Privacy statement

With the following privacy policy, we would like to explain to you what types of your personal data (hereinafter also referred to as “data” for short) we process for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”).

As of October 25, 2023

Sandra von Gneisenau Salon GmbH
Burgkmairstr.38
80686 Munich
germany
Authorized representatives:
Sandra Countess Neidhardt von Gneisenau

email address: datenschutz@sandravongneisenau.de
telephone: +49 (0) 89/998 2950 60
imprint: https://www.sandravongneisenau.de/impressum

The following overview summarizes the types of data processed and the purposes of their processing and refers to the persons concerned.

Inventory data (names, addresses, etc.).
Content data (text inputs, photographs, videos).
contact details (e-mail, telephone numbers).
Meta/communication data (device information, IP addresses).
usage data (websites visited, interest in content, access times).
Contract data (subject matter of contract, duration, customer category).
Payment details (bank details, invoices, payment history).

Employees (employees, applicants, former employees).
Business and contract partners.
interested parties.
communication partner.
customers.
users (website visitors, users of online services).
participants of sweepstakes and competitions.

Provision of our online offering and user-friendliness.
Visit action evaluation.
Office and organizational procedures.
Direct marketing (via email or post).
Conducting sweepstakes and contests.
Interest-based and behavioral marketing.
Contact requests and communication.
Conversion measurement (measurement of the effectiveness of marketing measures).
profiling (creating user profiles).
Remarketing.
Reach measurement (access statistics, recognition of returning visitors).
safety measures.
Tracking (interest/behavioral profiling, cookies).
Contractual benefits and service.
Managing and responding to inquiries.

In the following, we share the legal basis of the General Data Protection Regulation (GDPR), on the basis of which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection requirements may apply in your or our country of residence and place of residence.
‍
— Consent (Art. 6 (1) (a) GDPR) — The data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes.
— Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR) — Processing is necessary for the performance of a contract to which the data subject is a party or to carry out pre-contractual measures taken at the request of the data subject.
‍ — Legal obligation (Art. 6 (1) (c) GDPR) — Processing is necessary to fulfill a legal obligation to which the person responsible is subject.
— Legitimate interests (Art. 6 (1) (f) GDPR) — Processing is necessary to protect the legitimate interests of the controller or of a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail.
‍National data protection regulations in Germany: In addition to the data protection regulations of the General Data Protection Regulation, national data protection regulations apply in Germany. This includes in particular the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act — BDSG). In particular, the BDSG contains special rules on the right to information, the right to deletion, the right of objection, the processing of special categories of personal data, processing for other purposes and transmission and automated decision-making in individual cases, including profiling. It also regulates data processing for employment purposes (Section 26 BDSG), in particular with regard to the establishment, implementation or termination of employment relationships and the consent of employees. In addition, state data protection laws of the individual federal states may apply.

In accordance with legal requirements, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access, input, transfer, availability and separation of data. We have also set up procedures that ensure the exercise of data subject rights, deletion of data and response to data risks. In addition, we take the protection of personal data into account right from the development or selection of hardware, software and processes, in accordance with the principle of data protection through technology design and through privacy-friendly default settings.

TLS/SSL encryption (https): To protect your data transmitted via our online offering, we use SSL encryption. You can recognize such encrypted connections by the prefix https://in the address bar of your browser.

As part of our processing of personal data, the data may be transferred to other bodies, companies, legally independent organizational units or persons or disclosed to them. Recipients of this data may include, for example, payment institutions as part of payment transactions, service providers tasked with IT tasks, or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.

“Cookies” are small files that are stored on users' devices. Various information can be stored within cookies. The information may include, for example, the language settings on a website, the login status, a shopping cart or the location where a video was watched.

Cookies are usually also used when a user's interests or behavior (e.g. viewing certain content, using functions, etc.) are stored in a user profile via individual websites. These profiles are used, for example, to show users ads that match their potential interests. This process is also known as “tracking”, i.e. tracking the potential interests of users. The term cookies also includes other technologies that perform the same functions as cookies (e.g. when user information is stored using pseudonymous online identifiers, also known as “user IDs”).

If we use cookies or “tracking” technologies, we will inform you about this in our privacy policy.

‍Information on legal bases: The legal basis on which we process your personal data using cookies depends on whether we ask you for consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is consent. Otherwise, the data processed using cookies will be processed on the basis of our legitimate interests (e.g., in operating our online offering and improving it) or if the use of cookies is necessary to fulfill our contractual obligations.

‍Withdrawal and objection (opt-out): Regardless of whether the processing is based on consent or legal permission, you have the option at any time to withdraw your consent or to object to the processing of your data using cookie technologies (collectively referred to as “opt-out”).

You can first declare your objection using your browser settings, e.g. by deactivating the use of cookies (which may also restrict the functionality of our online offering).

An objection to the use of cookies for online marketing purposes can be declared for a variety of services, especially in the case of tracking, via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/ or generally on http://optout.aboutads.info.

Further information on objection options can also be found in the information on the respective processing in this privacy policy.

— Types of data processed: Usage data (websites visited, interest in content, access times), meta/communication data (device information, IP addresses).
‍ — Affected persons: users (website visitors, users of online services).
‍ — Legal bases: Consent (Art. 6 para. 1 p. 1 lit. a DSGVO), legitimate interests (Art. 6 para. 1 p. f. GDPR).

We process data from our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contractual partners”) within the framework of contractual and comparable legal relationships as well as related measures and communication with the contractual partners (or pre-contractual), e.g. to answer inquiries.

We process this data to fulfill our contractual obligations, to secure our rights and for the purposes of administrative tasks associated with this information and corporate organization. Within the framework of applicable law, we only pass on the data of the contractual partners to third parties insofar as this is necessary for the aforementioned purposes or to fulfill legal obligations or is carried out with the consent of the contractual partners (e.g. to participating telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Contractual partners will be informed about further processing, e.g. for marketing purposes, as part of this privacy policy.

We will inform the contractual partners which data is required for the above purposes before or as part of data collection, e.g. in online forms by means of special identification (e.g. colors) or symbols (e.g. asterisks, etc.), or personally.

We delete the data after expiry of legal warranty and comparable obligations, i.e. generally after 4 years, unless the data is stored in a customer account, e.g. as long as it must be retained for archiving legal reasons (e.g., usually 10 years for tax purposes). In the case of data that has been disclosed to us as part of an order by the contractual partner, we delete the data in accordance with the requirements of the order, generally after the end of the order.

Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply in the relationship between users and providers.

‍Craftsmanship services: We process the data of our customers and clients (hereinafter uniformly referred to as “customers”) to enable them to select, purchase or commission the selected services or works as well as related activities, as well as their payment and delivery, or execution or provision.

The required information is marked as such in the context of the conclusion of an order, order or comparable contract and includes the information required for delivery and billing as well as contact information in order to be able to hold any consultations.

— Types of data processed: Inventory data (names, addresses, etc.), payment data (bank details, invoices, payment history), contact data (e-mail, telephone numbers), contract data (subject of contract, duration, customer category).
— Affected persons: interested parties, business and contract partners.
‍— Purposes of processing: Contractual services and service, contact requests and communication, office and organizational procedures, administration and response to inquiries.
— Legal bases: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f)).

As part of contractual and other legal relationships, due to legal obligations or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and use other payment service providers in addition to banks and credit institutions (collectively “payment service providers”).
The data processed by payment service providers includes inventory data, such as name and address, bank details, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract, sum and recipient-related information. The information is required to carry out the transactions. However, the data entered is only processed by payment service providers and stored by them. This means that we do not receive any account or credit card information, but only information with confirmation or negative information of the payment. Payment service providers may transfer the data to credit agencies. The purpose of this transfer is to verify identity and credit. In this regard, we refer to the terms and conditions and privacy policies of the payment service providers.

Payment transactions are subject to the terms and conditions and data protection notices of the respective payment service providers, which are available within the respective websites or transaction applications. We also refer to these for further information and to assert revocation, information and other data subject rights.

— Types of data processed: Inventory data (names, addresses, etc.), payment data (bank details, invoices, payment history), contract data (subject of contract, duration, customer category), usage data (websites visited, interest in content, access times), meta/communication data (device information, IP addresses).
— Affected persons: customers, prospects.
— Purposes of processing: Contractual benefits and service.
— Legal bases: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR), legitimate interests (Art. 6 (1) (1) (f) GDPR).

‍Services and service providers used:
‍
- VR Payment: Payment services; service provider: VR Payment GmbH, Saonestrasse 3a, 60528 Frankfurt am Main; privacy policy: https://www.vr-payment.de/datenschutz-haftung
— Mastercard: Payment services; service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; website: https://www.mastercard.de/de-de.html; privacy policy: https://www.mastercard.de/de-de/datenschutz.html.
— PayPal: Payment services; service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; website: https://www.paypal.com/de; privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
— Visas: Payment services; service provider: Visa Europe Services Inc., London branch, 1 Sheldon Square, London W2 6TT, UK; website: https://www.visa.de; privacy policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html.

When contacting us (e.g. via contact form, e-mail, telephone or via social media), the information provided by the inquiring persons is processed insofar as this is necessary to answer the contact requests and any measures requested.

Contact requests within the framework of contractual or pre-contractual relationships are answered in order to fulfill our contractual obligations or answer (pre) contractual inquiries and otherwise on the basis of the legitimate interests in answering the inquiries.

— Types of data processed: Inventory data (names, addresses, etc.), contact data (e-mail, telephone numbers), content data (text entries, photographs, videos).
— Affected persons: communication partner.
— Purposes of processing: Contact requests and communication.
‍— Legal bases: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR), legitimate interests (Art. 6 (1) (1) (f) GDPR).

We use messenger services for communication purposes and therefore ask you to follow the following information on the functionality of the messengers, encryption, use of communication metadata and your options for objection.

You can also contact us by alternative means, e.g. via telephone or e-mail. Please use the contact options provided to you or use the contact options provided within our online offer.

If content (i.e. the content of your message and attachments) is encrypted end-to-end, we would like to point out that the content of the communication (i.e. the content of the message and attached images) is encrypted end-to-end. This means that the content of the messages is not visible, not even by the messenger providers themselves. You should always use a current version of the messengers with activated encryption to ensure that the message content is encrypted.

However, we also point out to our communication partners that although the messenger providers do not see the content, they can find out that and when communication partners communicate with us and process technical information about the device used by the communication partners and, depending on the settings of their device, also location information (so-called metadata).

‍Information on legal bases: If we ask communication partners for permission before communicating with them via messenger, the legal basis for our processing of their data is their consent. In addition, unless we ask for consent and, for example, you contact us on your own initiative, we use Messenger in relation to our contractual partners and as part of contract initiation as a contractual measure and, in the case of other interested parties and communication partners, on the basis of our legitimate interests in communicating quickly and efficiently and meeting the needs of our communication partner in communication via messengers. We would also like to point out that we will not transfer the contact details provided to us to messengers for the first time without your consent.

‍Withdrawal, objection and deletion: You can withdraw your consent at any time or object to communication with us via Messenger at any time. In the case of communication via messenger, we delete the messages in accordance with our general deletion policy (i.e. as described above after the end of contractual relationships, archiving requirements, etc.) and otherwise as soon as we can assume that we have answered any information from the communication partners, if no reference to a previous conversation is to be expected and the deletion does not conflict with legal storage obligations.

‍Reservation of referrals to other means of communication: Finally, we would like to point out that for reasons of your security, we reserve the right not to answer inquiries via Messenger. This is the case when, for example, internal contracts require special secrecy or an answer via the messenger does not meet the formal requirements. In such cases, we will refer you to more appropriate communication channels.

— Types of data processed: Contact data (e-mail, telephone numbers), usage data (websites visited, interest in content, access times), meta/communication data (device information, IP addresses), content data (text inputs, photographs, videos).
— Affected persons: communication partner.
— Purposes of processing: Contact requests and communication, direct marketing (by email or post).
— Legal bases: Consent (Art. 6 para. 1 p. 1 lit. a DSGVO), legitimate interests (Art. 6 para. 1 p. f. GDPR).

‍Services and service providers used:

— Facebook Messenger: Facebook messenger with end-to-end encryption (Facebook Messenger end-to-end encryption requires activation unless activated by default); service provider: https://www.facebook.com, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; website: https://www.facebook.com; privacy policy: https://www.facebook.com/about/privacy; Privacy Shield (guarantee level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active; option to object (opt-out): https://www.facebook.com/settings?tab=ads.

— WhatsApp: WhatsApp messenger with end-to-end encryption; service provider: WhatsApp Inc. WhatsApp Legal 1601 Willow Road Menlo Park, California 94025, USA; Website: https://www.whatsapp.com/; Privacy Shield (ensuring data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000TSnwAAG&status=Active. https://www.whatsapp.com/legal

The surveys and surveys carried out by us (hereinafter “surveys”) are evaluated anonymously. Personal data will only be processed to the extent necessary to provide and technically carry out the survey (e.g. processing of the IP address to display the survey in the user's browser or to enable the survey to be resumed using a temporary cookie (session cookie)) or users have given their consent.

‍Information on legal bases: If we ask participants for consent to process their data, this is the legal basis for processing, otherwise the participants' data is processed on the basis of our legitimate interests in carrying out an objective survey.

— Types of data processed: Contact data (e-mail, telephone numbers), content data (text entries, photographs, videos), usage data (websites visited, interest in content, access times), meta/communication data (device information, IP addresses).
— Affected persons: communication partner.
— Purposes of processing: Contact requests and communication, direct marketing (by email or post).
— Legal bases: Consent (Art. 6 para. 1 p. 1 lit. a DSGVO), legitimate interests (Art. 6 para. 1 p. f. GDPR).

In order to be able to provide our online offer securely and efficiently, we use the services of one or more web hosting providers, from whose servers (or servers managed by them) the online offer can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage and database services, as well as security services and technical maintenance services.

The data processed as part of providing the hosting service may include all information relating to users of our online offer that is generated in the course of use and communication. This regularly includes the IP address, which is necessary to be able to deliver the content of online offers to browsers, and all entries made within our online offering or from websites.

‍Email delivery and hosting: The web hosting services we use also include sending, receiving and storing emails. For these purposes, the addresses of recipients and senders, as well as other information regarding email delivery (e.g. the providers involved) and the content of the respective emails are processed. The above data may also be processed for the purpose of detecting SPAM. Please note that e-mails on the Internet are generally not sent in encrypted form. As a rule, emails are encrypted during transport, but (unless a so-called end-to-end encryption method is used) not on the servers from which they are sent and received. We can therefore assume no responsibility for the transmission path of emails between the sender and receipt on our server.

‍Collection of access data and log files: We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files). The server log files may include the address and name of the retrieved websites and files, date and time of retrieval, amount of data transferred, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.

The server log files can be used, on the one hand, for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and, on the other hand, to ensure the utilization of the servers and optimize their stability.

— Types of data processed: Content data (text inputs, photographs, videos), usage data (websites visited, interest in content, access times), meta/communication data (device information, IP addresses).
— Affected persons: users (website visitors, users of online services).
— Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

We use software services (so-called “cloud services”, also known as “software as a service”) accessible via the Internet and executed on their providers' servers for the following purposes: document storage and administration, calendar management, email delivery, spreadsheets and presentations, exchange of documents, content and information with specific recipients or publication of websites, forms or other content and information, and chats and participation in audio and video conferences.

Within this framework, personal data may be processed and stored on the providers' servers, insofar as this is part of communication processes with us or is otherwise processed by us as set out in this privacy policy. This data may include, in particular, master data and contact details of users, data on processes, contracts, other processes and their content. Cloud service providers also process usage data and metadata, which are used by them for security purposes and service optimization.

If we use cloud services to provide other users or publicly accessible websites, forms, etc. documents and content, the providers can store cookies on users' devices for web analysis purposes or to remember user settings (e.g. in the case of media control).

‍Information on legal bases: If we ask for consent to use cloud services, the legal basis for processing data for online marketing purposes is consent. Furthermore, their use may be part of our (pre) contractual services, provided that the use of cloud services has been agreed within this framework. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient and secure administrative and collaboration processes.)

— Types of data processed: Inventory data (names, addresses, etc.), contact data (e-mail, telephone numbers), content data (text inputs, photographs, videos), usage data (websites visited, interest in content, access times), meta/communication data (device information, IP addresses).
— Affected persons: Customers, employees (employees, applicants, former employees), interested parties, communication partners.
— Purposes of processing: Office and organizational procedures.

‍Services and service providers used:

— Microsoft OneDrive: cloud storage services (e.g. Office 365); service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; website: http://microsoft.com/de-de; privacy policy: https://privacy.microsoft.com/de-de/privacystatement, security information: https://www.microsoft.com/de-de/trustcenter; Privacy Shield (ensuring data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000KzNaAAK&status=Active.

We only send newsletters, emails and other electronic notifications (hereinafter “newsletters”) with the consent of the recipients or legal permission. If the content of the newsletter is specifically described as part of a subscription to the newsletter, they are decisive for the consent of the users. In addition, our newsletters contain information about our services and us.

In order to subscribe to our newsletters, it is generally sufficient to provide your email address. However, we may ask you to provide a name in order to personally address you in the newsletter or further information if this is necessary for the purposes of the newsletter.

‍Double opt-in process: Registration for our newsletter is generally carried out in a so-called double opt-in procedure. This means that after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary so that no one can register with foreign email addresses. Subscriptions to the newsletter are logged in order to be able to prove the registration process in accordance with legal requirements. This includes saving the time of registration and confirmation, as well as the IP address. Changes to your data stored with the shipping service provider are also logged.

‍Deletion and restriction of processing: We can store the unsubscribed email addresses for up to three years on the basis of our legitimate interests before we delete them in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the event of obligations to permanently comply with objections, we reserve the right to store the email address in a blacklist (so-called “blacklist”) for this purpose alone.

The registration process is logged on the basis of our legitimate interests for the purpose of proving that it has been completed correctly. Insofar as we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure delivery system.

‍Information on legal bases: The newsletter is sent on the basis of the consent of the recipients or, if consent is not required, on the basis of our legitimate interests in direct marketing, if and insofar as this is permitted by law, e.g. in the case of advertising to existing customers. Insofar as we engage a service provider to send emails, this is done on the basis of our legitimate interests. The registration process is recorded based on our legitimate interests to prove that it was carried out in accordance with the law.

‍contents:
Information about us, our services, promotions and offers.

— Types of data processed: Inventory data (names, addresses, etc.), contact data (e-mail, telephone numbers), meta/communication data (device information, IP addresses).
— Affected persons: communication partner.
— Purposes of processing: Direct marketing (via email or post).
— Legal bases: Consent (Art. 6 para. 1 p. 1 lit. a DSGVO), legitimate interests (Art. 6 para. 1 p. f. GDPR).

‍Objection option (opt-out): You can cancel the receipt of our newsletter at any time, i.e. withdraw your consent or object to further receipt. You will either find a link to cancel the newsletter at the end of each newsletter or you can otherwise use one of the contact options listed above, preferably e-mail.

We process personal data of participants in sweepstakes and competitions only in compliance with the relevant data protection regulations insofar as processing is contractually necessary to provide, carry out and process the competition, the participants have consented to the processing or the processing serves our legitimate interests (e.g., in the security of the competition or the protection of our interests from misuse through possible collection of IP addresses when submitting sweepstakes entries). As part of the competitions, participants' contributions are published (e.g. as part of a vote or presentation of the competition entries, or the winner or reporting on the competition), we would like to point out that the names of the participants may also be published in this context. Participants can object to this at any time

If the competition takes place within an online platform or a social network (e.g. Facebook or Instagram, hereinafter referred to as “online platform”), the usage and data protection regulations of the respective platforms also apply. In these cases, we would like to point out that we are responsible for the information provided by participants as part of the competition and that inquiries regarding the competition must be addressed to us.

The participants' data will be deleted as soon as the competition or competition has ended and the data is no longer required to inform the winners or because questions about the competition are likely to be answered. In principle, the participants' data will be deleted no later than 6 months after the end of the competition. Winners' data can be kept longer, e.g. to answer questions about the prizes or to fulfill the prize payments; in this case, the storage period depends on the type of prize and is up to three years, e.g. for goods or services, in order to be able to process warranty cases. In addition, the participants' data can be stored for longer, e.g. in the form of reporting on the competition in online and offline media.

If data was also collected for other purposes as part of the competition, its processing and storage period are governed by the data protection information on this use (e.g. in the case of registration for the newsletter as part of a competition).

— Types of data processed: Inventory data (names, addresses, etc.), content data (text entries, photographs, videos).
— Affected persons: participants of sweepstakes and competitions.
— Purposes of processing: Conducting sweepstakes and contests.
— Legal bases: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR).

Web analysis (also known as “reach measurement”) is used to evaluate the flow of visitors to our online offering and may include their behavior, interests or demographic information, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, identify at what time our online offering or its functions or content are most frequently used or invite them to be reused, as well as which areas require optimization.

In addition to web analysis, we can also use test methods, for example to test and optimize different versions of our online offering or its components.

For these purposes, so-called user profiles can be created and stored in a file (so-called “cookie”) or similar procedures in which the user information relevant to the aforementioned analyses is stored. This information may include, for example, content viewed, websites visited and elements used there, and technical information, such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, this can also be processed, depending on the provider.

The IP addresses of users are also stored. However, we use an existing IP masking process (i.e. pseudonymization by shortening the IP address) to protect users. In general, as part of web analysis, A/B testing and optimization, no clear user data (such as email addresses or names) is stored, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective processes.

‍Information on legal bases: If we ask users for their consent (e.g. as part of a so-called “cookie banner consent”), the legal basis for processing data for online marketing purposes is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offering. In this regard, we refer to the information on the use of cookies in this privacy policy.

— Affected persons: users (website visitors, users of online services).
— Purposes of processing: Reach measurement (access statistics, recognition of returning visitors), tracking (interest/behavior-related profiling, cookies), visit action evaluation, profiling (creating user profiles).
— Safety measures: IP masking (pseudonymization of the IP address).
— Legal bases: Consent (Art. 6 para. 1 p. 1 lit. a DSGVO), legitimate interests (Art. 6 para. 1 p. f. GDPR).

We process personal data for online marketing purposes, which includes in particular the presentation of advertising and other content (collectively referred to as “content”) based on the potential interests of users and measurement of their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (so-called “cookie”) or similar procedures in which the user information relevant to the presentation of the aforementioned content is stored. This information may include, for example, content viewed, websites visited, online networks used, but also communication partners and technical information, such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, this can also be processed.

The IP addresses of users are also stored. However, we use existing IP masking methods (i.e. pseudonymization by shortening the IP address) to protect users. In general, as part of the online marketing process, no clear user data (such as email addresses or names) is stored, but pseudonyms. This means that we, as well as the providers of online marketing processes, do not know the actual identity of the users, but only the information stored in their profiles.

The information in the profiles is usually stored in cookies or similar processes. These cookies can later, generally also on other websites that use the same online marketing process, be read out and analyzed for the purpose of presenting content, as well as stored with further data and stored on the server of the online marketing process provider.

As an exception, plain data can be assigned to the profiles. This is the case if the users are, for example, members of a social network whose online marketing process we use and the network connects the users' profiles using the above information. Please note that users can make additional agreements with providers, e.g. through consent as part of registration.

In principle, we only have access to summarized information about the success of our advertisements. However, as part of so-called conversion measurement, we can check which of our online marketing processes have led to a so-called conversion, i.e. to the conclusion of a contract with us, for example. Conversion measurement is used solely to analyse the success of our marketing measures.

‍Information on legal bases: If we ask users for their consent (e.g. as part of a so-called “cookie banner consent”), the legal basis for processing data for online marketing purposes is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offering. In this regard, we refer to the information on the use of cookies in this privacy policy.

‍Types of data processed: Usage data (websites visited, interest in content, access times), meta/communication data (device information, IP addresses).

— Affected persons: users (website visitors, users of online services), interested parties.
— Purposes of processing: Tracking (interest/behavioral profiling, cookies), remarketing, visit action evaluation, interest-based and behavioral marketing, profiling (creating user profiles), conversion measurement (measuring the effectiveness of marketing measures), reach measurement (access statistics, recognition of returning visitors).
— Safety measures: IP masking (pseudonymization of the IP address).
— Legal bases: Consent (Art. 6 para. 1 p. 1 lit. a DSGVO), legitimate interests (Art. 6 para. 1 p. f. GDPR).
— Opt-out option: We refer to the data protection policies of the respective providers and the objection options provided to the providers (so-called\” opt-out\”). If no explicit opt-out option has been specified, it is possible, on the one hand, to switch off cookies in your browser settings. However, this may restrict the functions of our online offering. We therefore recommend the following additional opt-out options, which are offered in summary for the respective areas: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-territorial: http://optout.aboutads.info.

‍Services and service providers used:

— Google Analytics: Google Analytics; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://marketingplatform.google.com/intl/de/about/analytics/; privacy policy: https://policies.google.com/privacy; Privacy Shield (ensuring data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; opt-out option: opt-out plugin: http://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying advertisements: https://adssettings.google.com/authenticated.

We maintain online presences within social networks in order to communicate with users active there or to offer information about us there.

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights. With regard to US providers who are certified under the Privacy Shield or offer comparable guarantees of a secure level of data protection, we would like to point out that they are committed to complying with EU data protection standards.

Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, user profiles can be created from user behavior and the resulting interests of users. The user profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably match the interests of users. For these purposes, cookies are usually stored on users' computers, in which user behavior and interests are stored. In addition, data can also be stored in the user profiles regardless of the devices used by the users (in particular if the users are members of the respective platforms and are logged in to them). For a detailed description of the respective processing and the options for objection (opt-out), we refer to the respective data protection declarations and information provided by the operators of the respective networks.

Even in the case of requests for information and the assertion of data subject rights, we would like to point out that these can be asserted most effectively with the providers. Only the providers have access to user data and can directly take appropriate measures and provide information. Should you still need help, you can contact us.

— Types of data processed: Inventory data (names, addresses, etc.), contact data (e-mail, telephone numbers), content data (text inputs, photographs, videos), usage data (websites visited, interest in content, access times), meta/communication data (device information, IP addresses).
— Affected persons: users (website visitors, users of online services).
— Purposes of processing: Contact requests and communication, tracking (interest/behavioral profiling, cookies), remarketing, reach measurement (access statistics, recognition of returning visitors).
— Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

‍Services and service providers used:
‍
— Instagram: Service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; website: https://www.instagram.com; privacy policy: http://instagram.com/about/legal/privacy.
— Facebook: Service provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; website: https://www.facebook.com; privacy policy: https://www.facebook.com/about/privacy; Privacy Shield (ensuring data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active; opt-out option: ad settings: https://www.facebook.com/settings?tab=ads; Additional information on Data protection: Agreement on joint processing of personal data on Facebook pages: https://www.facebook.com/legal/terms/page_controller_addendum, privacy policy for Facebook pages: https://www.facebook.com/legal/terms/information_about_page_insights_data.
— YouTube: Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; privacy policy: https://policies.google.com/privacy; Privacy Shield (ensuring data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; opt-out option: https://adssettings.google.com/authenticated.
- Pinterest: Service provider: Pinterest Europe Ltd.Palmerston House, 2nd FloorFenian StreetDublin 2, Ireland; privacy statement: https://www.pinterest.de/settings/privacy/

We use services, platforms and software from other providers (hereinafter referred to as “third-party providers”) for the purposes of organizing, managing, planning and providing our services. When selecting third-party providers and their services, we comply with legal requirements.

Within this framework, personal data may be processed and stored on the servers of third-party providers. This may include various data that we process in accordance with this privacy policy. This data may include in particular master data and contact details of users, data on processes, contracts, other processes and their content.

If users are referred to the third-party providers or their software or platforms as part of communication, business or other relationships with us, the third-party providers may process usage data and metadata, which are processed by them for security purposes, service optimization or marketing purposes. We therefore ask you to comply with the privacy policies of the respective third-party providers.

‍Information on legal bases: If we ask users for their consent to use third-party providers, the legal basis for processing data for online marketing purposes is consent. Furthermore, their use may be part of our (pre) contractual services, provided that the use of third-party providers has been agreed within this framework. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economic and recipient-friendly services.)

— Types of data processed: Inventory data (names, addresses, etc.), contact data (e-mail, telephone numbers), content data (text inputs, photographs, videos), usage data (websites visited, interest in content, access times), meta/communication data (device information, IP addresses).
— Affected persons: Communication partners, users (website visitors, users of online services).
— Legal bases: Consent (Article 6 (1) (1) (a) GDPR), contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legitimate interests (Article 6 (1) (f)).

The data processed by us will be deleted in accordance with legal requirements as soon as their consent permitted for processing is withdrawn or other permits no longer apply (e.g. if the purpose of processing this data has ceased to apply or they are not necessary for the purpose).

Unless the data is deleted because it is necessary for other and legally permitted purposes, its processing will be limited to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.

Further information on the deletion of personal data can also be provided as part of the individual data protection notices in this privacy policy.

We ask you to regularly check the content of our privacy policy. We will adjust the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

— Right of objection: For reasons arising from your particular situation, you have the right to object at any time to the processing of personal data concerning you, which is carried out on the basis of Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is associated with such direct marketing.
— Right of withdrawal in case of consent: You have the right to withdraw your consent at any time.
— Right to information: You have the right to request confirmation as to whether the relevant data is being processed and for information about this data as well as further information and a copy of the data in accordance with legal requirements.
— Right to rectification: In accordance with legal requirements, you have the right to request the completion of the data concerning you or the correction of incorrect data concerning you.
— Right to delete and restrict processing: In accordance with legal requirements, you have the right to request that the relevant data be deleted immediately or, alternatively, to request that the processing of the data be restricted in accordance with legal requirements.
— Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, common and machine-readable format in accordance with legal requirements or to request that it be transmitted to another person responsible. — Complaint to supervisory authority: In accordance with legal requirements, you also have the right to lodge a complaint with the competent supervisory authority.

This section provides an overview of the terms used in this privacy statement. Many of the terms are taken from law and are defined primarily in Article 4 GDPR. The legal definitions are binding. The following explanations, on the other hand, are primarily intended for understanding. The terms are sorted alphabetically.

— Visit action evaluation: “Conversion Tracking” means a process with which the effectiveness of marketing measures can be determined. For this purpose, a cookie is usually stored on the users' devices within the websites on which the marketing measures are carried out and then retrieved again on the target website (e.g. this allows us to understand whether the ads we placed on other websites were successful)
— IP masking: “IP masking” is a method in which the last octet, i.e. the last two numbers of an IP address, is deleted so that the IP address can no longer be used to uniquely identify a person. IP masking is therefore a means of pseudonymizing processing methods, particularly in online marketing.
— Interest-based and behavior-based marketing: Interest-based and/or behavior-based marketing is when potential user interest in ads and other content is predetermined as precisely as possible. This is done on the basis of information about their previous behavior (e.g. visiting and visiting certain websites, buying behavior or interaction with other users), which is stored in a so-called profile. Cookies are usually used for these purposes.
— Conversion measurement: Conversion measurement is a method that can be used to determine the effectiveness of marketing measures. For this purpose, a cookie is usually stored on the users' devices within the websites on which the marketing measures are carried out and then retrieved again on the target website (e.g. this allows us to understand whether the ads we placed on other websites were successful).
— Profiling: “Profiling” is any type of automated processing of personal data that consists of using this personal data to analyze, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this includes information regarding age, gender, location data and movement data, interaction with websites and their content, shopping behavior, social interactions with other people) (e.g. interests in specific content or products, click behavior on a website or location). Cookies and web beacons are often used for profiling purposes.
— Range measurement: Reach measurement (also known as web analytics) is used to evaluate the flow of visitors to an online offer and can include visitors' behavior or interests in certain information, such as the content of websites. With the help of reach analysis, website owners can, for example, recognize at what time visitors visit their website and what content they are interested in. This allows them, for example, to better optimize the content of the website to the needs of their visitors. Pseudonymous cookies and web beacons are often used for audience analysis purposes to recognize returning visitors and thus obtain more detailed analyses of the use of an online offer.
— Remarketing: We speak of “remarketing” or “retargeting” when, for example, for advertising purposes, it is noted which products a user was interested in on a website in order to remind the user of these products on other websites, e.g. in advertisements.
— Tracking: We speak of “tracking” when the behavior of users can be traced across several online offerings. As a rule, behavioral and interest information with regard to the online offers used is stored in cookies or on servers of the tracking technology providers (so-called profiling). This information can then be used, for example, to show users advertisements that presumably match their interests.
— Processing: “Processing” means any process carried out with or without the aid of automated procedures or any such series of processes in connection with personal data. The term is broad and covers virtually any handling of data, whether collecting, evaluating, storing, transmitting or deleting.

‍Created with Datenschutz-generator.de by Dr. jur. Thomas Schwenke