Privacy Policy

In the following, we inform you about the collection of personal data when using our website https://peopleix.com as well as our social media profiles. Personal data refers to any data that can be related to a specific natural person, such as their name or IP address. On this page, I would like to inform you about how your data is processed. Let's talk about a few legal matters.

Designation of the Responsible Party

The responsible party for data processing on this website is: Nick Stodt/Georg Schaal, peopleIX GmbH, Spichernstrasse 2, 50672 Cologne, Germany Email: contact@peopleix.com

The responsible party decides alone or jointly with others about the purposes and means of processing personal data (e.g. names, contact details, etc.).

Revocation of Your Consent to Data Processing

Some data processing operations are only possible with your explicit consent. You may revoke any consent you have already given at any time. An informal notification by email is sufficient for revocation. The lawfulness of the data processing carried out up to the point of revocation remains unaffected by the revocation.

Right to Lodge a Complaint with the Competent Supervisory Authority

As a data subject, you have the right to lodge a complaint with the competent supervisory authority in the event of a data protection violation. The competent supervisory authority for data protection matters is the data protection commissioner of the federal state in which our company is headquartered. The following link provides a list of data protection officers and their contact details: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

Right to Data Portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a machine-readable format. If you require the direct transfer of data to another responsible party, this will only be done to the extent that it is technically feasible.

Right to Information, Correction, Blocking, Deletion

You have the right at any time, within the framework of the applicable legal provisions, to obtain free information about your stored personal data, the origin of the data, its recipients, and the purpose of the data processing, and if applicable, a right to correction, blocking, or deletion of this data. For this purpose, and also for further questions on the subject of personal data, you can contact us at any time using the contact options listed in the imprint.

SSL/TLS Encryption

For security reasons and to protect the transmission of confidential content that you send to us as the site operator, our website uses SSL or TLS encryption. This means that data you transmit via this website cannot be read by third parties. You can recognize an encrypted connection by the "https://" address line in your browser and by the lock symbol in the browser bar.

Server Log Files

The website provider automatically collects and stores information in server log files that your browser automatically transmits to us. These are:

Page visited on our domain
Date and time of the server request
Browser type and browser version
Operating system used
Referrer URL
Hostname of the accessing computer
IP address

This data is not merged with other data sources. The basis for data processing is Art. 6(1)(b) GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures.

Applicable Legal Bases

Applicable legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. Should more specific legal bases also be relevant in individual cases, we will inform you of these in the privacy policy.

Consent (Art. 6(1)(a) GDPR) – The data subject has given their consent to the processing of personal data concerning them for one or more specific purposes.
Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject requiring the protection of personal data do not override those interests.
Application procedures as pre-contractual or contractual relationships (Art. 6(1)(b) GDPR) – To the extent that special categories of personal data within the meaning of Art. 9(1) GDPR (e.g. health data, such as severely disabled status or ethnic origin) are requested from applicants during the application process, so that the controller or the data subject can exercise their rights and fulfill their obligations arising from labor law and the law on social security and social protection, their processing shall be carried out in accordance with Art. 9(2)(b) GDPR; in the case of protecting the vital interests of applicants or other persons pursuant to Art. 9(2)(c) GDPR; or for purposes of preventive health care or occupational medicine, assessment of the employee's work capacity, medical diagnosis, care or treatment in the health or social sector, or the management of systems and services in the health or social sector pursuant to Art. 9(2)(h) GDPR. In the case of notification of special categories of data based on voluntary consent, their processing shall be carried out on the basis of Art. 9(2)(a) GDPR.
Processing of special categories of personal data in relation to healthcare, profession, and social security (Art. 9(2)(h) GDPR) – Processing is necessary for the purposes of preventive health care or occupational medicine, assessment of the employee's work capacity, medical diagnosis, care or treatment in the health or social sector, or the management of systems and services in the health or social sector, on the basis of Union or Member State law or pursuant to a contract with a health professional.

National Data Protection Regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include in particular the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains in particular special provisions on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission, as well as automated decision-making in individual cases including profiling. Furthermore, state data protection laws of the individual federal states may apply.

Note on the Applicability of the GDPR and the Swiss DPA: These data protection notices serve both to provide information pursuant to the Swiss DPA and pursuant to the General Data Protection Regulation (GDPR). For this reason, please note that the terms of the GDPR are used due to their broader spatial applicability and comprehensibility. In particular, instead of the terms "processing" of "personal data," "overriding interest," and "sensitive personal data" used in the Swiss DPA, the terms "processing" of "personal data," "legitimate interest," and "special categories of data" as used in the GDPR are employed. However, the legal meaning of the terms shall continue to be determined in accordance with the Swiss DPA where the Swiss DPA applies.

Security Measures

In accordance with legal requirements, and taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input of, disclosure of, assurance of availability of, and separation of such data. Furthermore, we have established procedures that ensure the exercise of data subjects' rights, the deletion of data, and responses to data threats. We also take the protection of personal data into account from the outset when developing or selecting hardware, software, and processes, in accordance with the principle of data protection by design and by default.

Securing online connections through TLS/SSL encryption technology (HTTPS): To protect the data of users transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL, serving as an indicator to users that their data is being transmitted securely and in encrypted form.

International Data Transfers

Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if processing takes place in the context of using third-party services or disclosing or transferring data to other persons, entities, or companies, this is done only in accordance with legal requirements. If the level of data protection in the third country has been recognized by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers only take place if the level of data protection is otherwise ensured, in particular through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or in the case of contractually or legally required transmission (Art. 49(1) GDPR). In addition, we will inform you of the basis for third-country transfers for individual providers from third countries, with adequacy decisions taking precedence as the basis. Information on third-country transfers and existing adequacy decisions can be found in the EU Commission's information portal: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

EU-US Trans-Atlantic Data Privacy Framework: Within the framework of the so-called "Data Privacy Framework" (DPF), the EU Commission has also recognized the level of data protection for certain companies from the USA as adequate under the adequacy decision of July 10, 2023. The list of certified companies, as well as further information on the DPF, can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). We will inform you in our privacy notices which service providers we use that are certified under the Data Privacy Framework.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal requirements as soon as the underlying consent is revoked or no further legal basis for processing exists. This applies to cases where the original purpose of processing no longer applies or the data is no longer needed. Exceptions to this rule exist where legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for the pursuit of legal claims or the protection of the rights of other natural or legal persons, must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that applies specifically to certain processing operations.

Where multiple periods for the retention or deletion of a data item are specified, the longest period shall always apply.

If a period does not expressly begin on a specific date and is at least one year in length, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships within which data is stored, the triggering event is the time at which the termination or other ending of the legal relationship takes effect.

Data that is no longer retained for its originally intended purpose but is retained due to legal requirements or other reasons is processed exclusively for the reasons that justify its retention.

Further information on processing operations, procedures, and services:

Retention and deletion of data: The following general retention and archiving periods apply under German law:

10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the operating instructions and other organizational documents required for their understanding, accounting documents, and invoices (§ 147(3) in conjunction with (1) nos. 1, 4, and 4a AO; § 14b(1) UStG; § 257(1) nos. 1 and 4, (4) HGB).
6 years – Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents insofar as they are relevant for taxation purposes, e.g. hourly pay slips, internal cost accounting sheets, calculation documents, price lists, as well as payroll documents insofar as they are not already accounting documents and cash register receipts (§ 147(3) in conjunction with (1) nos. 2, 3, 5 AO; § 257(1) nos. 2 and 3, (4) HGB).
3 years – Data required to take into account potential warranty and damages claims or similar contractual claims and rights, and to handle related inquiries, based on past business experience and standard industry practices, is retained for the duration of the standard statutory limitation period of three years (§§ 195, 199 BGB).

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, arising in particular from Articles 15 to 21 GDPR:

Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
Right to withdraw consent: You have the right to withdraw consent you have given at any time.
Right of access: You have the right to request confirmation as to whether relevant data is being processed, and to receive information about such data as well as further details and a copy of the data in accordance with legal requirements.
Right to rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the correction of inaccurate data concerning you.
Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request that data concerning you be deleted without undue delay, or alternatively, in accordance with legal requirements, to request restriction of the processing of the data.
Right to data portability: You have the right to receive data concerning you that you have provided to us, in a structured, commonly used, and machine-readable format in accordance with legal requirements, or to request its transmission to another controller.
Complaint to a supervisory authority: In accordance with legal requirements, and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you habitually reside, your place of work, or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates the GDPR.

Business Services

We process data of our contractual and business partners, e.g. customers and prospective customers (collectively referred to as "contractual partners"), within the framework of contractual and comparable legal relationships and related measures, and in connection with communication with contractual partners (or pre-contractually), e.g. to respond to inquiries.

We use this data to fulfill our contractual obligations. This includes in particular the obligations to provide the agreed services, any update obligations, and remedying warranty and other service disruptions. In addition, we use the data to protect our rights and for the administrative tasks associated with these obligations as well as corporate organization. We also process data on the basis of our legitimate interests in proper and commercially sound business management, as well as in security measures to protect our contractual partners and our business operations against misuse, threats to their data, secrets, information, and rights (e.g. involving telecommunications, transport, and other auxiliary services and subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Within the framework of applicable law, we only share the data of contractual partners with third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about further forms of processing, such as for marketing purposes, within the scope of this privacy policy.

We will inform contractual partners of what data is required for the aforementioned purposes before or during data collection, e.g. in online forms, through special marking (e.g. colors) or symbols (e.g. asterisks), or in person.

We delete the data after the expiry of statutory warranty and comparable obligations, i.e. generally after four years, unless the data is stored in a customer account, e.g. as long as it must be retained for legal archiving reasons (such as ten years for tax purposes as a general rule). Data disclosed to us by the contractual partner in the context of an order is deleted in accordance with the applicable requirements and generally after the end of the order.

Data subjects: Recipients of services and clients; prospective customers; business and contractual partners.

Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; communication; office and organizational procedures; organizational and administrative procedures; business processes and operational procedures.

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."

Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

Provision of software and platform services: We process the data of our users, registered users, and any trial users (hereinafter collectively referred to as "users") in order to provide them with our contractual services, and on the basis of legitimate interests, in order to ensure the security of our offering and to further develop it. The required information is identified as such within the scope of the order, purchase, or comparable contract conclusion, and includes the information required for service provision and billing as well as contact information to allow for any necessary follow-up inquiries. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Business Processes and Procedures

Personal data of recipients of services and clients — including customers, clients, or in special cases mandates, patients, or business partners, as well as other third parties — is processed within the framework of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates operational business workflows in areas such as customer management, sales, payment transactions, accounting, and project management.

The collected data serves to fulfill contractual obligations and to organize operational processes efficiently. This includes the handling of business transactions, the management of customer relationships, the optimization of sales strategies, and the assurance of internal accounting and financial processes. In addition, the data supports the protection of the controller's rights and promotes administrative tasks as well as the organization of the company.

Personal data may be shared with third parties to the extent necessary to fulfill the aforementioned purposes or legal obligations. After the expiry of statutory retention periods or when the purpose of processing no longer applies, the data is deleted. This also includes data that must be retained for longer periods due to tax law and statutory documentation requirements.

Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts, as well as related information such as details of authorship or time of creation); contract data (e.g. subject matter of the contract, duration, customer category); usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); log data (e.g. log files relating to logins or the retrieval of data or access times).

Data subjects: Recipients of services and clients; prospective customers; communication partners; business and contractual partners; customers.

Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; business processes and operational procedures; security measures; provision of our online offering and user-friendliness; communication.

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."

Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

Customer management and Customer Relationship Management (CRM): Procedures required in the context of customer management and CRM (e.g. customer acquisition in compliance with data protection requirements, measures to promote customer retention and loyalty, effective customer communication, complaints management and customer service with consideration of data protection, data management and analysis to support the customer relationship, administration of CRM systems, secure account management, customer segmentation and target group formation). Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Customer account: Customers may create an account within our online offering (e.g. a customer or user account, referred to as a "customer account"). If the registration of a customer account is required, customers will be informed of this as well as the information required for registration. Customer accounts are not public and cannot be indexed by search engines. During registration as well as subsequent logins and use of the customer account, we store the IP addresses of customers along with the access times, in order to be able to prove registration and to prevent potential misuse of the customer account. If the customer account is terminated, the data of the customer account will be deleted after the date of termination, unless it is retained for purposes other than providing the customer account, or must be retained for legal reasons (e.g. internal storage of customer data, order processes, or invoices). It is the responsibility of customers to back up their data upon termination of the customer account. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Business analysis and market research: For the fulfillment of business purposes and to identify market trends and the wishes of contractual partners and users, the available data on business transactions, contracts, inquiries, etc. is analyzed. The group of data subjects may include contractual partners, prospective customers, customers, visitors, and users of the controller's online offering. The analyses serve the purposes of business evaluation, marketing, and market research (e.g. to determine customer groups with different characteristics). Where available, profiles of registered users, including their details of services used, are taken into account. The analyses are for the exclusive use of the controller and are not disclosed externally, unless they are anonymous analyses with aggregated, i.e. anonymized, values. In addition, the privacy of users is respected; the data is processed for analysis purposes in as pseudonymized a form as possible and, where feasible, anonymized (e.g. as aggregated data). Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Provision of the Online Offering and Web Hosting

We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or end device.

Data subjects: Users (e.g. website visitors, users of online services); business and contractual partners.

Purposes of processing: Provision of our online offering and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures; office and organizational procedures.

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

Provision of the online offering on rented storage space: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also called a "web host"). Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files." Server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and in general IP addresses and the requesting provider. Server log files may be used on the one hand for security purposes, e.g. to avoid server overload (in particular in the case of abusive attacks, so-called DDoS attacks), and on the other hand to ensure server utilization and stability. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is necessary for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.

Webflow: Creation, management, and hosting of websites, online forms, and other web elements. Service provider: Webflow, Inc., 398 11th St., Floor 2, 94103 San Francisco, USA. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://webflow.com. Privacy policy: https://webflow.com/legal/eu-privacy-policy. Data processing agreement: https://webflow.com/legal/dpa. Basis for third-country transfers: Data Privacy Framework (DPF).

GoDaddy: Services in the area of providing IT infrastructure and related services (e.g. storage space and/or computing capacity). Service provider: GoDaddy., Pilgrimstr. 6, c/o WeWork Wallarkaden, D-50674 Cologne. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.godaddy.com. Privacy policy: https://www.godaddy.com/de/legal/agreements/privacy-policy. Data processing agreement: https://www.godaddy.com/de/legal/agreements/.

Google: Services in the area of providing IT infrastructure and related services (e.g. storage space and/or computing capacity). Service provider: Google.de, Google Ireland Limited, Gordon House, Borrow Street Dublin 4, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.google.de. Privacy policy: https://cloud.google.com/terms/data-processing-addendum?hl=de.

Use of Cookies

Cookies are small text files or other storage entries that store and read information on end devices — for example, to save a login status in a user account, the contents of a shopping cart in an online shop, the content accessed, or functions used in an online offering. Cookies may also be used for various purposes, such as for the functionality, security, and convenience of online offerings, as well as for the creation of analyses of visitor flows.

Notes on consent: We use cookies in accordance with legal requirements. We therefore obtain prior consent from users unless it is not required by law. Consent is not required in particular if the storage and reading of information, including cookies, is strictly necessary in order to provide users with a telemedia service they have expressly requested (i.e. our online offering). The revocable consent is communicated clearly to users and includes information on the respective cookie use.

Notes on legal bases under data protection law: The legal basis on which we process users' personal data using cookies depends on whether we ask for consent. If users consent, the legal basis for processing their data is the declared consent. Otherwise, the data processed using cookies is processed on the basis of our legitimate interests (e.g. in the commercially sound operation of our online offering and the improvement of its usability), or, if this takes place within the framework of fulfilling our contractual obligations, when the use of cookies is necessary to comply with our contractual obligations. We will explain the purposes for which we use cookies in the course of this privacy policy or within our consent and processing procedures.

Storage duration: With regard to storage duration, the following types of cookies are distinguished:

Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offering and closed their end device (e.g. browser or mobile application).
Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved and preferred content displayed directly when the user visits a website again. Likewise, user data collected using cookies can be used for reach measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g. when obtaining consent), they should assume that cookies are permanent and that the storage duration may be up to two years.

General notes on revocation and objection (opt-out): Users may revoke the consents they have given at any time and also object to processing in accordance with legal requirements, including via their browser's privacy settings.

Cookie settings/opt-out option: See bottom left ⚙️

Types of data processed: Meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).

Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing: Provision of our online offering and user-friendliness.

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); consent (Art. 6(1)(a) GDPR).

Further information on processing operations, procedures, and services:

Processing of cookie data on the basis of consent: We use a consent management solution through which users' consent to the use of cookies or to the procedures and providers mentioned within the consent management solution is obtained. This procedure is used to obtain, log, manage, and revoke consent, in particular with regard to the use of cookies and comparable technologies that are used to store, read, and process information on users' end devices. As part of this procedure, users' consent is obtained for the use of cookies and the associated processing of information, including the specific processing operations and providers mentioned in the consent management procedure. Users also have the option to manage and revoke their consents. Consent declarations are stored in order to avoid repeated requests and to be able to provide evidence of consent in accordance with legal requirements. Storage is carried out server-side and/or in a cookie (a so-called opt-in cookie) or by means of comparable technologies, in order to be able to assign consent to a specific user or their device. Unless specific information is provided on the providers of consent management services, the following general notes apply: The consent storage duration is up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, the details of the scope of consent (e.g. relevant categories of cookies and/or service providers), and information about the browser, system, and end device used. Legal bases: Consent (Art. 6(1)(a) GDPR).

Cookie opt-out: In the footer of our website, you will find a link through which you can change your cookie settings and revoke the corresponding consents. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

CookieBot: Consent Management Platform. Service provider: Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark. Website: https://www.cookiebot.com. Privacy policy: https://www.cookiebot.com/en/privacy-policy/.

Special Notes on Applications (Apps)

We process the data of users of our application to the extent necessary to provide users with the application and its functionalities, to monitor its security, and to further develop it. We may also contact users in compliance with legal requirements if communication is necessary for the administration or use of the application. Otherwise, with regard to the processing of users' data, we refer to the privacy notices in this privacy policy.

Legal bases: The processing of data required to provide the functionalities of the application serves the fulfillment of contractual obligations. This also applies when the provision of functions requires authorization from users (e.g. granting access to device functions). If the processing of data is not necessary for the provision of the application's functionalities but serves the security of the application or our business interests (e.g. collection of data for the purpose of optimizing the application or for security purposes), it is carried out on the basis of our legitimate interests. If users are expressly asked for their consent to the processing of their data, the processing of the data covered by the consent is carried out on the basis of that consent.

Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); payment data (e.g. bank details, invoices, payment history); contract data (e.g. subject matter of the contract, duration, customer category).

Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; provision of our online offering and user-friendliness.

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."

Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

Commercial use: We process the data of users of our application, registered users, and any trial users (hereinafter collectively referred to as "users") in order to provide them with our contractual services, and on the basis of legitimate interests, in order to ensure the security of our application and to further develop it. The required information is identified as such within the scope of the usage, order, purchase, or comparable contract conclusion, and may include the information required for service provision and any billing, as well as contact information to allow for any necessary follow-up inquiries. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Device permissions for access to functions and data: The use of our application or its functionalities may require users to grant permissions to access certain functions of the devices used or to data stored on or accessible via the devices. By default, these permissions must be granted by users and can be revoked at any time in the settings of the respective device. The exact procedure for controlling app permissions may depend on the user's device and software. If users require clarification, they are welcome to contact us. We point out that the refusal or revocation of the respective permissions may affect the functionality of our application.

Processing of stored contacts: In the context of using our application, contact information of persons stored in the device's contact directory (name, email address, telephone number) is processed. The use of contact information requires user authorization, which can be revoked at any time. The use of contact information serves solely the provision of the respective functionality of our application, in accordance with its description to users or its typical and expected mode of operation. Users are advised that permission to process contact information must be granted, and in particular, in the case of natural persons, their consent or a legal authorization is required.

Use of contact data for contact matching purposes: The data of contacts stored in the device's contact directory may be used to check whether those contacts also use our application. For this purpose, the contact data of the respective contacts (including telephone number, email address, and names) is uploaded to our server and used solely for the purpose of matching.

Registration, Login, and User Account

Users may create a user account. During registration, users are informed of the required mandatory details, which are processed for the purpose of providing the user account on the basis of contractual obligation fulfillment. The data processed includes in particular login information (username, password, and an email address).

In the context of using our registration and login functions as well as the use of the user account, we store the IP address and the time of each user action. Storage is carried out on the basis of our legitimate interests as well as those of users in protection against misuse and other unauthorized use. This data is generally not shared with third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.

Users may be informed by email about events relevant to their user account, such as technical changes.

Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts, as well as related information such as details of authorship or time of creation); usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); log data (e.g. log files relating to logins or the retrieval of data or access times).

Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; organizational and administrative procedures; provision of our online offering and user-friendliness.

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion." Deletion upon termination.

Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

Registration with real names: Due to the nature of our community, we ask users to use our offering only under their real names. This means the use of pseudonyms is not permitted. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).

User profiles are not public: User profiles are not publicly visible or accessible.

Two-factor authentication: Two-factor authentication provides an additional layer of security for your user account and ensures that only you can access your account, even if someone else knows your password. For this purpose, in addition to your password, you must complete a further authentication step (e.g. entering a code sent to a mobile device). We will inform you of the procedure we use. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Deletion of data upon termination: When users have terminated their user account, their data relating to the user account will be deleted, subject to legal permission, obligation, or consent from users. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).

No obligation to retain data: It is the responsibility of users to back up their data upon termination before the end of the contract. We are entitled to permanently delete all data of the user stored during the contract period. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Single Sign-On Login

"Single sign-on" or "single sign-on login/authentication" refers to procedures that allow users to log in to our online offering using a user account held with a single sign-on provider (e.g. a social network). The prerequisite for single sign-on authentication is that users are registered with the respective single sign-on provider and enter the required access credentials in the designated online form, or are already logged in with the single sign-on provider and confirm the single sign-on login via a button.

Authentication takes place directly with the respective single sign-on provider. In the course of such authentication, we receive a user ID along with the information that the user is logged in under that user ID with the respective single sign-on provider, as well as an ID that cannot be used by us for any other purposes (a so-called "user handle"). Whether additional data is transmitted to us depends solely on the single sign-on procedure used, the data sharing choices made during authentication, and on what data users have shared in the privacy or other settings of their user account with the single sign-on provider. Depending on the single sign-on provider and the user's choices, this may vary, but typically includes the email address and username. The password entered with the single sign-on provider during the single sign-on process is neither visible to us nor stored by us.

Users are asked to note that the information stored with us can be automatically synchronized with their user account at the single sign-on provider, although this is not always possible or actually carried out. If, for example, users' email addresses change, they must update these manually in their user account with us.

We may use single sign-on login, where agreed with users, in the context of or prior to the fulfillment of a contract, to the extent users have been asked to do so, process it within the scope of consent, and otherwise use it on the basis of our legitimate interests and users' interests in an effective and secure login system.

Should users decide that they no longer wish to use the link to their user account with the single sign-on provider for the single sign-on procedure, they must remove this connection within their user account with the single sign-on provider. If users wish to delete their data with us, they must cancel their registration with us.

Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).

Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; login procedures; provision of our online offering and user-friendliness.

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion." Deletion upon termination.

Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

Auth0: Authentication services for user logins, provision of single sign-on functions, management of identity information, and application integrations. Service provider: Auth0, Inc., 10800 NE 8th Street, Suite 700, Bellevue, WA 98004, USA. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://auth0.com/. Privacy policy: https://www.okta.com/privacy-policy/. Basis for third-country transfers: Data Privacy Framework (DPF).

Microsoft Cloud Services: Cloud storage, cloud infrastructure services, and cloud-based application software. Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://microsoft.com/de-de. Privacy policy: https://privacy.microsoft.com/de-de/privacystatement. Security notices: https://www.microsoft.com/de-de/trustcenter. Data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for third-country transfers: Data Privacy Framework (DPF).

Blogs and Publication Media

We use blogs or comparable means of online communication and publication (hereinafter "publication medium"). The data of readers is processed for the purposes of the publication medium only to the extent necessary for its presentation and for communication between authors and readers, or for security reasons. Otherwise, we refer to the information on the processing of visitors to our publication medium within the scope of these privacy notices.

Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts, as well as related information such as details of authorship or time of creation); usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).

Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing: Feedback (e.g. collecting feedback via online form); provision of our online offering and user-friendliness.

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Contact and Inquiry Management

When contacting us (e.g. by post, contact form, email, telephone, or via social media), as well as within the framework of existing user and business relationships, the information provided by the inquiring persons is processed to the extent necessary to respond to the contact inquiries and any requested measures.

Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts, as well as related information such as details of authorship or time of creation); usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).

Data subjects: Communication partners.

Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g. collecting feedback via online form); provision of our online offering and user-friendliness.

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Further information on processing operations, procedures, and services:

Contact form: When contacting us via our contact form, by email, or through other communication channels, we process the personal data transmitted to us in order to respond to and handle the respective request. This generally includes details such as name, contact information, and where applicable, further information communicated to us that is required for appropriate handling. We use this data exclusively for the stated purpose of making contact and communication. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Attio: Customer management and process and sales support with personalized customer care using multi-channel communication, i.e. management of customer inquiries from various channels, as well as analysis and feedback functions. Service provider: Attio Limited, Exmouth House Unit 120, 3-11 Pine Street, London, EC1R 0JH, United Kingdom. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.attio.com. Privacy policy: https://attio.com/legal/privacy. Data processing agreement: https://attio.com/legal/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).

Video Conferences, Online Meetings, Webinars, and Screen Sharing

We use platforms and applications from third-party providers (hereinafter referred to as "conference platforms") for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings (hereinafter collectively referred to as "conferences"). When selecting conference platforms and their services, we comply with applicable legal requirements.

Data processed by conference platforms: In the context of participating in a conference, the conference platforms process the personal data of participants listed below. The scope of processing depends on the one hand on what data is required for a specific conference (e.g. providing access credentials or real names) and on the optional information provided by participants. In addition to processing for the purpose of conducting the conference, participant data may also be processed by the conference platforms for security purposes or service optimization. The data processed includes personal data (first name, last name), contact information (email address, telephone number), access data (access codes or passwords), profile pictures, details of professional position/role, the IP address of the internet connection, details of participants' end devices, their operating system, browser and its technical and language settings, information about the content of communications, i.e. inputs in chats as well as audio and video data, and the use of other available functions (e.g. surveys). The content of communications is encrypted to the extent technically provided by the conference providers. If participants are registered as users with the conference platforms, further data may be processed in accordance with the agreement with the respective conference provider.

Recording and logging: If text inputs, participation results (e.g. from surveys), and video or audio recordings are logged, participants will be informed of this in advance in a transparent manner and, where required, asked for their consent.

Privacy measures for participants: Please refer to the privacy notices of the conference platforms for details on the processing of your data by those platforms, and select the security and privacy settings that are optimal for you within the settings of the conference platforms. Furthermore, please ensure the protection of data and privacy in the background of your recording for the duration of a video conference (e.g. by informing housemates, locking doors, and using the background blurring function where technically possible). Links to conference rooms and access credentials must not be shared with unauthorized third parties.

Notes on legal bases: If, in addition to the conference platforms, we also process users' data and ask users for their consent to the use of the conference platforms or certain functions (e.g. consent to the recording of conferences), the legal basis for processing is this consent. Furthermore, our processing may be necessary for the fulfillment of our contractual obligations (e.g. in participant lists, in the case of processing discussion outcomes, etc.). Otherwise, users' data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts, as well as related information such as details of authorship or time of creation); usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); image and/or video recordings (e.g. photographs or video recordings of a person); audio recordings; log data (e.g. log files relating to logins or the retrieval of data or access times).

Data subjects: Communication partners; users (e.g. website visitors, users of online services); persons depicted.

Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; communication; office and organizational procedures.

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

Google Hangouts / Meet: Conference and communication software. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://hangouts.google.com/. Privacy policy: https://policies.google.com/privacy. Data processing agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for third-country transfers: Data Privacy Framework (DPF).

Microsoft Teams: Audio and video conferencing, chat, file sharing, integration with Office 365 applications, real-time collaboration on documents, calendar functions, task management, screen sharing, optional recording. Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.microsoft.com/de-de/microsoft-365. Privacy policy: https://privacy.microsoft.com/de-de/privacystatement. Security notices: https://www.microsoft.com/de-de/trustcenter. Basis for third-country transfers: Data Privacy Framework (DPF).

Zoom: Conference and communication software. Service provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://zoom.us. Privacy policy: https://explore.zoom.us/docs/de-de/privacy-and-legal.html. Data processing agreement: https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA). Basis for third-country transfers: Data Privacy Framework (DPF).

Cloud Services

We use software services accessible via the internet and run on the servers of their providers (so-called "cloud services," also referred to as "Software as a Service") for the storage and management of content (e.g. document storage and management, exchange of documents, content, and information with specific recipients, or publication of content and information).

In this context, personal data may be processed and stored on the providers' servers to the extent that it forms part of communication processes with us or is otherwise processed by us as set out in this privacy policy. Such data may include in particular master data and contact data of users, data relating to transactions, contracts, other processes and their contents. The providers of cloud services also process usage data and metadata, which they use for security purposes and service optimization.

If we use cloud services to provide forms or other documents and content for other users or publicly accessible websites, the providers may store cookies on users' devices for web analytics purposes or to remember users' settings (e.g. in the case of media controls).

Data subjects: Prospective customers; communication partners; business and contractual partners; users (e.g. website visitors, users of online services).

Purposes of processing: Office and organizational procedures; IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

Google Workspace: Cloud-based application software (e.g. word processing, spreadsheet editing, calendar and contact management), cloud storage and cloud infrastructure services. Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://workspace.google.com/. Privacy policy: https://policies.google.com/privacy. Data processing agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for third-country transfers: Data Privacy Framework (DPF). Further information: https://cloud.google.com/privacy.

Notion: Platform for documentation, project management, and internal collaboration. Processing includes in particular the storage and management of texts, files, and communication content within the scope of organizational and administrative processes. Service provider: Notion Labs, Inc., 2300 Harrison Street, San Francisco, CA 94110, USA. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests in efficient internal communication and documentation (Art. 6(1)(f) GDPR). Data transfer to third countries: A transfer to the USA takes place. The data transfer is carried out on the basis of the EU-US Data Privacy Framework certification pursuant to Art. 45 GDPR. Further information: https://www.notion.so/privacy.

n8n: Automation and integration platform for linking various systems (e.g. CRM, databases, communication or marketing tools) and for the automated processing of internal workflows. Processing includes in particular the transmission, structuring, and synchronization of data between the services used. Service provider: n8n GmbH, Harzer Straße 39, 12059 Berlin, Germany. Legal bases: Legitimate interests in efficient, secure, and low-error data processing and process automation (Art. 6(1)(f) GDPR).

Attributer.io: Analytics and tracking tool for capturing and attributing website traffic sources, marketing channels, and user interactions. Processing serves the evaluation of marketing campaigns and the optimization of our online offerings and sales channels. Information about the origin of website visits (e.g. source, medium, campaign) and interactions with our website is processed. Service provider: Attributer Pty Ltd, 50 Yeo Street, Neutral Bay, NSW 2089, Australia. Legal bases: Legitimate interests in the analysis, optimization, and commercial improvement of our online offering (Art. 6(1)(f) GDPR). Data transfer to third countries: A transfer to Australia may take place. This is carried out on the basis of appropriate safeguards pursuant to Art. 46 GDPR (standard contractual clauses). Further information: https://www.attributer.io/privacy-policy.

Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter "newsletter") exclusively with the consent of the recipients or on the basis of a legal ground. If the content of the newsletter is stated during sign-up, it is determinative for the user's consent. To sign up for our newsletter, providing your email address is generally sufficient. However, in order to provide you with a personalized service, we may ask for your name for a personal salutation in the newsletter, or for further information if this is necessary for the purpose of the newsletter.

Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them, in order to be able to provide evidence of consent previously given. The processing of this data is restricted to the purpose of potentially defending against claims. An individual request for deletion is possible at any time, provided that the previous existence of consent is simultaneously confirmed. In the case of obligations to permanently honor objections, we reserve the right to store the email address solely for this purpose in a blocklist.

The logging of the registration process is carried out on the basis of our legitimate interests for the purpose of providing evidence that it has been conducted properly. Where we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure sending system.

Contents: Information about us, our services, promotions, and offers.

Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).

Data subjects: Communication partners.

Purposes of processing: Direct marketing (e.g. by email or post).

Retention and deletion: 3 years — contractual claims (AT) (data required to take into account potential warranty and damages claims or similar contractual claims and rights, and to handle related inquiries, based on past business experience and standard industry practices, is stored for the duration of the standard statutory limitation period of three years (§§ 1478, 1480 ABGB)). 10 years — contractual claims (CH) (data required to take into account potential damages claims or similar contractual claims and rights, and to handle related inquiries, based on past business experience and standard industry practices, is stored for the duration of the statutory limitation period of ten years, unless a shorter period of 5 years applies, which is relevant in certain cases (Art. 127, 130 OR)).

Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Opt-out option: You may cancel your newsletter subscription at any time, i.e. revoke your consent or object to further receipt. A link to unsubscribe from the newsletter can be found either at the end of each newsletter, or you may use one of the contact options provided above, preferably email.

Further information on processing operations, procedures, and services:

Measurement of open and click rates: The newsletters contain a so-called "web beacon," i.e. a pixel-sized file that is retrieved from our server, or from the server of the dispatch service provider if one is used, when the newsletter is opened. As part of this retrieval, technical information such as details about the browser and your system, as well as your IP address and the time of retrieval, are collected. This information is used for the technical improvement of our newsletter based on technical data or target groups and their reading behavior, based on their retrieval locations (determinable by means of IP addresses) or access times. This analysis also includes determining whether and when newsletters are opened and which links are clicked. The information is assigned to the individual newsletter recipients and stored in their profiles until deletion. The evaluations serve to identify the reading habits of our users and to adapt our content to them, or to send different content according to the interests of our users. The measurement of open and click rates and the storage of measurement results in user profiles and their further processing are carried out on the basis of user consent. Unfortunately, a separate revocation of the success measurement is not possible; in this case, the entire newsletter subscription must be canceled or objected to. In that case, the stored profile information will be deleted. Legal bases: Consent (Art. 6(1)(a) GDPR).

Mailchimp: Email marketing and automation platform for managing newsletter subscriptions, sending emails, and analyzing open and click rates. Processing includes in particular the storage of email addresses, send times, and interaction data in order to optimize newsletter dispatch and communication. Service provider: Intuit Inc. (Mailchimp), 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, Georgia 30308, USA. Legal bases: Consent of the data subjects (Art. 6(1)(a) GDPR) for receiving newsletters; legitimate interests in efficient management and analysis of email marketing (Art. 6(1)(f) GDPR). Data transfer to third countries: A transfer to the USA takes place. The data transfer is carried out on the basis of the EU-US Data Privacy Framework certification pursuant to Art. 45 GDPR. Further information: https://www.intuit.com/privacy/statement/.

Advertising Communication via Email, Post, Fax, or Telephone

We process personal data for the purposes of advertising communication, which may be carried out via various channels such as email, telephone, post, or fax, in accordance with legal requirements.

Recipients have the right to revoke consent given at any time or to object to advertising communication at any time.

Following revocation or objection, we store the data required to prove prior authorization for contact or mailing for up to three years after the end of the year of revocation or objection, on the basis of our legitimate interests. The processing of this data is restricted to the purpose of potentially defending against claims. On the basis of the legitimate interest in permanently honoring users' revocation or objection, we also store the data required to avoid renewed contact (e.g. depending on the communication channel, the email address, telephone number, name).

Data subjects: Communication partners.

Purposes of processing: Direct marketing (e.g. by email or post); marketing; sales promotion.

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."

Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Lemlist: Email and sales automation platform for conducting personalized outreach campaigns, managing contact lists, and tracking interactions (e.g. opens, clicks, replies) within the scope of sales and marketing activities. Service provider: Lemlist SAS, 10 Rue de Penthièvre, 75008 Paris, France. Legal bases: Consent (Art. 6(1)(a) GDPR) or legitimate interest in efficient and targeted sales and communication management (Art. 6(1)(f) GDPR). Website: https://www.lemlist.com. Privacy policy: https://www.lemlist.com/privacy. Data processing agreement: https://www.lemlist.com/dpa. Basis for third-country transfers: Transfers to third countries are carried out on the basis of EU standard contractual clauses pursuant to Art. 46 GDPR.

Attio: CRM software for managing customer, partner, and prospective customer data, communication, and sales activities. Service provider: Attio Ltd., 24a Downham Road, London, N1 5AA, United Kingdom. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://www.attio.com. Privacy policy: https://www.attio.com/legal/privacy-policy. Data processing agreement: https://www.attio.com/legal/data-processing-addendum. Basis for third-country transfers: Adequacy decision for the United Kingdom pursuant to Art. 45 GDPR.

Prize Draws and Competitions

We process personal data of participants in prize draws and competitions only in compliance with the relevant data protection regulations, to the extent that processing is contractually necessary for the provision, conduct, and processing of the prize draw, participants have consented to the processing, or the processing serves our legitimate interests (e.g. in the security of the prize draw or the protection of our interests against misuse through the possible recording of IP addresses when submitting entries).

If participants' entries are published in the context of the prize draw (e.g. as part of a vote or presentation of entries or winners, or in reporting on the prize draw), we point out that the names of participants may also be published in this context. Participants may object to this at any time.

If the prize draw takes place on an online platform or social network (e.g. Facebook or Instagram, hereinafter referred to as "online platform"), the terms of use and privacy provisions of the respective platforms also apply. In such cases, we point out that we are responsible for the information provided by participants in the context of the prize draw, and that inquiries regarding the prize draw should be directed to us.

Participants' data will be deleted as soon as the prize draw or competition has ended and the data is no longer needed to notify the winners, or once further inquiries regarding the prize draw are no longer to be expected. As a general rule, participants' data is deleted no later than 6 months after the end of the prize draw. Data of winners may be retained for longer, e.g. to answer queries about prizes or to fulfill prize obligations; in this case, the retention period depends on the nature of the prize and amounts to, for example, up to three years for goods or services, in order to be able to handle warranty claims. Furthermore, participants' data may be stored for longer, e.g. in the form of reporting on the prize draw in online and offline media.

If data was also collected in the context of the prize draw for other purposes, the processing and retention period for such data are governed by the privacy notices applicable to that use (e.g. in the case of a newsletter sign-up as part of a prize draw).

Data subjects: Prize draw and competition participants.

Purposes of processing: Conducting prize draws and competitions.

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."

Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Surveys and Questionnaires

We conduct surveys and questionnaires to gather information for the respective communicated survey or questionnaire purpose. The surveys and questionnaires we conduct (hereinafter "surveys") are evaluated anonymously. Personal data is only processed to the extent necessary for the provision and technical implementation of the surveys (e.g. processing of the IP address to display the survey in the user's browser, or to enable the survey to be resumed using a cookie).

Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts, as well as related information such as details of authorship or time of creation); usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).

Data subjects: Participants; users (e.g. website visitors, users of online services).

Purposes of processing: Feedback (e.g. collecting feedback via online form); surveys and questionnaires (e.g. surveys with input options, multiple-choice questions); tracking (e.g. interest-/behavior-based profiling, use of cookies); click tracking; A/B testing; heatmaps (mouse movements by users that are aggregated into an overall picture); profiles with user-related information (creation of user profiles); provision of our online offering and user-friendliness; communication; direct marketing (e.g. by email or post); reach measurement (e.g. access statistics, identification of returning visitors); conversion measurement (measuring the effectiveness of marketing measures); marketing; target group formation.

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); consent (Art. 6(1)(a) GDPR).

Further information on processing operations, procedures, and services:

Webflow (Forms): Website and form hosting service for the provision and management of online forms on our website. Data submitted via embedded forms (e.g. name, email address, message text) is processed by Webflow and forwarded to us in order to handle contact or registration requests. Service provider: Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests in the secure and functional provision of our online offering (Art. 6(1)(f) GDPR). Data transfer to third countries: A transfer to the USA takes place. The data transfer is carried out on the basis of the EU-US Data Privacy Framework certification pursuant to Art. 45 GDPR. Further information: https://webflow.com/legal/privacy.

Web Analytics, Monitoring, and Optimization

Web analytics (also referred to as "reach measurement") serves to evaluate visitor flows to our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. Using reach analysis, we can for example identify at what times our online offering or its functions or content is used most frequently, or to encourage re-engagement. We are also able to identify which areas are in need of optimization.

In addition to web analytics, we may also use testing procedures, for example to test and optimize different versions of our online offering or its components.

Unless otherwise stated below, profiles — i.e. data aggregated into a usage process — may be created for these purposes, and information may be stored in and subsequently read from a browser or end device. The information collected includes in particular websites visited and elements used therein, as well as technical details such as the browser used, the computer system in use, and information on usage times. If users have consented to the collection of their location data by us or by the providers of the services we use, location data may also be processed.

In addition, users' IP addresses are stored. However, we use an IP masking procedure (i.e. pseudonymization by truncating the IP address) to protect users. In general, no clear-text user data (such as email addresses or names) is stored in the context of web analytics, A/B testing, and optimization — only pseudonyms. This means that neither we nor the providers of the software used know the actual identity of users, but only the information stored in their profiles for the purposes of the respective procedures.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is that consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. an interest in efficient, commercially sound, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing: Reach measurement (e.g. access statistics, identification of returning visitors); profiles with user-related information (creation of user profiles); A/B testing; feedback (e.g. collecting feedback via online form); heatmaps (mouse movements by users that are aggregated into an overall picture); provision of our online offering and user-friendliness; tracking (e.g. interest-/behavior-based profiling, use of cookies); click tracking; remarketing.

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion." Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of up to two years).

Security measures: IP masking (pseudonymization of the IP address).

Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

Google Analytics: We use Google Analytics to measure and analyze the use of our online offering on the basis of a pseudonymous user identification number. This identification number contains no clearly identifiable data such as names or email addresses. It is used to assign analytical information to an end device in order to identify which content users have accessed within one or multiple usage sessions, which search terms they have used, whether they have accessed content again, or have interacted with our online offering. The time and duration of use are also stored, as well as the sources referring users to our online offering and technical aspects of their end devices and browsers. Pseudonymous profiles of users are created with information from the use of various devices, with cookies potentially being used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides approximate geographic location data by deriving the following metadata from IP addresses: city (and the derived city latitude and longitude), continent, country, region, subcontinent (and ID-based equivalents). For EU traffic, IP address data is used exclusively for this derivation of geolocation data before being immediately deleted. It is not logged, is not accessible, and is not used for any other purpose. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://marketingplatform.google.com/intl/de/about/analytics/. Security measures: IP masking (pseudonymization of the IP address). Privacy policy: https://policies.google.com/privacy. Data processing agreement: https://business.safety.google/adsprocessorterms/. Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de; settings for advertising display: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and data processed).

Google Analytics (Server-Side Usage): We use Google Analytics to measure and analyze the use of our online services by users. User data is processed, but not transmitted directly from users' end devices to Google. In particular, users' IP addresses are not transmitted to Google. Instead, the data is first transmitted to our server, where user records are assigned to our internal user identification number. Subsequent transmission takes place only in this pseudonymized form from our server to Google. The identification number contains no clearly identifiable data such as names or email addresses. It is used to assign analytical information to an end device in order to identify which content users have accessed within one or multiple usage sessions, which search terms they have used, whether they have accessed content again, or have interacted with our online offering. The time and duration of use are also stored, as well as the sources referring users to our online offering and technical aspects of their end devices and browsers. Pseudonymous profiles of users are created with information from the use of various devices, with cookies potentially being used. In Analytics, higher-level geographic location data is provided by collecting the following metadata via IP lookup: "city" (and the derived city latitude and longitude), "continent," "country," "region," "subcontinent" (and ID-based equivalents). Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://marketingplatform.google.com/intl/de/about/analytics/. Privacy policy: https://policies.google.com/privacy. Data processing agreement: https://business.safety.google/adsprocessorterms/. Basis for third-country transfers: Data Privacy Framework (DPF). Further information: https://business.safety.google/adsservices/(types of processing and data processed).

Google Tag Manager: We use Google Tag Manager, a software by Google that enables us to centrally manage so-called website tags via a user interface. Tags are small code elements on our website that serve to capture and analyze visitor activity. This technology helps us to improve our website and the content offered on it. The Google Tag Manager itself does not create user profiles, does not store cookies with user profiles, and does not carry out independent analyses. Its function is limited to simplifying and making more efficient the integration and management of tools and services that we use on our website. Nevertheless, when using Google Tag Manager, users' IP addresses are transmitted to Google, which is technically necessary to implement the services we use. Cookies may also be set. However, this data processing only takes place when services are integrated via the Tag Manager. For more detailed information on these services and their data processing, we refer you to the relevant sections of this privacy policy. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://marketingplatform.google.com. Privacy policy: https://policies.google.com/privacy. Data processing agreement: https://business.safety.google/adsprocessorterms. Basis for third-country transfers: Data Privacy Framework (DPF).

Google Tag Manager (Server-Side Usage): Google Tag Manager is an application that allows us to manage so-called website tags via an interface, and to integrate other services into our online offering (see also the further information in this privacy policy). The Tag Manager itself (which implements the tags) does not store user profiles or cookies. The integration of other services takes place server-side. This means that user data is not transmitted directly from their end device to the respective service or to Google. In particular, users' IP addresses are not transmitted to the other service. Instead, the data is first transmitted to our server, where user records are assigned to our internal user identification number. Subsequent transmission of the data from our server to the servers of the respective service providers takes place only in this pseudonymized form. The user identification number contains no clearly identifiable data such as names or email addresses. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://marketingplatform.google.com/intl/de/about/analytics/. Privacy policy: https://policies.google.com/privacy. Data processing agreement: https://business.safety.google/adsprocessorterms/. Basis for third-country transfers: Data Privacy Framework (DPF). Further information: https://business.safety.google/adsservices/(types of processing and data processed).

Google Optimize: Software for the analysis and optimization of online offerings on the basis of feedback functions and pseudonymously conducted measurements and analyses of user behavior, which may include in particular A/B tests (measuring the popularity and user-friendliness of different content and functions), measurement of click paths, and interaction with content and functions of the online offering. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://optimize.google.com. Privacy policy: https://policies.google.com/privacy. Data processing agreement: https://business.safety.google/adsprocessorterms. Basis for third-country transfers: Data Privacy Framework (DPF). Further information: https://business.safety.google/adsservices/(types of processing and data processed).

Google Universal Analytics: Reach measurement and web analytics — We use Universal Analytics, a version of Google Analytics, to conduct user analysis on the basis of a pseudonymous user identification number. This identification number contains no clear-text data such as names or email addresses. It serves to assign analytical information to a user, e.g. to identify which content users have accessed during a session or whether they return to our online offering. Pseudonymous profiles of users are created with information from the use of various devices. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://marketingplatform.google.com. Terms and conditions: https://business.safety.google/adsprocessorterms/. Privacy policy: https://policies.google.com/privacy. Data processing agreement: https://business.safety.google/adsprocessorterms. Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de; settings for advertising display: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and data processed).

Leadfeeder: Analytics tool for identifying business visitors to our website and evaluating user interactions for marketing and sales purposes. Service provider: Dealfront Group GmbH (formerly Leadfeeder), Hörvelsinger Weg 29, 89081 Ulm, Germany. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://www.dealfront.com. Privacy policy: https://www.dealfront.com/privacy-notice/. Data processing agreement: https://www.dealfront.com/data-processing-agreement/. Basis for third-country transfers: To the extent that data is transferred to third countries, this is done on the basis of EU standard contractual clauses pursuant to Art. 46 GDPR.

Online Marketing

We process personal data for the purposes of online marketing, which may include in particular the marketing of advertising space or the display of advertising and other content (collectively referred to as "content") based on the potential interests of users, as well as the measurement of its effectiveness.

For these purposes, so-called user profiles are created and stored in a file (a so-called "cookie") or similar procedures are used, by means of which information relevant to the display of the aforementioned content is stored about the user. This may include, for example, content viewed, websites visited, online networks used, but also communication partners and technical details such as the browser used, the computer system in use, and information on usage times and functions used. If users have consented to the collection of their location data, this may also be processed.

In addition, users' IP addresses are stored. However, we use available IP masking procedures (i.e. pseudonymization by truncating the IP address) to protect users. In general, no clear-text user data (such as email addresses or names) is stored in the context of online marketing procedures — only pseudonyms. This means that neither we nor the providers of the online marketing procedures know the actual identity of users, but only the information stored in their profiles.

The information in the profiles is generally stored in cookies or by means of similar procedures. These cookies can later also be read on other websites that use the same online marketing procedure, analyzed for the purpose of displaying content, supplemented with further data, and stored on the server of the online marketing procedure provider.

Exceptionally, it is possible to assign clear-text data to profiles, primarily when users are, for example, members of a social network whose online marketing procedure we use and that network links user profiles with the aforementioned information. We ask that users note that they may enter into additional arrangements with providers, for example by giving consent during registration.

We generally only receive access to aggregated information about the success of our advertisements. However, within the scope of so-called conversion measurement, we can check which of our online marketing procedures has led to a so-called conversion, i.e. for example to the conclusion of a contract with us. Conversion measurement is used solely for the purpose of analyzing the success of our marketing measures.

Unless otherwise stated, we ask you to assume that cookies used are stored for a period of two years.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is that permission. Otherwise, user data is processed on the basis of our legitimate interests (i.e. an interest in efficient, commercially sound, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Notes on revocation and objection: We refer to the privacy notices of the respective providers and the opt-out options indicated for those providers. If no explicit opt-out option has been specified, one option is to disable cookies in your browser settings. However, this may restrict the functionality of our online offering. We therefore also recommend the following opt-out options, which are offered in summary form for the respective regions:

a) Europe: https://www.youronlinechoices.eu b) Canada: https://www.youradchoices.ca/choices c) USA: https://www.aboutads.info/choices d) Cross-regional: https://optout.aboutads.info

Types of data processed: Content data (e.g. text or image messages and posts, as well as related information such as details of authorship or time of creation); usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); event data (Facebook) ("event data" is information sent to the provider Meta, for example via Meta Pixel (whether via apps or other channels), relating to persons or their actions. This data includes details of website visits, interactions with content and functions, app installations, and product purchases. Event data is processed with the aim of creating target groups for content and advertising messages (custom audiences). It is important to note that event data does not include actual content such as written comments, login information, or contact information such as names, email addresses, or telephone numbers. Event data is deleted by Meta after a maximum of two years, and the target groups formed from it disappear when our Meta user accounts are deleted.); contact information (Facebook) ("contact information" is data that clearly identifies data subjects, such as names, email addresses, and telephone numbers, which may be transmitted to Facebook, e.g. via Facebook Pixel or upload for matching purposes to form custom audiences. Following matching for the purpose of forming target groups, the contact information is deleted).

Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing: Reach measurement (e.g. access statistics, identification of returning visitors); tracking (e.g. interest-/behavior-based profiling, use of cookies); conversion measurement (measuring the effectiveness of marketing measures); target group formation; marketing; profiles with user-related information (creation of user profiles); provision of our online offering and user-friendliness; remarketing; click tracking.

Security measures: IP masking (pseudonymization of the IP address).

Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

Meta Pixel and Target Group Formation (Custom Audiences): With the help of Meta Pixel (or comparable functions for transmitting event data or contact information via interfaces in apps), Meta is able to determine visitors to our online offering as a target group for the display of advertisements (so-called "Meta Ads"). Accordingly, we use Meta Pixel to display the Meta Ads we place only to those users on Meta platforms and within the services of partners cooperating with Meta (the so-called "Audience Network": https://www.facebook.com/audiencenetwork/) who have also shown an interest in our online offering or who exhibit certain characteristics (e.g. an interest in certain topics or products, which are evident from the websites visited) that we transmit to Meta (so-called "custom audiences"). We also use Meta Pixel to ensure that our Meta Ads correspond to the potential interests of users and do not cause annoyance. Furthermore, with the help of Meta Pixel, we can track the effectiveness of Meta Ads for statistical and market research purposes by seeing whether users were directed to our website after clicking on a Meta Ad (so-called "conversion measurement"). Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://www.facebook.com. Privacy policy: https://www.facebook.com/privacy/policy/. Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing. Basis for third-country transfers: Data Privacy Framework (DPF). Further information: Event data of users, i.e. behavioral and interest information, is processed for the purposes of targeted advertising and target group formation on the basis of the joint controller agreement ("Controller Addendum," https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with regard to the transmission of data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).

Enhanced Matching for Meta Pixel: In addition to the processing of event data in the context of using Meta Pixel (or comparable functions, e.g. in apps), contact information (data that identifies individual persons, such as names, email addresses, and telephone numbers) is also collected by Meta within our online offering or transmitted to Meta. The processing of contact information serves the formation of target groups (so-called "custom audiences") for the display of content and advertising information oriented towards the presumed interests of users. The collection, transmission, and matching with data held by Meta takes place not in clear text but in so-called "hash values," i.e. mathematical representations of the data (this method is used for example when storing passwords). Following matching for the purpose of forming target groups, the contact information is deleted. Legal bases: Consent (Art. 6(1)(a) GDPR). Privacy policy: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing. Basis for third-country transfers: Data Privacy Framework (DPF). Further information: https://www.facebook.com/legal/terms/data_security_terms.

Meta — Target Group Formation via Data Upload: Formation of target groups for marketing purposes — We transmit contact information (names, email addresses, and telephone numbers) in list form to Meta for the purpose of forming target groups (so-called "custom audiences") for the display of content and advertising information oriented towards the presumed interests of users. Transmission and matching with data held by Meta takes place not in clear text but in so-called "hash values," i.e. mathematical representations of the data (this method is used for example when storing passwords). Following matching for the purpose of forming target groups, the contact information is deleted. Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://www.facebook.com. Privacy policy: https://www.facebook.com/privacy/policy/. Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing. Basis for third-country transfers: Data Privacy Framework (DPF).

Facebook Advertisements: Placement of advertisements within the Facebook platform and evaluation of advertisement results. Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://www.facebook.com. Privacy policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: We refer to the privacy and advertising settings in users' profiles on Facebook platforms, as well as to Facebook's consent procedures and contact options for exercising rights of access and other data subject rights as described in Facebook's privacy policy. Further information: Event data of users, i.e. behavioral and interest information, is processed for the purposes of targeted advertising and target group formation on the basis of the joint controller agreement ("Controller Addendum," https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with regard to the transmission of data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).

Google Ad Manager: We use the "Google Ad Manager" service to place advertisements in the Google advertising network (e.g. in search results, in videos, on websites, etc.). Google Ad Manager is characterized by the fact that advertisements are displayed in real time based on the presumed interests of users. This allows us to display advertisements for our online offering to users who may have a potential interest in our offering or who have previously shown interest in it, and to measure the success of the advertisements. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://marketingplatform.google.com. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF). Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information on the data processing terms between controllers and standard contractual clauses for third-country transfers: https://business.safety.google/adscontrollerterms. Where Google acts as a data processor, data processing terms for Google advertising products and standard contractual clauses for third-country transfers: https://business.safety.google/adsprocessorterms.

Google Ads and Conversion Measurement: Online marketing procedure for the purpose of placing content and advertisements within the service provider's advertising network (e.g. in search results, in videos, on websites, etc.) so that they are displayed to users who have a presumed interest in the advertisements. In addition, we measure the conversion of advertisements, i.e. whether users have used them as an occasion to interact with the advertisements and use the advertised offerings (so-called conversions). However, we only receive anonymous information and no personal information about individual users. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR). Website: https://marketingplatform.google.com. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF). Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for third-country transfers: https://business.safety.google/adscontrollerterms.

Google Ads Remarketing: Google Remarketing, also known as retargeting, is a technology by which users who use an online service are added to a pseudonymous remarketing list, so that advertisements can be displayed to those users on other online offerings based on their visit to the online service. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://marketingplatform.google.com. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF). Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for third-country transfers: https://business.safety.google/adscontrollerterms.

Enhanced Conversions for Google Ads: When users click on our Google advertisements and subsequently use the advertised service (so-called "conversion"), data entered by the user, such as the email address, name, residential address, or telephone number, may be transmitted to Google. The hash values are then matched with existing Google accounts of users in order to better evaluate and improve users' interaction with the advertisements (e.g. clicks or views) and thus their performance. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://support.google.com/google-ads/answer/9888656.

Google AdSense with Personalized Ads: We integrate the Google AdSense service, which enables personalized advertisements to be placed within our online offering. Google AdSense analyzes user behavior and uses this data to deliver targeted advertising tailored to the interests of our visitors. We receive financial compensation for each advertisement displayed or other forms of use of these advertisements. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://marketingplatform.google.com. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF). Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information on the data processing terms between controllers and standard contractual clauses for third-country transfers: https://business.safety.google/adscontrollerterms.

Instagram Advertisements: Placement of advertisements within the Instagram platform and evaluation of advertisement results. Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://www.instagram.com. Privacy policy: https://privacycenter.instagram.com/policy/. Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: We refer to the privacy and advertising settings in users' profiles on the Instagram platform, as well as to Instagram's consent procedures and Instagram's contact options for exercising rights of access and other data subject rights in Instagram's privacy policy. Further information: Event data of users, i.e. behavioral and interest information, is processed for the purposes of targeted advertising and target group formation on the basis of the joint controller agreement ("Controller Addendum," https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with regard to the transmission of data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).

LinkedIn Insight Tag: Code that is loaded when a user visits our online offering and tracks user behavior and conversions, storing them in a profile (possible uses: measurement of campaign performance, optimization of ad delivery, building custom and lookalike audiences). Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://www.linkedin.com. Privacy policy: https://www.linkedin.com/legal/privacy-policy. Cookie policy: https://www.linkedin.com/legal/cookie_policy. Data processing agreement: https://www.linkedin.com/legal/l/dpa. Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Microsoft Advertising: Online marketing procedure for the purpose of placing content and advertisements within the service provider's advertising network (e.g. in search results, in videos, on websites, etc.) so that they are displayed to users who have a presumed interest in the advertisements. In addition, we measure the conversion of advertisements, i.e. whether users have used them as an occasion to interact with the advertisements and use the advertised offerings (so-called conversion). However, we only receive anonymous information and no personal information about individual users. Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR). Website: https://about.ads.microsoft.com/en-us. Privacy policy: https://privacy.microsoft.com/de-de/privacystatement. Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: https://account.microsoft.com/privacy/ad-settings/. Further information: https://about.ads.microsoft.com/de-de/policies/legal-privacy-and-security.

UTM Parameters: Analysis of sources and user actions on the basis of an extension of web addresses referring to us with an additional parameter, the "UTM" parameter. For example, a UTM parameter "utm_source=platformX&utm_medium=video" can tell us that a person clicked on the link on platform X within a video. UTM parameters provide information about the source of the link, the medium used (e.g. social media, website, newsletter), the type of campaign, or the content of the campaign (e.g. post, link, image, and video). With the help of this information, we can for example check our visibility on the internet or the effectiveness of our campaigns. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

LinkedIn Advertisements: Placement of advertisements within the LinkedIn platform and evaluation of advertisement results. Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR). Website: https://business.linkedin.com/de-de/marketing-solutions/ads. Privacy policy: https://www.linkedin.com/legal/privacy-policy. Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. Further information: https://legal.linkedin.com/dpa.

Offering an Affiliate Program

We offer an affiliate program, i.e. commissions or other benefits (collectively referred to as "commission") for users (referred to as "affiliates") who refer to our offerings and services. The referral is made via a link assigned to the respective affiliate or by other methods (e.g. discount codes) that allow us to recognize that the use of our services was based on the referral (collectively referred to as "affiliate links").

In order to be able to track whether users have used our services as a result of the affiliate links deployed by affiliates, it is necessary for us to know that a user has followed an affiliate link. The assignment of affiliate links to the respective transactions or other use of our services serves solely the purpose of commission accounting and is revoked as soon as it is no longer required for that purpose.

For the purposes of the aforementioned assignment of affiliate links, the affiliate links may be supplemented with certain values that form part of the link or may be stored in other ways, e.g. in a cookie. These values may include in particular the originating website (referrer), the time, an online identifier of the operator of the website on which the affiliate link was located, an online identifier of the respective offering, the type of link used, the type of offering, and an online identifier of the user.

Notes on legal bases: The processing of data of our partners takes place for the provision of our (pre-)contractual services. Users' data is processed on the basis of their consent.

Types of data processed: Contract data (e.g. subject matter of the contract, duration, customer category); usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); log data (e.g. log files relating to logins or the retrieval of data or access times).

Data subjects: Users (e.g. website visitors, users of online services); business and contractual partners.

Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; affiliate tracking.

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Customer Reviews and Rating Procedures

We participate in review and rating procedures in order to evaluate, optimize, and promote our services. If users rate us via the participating rating platforms or procedures or otherwise provide feedback, the general terms and conditions or terms of use and the privacy notices of the providers also apply. As a general rule, a rating also requires registration with the respective providers.

In order to ensure that the persons rating us have actually used our services, we transmit, with the consent of customers, the data required for this purpose regarding the customer and the service used to the respective rating platform (including name, email address, and order number or item number). This data is used solely for the purpose of verifying the authenticity of the user.

Types of data processed: Contract data (e.g. subject matter of the contract, duration, customer category); usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).

Data subjects: Recipients of services and clients; users (e.g. website visitors, users of online services).

Purposes of processing: Feedback (e.g. collecting feedback via online form); marketing.

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

Rating Widget: We integrate so-called "rating widgets" into our online offering. A widget is a functional and content element integrated into our online offering that displays variable information. It may be presented, for example, in the form of a seal or comparable element, sometimes also called a "badge." The corresponding content of the widget is displayed within our online offering, but is retrieved at that moment from the servers of the respective widget provider. This is the only way to always display current content, in particular the most current rating. For this purpose, a data connection must be established from the website accessed within our online offering to the widget provider's server, and the widget provider receives certain technical data (access data, including IP address) that is necessary for the widget's content to be delivered to the user's browser. Furthermore, the widget provider receives information that users have visited our online offering. This information may be stored in a cookie and used by the widget provider to identify which online offerings participating in the rating procedure have been visited by the user. The information may be stored in a user profile and used for advertising or market research purposes. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Google Customer Reviews: Service for obtaining and/or displaying customer satisfaction and customer opinions. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.google.com/. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF). Further information: In the context of obtaining customer reviews, an identification number and the time of the transaction to be reviewed, the customer's email address in the case of review requests sent directly to customers, their indication of their country of residence, and the review information itself are processed. Further details on the types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information on the data processing terms between controllers and standard contractual clauses for third-country transfers: https://business.safety.google/adscontrollerterms.

kununu: Rating platform. Service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.kununu.com/de. Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.

Trustpilot: Rating platform. Service provider: Trustpilot A/S, Pilestræde 58, 5, 1112 Copenhagen, Denmark. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://de.trustpilot.com. Privacy policy: https://de.legal.trustpilot.com/for-reviewers/end-user-privacy-terms.

OMR Reviews: Platform for researching and comparing business software and tools. Service provider: Software Reviews GmbH, Lagerstraße 36, 20357 Hamburg. Website: https://omr.com/de/reviews. Privacy policy: https://omr.com/de/datenschutz.

Capterra: Platform for researching and comparing business software and tools. Service provider: Lehrer-Wirth-Str. 2, 81829 Munich. Website: https://www.capterra.com.de/. Privacy policy: https://www.capterra.com.de/legal/privacy-policy.

G2: Platform for researching and comparing business software and tools. Service provider: 100 S. Wacker Dr., Suite 600, Chicago, IL 60606, USA. Website: https://www.g2.com/de. Privacy policy: https://legal.g2.com/privacy-policy.

Presences in Social Networks (Social Media)

We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to provide information about us.

We point out that user data may be processed outside the European Union in this context. This may give rise to risks for users, for example by making it more difficult to enforce user rights.

Furthermore, users' data within social networks is generally processed for market research and advertising purposes. For example, usage profiles may be created on the basis of users' usage behavior and resulting interests. These profiles may in turn be used to place advertisements inside and outside the networks that are presumed to correspond to the interests of users. For this reason, cookies are generally stored on users' computers, in which usage behavior and the interests of users are stored. Furthermore, data may also be stored in the usage profiles independently of the devices used by users (in particular if they are members of the respective platforms and are logged in there).

For a detailed description of the respective forms of processing and the opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we also point out that these can most effectively be asserted with the providers. Only the latter have access to users' data and can directly take appropriate measures and provide information. Should you nevertheless require assistance, you are welcome to contact us.

Types of data processed: Contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts, as well as related information such as details of authorship or time of creation); usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).

Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing: Communication; feedback (e.g. collecting feedback via online form); public relations.

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

Instagram: Social network enabling the sharing of photos and videos, commenting and favoriting posts, sending messages, subscribing to profiles and pages. Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.instagram.com. Privacy policy: https://privacycenter.instagram.com/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).

Facebook Pages: Profiles within the Facebook social network — We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (so-called "fan page"). This data includes information about the types of content users view or interact with, or the actions they take (see "Things you and others do and provide" in Facebook's data policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see "Device information" in Facebook's data policy: https://www.facebook.com/privacy/policy/). As explained in Facebook's data policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, so-called "Page Insights," to page operators, enabling them to gain insights into how people interact with their pages and the content associated with them. We have concluded a special agreement with Facebook ("Information about Page Insights," https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must observe and in which Facebook has agreed to fulfill data subjects' rights (i.e. users can, for example, direct requests for information or deletion directly to Facebook). Users' rights (in particular the right to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the "Information about Page Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with regard to the transmission of data to the parent company Meta Platforms, Inc. in the USA. Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.facebook.com. Privacy policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).

LinkedIn: Social network — We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of data from visitors that is generated for the purpose of creating "Page Insights" (statistics) for our LinkedIn profiles. This data includes information about the types of content users view or interact with, or the actions they take, as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data) and details from users' profiles such as professional function, country, industry, seniority level, company size, and employment status. Privacy information on LinkedIn's processing of user data can be found in LinkedIn's privacy notices: https://www.linkedin.com/legal/privacy-policy. We have concluded a special agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum (the 'Addendum')," https://legal.linkedin.com/pages-joint-controller-addendum), which regulates in particular which security measures LinkedIn must observe and in which LinkedIn has agreed to fulfill data subjects' rights (i.e. users can, for example, direct requests for information or deletion directly to LinkedIn). Users' rights (in particular the right to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection of data and its transmission to Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of Ireland Unlimited Company, in particular with regard to the transmission of data to the parent company LinkedIn Corporation in the USA. Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.linkedin.com. Privacy policy: https://www.linkedin.com/legal/privacy-policy. Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

YouTube: Social network and video platform. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: https://myadcenter.google.com/personalizationoff.

Plug-ins and Embedded Functions and Content

We integrate functional and content elements into our online offering that are sourced from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include, for example, graphics, videos, or maps (hereinafter collectively referred to as "content").

Integration always requires the third-party providers of this content to process users' IP addresses, as without an IP address they would be unable to send the content to users' browsers. The IP address is therefore necessary for the display of this content or these functions. We endeavor to use only such content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. Through "pixel tags," information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may furthermore be stored in cookies on users' devices and may contain, among other things, technical information about the browser and operating system, referring websites, visit times, and further details about the use of our online offering, but may also be linked with such information from other sources.

Types of data processed: Usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts, as well as related information such as details of authorship or time of creation); location data (information on the geographic position of a device or person); event data (Facebook) ("event data" is information sent to the provider Meta, for example via Meta Pixel (whether via apps or other channels), relating to persons or their actions. This data includes details of website visits, interactions with content and functions, app installations, and product purchases. Event data is processed with the aim of creating target groups for content and advertising messages (custom audiences). It is important to note that event data does not include actual content such as written comments, login information, or contact information such as names, email addresses, or telephone numbers. Event data is deleted by Meta after a maximum of two years, and the target groups formed from it disappear when our Meta user accounts are deleted.); contract data (e.g. subject matter of the contract, duration, customer category).

Data subjects: Users (e.g. website visitors, users of online services); prospective customers; communication partners; business and contractual partners.

Purposes of processing: Provision of our online offering and user-friendliness; provision of contractual services and fulfillment of contractual obligations; marketing; profiles with user-related information (creation of user profiles); communication; office and organizational procedures.

Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

Facebook Plugins and Content: Facebook Social Plugins and content — These may include, for example, content such as images, videos, or texts and buttons that allow users to share content from this online offering within Facebook. The list and appearance of Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/. We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt by means of transmission (but not the further processing) of "event data" that Facebook collects via the Facebook Social Plugins (and content embedding functions) running on our online offering, or receives by means of transmission for the following purposes: a) display of content and advertising information that corresponds to users' presumed interests; b) delivery of commercial and transactional messages (e.g. addressing users via Facebook Messenger); c) improvement of ad delivery and personalization of functions and content (e.g. improving the identification of which content or advertising information is presumed to correspond to users' interests). We have concluded a special agreement with Facebook ("Controller Addendum," https://www.facebook.com/legal/controller_addendum), which regulates in particular which security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to fulfill data subjects' rights (i.e. users can, for example, direct requests for information or deletion directly to Facebook). Note: When Facebook provides us with metrics, analyses, and reports (which are aggregated, i.e. do not contain information about individual users and are anonymous to us), this processing does not take place under joint responsibility but on the basis of a data processing agreement ("Data Processing Terms," https://www.facebook.com/legal/terms/dataprocessing), the "Data Security Terms" (https://www.facebook.com/legal/terms/data_security_terms), and, with regard to processing in the USA, on the basis of standard contractual clauses ("Facebook EU Data Transfer Addendum," https://www.facebook.com/legal/EU_data_transfer_addendum). Users' rights (in particular the right to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://www.facebook.com. Privacy policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).

Google Fonts (Retrieved from Google Server): Retrieval of fonts (and symbols) for the purpose of technically secure, maintenance-free, and efficient use of fonts and symbols with regard to currency and loading times, their uniform display, and consideration of possible licensing restrictions. The IP address of the user is communicated to the font provider so that the fonts can be made available in the user's browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) is transmitted that is necessary for the provision of the fonts depending on the devices used and the technical environment. This data may be processed on a server of the font provider in the USA. When visiting our online offering, users' browsers send their browser HTTP requests to the Google Fonts Web API (i.e. a software interface for retrieving the fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) of Google Fonts and subsequently the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the User-Agent describing the browser and operating system versions of website visitors, as well as the referrer URL (i.e. the web page on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers and are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, User-Agent, and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wishes to load fonts. This data is logged so that Google can determine how often a particular font family is requested. With the Google Fonts Web API, the User-Agent must adapt the font generated for the respective browser type. The User-Agent is primarily logged for debugging purposes and used to generate aggregated usage statistics measuring the popularity of font families. These aggregated usage statistics are published on the Google Fonts "Analytics" page. Finally, the referrer URL is logged so that the data can be used for production maintenance and an aggregated report on the top integrations based on the number of font requests can be generated. According to Google's own statement, Google does not use any of the information collected by Google Fonts to create end-user profiles or to serve targeted advertisements. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://fonts.google.com/. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF). Further information: https://developers.google.com/fonts/faq/privacy?hl=de.

Google Maps: We integrate the maps of the "Google Maps" service by Google. The data processed may include in particular IP addresses and location data of users. Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://mapsplatform.google.com/. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).

LinkedIn Plugins and Content: LinkedIn plugins and content — these may include, for example, content such as images, videos, or texts and buttons that allow users to share content from this online offering within LinkedIn. Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.linkedin.com. Privacy policy: https://www.linkedin.com/legal/privacy-policy. Data processing agreement: https://legal.linkedin.com/dpa. Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

reCAPTCHA: We integrate the "reCAPTCHA" function in order to be able to recognize whether inputs (e.g. in online forms) are made by humans and not by automatically acting machines (so-called "bots"). The data processed may include IP addresses, information about operating systems, devices, or browsers used, language settings, location, mouse movements, keystrokes, time spent on web pages, previously visited web pages, interactions with reCAPTCHA on other websites, possibly cookies, and results of manual recognition processes (e.g. answering questions posed or selecting objects in images). Data processing takes place on the basis of our legitimate interest in protecting our online offering from abusive automated crawling and spam. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.google.com/recaptcha/. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de; settings for advertising display: https://myadcenter.google.com/personalizationoff.

YouTube Videos: Video content. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://www.youtube.com. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de; settings for advertising display: https://myadcenter.google.com/personalizationoff.

YouTube Videos (Enhanced Privacy Mode): Video content — YouTube videos are integrated via a special domain (recognizable by the "youtube-nocookie" component) in the so-called "Enhanced Privacy Mode," whereby no cookies are collected relating to user activity in order to personalize video playback. Nevertheless, information about users' interaction with the video (e.g. remembering the last playback position) may be stored. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://www.youtube.com. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).

Google Hosted Libraries: Google Hosted Libraries is a globally available content delivery network (CDN) for the most popular open-source JavaScript libraries. These serve to provide web libraries for optimizing website loading times, reducing bandwidth usage, and improving performance through the use of shared, public resources. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://developers.google.com/speed/libraries/. Privacy policy: https://policies.google.com/privacy.

Notion: Project management — organization and administration of teams, groups, workflows, projects, and processes. Service provider: Notion Labs, Inc., 548 Market St #74567, San Francisco, CA 94104-5401, USA. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.notion.so/de-de/product. Privacy policy: https://www.notion.so/Privacy-Policy-3468d120cf614d4c9014c09f6adc9091. Data processing agreement: Provided by the service provider. Basis for third-country transfers: Standard contractual clauses (provided by the service provider).

Miro: Online whiteboard and collaboration platform. Service provider: Realtimeboard Inc. dba Miro, 201 Spear Street Suite 1100, San Francisco, California 94105, USA. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://miro.com/. Privacy policy: https://miro.com/legal/privacy-policy/. Data processing agreement: https://miro.com/legal/vendor-data-processing-addendum/. Basis for third-country transfers: Standard contractual clauses (https://miro.com/legal/vendor-data-processing-addendum/).

Management, Organization, and Auxiliary Tools

We use services, platforms, and software from third-party providers (hereinafter referred to as "third-party providers") for the purposes of organizing, managing, planning, and providing our services. When selecting third-party providers and their services, we comply with applicable legal requirements.

In this context, personal data may be processed and stored on the servers of third-party providers. Various types of data that we process in accordance with this privacy policy may be affected. Such data may include in particular master data and contact data of users, data relating to transactions, contracts, other processes, and their contents.

If users are referred to third-party providers or their software or platforms in the context of communication, business, or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization, or marketing purposes. We therefore ask users to observe the privacy notices of the respective third-party providers.

Data subjects: Communication partners; users (e.g. website visitors, users of online services).

Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; reach measurement (e.g. access statistics, identification of returning visitors); profiles with user-related information (creation of user profiles).

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

ChatGPT: AI-based service designed to understand and generate natural language and related inputs and data, analyze information, and make predictions ("AI," i.e. "Artificial Intelligence," is to be understood in the applicable legal sense of the term). Service provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://openai.com/product. Privacy policy: https://openai.com/de/policies/eu-privacy-policy.

Perplexity: AI-based service for answering questions, analyzing and presenting information, and generating texts on the basis of natural language inputs. Service provider: Perplexity AI, Inc., 2261 Market Street #4330, San Francisco, CA 94114, USA. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.perplexity.ai. Privacy policy: https://www.perplexity.ai/privacy. Basis for third-country transfers: EU standard contractual clauses pursuant to Art. 46 GDPR.

Claude: AI-based service for the processing, analysis, and generation of texts and content on the basis of natural language inputs. Service provider: Anthropic PBC, 548 Market Street, PMB 10152, San Francisco, CA 94104, USA. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.anthropic.com. Privacy policy: https://www.anthropic.com/legal/privacy. Basis for third-country transfers: EU standard contractual clauses pursuant to Art. 46 GDPR.

Processing of Data in the Context of Employment Relationships

In the context of employment relationships, personal data is processed with the aim of effectively establishing, conducting, and terminating such relationships. This data processing supports various operational and administrative functions required for the management of employee relations.

The data processing covers various aspects ranging from the initiation to the termination of a contract. This includes the organization and management of daily working hours, the management of access rights and permissions, and the handling of personnel development measures and employee appraisals. Processing also serves payroll administration and the management of wage and salary payments, which are critical aspects of contract performance.

In addition, the data processing takes into account the legitimate interests of the responsible employer, such as ensuring workplace safety or capturing performance data for the evaluation and optimization of operational processes. Data processing also includes the disclosure of employee data in the context of external communication and publication processes where this is required for operational or legal purposes.

The processing of this data is always carried out in compliance with the applicable legal framework, with the aim of creating and maintaining a fair and efficient working environment. This also includes respecting the privacy of the employees concerned, as well as the anonymization or deletion of data after the purpose of processing has been fulfilled or in accordance with statutory retention periods.

Types of data processed: Employee data (information about employees and other persons in an employment relationship); payment data (e.g. bank details, invoices, payment history); contract data (e.g. subject matter of the contract, duration, customer category); master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts, as well as related information such as details of authorship or time of creation); social data (data subject to social secrecy and processed e.g. by social insurance institutions, social welfare authorities, or pension authorities); log data (e.g. log files relating to logins or the retrieval of data or access times); performance and behavioral data (e.g. performance and behavioral aspects such as performance appraisals, feedback from supervisors, training participation, compliance with company policies, self-assessments, and behavioral assessments); working time data (e.g. start of working time, end of working time, actual working hours, target working hours, break times, overtime, vacation days, special leave days, sick days, absences, home office days, business trips); salary data (e.g. base salary, bonus payments, premiums, tax bracket information, supplements for night work/overtime, tax deductions, social insurance contributions, net payout amount).

Data subjects: Employees (e.g. staff, applicants, temporary workers, and other employees).

Purposes of processing: Establishment and conduct of employment relationships (processing of employee data in the context of establishing and conducting employment relationships); business processes and operational procedures; provision of contractual services and fulfillment of contractual obligations; security measures; office and organizational procedures.

Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR); processing of special categories of personal data in relation to healthcare, profession, and social security (Art. 9(2)(h) GDPR).

Further information on processing operations, procedures, and services:

Purposes of data processing: The personal data of employees is processed primarily for the establishment, conduct, and termination of the employment relationship. In addition, the processing of this data is necessary to fulfill legal obligations in the areas of tax and social insurance law. Beyond these primary purposes, employee data is also used to fulfill regulatory and supervisory requirements, to optimize electronic data processing procedures, and to compile internal or cross-company data, possibly including statistical data. Furthermore, employee data may be processed for the assertion of legal claims and defense in legal disputes. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Transmission of employee data: Employee data is only processed internally by those departments that require it for the fulfillment of operational, contractual, and legal obligations. Data is only shared with external recipients where required by law or where the employees concerned have given their consent. Possible scenarios for this may include requests for information from authorities or in the case of wealth accumulation benefits. Furthermore, the controller may forward personal data to additional recipients to the extent necessary for the fulfillment of its contractual and legal obligations as an employer. These recipients may include: a) banks; b) health insurance funds, pension insurance institutions, old-age provision providers, and other social insurance carriers; c) authorities and courts (e.g. tax authorities, labor courts, other supervisory authorities in the context of fulfilling reporting and disclosure obligations); d) tax and legal advisors; e) third-party debtors in the case of wage and salary garnishments; f) other bodies to which legally required declarations must be made. In addition, data may be shared with third parties if this is necessary for communication with business partners, suppliers, or other service providers. Examples include details in the sender section of emails or letterheads, as well as the creation of profiles on external platforms. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Business travel and travel expense accounting: Procedures required for the planning, implementation, and settlement of business trips (e.g. booking travel, organizing accommodation and transport, managing travel advance payments, submitting and verifying travel expense reports, controlling and posting costs incurred, compliance with travel policies, handling of travel expense management). Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR); processing of special categories of personal data in relation to healthcare, profession, and social security (Art. 9(2)(h) GDPR).

Payroll and wage accounting: Procedures required for the calculation, payment, and documentation of wages, salaries, and other remuneration of employees (e.g. recording of working hours, calculation of deductions and supplements, remittance of taxes and social insurance contributions, preparation of payslips, maintenance of payroll accounts, reporting to tax authorities and social insurance carriers). Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR).

Personnel file management: Procedures required for the organization, updating, and management of employee data and documents (e.g. recording of master employee data, storage of employment contracts, references, and certificates, updating data upon changes, compiling documents for employee appraisals, archiving of personnel files, compliance with data protection regulations). Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR); processing of special categories of personal data in relation to healthcare, profession, and social security (Art. 9(2)(h) GDPR).

Personnel development, performance appraisal, and employee meetings: Procedures required in the area of promoting and developing employees, as well as assessing their performance and conducting employee appraisals (e.g. needs analysis for further training, planning and implementation of training measures, preparation of performance appraisals, conducting objective-setting and feedback meetings, career planning and talent management, succession planning). Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR); processing of special categories of personal data in relation to healthcare, profession, and social security (Art. 9(2)(h) GDPR).

Application Procedures

The application procedure requires applicants to provide us with the data necessary for their assessment and selection. What information is required is set out in the job description or, in the case of online forms, from the information provided therein.

In general, the required details include personal information such as name, address, contact details, and evidence of the qualifications necessary for a position. Upon request, we are happy to additionally inform applicants of what information is needed.

Where available, applicants are welcome to submit their applications via our online form, which is encrypted in accordance with the latest state of the art. Alternatively, it is also possible to send applications to us by email. However, we would like to point out that emails are generally not transmitted in encrypted form over the internet. Although emails are generally encrypted during transmission, this does not apply to the servers from which they are sent and received. We are therefore unable to take responsibility for the security of the application during its transmission between the sender and our server.

For the purposes of applicant searches, submission of applications, and selection of applicants, we may use applicant management or recruitment software, platforms, and services from third-party providers in compliance with legal requirements.

Applicants are welcome to contact us regarding the method of submitting their application, or to send the application to us by post.

Processing of special categories of data: To the extent that special categories of personal data (Art. 9(1) GDPR, e.g. health data such as severely disabled status or ethnic origin) are requested or provided by applicants in the context of the application procedure, their processing takes place so that the controller or the data subject can exercise their rights arising from labor law and the law on social security and social protection and fulfill their obligations in this regard, in the case of protecting the vital interests of applicants or other persons, or for the purposes of preventive health care or occupational medicine, assessment of the employee's work capacity, medical diagnosis, care or treatment in the health or social sector, or the management of systems and services in the health or social sector.

Deletion of data: The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if an application for a vacancy is unsuccessful, the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Deletion takes place, subject to a legitimate revocation by applicants, no later than after the expiry of a period of six months, so that we can answer any follow-up questions regarding the application and fulfill our evidentiary obligations under the provisions on equal treatment of applicants. Invoices for any reimbursement of travel expenses are archived in accordance with tax law requirements.

Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is carried out on the basis of consent. Applicants are informed that their consent to inclusion in the talent pool is voluntary, has no influence on the ongoing application procedure, and that they may revoke their consent at any time with effect for the future.

Duration of data retention in the applicant pool in months: 3

Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts, as well as related information such as details of authorship or time of creation); applicant data (e.g. personal details, postal and contact addresses, the documents belonging to the application and the information contained therein, such as cover letter, curriculum vitae, certificates, and further information communicated by applicants regarding their person or qualifications, either in relation to a specific position or voluntarily).

Data subjects: Applicants.

Purposes of processing: Application procedures (establishment and any subsequent conduct as well as possible later termination of the employment relationship).

Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."

Legal bases: Application procedures as pre-contractual or contractual relationship (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR); contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Further information on processing operations, procedures, and services:

LinkedIn Recruiter: Job search and application-related services within the LinkedIn platform. Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.linkedin.com. Terms and conditions: https://legal.linkedin.com/dpa. Privacy policy: https://www.linkedin.com/legal/privacy-policy. Data processing agreement: https://legal.linkedin.com/dpa. Basis for third-country transfers: Data Privacy Framework (DPF).

JOIN: Services in connection with employee recruitment (searching for employees, communication, application procedures, contract negotiations). Service provider: JOIN Solutions GmbH, Schönhauser Allee 36, 10435 Berlin, Germany. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://join.com/de. Privacy policy: https://join.com/de/datenschutz.

Definitions

In this section you will find an overview of the terms used in this privacy policy. Where terms are defined by law, their statutory definitions apply. The following explanations are intended primarily to aid understanding.

A/B testing: A/B tests serve to improve the user-friendliness and performance of online offerings. Users are presented with, for example, different versions of a website or its elements, such as input forms, in which the placement of content or the labeling of navigation elements may differ. Based on users' behavior, such as spending more time on the website or interacting more frequently with the elements, it can then be determined which of these websites or elements better meet the needs of users.

Affiliate tracking: Within the scope of affiliate tracking, links by means of which linking websites refer users to websites with products or other offerings are logged. The operators of the respective linking websites may receive a commission if users follow these so-called affiliate links and subsequently take up the offerings (e.g. purchase goods or use services). For this purpose, it is necessary for providers to be able to track whether users who are interested in certain offerings subsequently take them up at the instigation of the affiliate links. For this reason, it is necessary for the functioning of affiliate links that they be supplemented with certain values that become part of the link or are stored in other ways, e.g. in a cookie. These values include in particular the originating website (referrer), the time, an online identifier of the operators of the website on which the affiliate link was located, an online identifier of the respective offering, an online identifier of the user, and tracking-specific values such as advertising material ID, partner ID, and categorizations.

Employees: Employees refers to persons in an employment relationship, whether as workers, staff, or in similar positions. An employment relationship is a legal relationship between an employer and an employee established by an employment contract or agreement. It includes the obligation of the employer to pay the employee remuneration, while the employee performs their work. The employment relationship encompasses various phases, including establishment, in which the employment contract is concluded, conduct, in which the employee carries out their work activities, and termination, when the employment relationship ends, whether by notice, termination agreement, or otherwise. Employee data includes all information relating to these persons and pertaining to the context of their employment. This encompasses aspects such as personal identification data, identification numbers, salary and banking data, working hours, vacation entitlements, health data, and performance appraisals.

Master data: Master data includes essential information necessary for the identification and management of contractual partners, user accounts, profiles, and similar assignments. Such data may include personal and demographic details such as names, contact information (addresses, telephone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Master data forms the basis for any formal interaction between persons and services, institutions, or systems by enabling unambiguous identification and communication.

Heatmaps: "Heatmaps" are mouse movements by users that are aggregated into an overall picture, which can be used, for example, to identify which website elements are preferentially accessed and which website elements users interact with less.

Content data: Content data encompasses information generated in the course of creating, editing, and publishing content of all kinds. This category of data may include texts, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the actual content itself but also includes metadata that provides information about the content, such as tags, descriptions, author information, and publication dates.

Click tracking: Click tracking makes it possible to monitor users' movements within an entire online offering. Since the results of these tests are more accurate when user interactions can be tracked over a certain period of time (e.g. to find out whether a user likes to return), cookies are generally stored on users' computers for these testing purposes.

Contact data: Contact data is essential information that enables communication with persons or organizations. It includes telephone numbers, postal addresses, and email addresses, as well as communication tools such as social media handles and instant messaging identifiers.

Conversion measurement: Conversion measurement (also referred to as "visit action evaluation") is a procedure for determining the effectiveness of marketing measures. For this purpose, a cookie is generally stored on users' devices within the websites on which the marketing measures take place, and then retrieved again on the target website. For example, in this way we can track whether advertisements placed by us on other websites were successful.

Performance and behavioral data: Performance and behavioral data relates to information about how individuals perform tasks or behave in a particular context, such as in an educational, professional, or social setting. This data may include metrics such as productivity, efficiency, quality of work, attendance, and compliance with policies or procedures. Behavioral data may encompass interactions with colleagues, communication styles, decision-making processes, and responses to various situations. These types of data are often used for performance appraisals, training and development measures, and decision-making within organizations.

Meta, communication, and procedural data: Meta, communication, and procedural data are categories that contain information about the manner in which data is processed, transmitted, and managed. Metadata, also known as data about data, includes information describing the context, origin, and structure of other data. It may contain details such as file size, creation date, the author of a document, and change histories. Communication data captures the exchange of information between users via various channels, such as email traffic, call logs, messages in social networks and chat histories, including the persons involved, timestamps, and transmission routes. Procedural data describes the processes and workflows within systems or organizations, including workflow documentation, logs of transactions and activities, and audit logs used to trace and verify processes.

Usage data: Usage data refers to information capturing how users interact with digital products, services, or platforms. This data encompasses a wide range of information showing how users use applications, which functions they prefer, how long they spend on certain pages, and via which paths they navigate through an application. Usage data may also include the frequency of use, timestamps of activities, IP addresses, device information, and location data. It is particularly valuable for the analysis of user behavior, the optimization of user experiences, the personalization of content, and the improvement of products or services. In addition, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.

Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Profiles with user-related information: The processing of "profiles with user-related information," or "profiles" for short, encompasses any form of automated processing of personal data consisting of the use of such personal data to evaluate, analyze, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include various information concerning demographics, behavior, and interests, such as interaction with websites and their content, etc.) (e.g. interests in certain content or products, click behavior on a website, or whereabouts). Cookies and web beacons are frequently used for profiling purposes.

Log data: Log data is information about events or activities that have been recorded in a system or network. Such data typically contains information such as timestamps, IP addresses, user actions, error messages, and other details about the use or operation of a system. Log data is often used for the analysis of system problems, security monitoring, or the generation of performance reports.

Reach measurement: Reach measurement (also referred to as web analytics) serves to evaluate visitor flows to an online offering and may include the behavior or interests of visitors in certain information, such as the content of web pages. Using reach analysis, operators of online offerings can for example identify at what times users visit their websites and what content they are interested in. This allows them to, for example, better tailor the content of their websites to the needs of their visitors. Pseudonymous cookies and web beacons are frequently used for reach analysis purposes in order to identify returning visitors and thus obtain more accurate analyses of the use of an online offering.

Remarketing: "Remarketing" or "retargeting" refers to the practice of, for example, noting for advertising purposes which products a user has shown interest in on a website, in order to remind the user of these products on other websites, e.g. in advertisements.

Location data: Location data is generated when a mobile device (or another device with the technical requirements for location determination) connects to a radio cell, a WLAN, or similar technical means and location determination functions. Location data serves to indicate the geographically determinable position on Earth at which the respective device is located. Location data can be used, for example, to display map functions or other location-dependent information.

Tracking: "Tracking" refers to the ability to trace users' behavior across multiple online offerings. As a general rule, behavioral and interest information relating to the online offerings used is stored in cookies or on the servers of the providers of the tracking technologies (so-called profiling). This information can subsequently be used, for example, to display advertisements to users that are expected to correspond to their interests.

Controller: A "controller" is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processing: "Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, whether collecting, evaluating, storing, transmitting, or deleting.

Contract data: Contract data is specific information relating to the formalization of an agreement between two or more parties. It documents the conditions under which services or products are provided, exchanged, or sold. This data category is essential for the management and fulfillment of contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include the start and end dates of the contract, the type of services or products agreed upon, pricing agreements, payment terms, termination rights, renewal options, and special conditions or clauses. It serves as the legal basis for the relationship between the parties and is crucial for the clarification of rights and obligations, the enforcement of claims, and the resolution of disputes.

Payment data: Payment data encompasses all information required for the processing of payment transactions between buyers and sellers. This data is of critical importance for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank account details, payment amounts, transaction data, verification numbers, and billing information. Payment data may also include information on payment status, chargebacks, authorizations, and fees.

Target group formation: "Target group formation" (in English also known as "custom audiences") refers to the determination of target groups for advertising purposes, such as the display of advertisements. For example, based on a user's interest in certain products or topics on the internet, it can be inferred that this user is interested in advertisements for similar products or the online shop in which they have viewed the products. "Lookalike audiences" (or similar audiences) refers to the display of content deemed appropriate to users whose profiles or interests are presumed to correspond to those of the users for whom the profiles were created. Cookies and web beacons are generally used for the purposes of forming custom audiences and lookalike audiences.

‍