieval, technical information—such as details about your browser and system—as well as your IP address and the time of retrieval are initially collected. This information is used to technically improve our newsletter based on the technical data or the target groups and their reading behavior, determined by their location (which can be identified using the IP address) or access times. This analysis also includes determining whether and when the newsletters are opened and which links are clicked. The collected information is assigned to individual newsletter recipients and stored in their profiles until deletion. On this basis, user profiles are created in which usage behavior and user characteristics are stored. The measurement of open and click rates, as well as the storage of the measurement results in user profiles and their further processing, are based on the user’s consent. Unfortunately, it is not possible to revoke consent for performance measurement separately; in this case, the entire newsletter subscription must be canceled or objected to. In that case, the stored profile information will be deleted; legal basis: consent (Art. 6(1)(a) GDPR).
- Requirements for accessing free services: Consent to receive email communications may be required in order to access free services (e.g., access to certain content or participation in certain promotions). If you wish to access the free service without subscribing to the newsletter, please contact us.
- Reminder emails regarding the ordering process: If users do not complete an ordering process, we may send them an email reminding them of the process and providing a link to resume it. This feature can be useful, for example, if the purchase process could not be continued due to a browser crash, an oversight, or forgetfulness. These emails are sent based on consent, which users may revoke at any time; legal basis: consent (Art. 6(1)(a) GDPR).
- Klaviyo: Email and SMS marketing platform; Service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.klaviyo.com/; Privacy policy: https://www.klaviyo.com/legal/privacy-notice. Basis for transfers to third countries: Data Privacy Framework (DPF).
Marketing communications via email, mail, fax, or telephone
We process personal data for the purpose of sending promotional communications, which may be sent via various channels, such as email, telephone, mail, or fax, in accordance with legal requirements.
Recipients have the right to withdraw their consent at any time or to opt out of promotional communications at any time, free of charge, by using the contact information provided above.
Following a revocation or objection, we store the data necessary to demonstrate prior authorization for contacting you or sending you communications for up to three years after the end of the year in which the revocation or objection was made, based on our legitimate interests. The processing of this data is limited to the purpose of potentially defending against claims. Based on the legitimate interest in permanently honoring the user’s revocation or objection, we also store the data necessary to prevent further contact (e.g., depending on the communication channel, the email address, phone number, or name).
- Types of data processed: Personal information (e.g., full name, home address, contact information, customer number, etc.); contact details (e.g., mailing and email addresses or phone numbers); content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation).
- Affected individuals: Communication partners.
- Purposes of processing and legitimate interests: Direct marketing (e.g., via email or mail); marketing; sales promotion.
- Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
- Legal basis: Consent (Art. 6(1)(a) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).
Further information on processing procedures, methods, and services:
- Klaviyo: Email and SMS marketing platform; Service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.klaviyo.com/; Privacy policy: https://www.klaviyo.com/legal/privacy-notice. Basis for transfers to third countries: Data Privacy Framework (DPF).
Giveaways and Contests
We process the personal data of participants in sweepstakes and contests only in compliance with applicable data protection regulations, provided that such processing is contractually necessary for the provision, conduct, and administration of the sweepstakes, the participants have consented to the processing, or the processing serves our legitimate interests (e.g., the security of the sweepstakes or the protection of our interests against misuse through the potential collection of IP addresses when submitting sweepstakes entries).
If participants’ entries are published in connection with the contest (e.g., as part of a vote, a presentation of contest entries or winners, or coverage of the contest), please note that participants’ names may also be published in this context. Participants may object to this at any time.
If the contest takes place on an online platform or social network (e.g., Facebook or Instagram, hereinafter referred to as "online platform"), the terms of use and privacy policies of the respective platforms also apply. In such cases, we would like to point out that we are responsible for the information provided by participants in connection with the contest and that any inquiries regarding the contest should be directed to us.
Participants’ data will be deleted as soon as the sweepstakes or contest has ended and the data is no longer needed to notify the winners or because no further inquiries regarding the sweepstakes are expected. As a general rule, participants’ data will be deleted no later than 6 months after the end of the sweepstakes. Data regarding winners may be retained for a longer period, for example, to answer questions regarding the prizes or to fulfill the prize obligations; in this case, the retention period depends on the type of prize and may be up to three years for goods or services, for example, to handle warranty claims. Furthermore, participants’ data may be stored for a longer period, e.g., in the form of reporting on the sweepstakes in online and offline media.
If data was collected for other purposes as part of the contest, its processing and retention period are governed by the privacy policy applicable to that specific use (e.g., in the case of subscribing to a newsletter as part of a contest).
- Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation); Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
- Data subjects: Participants in sweepstakes and contests. Users (e.g., website visitors, users of online services).
- Purposes of processing and legitimate interests: Conducting sweepstakes and contests.
- Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
- Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).
Further information on processing procedures, methods, and services:
- Facebook Pages: Profiles within the Facebook social network – We are jointly responsible with Meta Platforms Ireland Limited for the collection and transmission of data from visitors to our Facebook page (“Fan Page”). This includes, in particular, information about user behavior (e.g., content viewed or interacted with, actions taken) as well as device information (e.g., IP address, operating system, browser type, language settings, cookie data). Further details can be found in Facebook’s Data Policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical analyses via the “Page Insights” service, which provide information on how people interact with our page and its content. This is based on an agreement with Facebook (“Information on Page Insights”: https://www.facebook.com/legal/terms/page_controller_addendum), which governs, among other things, security measures and the exercise of data subject rights. Further information can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Users may therefore direct requests for information or deletion directly to Facebook. Users’ rights (in particular the right to access, erasure, objection, and lodging a complaint with a supervisory authority) remain unaffected by this. Joint responsibility is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited is solely responsible for further processing, including any potential transfer to Meta Platforms Inc. in the U.S.; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
- Instagram: Social network that allows users to share photos and videos, comment on and like posts, send messages, and follow profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF).
- TikTok: Social network that allows users to share photos and videos, comment on and like posts, send messages, and follow accounts; Service providers: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.tiktok.com; Privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Data processing agreement: Provided by the service provider.
Web Analytics, Monitoring, and Optimization
Web analytics (also known as “audience measurement”) is used to analyze visitor traffic to our website and may include pseudonymized data on visitor behavior, interests, or demographic information, such as age or gender. With the help of audience measurement, we can, for example, identify when our website or its features and content are used most frequently, or encourage repeat visits. It also allows us to identify which areas require optimization.
In addition to web analytics, we can also use testing methods to test and optimize different versions of our website or its components.
Unless otherwise specified below, profiles—that is, data aggregated for a specific usage session—may be created for these purposes, and information may be stored in a browser or on a device and subsequently retrieved. The information collected includes, in particular, websites visited and elements used there, as well as technical information such as the browser used, the computer system used, and details regarding usage times. If users have consented to the collection of their location data by us or by the providers of the services we use, the processing of location data is also possible.
In addition, users’ IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by truncating the IP address) to protect users. In general, no personally identifiable user data (such as email addresses or names) is stored in the context of web analytics, A/B testing, and optimization; instead, pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures.
Information on Legal Bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in providing efficient, cost-effective, and user-friendly services). In this context, we would also like to draw your attention to the information regarding the use of cookies in this Privacy Policy.
- Types of data processed: Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing and legitimate interests: Audience measurement (e.g., traffic statistics, identification of returning visitors); profiles containing user-related information (creation of user profiles); provision of our online services and user-friendliness; click tracking; A/B testing; feedback (e.g., collection of feedback via online forms); Heatmaps (user mouse movements aggregated into an overall picture); Surveys and questionnaires (e.g., surveys with text fields, multiple-choice questions). Marketing.
- Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion." Cookies may be stored for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years).
- Security measures: IP masking (pseudonymization of the IP address).
- Legal basis: Consent (Art. 6(1)(a) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).
Further information on processing procedures, methods, and services:
- Google Analytics: We use Google Analytics to measure and analyze the use of our online services based on a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It serves to associate analytical information with a device in order to determine which content users accessed during one or more sessions, which search terms they used, whether they revisited the content, or how they interacted with our online offering. Likewise, the time of use and its duration are stored, as well as the sources from which users access our online offering and technical aspects of their devices and browsers. In doing so, pseudonymous user profiles are created using information from the use of various devices, whereby cookies may be employed. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides rough geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based equivalents). For EU data traffic, IP address data is used exclusively for this derivation of geolocation data before being immediately deleted. It is not logged, is not accessible, and is not used for any other purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Right to object (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for displaying advertisements: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and data processed).
- Google Tag Manager: We use Google Tag Manager, a software tool from Google that allows us to centrally manage so-called website tags via a user interface. Tags are small pieces of code on our website that are used to track and analyze visitor activity. This technology helps us improve our website and the content offered on it. Google Tag Manager itself does not create user profiles, does not store cookies containing user profiles, and does not perform independent analyses. Its function is limited to simplifying and streamlining the integration and management of the tools and services we use on our website. Nevertheless, when using Google Tag Manager, users’ IP addresses are transmitted to Google, which is necessary for technical reasons to implement the services we use. Cookies may also be set in the process. However, this data processing only occurs when services are integrated via Tag Manager. For more detailed information on these services and their data processing, please refer to the relevant sections of this Privacy Policy; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms).
- Hotjar: Software for analyzing and optimizing online offerings based on feedback features as well as pseudonymized measurements and analyses of user behavior, which may include, in particular, A/B testing (measuring the popularity and user-friendliness of different content and features), tracking click paths, and measuring interaction with the content and features of the online offering (so-called heatmaps and recordings); Service Provider: Hotjar Ltd., 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.hotjar.com; Privacy Policy: https://www.hotjar.com/legal/policies/privacy; Data Deletion: The cookies used by Hotjar have varying "lifespans"; some remain valid for up to 365 days, while others are only valid during the current visit; Cookie Policy: https://www.hotjar.com/legal/policies/cookie-information. Opt-out option: https://www.hotjar.com/legal/compliance/opt-out.
Online marketing
We process personal data for online marketing purposes, which may include, in particular, the sale of advertising space or the display of advertising and other content (collectively referred to as “Content”) based on users’ potential interests, as well as the measurement of its effectiveness.
For these purposes, so-called user profiles are created and stored in a file (a so-called “cookie”) or similar methods are used to store user information relevant to the display of the aforementioned content. This may include, for example, content viewed, websites visited, online networks used, as well as communication partners and technical details such as the browser used, the computer system used, and information regarding usage times and functions used. If users have consented to the collection of their location data, this data may also be processed.
In addition, users’ IP addresses are stored. However, we use available IP masking methods (i.e., pseudonymization by truncating the IP address) to protect users. In general, no plain-text user data (such as email addresses or names) is stored as part of the online marketing process; instead, pseudonyms are used. This means that neither we nor the providers of the online marketing services know the actual identity of the users, but only the information stored in their profiles.
The information contained in the profiles is typically stored in cookies or using similar methods. These cookies can generally be read later on other websites that use the same online marketing method, analyzed for the purpose of displaying content, supplemented with additional data, and stored on the server of the online marketing provider.
In exceptional cases, it is possible to associate personal data with user profiles, particularly when users are members of a social network whose online marketing methods we use and the network links user profiles with the aforementioned information. Please note that users may enter into additional agreements with these providers, for example by providing consent during the registration process.
We generally only have access to aggregated data regarding the performance of our advertisements. However, through conversion tracking, we can determine which of our online marketing methods have led to a conversion—for example, the signing of a contract with us. Conversion tracking is used solely to analyze the effectiveness of our marketing efforts.
Unless otherwise stated, please assume that the cookies we use will be stored for a period of two years.
Notes on Legal Bases: When we ask users for their consent to the use of third-party providers, the legal basis for data processing is their consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., our interest in providing efficient, cost-effective, and user-friendly services). In this context, we would also like to draw your attention to the information regarding the use of cookies in this Privacy Policy.
Information on cancellation and objection:
Please refer to the privacy policies of the respective providers and the opt-out options provided by them. If no explicit opt-out option is provided, you can disable cookies in your browser settings. However, doing so may limit the functionality of our website. We therefore also recommend the following opt-out options, which are offered in summary form for the respective areas:
a) Europe: https://www.youronlinechoices.eu.
b) Canada: https://youradchoices.ca/.
c) United States: https://optout.aboutads.info/.
d) Cross-regional: https://optout.aboutads.info.
- Types of data processed: Content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation); usage data (e.g., page views and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals); Event data (Facebook) (“Event data” refers to information sent to the provider Meta—for example, via Meta pixels (whether through apps or other channels)—that relates to individuals or their actions. This data includes details such as website visits, interactions with content and features, app installations, and product purchases. Event data is processed for the purpose of creating target audiences for content and advertising messages (Custom Audiences). It is important to note that Event Data does not include actual content such as written comments, login information, or contact information such as names, email addresses, or phone numbers. "Event Data" is deleted by Meta after a maximum of two years, and the target audiences created from it disappear upon deletion of our Meta user accounts.); Contact Information (Facebook) ("Contact information" refers to data that (clearly) identifies data subjects, such as names, email addresses, and phone numbers, which may be transmitted to Facebook—e.g., via Facebook Pixel or upload—for matching purposes to create Custom Audiences. After matching to create target groups, the contact information is deleted).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing and legitimate interests: Audience measurement (e.g., traffic statistics, identification of returning visitors); Tracking (e.g., interest-based/behavioral profiling, use of cookies); Conversion measurement (measuring the effectiveness of marketing measures); audience targeting; marketing; profiles containing user-related information (creation of user profiles); provision of our online services and user-friendliness; remarketing.
- Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion." Cookies may be stored for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years).
- Security measures: IP masking (pseudonymization of the IP address).
- Legal basis: Consent (Art. 6(1)(a) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).
Further information on processing procedures, methods, and services:
- Meta Pixel and Audience Targeting (Custom Audiences): Using the Meta Pixel (or comparable functions for transmitting event data or contact information via interfaces within apps), Meta is able to identify visitors to our website as a target audience for the display of ads (so-called "Meta Ads"). Accordingly, we use the Meta Pixel to display the Meta Ads we place only to those users on Meta platforms and within the services of partners cooperating with Meta (the so-called “Audience Network” https://www.facebook.com/audiencenetwork/ ) who have also shown an interest in our online offering or who exhibit certain characteristics (e.g., interest in specific topics or products, as indicated by the websites visited), which we transmit to Meta (so-called "Custom Audiences"). With the help of the Meta Pixel, we also aim to ensure that our Meta Ads align with users’ potential interests and do not appear intrusive. With the help of the Meta pixel, we can also track the effectiveness of Meta ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Meta ad (so-called "conversion tracking"); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum); Further information: User event data, i.e., behavioral and interest data, is processed for the purposes of targeted advertising and audience targeting based on the Joint Controller Agreement ("Addendum for Controllers," https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, particularly with regard to the transfer of data to the parent company Meta Platforms, Inc. in the U.S. (based on the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- Extended matching for the Meta Pixel: In addition to the processing of event data in connection with the use of the Meta Pixel (or similar features, e.g., in apps), contact information (data that identifies specific individuals, such as names, email addresses, and phone numbers) is also collected by Meta within our online platform or transmitted to Meta. The processing of contact information serves to create target groups (so-called "Custom Audiences") for the display of content and advertising information tailored to users’ presumed interests. The collection, transmission, and comparison with data held by Meta do not occur in plain text, but rather as so-called "hash values," i.e., mathematical representations of the data (this method is used, for example, when storing passwords). After the comparison for the purpose of creating target groups, the contact information is deleted; Legal basis: Consent (Art. 6(1)(a) GDPR); Privacy Policy: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Further information: https://www.facebook.com/legal/terms/data_security_terms.
- Facebook Ads: Placement of ads within the Facebook platform and analysis of ad performance; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Basis for transfers to third countries: Data Privacy Framework (DPF); Right to object (opt-out): We refer to the privacy and advertising settings in users’ profiles on the Facebook platforms, as well as to Facebook’s consent procedures and contact options for exercising the right to access and other data subject rights, as described in Facebook’s Privacy Policy; Further Information: User event data, i.e., behavioral and interest data, is processed for the purposes of targeted advertising and audience targeting based on the Joint Controller Agreement ("Addendum for Controllers," https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, particularly with regard to the transfer of data to the parent company Meta Platforms, Inc. in the U.S. (based on the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- Google Ad Manager: We use the "Google Ad Manager" service to place ads on the Google advertising network (e.g., in search results, in videos, on websites, etc.). Google Ad Manager is distinguished by the fact that ads are displayed in real time based on users' presumed interests. This allows us to display ads for our online offering to users who may have a potential interest in our offering or who have previously shown interest in it, as well as to measure the success of the ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/; Data processing terms for Google advertising products: Information on the services, data processing terms between controllers, and standard contractual clauses for third-country data transfers: https://business.safety.google/adscontrollerterms. If Google acts as a processor, data processing terms for Google advertising products and standard contractual clauses for third-country data transfers: https://business.safety.google/adsprocessorterms.
- Google Ads and conversion tracking: Online marketing methods used to place content and ads within the service provider’s advertising network (e.g., in search results, in videos, on websites, etc.) so that they are displayed to users who are likely to be interested in the ads. In addition, we measure the conversion of the ads, i.e., whether users have taken the opportunity to interact with the ads and use the advertised offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate Interests (Art. 6(1)(f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for transfers of data to third countries: https://business.safety.google/adscontrollerterms.
- Enhanced Conversions for Google Ads: When users click on our Google ads and subsequently use the advertised service (known as a "conversion"), the data entered by the user—such as their email address, name, home address, or phone number—may be transmitted to Google. The hash values are then matched with the users’ existing Google accounts to better evaluate and improve user interaction with the ads (e.g., clicks or views) and thus their performance; Legal basis: Consent (Art. 6(1)(a) GDPR). Website: https://support.google.com/google-ads/answer/9888656.
- Google AdSense with personalized ads: We integrate the Google AdSense service, which allows us to place personalized ads within our website. Google AdSense analyzes user behavior and uses this data to display targeted advertising tailored to our visitors’ interests. We receive financial compensation for each ad impression or other forms of use of these ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information on the services, data processing terms between controllers, and standard contractual clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.
- Google AdSense with non-personalized ads: We use the Google AdSense service to display non-personalized ads on our website. These ads are not based on individual user behavior but are selected based on general characteristics such as the content of the page or your approximate geographic location. We receive compensation for the display or other use of these ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information on the services, data processing terms between controllers, and standard contractual clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.
- TikTok Pixel: Code that is loaded when a user visits our website and tracks the user’s behavior and conversions, storing this data in a profile (possible uses: measuring campaign performance, optimizing ad delivery, building custom and lookalike audiences). We and TikTok are jointly responsible for the collection and transmission of event data, as well as for the measurement and creation of insights reports (statistics) for profile owners. This event data includes information about the types of content users view or interact with, or the actions they take, as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data) and details from users’ profiles, such as country or location. Privacy information regarding TikTok’s processing of user data can be found in TikTok’s Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. We have entered into a specific joint controller agreement with TikTok, which specifically outlines the security measures TikTok must adhere to and in which TikTok has agreed to fulfill data subject rights (i.e., users may, for example, submit requests for information or deletion directly to TikTok). Users’ rights (in particular the rights to access, erasure, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with TikTok. The joint controller agreement can be found in TikTok’s “Jurisdiction Specific Terms”: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms; Service providers: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://ads.tiktok.com/help/article/tiktok-pixel; Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Basis for transfers to third countries: Standard Contractual Clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).
Customer Reviews and Rating Processes
We participate in review and rating programs to evaluate, optimize, and promote our services. When users rate us or provide feedback through the participating review platforms or programs, the providers’ terms and conditions and privacy policies also apply. As a rule, submitting a review also requires registration with the respective providers.
To ensure that reviewers have actually used our services, we transmit the necessary customer data—including the customer’s name, email address, and order number or item number—to the respective review platform with the customer’s consent. This data is used solely to verify the user’s authenticity.
- Types of data processed: Contract data (e.g., subject matter of the contract, term, customer category); usage data (e.g., page views and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Service recipients and clients. Users (e.g., website visitors, users of online services).
- Purposes of processing and legitimate interests: Feedback (e.g., collecting feedback via an online form). Marketing.
- Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR). Consent (Art. 6(1)(a) of the GDPR).
Further information on processing procedures, methods, and services:
- Google Customer Reviews: A service for collecting and/or displaying customer satisfaction and customer opinions; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF); Further information: When collecting customer reviews, an identification number and the time of the transaction being reviewed are processed; for review requests sent directly to customers, the customer’s email address, country of residence, and the review details themselves are processed; Further details on the types of processing and the data processed: https://business.safety.google/adsservices/. Data Processing Terms for Google Advertising Products: Information on the services, Data Processing Terms between controllers, and Standard Contractual Clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.
- Trusted Shops (Trustedbadge): Review platform – As part of the joint responsibility arrangement between us and Trusted Shops, please contact Trusted Shops directly regarding data protection issues and to exercise your rights, using the contact details provided in the privacy policy. Regardless of this, you may always contact the controller of your choice. Your inquiry will then, if necessary, be forwarded to the other controller for a response.
The Trustbadge is provided by a U.S.-based CDN provider (Content Delivery Network). An adequate level of data protection is ensured through standard data protection clauses and other contractual measures.
When the Trustbadge is accessed, the web server automatically stores a so-called server log file, which also contains your IP address, the date and time of access, the amount of data transferred, and the requesting provider (access data), and documents the access. The IP address is anonymized immediately after collection, so that the stored data cannot be associated with you personally. The anonymized data is used in particular for statistical purposes and for error analysis.
If you have given your consent, the Trustbadge accesses order information stored on your device (order total, order number, product purchased, if applicable) as well as your email address after the order is completed, and your email address is hashed using a cryptographic one-way function. The hash value is then transmitted to Trusted Shops along with the order information in accordance with Art. 6(1)(a) GDPR. This serves to verify whether you are already registered for Trusted Shops services. If this is the case, further processing takes place in accordance with the contractual agreement between you and Trusted Shops. If you are not yet registered for the services or do not give your consent to automatic recognition via the Trustbadge, you will subsequently have the option to manually register for the use of the services or to complete the verification process within the scope of your existing user agreement, if applicable.
For this purpose, after you complete your order, the Trustbadge accesses the following information stored on the device you are using: order total, order number, and email address. This is necessary so that we can offer you buyer protection. Data is only transmitted to Trusted Shops once you actively decide to complete the buyer protection process by clicking the button labeled accordingly in the so-called Trustcard. If you decide to use the services, further processing is governed by the contractual agreement with Trusted Shops pursuant to Art. 6(1)(b) GDPR in order to complete your registration for buyer protection, secure the order, and, if applicable, subsequently send you review invitations via email.
Trusted Shops uses service providers in the areas of hosting, monitoring, and logging. The legal basis is Art. 6(1)(f) GDPR for the purpose of ensuring trouble-free operation. Processing may take place in third countries (the U.S. and Israel). An adequate level of data protection is ensured in the case of the U.S. through standard data protection clauses and other contractual measures, and in the case of Israel through an adequacy decision.
Service provider: Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany; Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.trustedshops.de. Privacy Policy: https://www.trustedshops.de/impressum-datenschutz/.
- Klaviyo: Email and SMS marketing platform; Service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.klaviyo.com/; Privacy policy: https://www.klaviyo.com/legal/privacy-notice. Basis for transfers to third countries: Data Privacy Framework (DPF).
Social media presence
We maintain online presences on social media platforms and, in this context, process user data in order to communicate with users active on those platforms or to provide information about us.
Please note that user data may be processed outside the European Union. This may pose risks to users, as it could, for example, make it more difficult to enforce their rights.
Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles can be created based on users’ behavior and the resulting interests. These profiles may in turn be used to display advertisements—both within and outside the networks—that are presumed to align with users’ interests. For this reason, cookies are typically stored on users’ computers to record their usage behavior and interests. Additionally, usage profiles may also store data regardless of the devices used by users (particularly if they are members of the respective platforms and are logged in there).
For a detailed description of the specific processing methods and opt-out options, please refer to the privacy policies and information provided by the operators of the respective networks.
We would also like to point out that requests for information and the exercise of data subject rights are most effectively handled directly with the service providers. Only they have access to user data and can take appropriate action and provide information directly. If you still need assistance, please feel free to contact us.
- Types of data processed: Contact information (e.g., mailing and email addresses or phone numbers); Content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation); Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved persons). Master data (e.g., full name, residential address, contact information, customer number, etc.).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing and legitimate interests: Communication; feedback (e.g., collecting feedback via an online form); public relations; marketing. Providing our online services and ensuring user-friendliness.
- Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
- Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR). Consent (Art. 6(1)(a) of the GDPR).
Further information on processing procedures, methods, and services:
- Instagram: Social network that allows users to share photos and videos, comment on and like posts, send messages, and follow profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF).
- Facebook Pages: Profiles within the Facebook social network – We are jointly responsible with Meta Platforms Ireland Limited for the collection and transmission of data from visitors to our Facebook page (“Fan Page”). This includes, in particular, information about user behavior (e.g., content viewed or interacted with, actions taken) as well as device information (e.g., IP address, operating system, browser type, language settings, cookie data). Further details can be found in Facebook’s Data Policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical analyses via the “Page Insights” service, which provide information on how people interact with our page and its content. This is based on an agreement with Facebook (“Information on Page Insights”: https://www.facebook.com/legal/terms/page_controller_addendum), which governs, among other things, security measures and the exercise of data subject rights. Further information can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Users may therefore direct requests for information or deletion directly to Facebook. Users’ rights (in particular the right to access, erasure, objection, and lodging a complaint with a supervisory authority) remain unaffected by this. Joint responsibility is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited is solely responsible for further processing, including any potential transfer to Meta Platforms Inc. in the U.S.; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
- Pinterest: Social network that allows users to share photos, comment on, favorite, and curate posts, send messages, and follow profiles; Service provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.pinterest.com. Privacy Policy: https://policy.pinterest.com/de/privacy-policy.
- TikTok: Social network that allows users to share photos and videos, comment on and like posts, send messages, and follow accounts; Service providers: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.tiktok.com; Privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Data processing agreement: Provided by the service provider.
- TikTok Business: A social network that allows users to share photos and videos, comment on and like posts, send messages, and follow accounts. We and TikTok are jointly responsible for the collection and transmission of event data, as well as for measuring and generating insights reports (statistics) for profile owners. This event data includes information about the types of content users view or interact with, or the actions they take, as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data) and details from users’ profiles, such as country or location. Privacy information regarding TikTok’s processing of user data can be found in TikTok’s Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. We have entered into a specific joint controller agreement with TikTok, which specifically outlines the security measures TikTok must adhere to and in which TikTok has agreed to fulfill data subject rights (i.e., users can, for example, submit requests for information or deletion directly to TikTok). Users’ rights (in particular the rights to access, erasure, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with TikTok. The joint controller agreement can be found in TikTok’s “Jurisdiction Specific Terms”: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms; Service providers: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.tiktok.com; Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. Basis for transfers to third countries: Standard Contractual Clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).
- YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Privacy policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF). Option to object (opt-out): https://myadcenter.google.com/personalizationoff.
Plug-ins, embedded features, and content
We incorporate functional and content elements into our online offering that are sourced from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos, or maps (hereinafter collectively referred to as “content”).
The integration always requires that the third-party providers of this content process the user’s IP address, as they would not be able to send the content to the user’s browser without it. The IP address is therefore necessary for the display of this content or these functions. We strive to use only content whose respective providers use the IP address solely for the purpose of delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags allow information, such as visitor traffic on the pages of this website, to be analyzed. The pseudonymous information may also be stored in cookies on the user’s device and may include, among other things, technical information about the browser and operating system, referring websites, time of visit, and other details regarding the use of our online offering, as well as being linked to such information from other sources.
Notes on Legal Bases: When we ask users for their consent to the use of third-party providers, the legal basis for data processing is their consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., our interest in providing efficient, cost-effective, and user-friendly services). In this context, we would also like to draw your attention to the information regarding the use of cookies in this Privacy Policy.
- Types of data processed: Usage data (e.g., page views and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved); Location data (information regarding the geographic position of a device or a person). Event data (Facebook) (“Event data” refers to information sent to the provider Meta—for example, via Meta pixels (whether through apps or other channels)—that relates to individuals or their actions. This data includes details such as website visits, interactions with content and features, app installations, and product purchases. Event data is processed for the purpose of creating target audiences for content and advertising messages (Custom Audiences). It is important to note that Event Data does not include actual content such as written comments, login information, or contact information such as names, email addresses, or phone numbers. "Event Data" is deleted by Meta after a maximum of two years, and the target audiences created from it are deleted when our Meta user accounts are deleted.).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing and legitimate interests: Providing our online services and ensuring user-friendliness. Profiles containing user-related information (creation of user profiles).
- Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion." Cookies may be stored for up to 2 years (Unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years.).
- Legal basis: Consent (Art. 6(1)(a) of the GDPR). Legitimate interests (Art. 6(1)(f) of the GDPR).
Further information on processing procedures, methods, and services:
- Facebook Plugins and Content: Facebook Social Plugins and Content – This may include, for example, content such as images, videos, or text, as well as buttons that allow users to share content from this website on Facebook. The list and appearance of Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/ - We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt (but not the further processing) of "Event Data" that Facebook collects via the Facebook Social Plugins (and content embedding features) running on our online service, or receives as part of a transfer, for the following purposes: a) Displaying content and advertising information that corresponds to users’ presumed interests; b) Delivering commercial and transaction-related messages (e.g., contacting users via Facebook Messenger); c) Improving ad delivery and personalizing features and content (e.g., improving the identification of which content or advertising information is presumed to correspond to users’ interests). We have entered into a special agreement with Facebook (“Addendum for Controllers,” https://www.facebook.com/legal/controller_addendum), which specifically regulates the security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to fulfill data subject rights (i.e., users can, for example, submit requests for information or deletion directly to Facebook).
Note: When Facebook provides us with metrics, analyses, and reports (which are aggregated, i.e., do not contain information about individual users and are anonymous to us), this processing does not take place under joint controllership but rather on the basis of a data processing agreement ("Data Processing Terms," https://www.facebook.com/legal/terms/dataprocessing), the "Data Security Terms" (https://www.facebook.com/legal/terms/data_security_terms), and, with regard to processing in the U.S., on the basis of standard contractual clauses ("Facebook-EU Data Transfer Addendum," https://www.facebook.com/legal/EU_data_transfer_addendum). Users’ rights (in particular the right to access, erasure, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF).
- Google Maps: We integrate maps from the "Google Maps" service provided by Google. The data processed may include, in particular, users' IP addresses and location data; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy. Basis for transfers to third countries: Data Privacy Framework (DPF).
- Font Awesome (fetched from the provider’s server): Retrieval of fonts (and icons) for the purpose of ensuring technically secure, maintenance-free, and efficient use of fonts and icons in terms of up-to-date content and loading times, their consistent display, and compliance with any applicable licensing restrictions. The font provider is provided with the user’s IP address so that the fonts can be made available in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) is transmitted, which is necessary for the provision of the fonts depending on the devices used and the technical environment; Service provider: Fonticons, Inc., 6 Porter Road, Apartment 3R, Cambridge, MA 02140, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://fontawesome.com/. Privacy policy: https://fontawesome.com/privacy.
- TikTok plugins and content: TikTok plugins and content—this may include, for example, content such as images, videos, or text, as well as buttons; Service Providers: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.tiktok.com. Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de.
- Adobe Fonts: Provision of fonts for integration into web and print designs; synchronization of fonts across devices; access to a library of licensed fonts for creative projects; management and organization of fonts within projects; Service provider: Adobe Systems Software Ireland, 4-6 Riverwalk Drive, Citywest Business Campus, Brownsbarn, Dublin 24, D24 DCW0, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.adobe.com/de/; Privacy Policy: https://www.adobe.com/de/privacy.html; Basis for transfers to third countries: Data Privacy Framework (DPF). Further information: https://www.adobe.com/de/privacy/policies/adobe-fonts.html.
Management, Organization, and Tools
We use services, platforms, and software from other providers (hereinafter referred to as "third-party providers") for the purposes of organizing, managing, planning, and delivering our services. When selecting third-party providers and their services, we comply with all applicable legal requirements.
In this context, personal data may be processed and stored on third-party servers. This may involve various types of data that we process in accordance with this Privacy Policy. Such data may include, in particular, users’ master data and contact information, as well as data relating to transactions, contracts, other processes, and their contents.
If, in the course of communication, business, or other relationships with us, users are directed to third-party providers or their software or platforms, those third-party providers may process usage data and metadata for security purposes, to optimize their services, or for marketing purposes. We therefore ask that you review the privacy policies of the respective third-party providers.
- Types of data processed: Content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation); usage data (e.g., page views and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Communication partners. Users (e.g., website visitors, users of online services).
- Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations. Office and organizational procedures.
- Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion."
- Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR).
Changes and Updates
We ask that you review the content of our Privacy Policy on a regular basis. We will update the Privacy Policy as soon as changes to our data processing activities make this necessary. We will notify you as soon as the changes require action on your part (e.g., consent) or any other individual notification.
Please note that any addresses and contact information for companies and organizations provided in this Privacy Policy may change over time; we ask that you verify this information before contacting them.
Definitions of Terms
This section provides an overview of the terms used in this Privacy Policy. Where these terms are defined by law, their legal definitions apply. The explanations below are intended primarily to aid understanding.
- A/B Testing: A/B testing is used to improve the usability and performance of online offerings. In this process, users are shown, for example, different versions of a website or its elements—such as input forms—in which the placement of content or the labels of navigation elements may differ. Subsequently, based on user behavior—such as spending more time on the website or interacting more frequently with the elements—it can be determined which of these websites or elements better meet the users’ needs.
- Master data: Master data comprises essential information required for the identification and management of contractual partners, user accounts, profiles, and similar assignments. This data may include, among other things, personal and demographic information such as names, contact information (addresses, phone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Master data forms the basis for any formal interaction between individuals and services, institutions, or systems by enabling unique mapping and communication.
- Content Delivery Network (CDN): A "Content Delivery Network" (CDN) is a service that enables the content of a website—particularly large media files such as graphics or program scripts—to be delivered more quickly and securely using servers distributed across different regions and connected via the Internet.
- Heatmaps: "Heatmaps" are visualizations of users' mouse movements that are compiled into an overall picture, which can be used, for example, to identify which website elements users prefer to interact with and which ones they interact with less frequently.
- Content data: Content data encompasses information generated during the creation, editing, and publication of all types of content. This category of data may include text, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the actual content itself, but also includes metadata that provides information about the content, such as tags, descriptions, author information, and publication dates.
- Click tracking: Click tracking allows us to monitor users’ movements across an entire website. Since the results of these tests are more accurate when user interactions can be tracked over a certain period of time (e.g., to determine whether a user is likely to return), cookies are typically stored on users’ computers for these testing purposes.
- Contact information: Contact information is essential data that enables communication with individuals or organizations. It includes, among other things, phone numbers, mailing addresses, and email addresses, as well as communication channels such as social media handles and instant messaging identifiers.
- Conversion tracking: Conversion tracking (also known as "visit-action analysis") is a method used to determine the effectiveness of marketing campaigns. To do this, a cookie is typically stored on users' devices within the websites where the marketing campaigns are running and then retrieved again on the destination website. For example, this allows us to track whether the ads we placed on other websites were successful.
- Artificial Intelligence (AI): The purpose of processing data using artificial intelligence (AI) includes the automated analysis and processing of user data to identify patterns, make predictions, and improve the efficiency and quality of our services. This includes the collection, cleaning, and structuring of data, the training and application of AI models, as well as the continuous review and optimization of results, and is carried out exclusively with the users’ consent or on the basis of legal authorization.
- Meta, communication, and operational data: Meta, communication, and operational data are categories that contain information about how data is processed, transmitted, and managed. Metadata, also known as data about data, includes information that describes the context, origin, and structure of other data. It may include details on file size, creation date, the author of a document, and change histories. Communication data captures the exchange of information between users via various channels, such as email correspondence, call logs, social media messages, and chat histories, including the individuals involved, timestamps, and transmission methods. Operational data describes the processes and procedures within systems or organizations, including workflow documentation, transaction and activity logs, as well as audit logs used to track and verify operations.
- Usage data: Usage data refers to information that tracks how users interact with digital products, services, or platforms. This data encompasses a wide range of information that reveals how users utilize applications, which features they prefer, how long they stay on specific pages, and the paths they take when navigating through an application. Usage data may also include frequency of use, timestamps of activities, IP addresses, device information, and location data. It is particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. Furthermore, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.
- Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie) or one or more specific characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Profiles containing user-related information: The processing of "profiles containing user-related information," or "profiles" for short, encompasses any form of automated processing of personal data that involves using such personal data to analyze or evaluate certain personal aspects relating to a natural person (depending on the type of profiling, this may include various information regarding demographics, behavior, and interests, such as interaction with websites and their content, etc.), or to predict them (e.g., interests in specific content or products, click behavior on a website, or location). Cookies and web beacons are frequently used for profiling purposes.
- Log data: Log data refers to information about events or activities that have been recorded in a system or network. This data typically includes information such as timestamps, IP addresses, user actions, error messages, and other details regarding the use or operation of a system. Log data is often used to analyze system issues, monitor security, or generate performance reports.
- Audience measurement: Audience measurement (also known as web analytics) is used to analyze visitor traffic to an online service and may include the behavior or interests of visitors regarding specific information, such as website content. With the help of audience measurement, operators of online services can, for example, determine at what times users visit their websites and what content they are interested in. This allows them, for example, to better tailor the content of their websites to the needs of their visitors. For the purposes of audience measurement, pseudonymous cookies and web beacons are frequently used to identify returning visitors and thus obtain more accurate analyses of the use of an online offering.
- Remarketing: The terms "remarketing" or "retargeting" refer to the practice of tracking which products a user has viewed on a website—for example, for advertising purposes—in order to remind the user of those products on other websites, such as through advertisements.
- Location data: Location data is generated when a mobile device (or another device capable of determining its location) connects to a cellular network, a Wi-Fi network, or similar technical means and functions for determining location. Location data is used to indicate the specific geographic location of the device on Earth. Location data can be used, for example, to display map features or other location-based information.
- Tracking: The term "tracking" refers to the ability to track users' behavior across multiple online services. Typically, information about behavior and interests related to the online services used is stored in cookies or on the servers of the providers of tracking technologies (so-called profiling). This information can then be used, for example, to display advertisements to users that are likely to match their interests.
- Controller: A "controller" means the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processing: "Processing" means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and encompasses virtually any interaction with data, including collection, analysis, storage, transmission, or deletion.
- Contract data: Contract data refers to specific information related to the formalization of an agreement between two or more parties. It documents the terms under which services or products are provided, exchanged, or sold. This data category is essential for managing and fulfilling contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include the start and end dates of the contract, the nature of the agreed-upon services or products, pricing agreements, payment terms, termination rights, renewal options, and special terms or clauses. It serves as the legal basis for the relationship between the parties and is crucial for clarifying rights and obligations, enforcing claims, and resolving disputes.
- Payment data: Payment data includes all information required to process payment transactions between buyers and sellers. This data is critical for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank account information, payment amounts, transaction dates, verification codes, and billing information. Payment data may also include information regarding payment status, chargebacks, authorizations, and fees.
- Target audience creation: The term "target audience creation" (also known as "Custom Audiences") refers to the process of defining target audiences for advertising purposes, such as displaying ads. For example, based on a user’s interest in certain products or topics online, it can be inferred that this user is interested in ads for similar products or the online store where they viewed those products. The term "Lookalike Audiences" (or similar target groups) is used when content deemed suitable is displayed to users whose profiles or interests are presumed to match those of the users whose profiles were used to create the audience. Cookies and web beacons are typically used for the purpose of creating Custom Audiences and Lookalike Audiences.




