Privacy Policy

Preamble

With this Privacy Policy, we would like to inform you about which types of your personal data (hereinafter also referred to simply as "data") we process, for which purposes, and to what extent. This Privacy Policy applies to all processing of personal data carried out by us, both in connection with the provision of our services and, in particular, on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as our "online offering").

The terms used are gender-neutral.

Last updated: 18 June 2026


Table of Contents

• Preamble
• Controller
• Overview of Processing Activities
• Relevant Legal Bases
• Security Measures
• Disclosure and Transfer of Personal Data
• International Data Transfers
• General Information on Data Storage and Deletion
• Rights of Data Subjects
• Business Services
• Business Processes and Procedures
• Providers and Services Used in the Course of Business Activities
• Provision of the Online Offering and Web Hosting
• Use of Cookies
• Contact and Enquiry Management
• Artificial Intelligence (AI)
• Video Conferences, Online Meetings, Webinars and Screen Sharing
• Cloud Services
• Newsletters and Electronic Notifications
• Web Analytics, Monitoring and Optimisation
• Presences on Social Networks (Social Media)
• Plug-ins, Embedded Functions and Content



Controller

Chantal van der Bol
Leopoldstraße 160
80804 München
Germany
Email address: hello@branddeliveryoffice.com

Overview of Processing Activities

The following overview summarises the types of data processed and the purposes of processing, and refers to the data subjects concerned.

Types of data processed

• Master data.
• Payment data.
• Location data.
• Contact data.
• Content data.
• Contract data.
• Usage data.
• Meta, communication and process data.
• Applicant data.
• Image and/or video recordings.
• Audio recordings.
• Event data (Facebook).
• Log data.

Categories of data subjects

• Service recipients and clients.
• Employees.
• Prospects.
• Communication partners.
• Users.
• Applicants.
• Business and contractual partners.
• Depicted persons.
• Third parties.
• Customers.

Purposes of processing

• Provision of contractual services and fulfilment of contractual obligations.
• Communication.
• Security measures.
• Direct marketing.
• Reach measurement.
• Tracking.
• Office and organisational procedures.
• Remarketing.
• Conversion measurement.
• Audience building.
• Organisational and administrative procedures.
• Application procedures.
• Feedback.
• Surveys and questionnaires.
• Marketing.
• Profiles containing user-related information.
• Provision of our online offering and user-friendliness.
• Establishment and performance of employment relationships.
• Information technology infrastructure.
• Financial and payment management.
• Public relations.
• Sales promotion.
• Business processes and commercial procedures.
• Artificial intelligence (AI).

Relevant Legal Bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection requirements may apply in your or our country of residence or registered office. If more specific legal bases apply in individual cases, we will inform you of these in this Privacy Policy.

• Consent (Art. 6(1) sentence 1 lit. a GDPR) - The data subject has given consent to the processing of personal data relating to him or her for one or more specific purposes.
• Performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR) - Processing is necessary for the performance of a contract to which the data subject is party, or in order to take pre-contractual steps at the request of the data subject.
• Legal obligation (Art. 6(1) sentence 1 lit. c GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the interests, fundamental rights and freedoms of the data subject which require the protection of personal data do not override those interests.

National data protection regulations in Germany: In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG), the Act on the Protection against Misuse of Personal Data in Data Processing. The BDSG contains specific provisions, in particular on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, data transfers and automated decision-making in individual cases, including profiling. Data protection laws of the individual German federal states may also apply.

Notice on the application of the GDPR and the Swiss FADP: These privacy notices are intended to provide information both under the Swiss Federal Act on Data Protection (FADP) and under the General Data Protection Regulation (GDPR). For this reason, please note that the terms used in the GDPR are used because of their broader territorial application and for ease of understanding. In particular, instead of the terms used in the Swiss FADP, such as "processing" of "personal data", "overriding interest" and "sensitive personal data", the GDPR terms "processing" of "personal data", "legitimate interest" and "special categories of data" are used. However, where the Swiss FADP applies, the legal meaning of these terms remains determined by the Swiss FADP.

Security Measures

In accordance with the statutory requirements, and taking into account the state of the art, implementation costs and the nature, scope, context and purposes of processing, as well as the different likelihoods and severity of the risks to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, safeguarding of availability and separation of the data. We have also established procedures that ensure the exercise of data subject rights, the deletion of data and responses to threats to the data. In addition, we take the protection of personal data into account when developing or selecting hardware, software and procedures, in line with the principle of data protection by design and by default.

Securing online connections using TLS/SSL encryption technology (HTTPS): To protect users' data transmitted via our online services against unauthorised access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorised access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. If a website is secured by an SSL/TLS certificate, this is indicated by HTTPS in the URL. This serves as an indication to users that their data is transmitted securely and in encrypted form.

Disclosure and Transfer of Personal Data

As part of our processing of personal data, it may happen that this data is transferred to, or disclosed to, other bodies, companies, legally independent organisational units or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the statutory requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

Data transfer within the organisation: We may transfer personal data to other departments or units within our organisation or grant them access to such data. If the data is shared for administrative purposes, this is based on our legitimate corporate and business interests, or takes place where necessary for the fulfilment of our contractual obligations, or where the data subjects have given consent or a legal permission exists.

International Data Transfers

Data processing in third countries: If we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or disclosing or transferring data to other persons, bodies or companies (which can be identified from the postal address of the respective provider or where this Privacy Policy expressly refers to data transfers to third countries), this is always done in accordance with the statutory requirements.

For data transfers to the USA, we rely primarily on the Data Privacy Framework (DPF), which was recognised as a secure legal framework by an adequacy decision of the European Commission dated 10 July 2023. In addition, we have concluded standard contractual clauses with the respective providers that comply with the requirements of the European Commission and establish contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: the DPF forms the primary level of protection, while the standard contractual clauses serve as an additional safeguard. If changes occur within the DPF framework, the standard contractual clauses will apply as a reliable fallback option. This ensures that your data remains appropriately protected at all times, even in the event of political or legal changes.

For the individual service providers, we inform you whether they are certified under the DPF and whether standard contractual clauses are in place. Further information on the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, corresponding safeguards apply, in particular standard contractual clauses, explicit consent or transfers required by law. Information on transfers to third countries and applicable adequacy decisions is available from the information provided by the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with the statutory provisions as soon as the underlying consents are withdrawn or no further legal bases for processing exist. This applies in cases where the original processing purpose no longer applies or the data is no longer required. Exceptions to this rule exist where legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal prosecution or for the protection of the rights of other natural or legal persons, must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that applies specifically to certain processing operations.

Where several retention periods or deletion deadlines are stated for a piece of data, the longest period always applies. Data that is no longer retained for its originally intended purpose, but because of legal requirements or other reasons, is processed by us solely for the reasons that justify its retention.

Retention and deletion of data: The following general periods apply to retention and archiving under German law:

• 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets and the working instructions and other organisational documents necessary to understand them (Section 147(1) no. 1 in conjunction with (3) German Fiscal Code (AO), Section 14b(1) German VAT Act (UStG), Section 257(1) no. 1 in conjunction with (4) German Commercial Code (HGB)).
• 8 years - Accounting vouchers, such as invoices and expense receipts (Section 147(1) nos. 4 and 4a in conjunction with (3) sentence 1 AO and Section 257(1) no. 4 in conjunction with (4) HGB).
• 6 years - Other business documents: received commercial or business letters, reproductions of sent commercial or business letters, other documents insofar as they are relevant for taxation, such as hourly wage slips, cost accounting sheets, calculation documents, price labels, as well as payroll documents insofar as they are not already accounting vouchers, and cash register tapes (Section 147(1) nos. 2, 3, 5 in conjunction with (3) AO, Section 257(1) nos. 2 and 3 in conjunction with (4) HGB).
• 3 years - Data required in order to take into account potential warranty and damages claims or similar contractual claims and rights, and to process related enquiries, based on previous business experience and customary industry practice, is stored for the duration of the regular statutory limitation period of three years (Sections 195, 199 German Civil Code (BGB)).

Commencement of periods at the end of the year: If a period does not expressly begin on a specific date and is at least one year long, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the period is the effective date of termination or other end of the legal relationship.

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, arising in particular from Articles 15 to 21 GDPR:

• Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data relating to you that is carried out on the basis of Art. 6(1) lit. e or f GDPR; this also applies to profiling based on those provisions. Where personal data relating to you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data relating to you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
• Right to withdraw consent: You have the right to withdraw consents you have given at any time.
• Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain access to such data, as well as further information and a copy of the data in accordance with the statutory requirements.
• Right to rectification: In accordance with the statutory requirements, you have the right to request that data concerning you be completed or that inaccurate data concerning you be rectified.
• Right to erasure and restriction of processing: In accordance with the statutory requirements, you have the right to request that data concerning you be erased without undue delay or, alternatively, to request restriction of the processing of the data in accordance with the statutory requirements.
• Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with the statutory requirements, or to request that it be transmitted to another controller.
• Complaint to a supervisory authority: In accordance with the statutory requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Business Services

We process personal data of our contractual and business partners, such as customers, clients, prospects, suppliers and other cooperation partners (collectively referred to as "contractual partners"), for the initiation, performance and processing of contractual relationships and comparable legal relationships. This also includes pre-contractual measures taken upon request, as well as communication in connection with the respective contractual relationship. The processing serves in particular to fulfil our primary and ancillary contractual obligations. This includes the provision of the agreed services, any update and information obligations, handling of warranty claims and other service disruptions, processing of withdrawals, termination of continuing obligations, reversals, refunds and the handling of other contract-related declarations and enquiries. Both one-off contracts and ongoing contractual relationships are covered. The data processed includes, in particular, master data such as name, address and, where applicable, company, contact data such as email address and telephone number, contract and service data such as subject matter of the contract, contract term, order or transaction number, usage and service data, payment and billing data as well as communication content and histories. Where necessary, we also process data disclosed or transmitted to us in the course of carrying out an assignment. In addition, we process the data to protect our rights and to comply with legal obligations. This includes, in particular, retention obligations under commercial and tax law, documentation obligations and, where applicable, obligations to provide evidence and accountability. 
Processing is also carried out on the basis of our legitimate interests in proper business management, internal administration, risk management and IT security, as well as in protecting our business operations and our contractual partners against misuse, threats to data, secrets and other legal interests. This may also include the involvement of external service providers such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax and legal advisers or other vicarious agents, insofar as this is necessary for the performance of the contract or for compliance with legal obligations. Personal data is disclosed to third parties only insofar as this is necessary for the performance of a contract, the implementation of pre-contractual measures, the protection of legitimate interests or compliance with legal obligations. We provide separate information within this Privacy Policy about any further processing, in particular for marketing purposes. We inform contractual partners which data is required in each individual case when the data is collected, for example by corresponding markings in online forms or in personal contact. The data is deleted as soon as it is no longer required for the above-mentioned purposes and no statutory retention obligations prevent deletion. Statutory retention periods, in particular under commercial and tax law, may require longer storage. Data transmitted as part of a specific assignment is deleted after completion of the assignment and expiry of any retention periods, unless further statutory or contractual obligations to store it exist. The legal basis for processing is Art. 6(1) lit. b GDPR for the implementation of pre-contractual measures and the fulfilment of the respective contractual relationship, as well as Art. 6(1) lit. c GDPR for compliance with legal obligations. Where processing is based on legitimate interests, it is carried out on the basis of Art. 6(1) lit. f GDPR. 
Where processing is based on Art. 6(1) lit. f GDPR, it is carried out to protect our legitimate interests in a proper and efficient business organisation, internal administration and documentation of business transactions, the establishment, exercise and defence of legal claims, ensuring IT and data security, preventing misuse and fraud, and the economic management and development of our business operations. These interests consist in particular in ensuring secure and legally compliant business operations and maintaining our entrepreneurial ability to act.

• Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers). Contract data (e.g. subject matter of the contract, term, customer category).
• Data subjects: Service recipients and clients; prospects. Business and contractual partners.
• Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; communication; office and organisational procedures; organisational and administrative procedures. Business processes and commercial procedures.
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR); legal obligation (Art. 6(1) sentence 1 lit. c GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

• Agency services: We process our customers' data in the context of our contractual services, which may include, for example, conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes, handling, server administration, data analysis/consulting services and training services; legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR).
• Provision of mobile applications: We process the data of our customers and users (hereinafter collectively referred to as "users") in order to provide them with our contractual services in connection with the provision and operation of our mobile applications and, on the basis of legitimate interests, to ensure the security, availability and further development of our offering. The required information is identified as such in the context of the order, purchase or comparable contractual conclusion and includes the information needed for providing the service and billing, as well as contact information for any necessary follow-up; legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR), legal obligation (Art. 6(1) sentence 1 lit. c GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Consulting: We process the data of our clients, prospects and other customers or contractual partners (collectively referred to as "clients") in order to provide our services to them. The procedures that form part of, and serve the purposes of, consulting include: contacting and communicating with clients, carrying out needs and requirements analyses, planning and implementing consulting projects, documenting project progress and results, collecting and managing client-specific information and data, scheduling and organisation, providing consulting resources and materials, invoicing and payment administration, follow-up and aftercare of consulting projects, quality assurance and feedback processes. The processed data, and the type, scope, purpose and necessity of its processing, are determined by the underlying contractual and client relationship. Where this is necessary for the performance of our contract, for the protection of vital interests, required by law or based on the consent of the clients, we disclose or transfer the clients' data, in compliance with professional law requirements, to third parties or agents, such as authorities, subcontractors or providers in the field of IT, office or comparable services; legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR).
• Marketing and advertising: We process the data of our customers and clients (hereinafter collectively referred to as "customers") in order to offer marketing services such as market research, advertising campaigns, content creation and social media management. The required information is identified as such when the order is placed and includes the information needed for service provision and billing, as well as contact information for any necessary follow-up. Where we receive access to information about end customers, employees or other persons, we process it in accordance with statutory and contractual requirements. Procedures required in the context of marketing and advertising measures include creating marketing strategies and campaigns, designing advertising materials and content, selecting advertising channels and platforms, conducting market analyses and target group surveys, and measuring success and analysing marketing measures. They also include managing and maintaining customer and prospect data, segmenting target groups, sending newsletters and promotional emails, tracking online marketing activities and cooperating with external service providers in the field of marketing and advertising. These procedures serve to develop effective marketing strategies for our customers, tailor advertising measures to target groups, measure and analyse the success of marketing activities and ensure efficient management of customer contacts and information; legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR), legal obligation (Art. 6(1) sentence 1 lit. c GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Artistic services: The procedures in the context of artistic services include the acquisition and management of customer and client data, which involves collecting, storing and using contact information, contract details and project-related data. The management and coordination of artistic projects require the creation of project plans, allocation of resources, coordination of appointments and monitoring of progress. For events and exhibitions, the processing of visitor data is necessary, such as collecting contact details for invitations, ticket sales or newsletter registrations. Financial management in the context of artistic services involves the processing of personal data for invoicing, fee settlement and payment processing. Communication and exchange with customers, partners and the public take place via various channels such as email, social media or messaging services and require the use of personal data; legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR), legal obligation (Art. 6(1) sentence 1 lit. c GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Online courses and online training: We process the data of participants in our online courses and online training (collectively referred to as "participants") in order to provide them with our course and training services. The data processed in this context, as well as the type, scope, purpose and necessity of its processing, are determined by the underlying contractual relationship. The data generally includes information about the courses and services used and, insofar as part of our service offering, participants' personal requirements and results. Forms of processing also include performance assessment and evaluation of our services and those of course and training instructors. Depending on the equipment and structure of the respective courses or learning content, additional processing operations may also be implemented, such as attendance tracking to document participation, progress monitoring to measure and analyse learning progress by collecting exam and test results, and analysis of interactions on learning platforms, such as forum posts and assignment submissions; legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR).
• Project and development services: We process the data of our customers and clients (hereinafter collectively referred to as "customers") to enable them to select, purchase or commission the chosen services or works and associated activities, as well as to make payment and receive or use their provision, execution or delivery. The required information is identified as such in the context of the order, purchase or comparable contractual conclusion and includes the information needed for providing the service and billing, as well as contact information for any necessary follow-up. Where we receive access to information about end customers, employees or other persons, we process it in accordance with statutory and contractual requirements; legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR).

Business Processes and Procedures

Personal data of service recipients and clients - including customers, clients or, in special cases, mandators, patients or business partners and other third parties - is processed in the context of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business operations in areas such as customer management, sales, payment transactions, accounting and project management.

The collected data serves to fulfil contractual obligations and make business processes efficient. This includes processing business transactions, managing customer relationships, optimising sales strategies and ensuring internal accounting and financial processes. In addition, the data supports the protection of the controller's rights and promotes administrative tasks and the organisation of the company.

Personal data may be disclosed to third parties where this is necessary to fulfil the stated purposes or legal obligations. After statutory retention periods have expired, or where the purpose of processing no longer applies, the data is deleted. This also includes data that must be stored for a longer period due to tax-law and statutory evidence obligations.

• Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts and related information, such as authorship details or time of creation); contract data (e.g. subject matter of the contract, term, customer category); log data (e.g. log files relating to logins or data retrieval or access times); usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved).
• Data subjects: Service recipients and clients; prospects; communication partners; business and contractual partners; third parties; users (e.g. website visitors, users of online services); employees (e.g. employees, applicants, temporary workers and other staff). Customers.
• Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; office and organisational procedures; business processes and commercial procedures; communication; marketing; sales promotion; public relations; financial and payment management. Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR); legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Legal obligation (Art. 6(1) sentence 1 lit. c GDPR).

Further information on processing operations, procedures and services:

• Customer management and customer relationship management (CRM): Procedures required in the context of customer management and customer relationship management (CRM) (e.g. customer acquisition in compliance with data protection requirements, measures to promote customer retention and loyalty, effective customer communication, complaint management and customer service taking data protection into account, data management and analysis to support customer relationships, administration of CRM systems, secure account management, customer segmentation and audience building); legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Contact management and contact maintenance: Procedures required for the organisation, maintenance and safeguarding of contact information (e.g. setting up and maintaining a central contact database, regular updates of contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, performing backups and restoring contact data, training employees in the effective use of contact management software, regularly reviewing communication histories and adapting contact strategies); legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• General payment transactions: Procedures required for carrying out payment transactions, monitoring bank accounts and controlling payment flows (e.g. creating and checking transfers, processing direct debits, checking account statements, monitoring incoming and outgoing payments, managing returned direct debits, account reconciliation, cash management); legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Accounting, accounts payable and accounts receivable: Procedures required for recording, processing and controlling business transactions in the area of accounts payable and accounts receivable (e.g. creating and checking incoming and outgoing invoices, monitoring and managing open items, carrying out payment transactions, handling reminders, account reconciliation in connection with receivables and liabilities, accounts payable and accounts receivable); legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR), legal obligation (Art. 6(1) sentence 1 lit. c GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Financial accounting and taxes: Procedures required for recording, managing and controlling finance-related business transactions and for calculating, reporting and paying taxes (e.g. account assignment and posting of business transactions, preparation of quarterly and annual financial statements, carrying out payment transactions, handling reminders, account reconciliation, tax advice, preparation and submission of tax returns, handling tax matters); legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR), legal obligation (Art. 6(1) sentence 1 lit. c GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Marketing, advertising and sales promotion: Procedures required in the context of marketing, advertising and sales promotion (e.g. market analysis and target group definition, development of marketing strategies, planning and implementation of advertising campaigns, design and production of advertising materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programmes, sales promotion measures, performance measurement and optimisation of marketing activities, budget management and cost control); legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Public relations: Procedures required in the context of public relations and PR (e.g. development and implementation of communication strategies, planning and implementation of PR campaigns, creation and distribution of press releases, maintaining media contacts, monitoring and analysing media response, organising press conferences and public events, crisis communication, creating content for social media and company websites, managing corporate branding); legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Providers and Services Used in the Course of Business Activities

In the course of our business activities, and in compliance with statutory requirements, we use additional services, platforms, interfaces or plug-ins from third-party providers (referred to briefly as "services"). Their use is based on our interests in the proper, lawful and economical management of our business operations and internal organisation.

• Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts and related information, such as authorship details or time of creation). Contract data (e.g. subject matter of the contract, term, customer category).
• Data subjects: Service recipients and clients; prospects; business and contractual partners. Employees (e.g. employees, applicants, temporary workers and other staff).
• Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; office and organisational procedures. Business processes and commercial procedures.
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

• DATEV: Provision of cloud applications for accounting, payroll accounting, document and data exchange, and cooperation with tax advisers and companies. Processing, storage and transfer of data in data centres (servers) for the use of the respective applications; service provider: DATEV eG, Paumgartnerstr. 6 - 14, 90429 Nuremberg, Germany; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.datev.de/web/de/mydatev/datev-cloud-anwendungen/; privacy policy: https://www.datev.de/web/de/berufsgruppenuebergreifend/ueber-datev/datenschutz-und-compliance/datenschutz-und-unternehmenssicherheit. Data processing agreement: provided by the service provider.

Provision of the Online Offering and Web Hosting

We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

• Types of data processed: Usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved); log data (e.g. log files relating to logins or data retrieval or access times). Content data (e.g. text or image messages and posts and related information, such as authorship details or time of creation).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing and legitimate interests: Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures. Reach measurement (e.g. access statistics, recognition of returning visitors).
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

• Provision of the online offering on rented storage space: For the provision of our online offering, we use storage space, computing capacity and software that we rent or otherwise obtain from an appropriate server provider (also referred to as a "web host"); legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files". Server log files may include the address and name of the accessed websites and files, the date and time of access, transferred data volumes, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. Server log files may be used, on the one hand, for security purposes, for example to avoid server overload (particularly in the case of abusive attacks, known as DDoS attacks), and, on the other hand, to ensure server utilisation and stability; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymised. Data whose further retention is required for evidentiary purposes is excluded from deletion until the relevant incident has been finally clarified.
• Email sending and hosting: The web hosting services we use also include the sending, receiving and storage of emails. For these purposes, the addresses of recipients and senders, as well as further information relating to email dispatch (e.g. the providers involved) and the content of the respective emails, are processed. The aforementioned data may also be processed for the purpose of detecting spam. Please note that emails on the Internet are generally not sent in encrypted form. As a rule, emails are encrypted in transit, but (unless an end-to-end encryption method is used) not on the servers from which they are sent and received. We can therefore accept no responsibility for the transmission path of emails between the sender and receipt on our server; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• DomainFactory: Services in the field of providing information technology infrastructure and related services (e.g. storage space and/or computing capacity); service provider: Domainfactory GmbH, c/o WeWork, Neuturmstrasse 5, 80331 Munich, Germany; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.df.eu; privacy policy: https://www.df.eu/de/datenschutz/. Data processing agreement: https://www.df.eu/de/support/formulare/.
• Framer: Creation, administration and hosting of websites, online forms and other web elements, real-time collaboration, integration of design workflows and functions for user testing; service provider: Framer B.V., Rozengracht 207B, 1016 LZ Amsterdam, Netherlands; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.framer.com/; privacy policy: https://www.framer.com/legal/privacy-statement/. Data processing agreement: https://www.framer.com/legal/data-processing-addendum/.

Use of Cookies

The term "cookies" refers to functions that store information on users' devices and read information from them. Cookies may also be used for different purposes, such as ensuring the functionality, security and convenience of online offerings and creating analyses of visitor flows. We use cookies in accordance with legal requirements. Where necessary, we obtain users' consent in advance. If consent is not required, we rely on our legitimate interests. This applies where storing and reading information is essential in order to provide expressly requested content and functions. This includes, for example, storing settings and ensuring the functionality and security of our online offering. Consent can be withdrawn at any time. We provide clear information about its scope and which cookies are used.

Information on data protection legal bases: Whether we process personal data using cookies depends on consent. If consent exists, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.

Storage period: With regard to the storage period, the following types of cookies are distinguished:

• Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user has left an online offering and closed their device (e.g. browser or mobile application).
• Persistent cookies: Persistent cookies remain stored even after the device is closed. For example, the login status can be stored and preferred content displayed directly when the user revisits a website. Usage data collected with the help of cookies may also be used for reach measurement. Unless we provide users with explicit information on the type and storage period of cookies (e.g. when obtaining consent), they should assume that these are persistent and that the storage period may be up to two years.

General information on withdrawal and objection (opt-out): Users can withdraw the consents they have given at any time and may also object to processing in accordance with the statutory requirements, including through the privacy settings of their browser.

• Types of data processed: Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved).
• Data subjects: Users (e.g. website visitors, users of online services).
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Consent (Art. 6(1) sentence 1 lit. a GDPR).

Further information on processing operations, procedures and services:

• Processing of cookie data on the basis of consent: We use a consent management solution that obtains users' consent for the use of cookies or for the procedures and providers specified within the consent management solution. This procedure serves to obtain, log, manage and withdraw consent, particularly in relation to the use of cookies and comparable technologies used to store, read and process information on users' devices. As part of this procedure, users' consent is obtained for the use of cookies and the associated processing of information, including the specific processing operations and providers named in the consent management procedure. Users also have the option to manage and withdraw their consents. The declarations of consent are stored in order to avoid having to request consent again and to be able to provide evidence of consent in accordance with legal requirements. Storage takes place on the server side and/or in a cookie (so-called opt-in cookie) or by comparable technologies in order to assign the consent to a specific user or the user's device. Unless specific information is available on the providers of consent management services, the following general information applies: the consent is stored for up to two years. A pseudonymous user identifier is created and stored together with the time of consent, information on the scope of consent (e.g. relevant categories of cookies and/or service providers) and information about the browser, system and device used; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR).
• BorlabsCookie: Storage and management of consents (consent to cookies and data processing), logging of user decisions, display of privacy and cookie notices, enabling users to withdraw or adjust consents; service provider: execution on servers and/or computers under our own data protection responsibility; website: https://de.borlabs.io/borlabs-cookie/. Further information: An individual user ID, language, types of consents and the time at which they were given are stored server-side and in the cookie on the user's device.

Contact and Enquiry Management

When contacting us (e.g. by post, contact form, email, telephone or via social media), as well as in the context of existing user and business relationships, the information provided by the enquiring persons is processed insofar as this is necessary to respond to the contact enquiries and any requested measures.

• Types of data processed: Contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts and related information, such as authorship details or time of creation). Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved).
• Data subjects: Communication partners.
• Purposes of processing and legitimate interests: Communication; organisational and administrative procedures; feedback (e.g. collecting feedback via online form). Provision of our online offering and user-friendliness.
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR).

Further information on processing operations, procedures and services:

• Contact form: When you contact us via our contact form, by email or through other communication channels, we process the personal data transmitted to us in order to respond to and handle the respective matter. This usually includes details such as name, contact information and, where applicable, further information provided to us and necessary for appropriate processing. We use this data exclusively for the stated purpose of contact and communication; legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Artificial Intelligence (AI)

We use artificial intelligence (AI), whereby personal data is processed. The specific purposes and our interest in the use of AI are stated below. In line with the definition of an "AI system" in Article 3 no. 1 of the AI Act, we understand AI to mean a machine-based system designed to operate with varying levels of autonomy, which may be adaptive after deployment and which, from the input it receives, produces outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments.

Our AI systems are used in strict compliance with statutory requirements. These include both specific regulations for artificial intelligence and data protection requirements. In doing so, we observe in particular the principles of lawfulness, transparency, fairness, human oversight, purpose limitation, data minimisation, integrity and confidentiality. We ensure that the processing of personal data is always carried out on a legal basis. This may be either the consent of the data subjects or a statutory permission.

When using external AI systems, we carefully select their providers (hereinafter "AI providers"). In accordance with our statutory obligations, we ensure that the AI providers comply with the applicable provisions. We also comply with the obligations incumbent on us when using or operating the AI services obtained. The processing of personal data by us and the AI providers is carried out solely on the basis of consent or statutory authorisation. We attach particular importance to transparency, fairness and the preservation of human oversight over AI-supported decision-making processes.

To protect the processed data, we implement appropriate and robust technical and organisational measures. These ensure the integrity and confidentiality of the processed data and minimise potential risks. Through regular reviews of the AI providers and their services, we ensure ongoing compliance with current legal and ethical standards.

• Types of data processed: Content data (e.g. text or image messages and posts and related information, such as authorship details or time of creation). Usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions).
• Data subjects: Users (e.g. website visitors, users of online services). Third parties.
• Purposes of processing and legitimate interests: Artificial intelligence (AI).
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

• Adobe AI: AI-supported tools and functions in Adobe products that support creative processes. Adobe AI offers functions such as automatic image editing, content generation and intelligent image adjustments to optimise the creative workflow; service provider: Adobe Systems Software Ireland, 4-6, Riverwalk Drive, Citywest Business Campus, Brownsbarn, Dublin 24, D24 DCW0, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://business.adobe.com/de/ai/adobe-genai.html; privacy policy: https://www.adobe.com/de/privacy.html; data processing agreement: provided by the service provider. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (provided by the service provider).
• ChatGPT: AI-based service designed to understand and generate natural language and related inputs and data, analyse information and make predictions ("AI", i.e. "artificial intelligence", is to be understood within the meaning of the term under the applicable law); service provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://openai.com/de-DE/chatgpt/overview/; privacy policy: https://openai.com/de-DE/policies/privacy-policy/. Opt-out option: https://privacy.openai.com/policies?modal=select-subject.
• DeepL: Translation of texts into various languages and provision of synonyms and contextual examples. Support with correcting and improving texts in various languages; service provider: DeepL SE, Maarweg 165, 50825 Cologne, Germany; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.deepl.com; privacy policy: https://www.deepl.com/de/privacy. Data processing agreement: provided by the service provider.
• FLUX: An AI-supported text-to-image service that enables users to generate images based on text input; service provider: BFL GmbH, Bertoldstr. 48, 79098 Freiburg im Breisgau, Germany; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://bfl.ai/. Privacy policy: https://bfl.ai/legal/privacy-policy.
• Google Gemini: AI-supported system developed to provide advanced language and image processing capabilities. It uses machine learning to understand and generate natural language and analyse images, thereby offering versatile applications in various fields; service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://cloud.google.com/; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://business.safety.google/processorterms/?hl=de. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://business.safety.google/processorterms/?hl=de).
• Microsoft Copilot: Support with creating and editing texts, spreadsheets and presentations, analysing data, automating tasks and integrating with Office applications. Content data (files, conversations, metadata) and employee credentials (Org ID/Entra ID) are processed for the purposes of increasing efficiency and productivity, cost efficiency, flexibility, mobility and integration with M365. Chat histories are stored for up to 30 days and content until deleted by the user. Diagnostic data is also collected for product stability and improvement; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.microsoft.com/de-de/microsoft-copilot/organizations; privacy policy: https://www.microsoft.com/de-de/privacy/privacystatement; data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).
• Midjourney: Creation of AI-generated images based on text inputs, adaptation and refinement of generated images through iterative inputs, storage and management of created content, provision of an online platform for interaction with other users and for sharing results; service provider: Midjourney, Inc., 795 Folsom Street, 1st Floor, San Francisco, CA 94107 USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.midjourney.com/. Privacy policy: https://docs.midjourney.com/docs/privacy-policy.
• OpenAI API: An API (programming interface) for artificial intelligence that gives developers access to language and image models such as GPT and DALL-E. It enables the integration of functions such as automatic text generation, natural language processing (NLP), translation, code generation, image generation and image analysis into proprietary applications. Complex AI functions can be integrated and processes automated via standardised interfaces; service provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://openai.com/; privacy policy: https://openai.com/de-DE/policies/eu-privacy-policy/; data processing agreement: https://openai.com/de-DE/policies/data-processing-addendum/; basis for third-country transfers: standard contractual clauses (https://openai.com/de-DE/policies/data-processing-addendum/). Opt-out option: https://privacy.openai.com/policies?modal=select-subject.

Video Conferences, Online Meetings, Webinars and Screen Sharing

We use platforms and applications of other providers (hereinafter referred to as "conference platforms") for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (collectively referred to as "conferences"). When selecting conference platforms and their services, we observe the statutory requirements.

Data processed by conference platforms: When participating in a conference, the conference platforms process the participants' personal data listed below. The scope of processing depends, on the one hand, on which data is required in the context of a specific conference (e.g. access data or real names) and, on the other hand, on which optional information is provided by the participants. In addition to processing for the purpose of conducting the conference, participants' data may also be processed by the conference platforms for security purposes or service optimisation. The processed data includes personal data (first name, last name), contact information (email address, telephone number), access data (access codes or passwords), profile pictures, information on professional position/function, the IP address of the Internet connection, information on the participants' devices, their operating system, browser and its technical and language settings, information on communication content, i.e. entries in chats as well as audio and video data, and use of other available functions (e.g. surveys). Communication content is encrypted to the extent technically provided by the conference providers. If participants are registered as users with the conference platforms, further data may be processed in accordance with the agreement with the respective conference provider.

Logging and recordings: If text entries, participation results (e.g. from surveys) and video or audio recordings are logged, participants will be transparently informed of this in advance and, where necessary, asked for their consent.

Data protection measures for participants: Please refer to the privacy notices of the conference platforms for details of how they process your data and select the security and privacy settings that are optimal for you within the settings of the conference platforms. Please also ensure data and personality rights protection in the background of your recording for the duration of a video conference (e.g. by informing cohabitants, closing doors and, where technically possible, using the function to blur the background). Links to conference rooms and access data must not be passed on to unauthorised third parties.

Information on legal bases: Where, in addition to the conference platforms, we also process users' data and ask users for their consent to the use of the conference platforms or certain functions (e.g. consent to recording conferences), this consent is the legal basis for processing. Our processing may also be necessary to fulfil our contractual obligations (e.g. in participant lists or when processing meeting results, etc.). Otherwise, users' data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

• Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts and related information, such as authorship details or time of creation); usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); image and/or video recordings (e.g. photographs or video recordings of a person); audio recordings. Log data (e.g. log files relating to logins or data retrieval or access times).
• Data subjects: Communication partners; users (e.g. website visitors, users of online services). Depicted persons.
• Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; communication. Office and organisational procedures.
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

• Google Meet: Video conferences and online meetings with audio and video transmission, screen sharing (display of one's own screen), chat messages, appointment and participant management, and dial-in via link or browser (Internet programme). Storage and transfer of connection, usage and communication data for the purpose of providing the service; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://meet.google.com/; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://cloud.google.com/terms/eu-model-contract-clause).
• Microsoft Teams: Use for conducting online events and conferences and for communication with internal and external participants. Voice transmission, direct messages, group communication and collaboration functions are used; name, business contact details, work profile, participation and content (audio/video, speech, chat, files, speech transcription) are processed for the purposes and in the interests of increasing efficiency and productivity, cost efficiency, flexibility, mobility, improved communication, IT security, use of a central platform and Microsoft's business processing. Audio signals are generally not stored, except when recording is activated. Meeting and conference recordings are stored by default for 90 days unless a different period is specified. Chat and file content is stored according to policies set by the administrator or user; no automatic deletion is set by default. Channels must be renewed every 180 days, otherwise content is deleted. System-generated log, diagnostic and metadata are also processed, and diagnostic data is collected for product stability, security and improvement; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.microsoft.com/de-de/microsoft-teams/; privacy policy: https://www.microsoft.com/de-de/privacy/privacystatement. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).
• Zoom: Video conferences, online meetings, webinars, screen sharing, optional recording of sessions, chat function, integration with calendars and other apps; service provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.zoom.com; privacy policy: https://www.zoom.com/de/trust/privacy/privacy-statement/; data processing agreement: https://media.zoom.com/download/assets/zoom-global-dpa.pdf/dd327ebea27e11efb613d6ba63ed4cee. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://media.zoom.com/download/assets/zoom-global-dpa.pdf/dd327ebea27e11efb613d6ba63ed4cee).

Cloud Services

We use software services accessible via the Internet and operated on the servers of their providers (so-called "cloud services", also referred to as "software as a service") for the storage and management of content (e.g. document storage and management, exchange of documents, content and information with specific recipients, or publication of content and information). In this context, personal data may be processed and stored on the providers' servers insofar as it forms part of communication processes with us or is otherwise processed by us as set out in this Privacy Policy. This data may include, in particular, master data and contact data of users, data relating to transactions, contracts, other processes and their content. The providers of cloud services also process usage data and metadata, which they use for security purposes and service optimisation. If we use cloud services to provide forms or other documents and content for other users or publicly accessible websites, the providers may store cookies on users' devices for web analytics purposes or to remember users' settings (e.g. in the case of media controls).

• Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts and related information, such as authorship details or time of creation); usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Image and/or video recordings (e.g. photographs or video recordings of a person).
• Data subjects: Prospects; communication partners. Business and contractual partners.
• Purposes of processing and legitimate interests: Office and organisational procedures; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)). Provision of contractual services and fulfilment of contractual obligations.
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

• Adobe Creative Cloud: Cloud storage, cloud infrastructure services and cloud-based application software, including for photo editing, video editing, graphic design and web development; service provider: Adobe Systems Software Ireland, 4-6, Riverwalk Drive, Citywest Business Campus, Brownsbarn, Dublin 24, D24 DCW0, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.adobe.com/de/creativecloud.html; privacy policy: https://www.adobe.com/de/privacy.html; data processing agreement: provided by the service provider. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (provided by the service provider).
• Apple iCloud: Cloud storage service; service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.apple.com/de/. Privacy policy: https://www.apple.com/legal/privacy/de-ww/.
• Dropbox: Cloud storage service; service provider: Dropbox, Inc., 333 Brannan Street, San Francisco, California 94107, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.dropbox.com/de; privacy policy: https://www.dropbox.com/privacy; data processing agreement: https://assets.dropbox.com/documents/en/legal/dfb-data-processing-agreement.pdf. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://assets.dropbox.com/documents/en/legal/dfb-data-processing-agreement.pdf).
• Google Cloud Storage: Cloud storage, cloud infrastructure services and cloud-based application software; service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://cloud.google.com/; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://cloud.google.com/terms/data-processing-addendum; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://cloud.google.com/terms/eu-model-contract-clause). Further information: https://cloud.google.com/privacy.
• Microsoft 365 and Microsoft cloud services: Provision of applications, protection of data and IT systems, and use of system-generated log, diagnostic and metadata by Microsoft for contract performance. Contact data (name, email address), content data (files, comments, profiles), software setup and inventory data, device connectivity and configuration data, work interactions (badge swipe) and log and metadata are processed. Processing takes place for the purposes of increasing efficiency and productivity, cost efficiency, flexibility, mobility, improved communication, integration of Microsoft services, IT security and Microsoft's business processing. Retention of data is governed by the respective documents and company policies, up to 12 months for Defender (protection of data and IT systems) and 10 days for print management. Diagnostic data is also collected for product stability and improvement; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.microsoft.com/de-de; privacy policy: https://privacy.microsoft.com/de-de/privacystatement, security information: https://www.microsoft.com/de-de/trustcenter; data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).
• Nextcloud: Cloud storage, cloud infrastructure services and cloud-based application software; service provider: Nextcloud GmbH, Hauptmannsreute 44a, 70192 Stuttgart, Germany; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://nextcloud.com/de/. Privacy policy: https://nextcloud.com/de/privacy/.

Newsletters and Electronic Notifications

We send newsletters, emails and other electronic notifications (hereinafter "newsletters") only with the consent of the recipients or on a legal basis. If the content of the newsletter is specified when subscribing, that content is decisive for the users' consent. Normally, providing your email address is sufficient to subscribe to our newsletter. However, in order to provide you with a personalised service, we may ask you to provide your name for a personal salutation in the newsletter or further information if this is necessary for the purpose of the newsletter.

Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them, in order to be able to prove consent previously given. Processing of this data is limited to the purpose of potentially defending against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a suppression list (known as a "blocklist").

The subscription process is logged on the basis of our legitimate interests for the purpose of proving its proper operation. Where we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure mailing system.

Content: Information about us, our services, promotions and offers.

• Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved); usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Content data (e.g. text or image messages and posts and related information, such as authorship details or time of creation).
• Data subjects: Communication partners; service recipients and clients; prospects; users (e.g. website visitors, users of online services). Business and contractual partners.
• Purposes of processing and legitimate interests: Direct marketing (e.g. by email or post); marketing; provision of contractual services and fulfilment of contractual obligations; communication; office and organisational procedures; feedback (e.g. collecting feedback via online form); profiles containing user-related information (creation of user profiles); provision of our online offering and user-friendliness. Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
• Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Opt-out option: You can unsubscribe from receiving our newsletter at any time, i.e. withdraw your consent or object to further receipt. You will find a link to unsubscribe at the end of each newsletter, or you can use one of the contact options stated above, preferably email, for this purpose.

Further information on processing operations, procedures and services:

• Measurement of opening and click rates: The newsletters contain a so-called "web beacon", i.e. a pixel-sized file that is retrieved from our server or, if we use a mailing service provider, from that provider's server when the newsletter is opened. As part of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of retrieval, is initially collected. This information is used for the technical improvement of our newsletter based on the technical data or target groups and their reading behaviour, on the basis of their access locations (which can be determined with the help of the IP address) or access times. This analysis also includes determining whether and when the newsletters are opened and which links are clicked. The collected information is assigned to the individual newsletter recipients and stored in their profiles until deletion. On this basis, user profiles are created in which usage behaviour and user characteristics are stored. Measurement of opening and click rates and the storage of measurement results in users' profiles, as well as their further processing, are carried out on the basis of users' consent. A separate withdrawal of performance measurement is unfortunately not possible; in this case the entire newsletter subscription must be cancelled or objected to. In that case, the stored profile information is deleted; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR).
• Condition for using free services: Consent to the sending of mailings may be made a condition for using free services (e.g. access to certain content or participation in certain promotions). If users wish to use the free service without subscribing to the newsletter, we ask them to contact us.
• Adobe Experience Cloud: Cloud storage, cloud infrastructure services and cloud-based application software for customer relationship management solutions, including analytics, marketing automation, advertising and personalisation tools; service provider: Adobe Systems Software Ireland, 4-6, Riverwalk Drive, Citywest Business Campus, Brownsbarn, Dublin 24, D24 DCW0, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.adobe.com/de/creativecloud.html; privacy policy: https://www.adobe.com/de/privacy.html; data processing agreement: provided by the service provider. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (provided by the service provider).
• Zapier: Automation of processes, linking of various services, import and export of personal and contact data, and analyses of these processes; service provider: Zapier, Inc., 548 Market St #62411, San Francisco, California 94104, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://zapier.com; privacy policy: https://zapier.com/privacy; data processing agreement: https://zapier.com/legal/data-processing-addendum. Basis for third-country transfers: standard contractual clauses (https://zapier.com/legal/standard-contractual-clauses).

Web Analytics, Monitoring and Optimisation

Web analytics (also referred to as "reach measurement") serves to evaluate the visitor flows of our online offering and may include behaviour, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, identify at what times our online offering or its functions or content are most frequently used, or encourage repeat use. We can also identify areas requiring optimisation.

In addition to web analytics, we may also use test procedures, for example to test and optimise different versions of our online offering or its components.

Unless otherwise stated below, profiles, i.e. data combined for a usage process, may be created for these purposes and information may be stored in a browser or on a device and then read from it. The information collected includes, in particular, websites visited and elements used there, as well as technical information such as the browser used, the computer system used and information on usage times. If users have agreed to the collection of their location data by us or by providers of the services we use, location data may also be processed.

In addition, users' IP addresses are stored. However, we use an IP masking procedure (i.e. pseudonymisation by shortening the IP address) to protect users. In general, no plain-text data of users (such as email addresses or names) is stored in the context of web analytics, A/B testing and optimisation; instead, pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of users, but only the information stored in their profiles for the purposes of the respective procedures.

Information on legal bases: Where we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, users' data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this Privacy Policy.

• Types of data processed: Usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing and legitimate interests: Remarketing; audience building; reach measurement (e.g. access statistics, recognition of returning visitors); profiles containing user-related information (creation of user profiles). Provision of our online offering and user-friendliness.
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion". Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years).
• Security measures: IP masking (pseudonymisation of the IP address).
• Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

• Google as recipient of consent: The consent given by users as part of a consent dialogue (also known as "cookie opt-in/consent", "cookie banner", etc.) serves several purposes. First, it serves to fulfil our obligation to obtain consent for the storage of information on, and the reading of information from, users' devices in accordance with the ePrivacy requirements. Second, it covers the processing of users' personal data in accordance with data protection requirements. In addition, this consent also applies vis-à-vis Google, because the company is obliged under the Digital Markets Act (DMA) to obtain valid consent for personalised services. For this reason, we share with Google the status of consents granted or refused by users. Our consent management software informs Google whether consent has been given or not. The aim is to ensure that users' decisions are taken into account when Google measurement services are used - in particular in the context of reach measurement, conversion tracking and personalised advertising (e.g. Google Analytics, Google Ads and comparable services) - and when further functions and external services are integrated. Processing is dynamic and depends on the respective user selection, including any withdrawal of consent; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://support.google.com/analytics/answer/9976101?hl=de. Privacy policy: https://business.safety.google/privacy/.
• Google Analytics (server-side use): We use Google Analytics to measure and analyse users' use of our online services. Users' data is processed, but it is not transmitted directly from users' devices to Google. In particular, users' IP addresses are not transmitted to Google. Instead, the data is first transmitted to our server, where users' data records are assigned to our internal user identification number. The subsequent transmission from our server to Google takes place only in this pseudonymised form. The identification number does not contain any unique data, such as names or email addresses. It is used to assign analytics information to a device in order to identify which content users accessed within one or more usage processes, which search terms they used, whether they accessed them again or interacted with our online offering. The time and duration of use are also stored, as are the sources of users who refer to our online offering and technical aspects of their devices and browsers. Pseudonymous profiles of users are created using information from the use of different devices, whereby cookies may be used. In Analytics, higher-level geographic location data is provided by collecting the following metadata based on IP lookup: "city" (and the derived latitude and longitude of the city), "continent", "country", "region", "subcontinent" (and ID-based equivalents); service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://marketingplatform.google.com/intl/de/about/analytics/; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://business.safety.google/adsprocessorterms/; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://business.safety.google/adsprocessorterms/). Further information: https://business.safety.google/adsservices/ (types of processing and processed data).
• Google Signals (Google Analytics function): Google Signals are session data from websites and apps that Google associates with users who have signed in to their Google accounts and enabled ad personalisation. This association of data with these signed-in users is used to enable cross-device reports, cross-device remarketing and cross-device conversion measurement. This includes: cross-platform reports - linking data across devices and activities from different sessions using your user ID or Google Signals data, enabling an understanding of user behaviour at each step of the conversion process, from first contact to conversion and beyond; remarketing with Google Analytics - creating remarketing audiences from Google Analytics data and sharing these audiences with linked advertising accounts; demographics and interests - Google Analytics collects additional information about demographics and interests of users who are signed in to their Google accounts and have enabled ad personalisation; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://support.google.com/analytics/answer/7532985?hl=de; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://business.safety.google/adsprocessorterms/; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://business.safety.google/adsprocessorterms). Further information: https://business.safety.google/adsservices/ (types of processing and processed data).
• Audience building with Google Analytics: We use Google Analytics to display ads served via Google's advertising services and those of its partners specifically to those users who have already shown interest in our online offering or who have certain characteristics (e.g. interests in specific topics or products determined on the basis of the websites they have visited). We transmit this data to Google as part of so-called "remarketing" or "Google Analytics Audiences". The purpose of using remarketing audiences is to ensure that our ads correspond as closely as possible to users' potential interests; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://marketingplatform.google.com; legal bases: https://business.safety.google/adsprocessorterms/; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://business.safety.google/adsprocessorterms/; basis for third-country transfers: Data Privacy Framework (DPF); further information: types of processing and processed data: https://business.safety.google/adsservices/. Data processing terms for Google advertising products and standard contractual clauses for third-country data transfers: https://business.safety.google/adsprocessorterms.
• No collection of detailed location and device data (Google Analytics function): No detailed location and device data is collected (further information: https://support.google.com/analytics/answer/12017362).
• Google Tag Manager: We use Google Tag Manager, a tool provided by Google, to manage so-called website tags centrally via a user interface. Tags are small code elements on our website that are used, among other things, to measure and analyse visitor activities. This technology helps us to improve our website and the offering on it. Google Tag Manager itself does not create user profiles, store cookies or carry out independent analyses. It merely serves to integrate the tools and services that we use for our website more easily and efficiently. Nevertheless, when Google Tag Manager is used, users' IP addresses are transmitted to Google, which is technically necessary to operate the various services we use. It is important to know that this data processing only takes place if services are integrated via the Tag Manager that require this. For details of these services and how they process data, we refer to the further sections of this Privacy Policy; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://marketingplatform.google.com; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://business.safety.google/adsprocessorterms/; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://business.safety.google/adsprocessorterms). Further information: https://business.safety.google/adsservices/ (types of processing and processed data).
• Google Tag Manager: We use Google Tag Manager, software from Google that enables us to manage so-called website tags centrally via a user interface. Tags are small code elements on our website that serve to record and analyse visitor activities. This technology supports us in improving our website and the content offered on it. Google Tag Manager itself does not create user profiles, does not store cookies with user profiles and does not perform independent analyses. Its function is limited to simplifying and making more efficient the integration and management of tools and services that we use on our website. Nevertheless, when Google Tag Manager is used, users' IP addresses are transmitted to Google, which is necessary for technical reasons in order to implement the services we use. Cookies may also be set in this process. However, this data processing only takes place if services are integrated via the Tag Manager. For more detailed information on these services and their data processing, we refer to the further sections of this Privacy Policy; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://marketingplatform.google.com; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://business.safety.google/adsprocessorterms. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://business.safety.google/adsprocessorterms).

Presences on Social Networks (Social Media)

We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to offer information about us.

We point out that user data may be processed outside the European Union. This may entail risks for users, for example because it could make it more difficult to enforce users' rights.

Furthermore, users' data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created on the basis of users' usage behaviour and resulting interests. These profiles may then be used, for example, to place advertisements within and outside the networks that are presumed to correspond to users' interests. As a rule, cookies are therefore stored on users' computers, in which users' usage behaviour and interests are stored. In addition, data may also be stored in the usage profiles independently of the devices used by the users (in particular if they are members of the respective platforms and are logged in there).

For a detailed description of the respective forms of processing and the options to object (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.

In the case of access requests and the exercise of data subject rights, we also point out that these can be asserted most effectively with the providers. Only the providers have access to the users' data in each case and can take appropriate measures and provide information directly. If you nevertheless need assistance, you can contact us.

• Types of data processed: Contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts and related information, such as authorship details or time of creation). Usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing and legitimate interests: Communication; feedback (e.g. collecting feedback via online form). Public relations.
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

• Instagram: Social network enabling the sharing of photos and videos, commenting on and favouriting posts, sending messages and subscribing to profiles and pages; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.instagram.com; privacy policy: https://privacycenter.instagram.com/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).
• Facebook Pages: Profiles within the Facebook social network - The controller is jointly responsible with Meta Platforms Ireland Limited for the collection and transmission of data from visitors to our Facebook page ("fan page"). This includes, in particular, information about user behaviour (e.g. content viewed or interacted with, actions taken) and device information (e.g. IP address, operating system, browser type, language settings, cookie data). Further details can be found in Facebook's Data Policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical evaluations through the "Page Insights" service, which provide information about how people interact with our page and its content. The basis for this is an agreement with Facebook ("Page Insights Controller Addendum": https://www.facebook.com/legal/terms/page_controller_addendum), which regulates, among other things, security measures and the exercise of data subject rights. Further information can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Users can therefore address access or deletion requests directly to Facebook. Users' rights (in particular access, deletion, objection and complaint to a supervisory authority) remain unaffected. Joint responsibility is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited alone is responsible for further processing, including any transfer to Meta Platforms Inc. in the USA; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.facebook.com; privacy policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
• Facebook Groups: We use the "Groups" function of the Facebook platform to create interest groups in which Facebook users can contact and exchange information with each other or with us. In this context, we process personal data of users of our groups insofar as this is necessary for the purpose of using the group and moderating it. Our rules within the groups may contain further requirements and information on the use of the respective group. This data includes first and last names, published or privately communicated content, and values relating to the status of group membership or group-related activities, such as joining or leaving, as well as timestamps relating to the aforementioned data. We also refer to the processing of user data by Facebook itself. This data includes information about the types of content that users view or interact with, or actions they take (see "Things you and others do and provide" in Facebook's Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see "Device information" in Facebook's Data Policy: https://www.facebook.com/privacy/policy/). As explained in Facebook's Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, known as "Insights", to group operators, so that they can obtain insights into how people interact with their groups and associated content; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.facebook.com; privacy policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).
• Facebook Events: Event profiles within the Facebook social network - We use the "Events" function of the Facebook platform to draw attention to events and appointments, to contact users (participants and interested persons) and to exchange information. In this context, we process personal data of users of our event pages insofar as this is necessary for the purpose of the event page and its moderation. This data includes first and last names, published or privately communicated content, values relating to participation status and timestamps relating to the aforementioned data. We also refer to the processing of user data by Facebook itself.
This data includes information about the types of content that users view or interact with, or actions they take (see "Things you and others do and provide" in Facebook's Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see "Device information" in Facebook's Data Policy: https://www.facebook.com/privacy/policy/). As explained in Facebook's Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, known as "Insights", to event providers, so that they can obtain insights into how people interact with their event pages and associated content; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.facebook.com; privacy policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF). • LinkedIn: Social network - We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of data from visitors that is used to create "Page Insights" (statistics) for our LinkedIn profiles. This data includes information about the types of content that users view or interact with, as well as actions they take. Details of the devices used are also recorded, such as IP addresses, operating system, browser type, language settings and cookie data, as well as information from user profiles, such as job function, country, industry, seniority, company size and employment status. Information on LinkedIn's processing of user data can be found in LinkedIn's privacy notices: https://www.linkedin.com/legal/privacy-policy. 
We have concluded a special agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum", https://legal.linkedin.com/pages-joint-controller-addendum), which regulates in particular which security measures LinkedIn must observe and in which LinkedIn has agreed to fulfil the rights of data subjects (i.e. users can, for example, address access or deletion requests directly to LinkedIn). Users' rights (in particular the right of access, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint controllership is limited to the collection and transmission of data to LinkedIn Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, in particular with regard to the transfer of data to the parent company LinkedIn Corporation in the USA; service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Dublin 2, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.linkedin.com/legal/privacy-policy). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. • Vimeo: Platform for providing and delivering video content; service provider: Vimeo Inc., 555 West 18th Street New York, New York 10011, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://vimeo.com; privacy policy: https://vimeo.com/legal/terms/de/datenschutz/policy; data processing agreement: https://vimeo.com/legal/enterprise-terms/dpa. Basis for third-country transfers: standard contractual clauses (https://vimeo.com/legal/enterprise-terms/dpa). 
• YouTube: Social network and video platform; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); privacy policy: https://business.safety.google/privacy/; basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: https://myadcenter.google.com/. • Xing: Social network; service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.xing.com/. Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.

Plug-ins, Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include, for example, graphics, videos or city maps (hereinafter collectively referred to as "content").

Integration always requires that the third-party providers of this content process users' IP addresses, as they would not be able to send the content to users' browsers without the IP address. The IP address is therefore necessary for displaying this content or these functions. We endeavour to use only content whose respective providers use the IP address solely for delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Through these pixel tags, information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on users' devices and may include, among other things, technical information about the browser and operating system, referring websites, visit time and further information on the use of our online offering, and may also be linked with such information from other sources.

Information on legal bases: Where we ask users for their consent to the use of third-party providers, the legal basis for data processing is permission. Otherwise, users' data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this Privacy Policy.

• Types of data processed: Usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved); location data (information on the geographical position of a device or person); event data (Facebook) ("event data" is information that is sent, for example via Meta Pixel (whether through apps or other channels), to the provider Meta and relates to persons or their actions. This data includes, for example, details of website visits, interactions with content and functions, app installations and product purchases. Event data is processed with the aim of creating audiences for content and advertising messages (custom audiences). It is important to note that event data does not include actual content such as written comments, login information or contact information such as names, email addresses or telephone numbers. "Event data" is deleted by Meta after a maximum of two years, and the audiences created from it disappear when our Meta user accounts are deleted.); contact data (e.g. postal and email addresses or telephone numbers). Content data (e.g. text or image messages and posts and related information, such as authorship details or time of creation).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing and legitimate interests: Provision of our online offering and user-friendliness; reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest-/behaviour-based profiling, use of cookies); audience building; marketing; provision of contractual services and fulfilment of contractual obligations. Profiles containing user-related information (creation of user profiles).
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion". Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years).
• Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

• Integration of third-party software, scripts or frameworks (e.g. jQuery): We integrate software into our online offering that we retrieve from the servers of other providers (e.g. function libraries that we use for the presentation or user-friendliness of our online offering). In doing so, the respective providers collect users' IP addresses and may process them for the purposes of transmitting the software to users' browsers, for security purposes and for the evaluation and optimisation of their own offering; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Facebook plug-ins and content: Facebook social plug-ins and content - This may include, for example, content such as images, videos or texts and buttons with which users can share content from this online offering within Facebook. The list and appearance of Facebook social plug-ins can be viewed here: https://developers.facebook.com/docs/plugins/ - We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt in the context of a transmission (but not further processing) of "event data" that Facebook collects using Facebook social plug-ins (and embedding functions for content) executed on our online offering, or receives in the context of a transmission, for the following purposes: a) displaying content and advertising information that corresponds to users' presumed interests; b) delivering commercial and transactional messages (e.g. addressing users via Facebook Messenger); c) improving ad delivery and personalisation of functions and content (e.g. improving recognition of which content or advertising information presumably corresponds to users' interests). We have concluded a special agreement with Facebook ("Controller Addendum", https://www.facebook.com/legal/controller_addendum), which regulates in particular which security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to fulfil data subject rights (i.e. users can, for example, address access or deletion requests directly to Facebook). Note: If Facebook provides us with measurements, analyses and reports (which are aggregated, i.e. do not contain information on individual users and are anonymous for us), this processing does not take place within the framework of joint responsibility but on the basis of a data processing agreement ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing), the "Data Security Terms" (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the USA, on the basis of standard contractual clauses ("Facebook EU Data Transfer Addendum", https://www.facebook.com/legal/EU_data_transfer_addendum). Users' rights (in particular to access, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://www.facebook.com; privacy policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).
• Google Fonts (obtained from Google's server): Obtaining fonts (and symbols) for the purpose of technically secure, maintenance-free and efficient use of fonts and symbols with regard to up-to-dateness and loading times, their uniform display and consideration of possible licence restrictions. The user's IP address is communicated to the font provider so that the fonts can be provided in the user's browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) is transmitted that is necessary for providing the fonts depending on the devices used and the technical environment. This data may be processed on a server of the font provider in the USA - When visiting our online offering, users' browsers send their browser HTTP requests to the Google Fonts Web API (i.e. a software interface for retrieving the fonts). The Google Fonts Web API provides users with the cascading style sheets (CSS) of Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the Internet, (2) the requested URL on Google's server and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of website visitors, as well as the referrer URL (i.e. the website on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers, and they are not analysed. The Google Fonts Web API logs details of HTTP requests (requested URL, user agent and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a particular font family is requested. With the Google Fonts Web API, the user agent must adapt the font generated for the respective browser type. The user agent is logged primarily for debugging and used to generate aggregated usage statistics that measure the popularity of font families. These aggregated usage statistics are published on Google Fonts' "Analytics" page. Finally, the referrer URL is logged so that the data can be used for production maintenance and an aggregated report on top integrations can be generated based on the number of font requests. According to Google, Google does not use any of the information collected by Google Fonts to create profiles of end users or to serve targeted ads; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://fonts.google.com/; privacy policy: https://business.safety.google/privacy/; basis for third-country transfers: Data Privacy Framework (DPF). Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
• Google Maps: We integrate the maps of the "Google Maps" service provided by Google. The processed data may include, in particular, users' IP addresses and location data; service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://mapsplatform.google.com/; privacy policy: https://business.safety.google/privacy/. Basis for third-country transfers: Data Privacy Framework (DPF).
• Instagram plug-ins and content: Instagram plug-ins and content - This may include, for example, content such as images, videos or texts and buttons with which users can share content from this online offering within Instagram. - We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt in the context of a transmission (but not further processing) of "event data" that Facebook collects using Instagram functions (e.g. embedding functions for content) executed on our online offering, or receives in the context of a transmission, for the following purposes: a) displaying content and advertising information that corresponds to users' presumed interests; b) delivering commercial and transactional messages (e.g. addressing users via Facebook Messenger); c) improving ad delivery and personalisation of functions and content (e.g. improving recognition of which content or advertising information presumably corresponds to users' interests). We have concluded a special agreement with Facebook ("Controller Addendum", https://www.facebook.com/legal/controller_addendum), which regulates in particular which security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to fulfil data subject rights (i.e. users can, for example, address access or deletion requests directly to Facebook). Note: If Facebook provides us with measurements, analyses and reports (which are aggregated, i.e. do not contain information on individual users and are anonymous for us), this processing does not take place within the framework of joint responsibility but on the basis of a data processing agreement ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing), the "Data Security Terms" (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the USA, on the basis of standard contractual clauses ("Facebook EU Data Transfer Addendum", https://www.facebook.com/legal/EU_data_transfer_addendum). Users' rights (in particular to access, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.instagram.com. Privacy policy: https://privacycenter.instagram.com/policy/.
• LinkedIn plug-ins and content: LinkedIn plug-ins and content - This may include, for example, content such as images, videos or texts and buttons with which users can share content from this online offering within LinkedIn; service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Dublin 2, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; data processing agreement: https://de.linkedin.com/legal/l/dpa; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.linkedin.com/legal/l/dpa). Opt-out option: https://www.linkedin.com/mypreferences/g/guest-retargeting-opt-out.
• MyFonts: Fonts; data processed in connection with font retrieval: the identification number of the webfont project (anonymised), the URL of the licensed website linked to a customer number to identify the licensee and licensed webfonts, and the referrer URL; the anonymised webfont project identification number is stored in encrypted log files together with such data for 30 days in order to determine the monthly number of page views; after such extraction and storage of the number of page views, the log files are deleted; service provider: Monotype Imaging Holdings Inc., 600 Unicorn Park Drive, Woburn, Massachusetts 01801, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.myfonts.com. Privacy policy: https://www.myfonts.com/de/a/font/legal/website-use-privacy-policy.
• reCAPTCHA: We integrate the "reCAPTCHA" function in order to detect whether entries (e.g. in online forms) are made by humans and not by automated machines (so-called "bots"). The processed data may include IP addresses, information on operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, time spent on websites, previously visited websites, interactions with reCAPTCHA on other websites, possibly cookies and results of manual recognition processes (e.g. answering questions asked or selecting objects in images). Data processing is carried out on the basis of our legitimate interest in protecting our online offering against abusive automated crawling and spam; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://cloud.google.com/security/products/recaptcha; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://cloud.google.com/terms/sccs/eu-c2p).
• YouTube videos: Video content; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://www.youtube.com; privacy policy: https://business.safety.google/privacy/; basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying advertisements: https://myadcenter.google.com/personalizationoff.
• Xing plug-ins and buttons: Xing plug-ins and buttons - This may include, for example, content such as images, videos or texts and buttons with which users can share content from this online offering within Xing; service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.xing.com. Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.
• Vimeo video player: Integration of a video player; service provider: Vimeo Inc., 555 West 18th Street New York, New York 10011, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://vimeo.com; privacy policy: https://vimeo.com/legal/terms/de/datenschutz/policy; data processing agreement: https://vimeo.com/legal/enterprise-terms/dpa. Basis for third-country transfers: standard contractual clauses (https://vimeo.com/legal/enterprise-terms/dpa).

• Types of data processed: Content data (e.g. text or image messages and posts and related information, such as authorship details or time of creation); usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, persons involved); contact data (e.g. postal and email addresses or telephone numbers); master data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contract data (e.g. subject matter of the contract, term, customer category); log data (e.g. log files relating to logins or data retrieval or access times); applicant data (e.g. personal details, postal and contact addresses, documents forming part of the application and the information contained therein, such as cover letter, CV, certificates and other information relating to a specific position or voluntarily provided by applicants about their person or qualifications). Location data (information on the geographical position of a device or person).
• Data subjects: Users (e.g. website visitors, users of online services); communication partners; service recipients and clients; prospects; business and contractual partners; third parties; applicants. Customers.
• Purposes of processing and legitimate interests: Reach measurement (e.g. access statistics, recognition of returning visitors); provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); communication; direct marketing (e.g. by email or post); provision of contractual services and fulfilment of contractual obligations; office and organisational procedures; organisational and administrative procedures; conversion measurement (measuring the effectiveness of marketing measures); marketing; artificial intelligence (AI); business processes and commercial procedures; surveys and questionnaires (e.g. surveys with input options, multiple-choice questions); application procedures (establishment and possible later performance and possible later termination of the employment relationship); establishment and performance of employment relationships (processing of employee data in the context of establishing and performing employment relationships); tracking (e.g. interest-/behaviour-based profiling, use of cookies); remarketing; audience building. Profiles containing user-related information (creation of user profiles).
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); consent (Art. 6(1) sentence 1 lit. a GDPR); performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR). Legal obligation (Art. 6(1) sentence 1 lit. c GDPR).

Further information on processing operations, procedures and services:

• Framer: Creation, administration and hosting of websites, online forms and other web elements, real-time collaboration, integration of design workflows and functions for user testing; service provider: Framer B.V., Rozengracht 207B, 1016 LZ Amsterdam, Netherlands; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.framer.com/; privacy policy: https://www.framer.com/legal/privacy-statement/. Data processing agreement: https://www.framer.com/legal/data-processing-addendum/.
• WeTransfer: Transfer of files via the Internet; service provider: WeTransfer BV, Oostelijke Handelskade 751, Amsterdam, 1019 BW, Netherlands; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://wetransfer.com. Privacy policy: https://wetransfer.com/de-DE/explore/legal/privacy.
• Sending by SMS: Electronic notifications may also be sent as SMS text messages (or are sent exclusively by SMS if the authorisation to send, e.g. consent, covers only sending by SMS); legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR).
• SEO and online marketing agency: We process the data of our customers and clients in order to offer them marketing services such as search engine optimisation (SEO), online advertising campaigns, social media management and related consulting services. The required information is identified as such when the order is placed and includes the information needed for service provision and billing, as well as contact information for any necessary follow-up. Where we receive access to information about end customers, employees or other persons, we process it in accordance with statutory and contractual requirements; legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR), legal obligation (Art. 6(1) sentence 1 lit. c GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Legal bases (Germany): Insofar as we process data in order to comply with our legal obligations under the Whistleblower Protection Act (HinSchG), the legal basis for processing is Art. 6(1) sentence 1 lit. c GDPR and, in the case of special categories of personal data, Art. 9(2) lit. g GDPR and Section 22 BDSG, each in conjunction with Section 10 HinSchG. This relates to the obligation to set up and operate an internal whistleblower reporting office, to fulfil its statutory duties and, in the case of using data collected in the reporting procedure, to take further investigative or employment-law steps against persons who have been found to have committed a violation. Insofar as we process data (in particular where misconduct has been established) in the context of, or in preparation for, legal defence, this is carried out on the basis of our legitimate interests in legally compliant and ethical conduct pursuant to Art. 6(1) sentence 1 lit. f GDPR. Where you have granted us consent to process personal data for specific purposes, the processing is carried out on that basis pursuant to Art. 6(1) sentence 1 lit. a GDPR and, in the case of special categories of personal data, Art. 9(2) lit. a GDPR. An example would be disclosure of the whistleblower's identity or the preparation of a verbatim record during an in-person meeting. Consent given may be withdrawn at any time with effect for the future.
• Project management: For the implementation and management of projects, we specifically collect personal data that provides us with insights into the specific requirements of each project. This data includes details of project objectives that enable a clear definition of expected results and success criteria. It also includes information on resource allocation, including the assignment of personnel and the availability of technical and financial resources that are crucial for implementing the project. In addition, we collect comprehensive schedules that ensure precise planning and monitoring of all project steps, from the initial phase to completion. This data is processed with a high degree of responsibility and care in order to ensure compliance with data protection provisions. In doing so, we attach particular importance to ensuring that personal information is used exclusively for defined, legitimate project tasks; legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR), legal obligation (Art. 6(1) sentence 1 lit. c GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Project and consulting services: We process the data of our customers and clients (hereinafter collectively referred to as "customers") to enable them to select, purchase or commission the chosen services or works and associated activities, as well as to make payment and receive or use their provision, execution or delivery. The required information is identified as such in the context of the order, purchase or comparable contractual conclusion and includes the information needed for providing the service and billing, as well as contact information for any necessary follow-up. Where we receive access to information about end customers, employees or other persons, we process it in accordance with statutory and contractual requirements; legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
• Outlook: Sending and receiving messages, storing contacts and using filtering and protection functions (spam, viruses). Contact data (name, email address), content data (messages, attachments) and metadata are processed for the purposes of increasing efficiency and productivity, cost efficiency, flexibility, mobility and integration of email software. Retention is governed by the respectively specified policies, with no automatic deletion by default; mailboxes are generally removed 30 days after departure. Diagnostic data is also collected for product stability and improvement; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.microsoft.com/de-de/microsoft-365/outlook/email-and-calendar-software-microsoft-outlook. Privacy policy: https://privacy.microsoft.com/de-de/privacystatement.
• OpenAI API: An API (programming interface) for artificial intelligence that gives developers access to language and image models such as GPT and DALL-E. It enables the integration of functions such as automatic text generation, natural language processing (NLP), translation, code generation, image generation and image analysis into proprietary applications.
Complex AI functions can be integrated and processes automated via standardised interfaces; service provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://openai.com/; privacy policy: https://openai.com/de-DE/policies/eu-privacy-policy/; data processing agreement: https://openai.com/de-DE/policies/data-processing-addendum/; basis for third-country transfers: standard contractual clauses (https://openai.com/de-DE/policies/data-processing-addendum/). Opt-out option: https://privacy.openai.com/policies?modal=select-subject. • Use of contact data for contact matching purposes: Data of contacts stored in the device's contact directory may be used to check whether these contacts also use our application. For this purpose, the contact data of the respective contacts (including telephone number, email address and names) is uploaded to our server and used only for the purpose of matching. • National data protection regulations in Germany: In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG), the Act on the Protection against Misuse of Personal Data in Data Processing. The BDSG contains specific provisions, in particular on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, data transfers and automated decision-making in individual cases, including profiling. Data protection laws of the individual German federal states may also apply. 
• Midjourney: Creation of AI-generated images based on text inputs, adaptation and refinement of generated images through iterative inputs, storage and management of created content, provision of an online platform for interaction with other users and for sharing results; service provider: Midjourney, Inc., 795 Folsom Street, 1st Floor, San Francisco, CA 94107 USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.midjourney.com/. Privacy policy: https://docs.midjourney.com/docs/privacy-policy. • Microsoft Teams: Use for conducting online events and conferences and for communication with internal and external participants. Voice transmission, direct messages, group communication and collaboration functions are used; name, business contact details, work profile, participation and content (audio/video, speech, chat, files, speech transcription) are processed for the purposes and in the interests of increasing efficiency and productivity, cost efficiency, flexibility, mobility, improved communication, IT security, use of a central platform and Microsoft's business processing. Audio signals are generally not stored, except when recording is activated. Meeting and conference recordings are stored by default for 90 days unless a different period is specified. Chat and file content is stored according to policies set by the administrator or user; no automatic deletion is set by default. Channels must be renewed every 180 days, otherwise content is deleted. System-generated log data, diagnostic data and metadata are also processed, and diagnostic data is collected for product stability, security and improvement; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. 
f GDPR); website: https://www.microsoft.com/de-de/microsoft-teams/; privacy policy: https://www.microsoft.com/de-de/privacy/privacystatement. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA). • Microsoft Teams: Enables online meetings and video conferences, voice and text communication, screen sharing (display of one's own screen to others), file transfer, and appointment and group management. Content and metadata (data about use) are processed for the provision and coordination of communication; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://teams.live.com/; privacy policy: https://www.microsoft.com/de-de/privacy/privacystatement. Basis for third-country transfers: Data Privacy Framework (DPF). • Microsoft SharePoint: Support for collaboration through storage and access management for documents, spreadsheets, presentations and more. Content data (files) and contact data (name, email address) are processed for the purposes and in the interests of increasing efficiency and productivity, cost efficiency, flexibility, mobility, integration with M365 and improved collaboration. Retention depends on the business function of the content; SharePoint sites must be renewed every 180 days, otherwise content is deleted. Diagnostic data is also collected for product stability and improvement; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. 
f GDPR); website: https://www.microsoft.com/; privacy policy: https://www.microsoft.com/de-de/privacy/privacystatement; data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA). • Microsoft Forms: Creation of online forms, collection of responses in real time, analysis of results with integrated charts. Integration into other Office applications for further data processing. Customisable forms with different question types and answer options as well as data export; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://forms.office.com/; privacy policy: https://privacy.microsoft.com/de-de/privacystatement; data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA). • Microsoft Copilot: Support with creating and editing texts, spreadsheets and presentations, analysing data, automating tasks and integrating with Office applications. Content data (files, conversations, metadata) and employee credentials (Org ID/Entra ID) are processed for the purposes of increasing efficiency and productivity, cost efficiency, flexibility, mobility and integration with M365. Chat histories are stored for up to 30 days and content until deleted by the user. 
Diagnostic data is also collected for product stability and improvement; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.microsoft.com/de-de/microsoft-copilot/organizations; privacy policy: https://www.microsoft.com/de-de/privacy/privacystatement; data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA). • Microsoft 365 and Microsoft cloud services: Provision of applications, protection of data and IT systems, and use of system-generated log data, diagnostic data and metadata by Microsoft for contract performance. Contact data (name, email address), content data (files, comments, profiles), software setup and inventory data, device connectivity and configuration data, work interactions (badge swipe), and log data and metadata are processed. Processing takes place for the purposes of increasing efficiency and productivity, cost efficiency, flexibility, mobility, improved communication, integration of Microsoft services, IT security and Microsoft's business processing. Retention of data is governed by the respective documents and company policies, up to 12 months for Defender (protection of data and IT systems) and 10 days for print management. 
Diagnostic data is also collected for product stability and improvement; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.microsoft.com/de-de; privacy policy: https://privacy.microsoft.com/de-de/privacystatement, security information: https://www.microsoft.com/de-de/trustcenter; data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA). • Microsoft 365 Outlook: Use of email and calendar functions for communication and organisation of meetings. Contact data (name, email address), content data (messages, attachments, meeting content) and metadata are processed for the purposes and in the interests of increasing efficiency and productivity, cost efficiency, flexibility, mobility, improved communication and integration with M365. Retention of emails and calendar entries is governed by policies set by the administrator or user; no automatic deletion takes place by default. Mailboxes and calendars are generally removed 30 days after departure. Diagnostic data is also collected for product stability and improvement; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. 
f GDPR); website: https://www.microsoft.com/; privacy policy: https://privacy.microsoft.com/de-de/privacystatement, security information: https://www.microsoft.com/de-de/trustcenter; data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA). • Marketing and advertising: We process the data of our customers and clients (hereinafter collectively referred to as "customers") in order to offer marketing services such as market research, advertising campaigns, content creation and social media management. The required information is identified as such when the order is placed and includes the information needed for service provision and billing, as well as contact information for any necessary follow-up. Where we receive access to information about end customers, employees or other persons, we process it in accordance with statutory and contractual requirements. Procedures required in the context of marketing and advertising measures include creating marketing strategies and campaigns, designing advertising materials and content, selecting advertising channels and platforms, conducting market analyses and target group surveys, and measuring success and analysing marketing measures. They also include managing and maintaining customer and prospect data, segmenting target groups, sending newsletters and promotional emails, tracking online marketing activities and cooperating with external service providers in the field of marketing and advertising. 
These procedures serve to develop effective marketing strategies for our customers, tailor advertising measures to target groups, measure and analyse the success of marketing activities and ensure efficient management of customer contacts and information; legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR), legal obligation (Art. 6(1) sentence 1 lit. c GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). • LinkedIn: Social network - We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of data from visitors that is used to create "Page Insights" (statistics) for our LinkedIn profiles. This data includes information about the types of content that users view or interact with, as well as actions they take. Details of the devices used are also recorded, such as IP addresses, operating system, browser type, language settings and cookie data, as well as information from user profiles, such as job function, country, industry, seniority, company size and employment status. Information on LinkedIn's processing of user data can be found in LinkedIn's privacy notices: https://www.linkedin.com/legal/privacy-policy. We have concluded a special agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum", https://legal.linkedin.com/pages-joint-controller-addendum), which regulates in particular which security measures LinkedIn must observe and in which LinkedIn has agreed to fulfil the rights of data subjects (i.e. users can, for example, address access or deletion requests directly to LinkedIn). Users' rights (in particular the right of access, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint controllership is limited to the collection and transmission of data to LinkedIn Ireland Unlimited Company, a company based in the EU. 
Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, in particular with regard to the transfer of data to the parent company LinkedIn Corporation in the USA; service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Dublin 2, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.linkedin.com/legal/privacy-policy). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. • LinkedIn Recruiter: Job search and application-related services within the LinkedIn platform; service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Dublin 2, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; data processing agreement: https://www.linkedin.com/legal/l/dpa. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.linkedin.com/legal/l/dpa). • LinkedIn Insight Tag: Code that is loaded when a user visits our online offering and tracks the user's behaviour and conversions and stores them in a profile (possible purposes: measurement of campaign performance, optimisation of ad delivery, creation of custom and similar audiences); service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Dublin 2, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; data processing agreement: https://www.linkedin.com/legal/l/dpa; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.linkedin.com/legal/l/dpa). 
Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. • Customer management and customer relationship management (CRM): Procedures required in the context of customer management and customer relationship management (CRM) (e.g. customer acquisition in compliance with data protection requirements, measures to promote customer retention and loyalty, effective customer communication, complaint management and customer service taking data protection into account, data management and analysis to support customer relationships, administration of CRM systems, secure account management, customer segmentation and audience building); legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). • Google as recipient of consent: The consent given by users as part of a consent dialogue (also known as "cookie opt-in/consent", "cookie banner", etc.) serves several purposes. First, it serves to fulfil our obligation to obtain consent for the storage of information on, and the reading of information from, users' devices in accordance with the ePrivacy requirements. Second, it covers the processing of users' personal data in accordance with data protection requirements. In addition, this consent also applies vis-à-vis Google, because the company is obliged under the Digital Markets Act (DMA) to obtain valid consent for personalised services. For this reason, we share with Google the status of consents granted or refused by users. Our consent management software informs Google whether consent has been given or not. The aim is to ensure that users' decisions are taken into account when Google measurement services are used - in particular in the context of reach measurement, conversion tracking and personalised advertising (e.g. Google Analytics, Google Ads and comparable services) - and when further functions and external services are integrated. 
Processing is dynamic and depends on the respective user selection, including any withdrawal of consent; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://support.google.com/analytics/answer/9976101?hl=de. Privacy policy: https://business.safety.google/privacy/. • Google Forms: Creation and evaluation of online forms, surveys, feedback forms, etc.; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://docs.google.com/forms/; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://cloud.google.com/terms/eu-model-contract-clause). • Google Translate: Translation of content and inputs into other languages; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://translate.google.com/; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://cloud.google.com/terms/eu-model-contract-clause). • Google Tag Manager: We use Google Tag Manager, software from Google that enables us to manage so-called website tags centrally via a user interface. Tags are small code elements on our website that serve to record and analyse visitor activities. This technology supports us in improving our website and the content offered on it. 
Google Tag Manager itself does not create user profiles, does not store cookies with user profiles and does not perform independent analyses. Its function is limited to simplifying and making more efficient the integration and management of tools and services that we use on our website. Nevertheless, when Google Tag Manager is used, users' IP addresses are transmitted to Google, which is necessary for technical reasons in order to implement the services we use. Cookies may also be set in this process. However, this data processing only takes place if services are integrated via the Tag Manager. For more detailed information on these services and their data processing, we refer to the further sections of this Privacy Policy; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://marketingplatform.google.com; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://business.safety.google/adsprocessorterms. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://business.safety.google/adsprocessorterms). • Google Tag Manager (server-side use): Google Tag Manager is an application with which we can manage so-called website tags via an interface and thereby integrate other services into our online offering (see also the further information in this Privacy Policy). With the Tag Manager itself (which implements the tags), no user profiles or cookies are stored. The integration of the other services takes place server-side. This means that users' data is not transmitted directly from their device to the respective service or Google. In particular, users' IP addresses are not transmitted to the other service. Instead, the data is first transmitted to our server, where users' data records are assigned to our internal user identification number. 
The subsequent transmission of data from our server to the servers of the respective service providers takes place only in this pseudonymised form. The user identification number does not contain any unique data, such as names or email addresses; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://marketingplatform.google.com/intl/de/about/analytics/; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://business.safety.google/adsprocessorterms/; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://business.safety.google/adsprocessorterms//). Further information: https://business.safety.google/adsservices/ (types of processing and processed data). • Google Sheets: Online application for spreadsheets, document storage, collaboration and exchange of documents; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.google.com/sheets/about/; privacy policy: https://www.google.com/policies/privacy/; data processing agreement: https://cloud.google.com/terms/data-processing-addendum; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://cloud.google.com/terms/eu-model-contract-clause). Further information: https://cloud.google.com/privacy. • Google Sites: Creation of websites and web hosting (provision of storage space and computing capacity); service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. 
f GDPR); website: https://workspace.google.com/products/sites/; privacy policy: https://cloud.google.com/privacy; data processing agreement: https://cloud.google.com/terms/data-processing-addendum; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://cloud.google.com/terms/eu-model-contract-clause). Further information: https://cloud.google.com/privacy. • Google Signals (Google Analytics function): Google Signals are session data from websites and apps that Google associates with users who have signed in to their Google accounts and enabled ad personalisation. This association of data with these signed-in users is used to enable cross-device reports, cross-device remarketing and cross-device conversion measurement. This includes: cross-platform reports - linking data across devices and activities from different sessions using your user ID or Google Signals data, enabling an understanding of user behaviour at each step of the conversion process, from first contact to conversion and beyond; remarketing with Google Analytics - creating remarketing audiences from Google Analytics data and sharing these audiences with linked advertising accounts; demographics and interests - Google Analytics collects additional information about demographics and interests of users who are signed in to their Google accounts and have enabled ad personalisation; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://support.google.com/analytics/answer/7532985?hl=de; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://business.safety.google/adsprocessorterms/; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://business.safety.google/adsprocessorterms). 
Further information: https://business.safety.google/adsservices/ (types of processing and processed data). • Google single sign-on: Authentication services for user logins, provision of single sign-on functions, management of identity information and application integrations; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.google.de; privacy policy: https://business.safety.google/privacy/; basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: settings for displaying advertisements: https://myadcenter.google.com/. • Google Search Console: Monitoring website performance, analysing search queries, identifying indexing problems, providing data on visibility in search results, checking mobile usability, identifying security issues and managing sitemaps; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://search.google.com/search-console/about; privacy policy: https://business.safety.google/privacy/. Basis for third-country transfers: Data Privacy Framework (DPF). • Google Search Ads 360: Search management platform that enables agencies and advertisers to manage search engine marketing campaigns across different search engines and media channels and to build audiences; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://marketingplatform.google.com/intl/de/about/search-ads-360/; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://business.safety.google/adsprocessorterms/; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://business.safety.google/adsprocessorterms/). 
Further information: https://business.safety.google/adsservices/ (types of processing and processed data). • Google Slides: Online application for creating presentations, document storage, collaboration and exchange of documents; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.google.de/slides/about/; privacy policy: https://cloud.google.com/privacy; data processing agreement: https://cloud.google.com/terms/data-processing-addendum; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://cloud.google.com/terms/eu-model-contract-clause). Further information: https://cloud.google.com/privacy. • Google Maps APIs and SDKs: Interfaces to Google's mapping and location services that allow, for example, the completion of address entries, location determinations, distance calculations or the provision of supplementary information on locations and other places; service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://mapsplatform.google.com/; privacy policy: https://business.safety.google/privacy/. Basis for third-country transfers: Data Privacy Framework (DPF). • Google Maps: We integrate the maps of the "Google Maps" service provided by Google. The processed data may include, in particular, users' IP addresses and location data; service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://mapsplatform.google.com/; privacy policy: https://business.safety.google/privacy/. Basis for third-country transfers: Data Privacy Framework (DPF). 
• Google Calendar: Software for planning and managing appointments, with functions for payment processing, customer management and interfaces for integration with external calendars and online platforms; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://calendar.google.com; privacy policy: https://business.safety.google/privacy/. Basis for third-country transfers: Data Privacy Framework (DPF).
• Google Drive: Cloud storage service that enables users to store, synchronise and collaboratively edit files online. Data is stored in encrypted form during transmission and at rest. Content is processed to improve services such as spam filtering and virus detection; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://workspace.google.com/intl/de/products/drive/; privacy policy: https://business.safety.google/privacy/; data processing agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://cloud.google.com/terms/eu-model-contract-clause).
• Google Docs: Online application for word processing, document storage, collaboration and exchange of documents; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.google.de/docs/about/; privacy policy: https://cloud.google.com/privacy; data processing agreement: https://cloud.google.com/terms/data-processing-addendum; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://cloud.google.com/terms/eu-model-contract-clause). Further information: https://cloud.google.com/privacy.
• Google Fonts (obtained from Google's server): Obtaining fonts (and symbols) for the purpose of technically secure, maintenance-free and efficient use of fonts and symbols with regard to up-to-dateness and loading times, their uniform display and consideration of possible licence restrictions. The user's IP address is communicated to the font provider so that the fonts can be provided in the user's browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) is transmitted that is necessary for providing the fonts depending on the devices used and the technical environment. This data may be processed on a server of the font provider in the USA. When visiting our online offering, users' browsers send their browser HTTP requests to the Google Fonts Web API (i.e. a software interface for retrieving the fonts). The Google Fonts Web API provides users with the cascading style sheets (CSS) of Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the Internet, (2) the requested URL on Google's server and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of website visitors, as well as the referrer URL (i.e. the website on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers, and they are not analysed. The Google Fonts Web API logs details of HTTP requests (requested URL, user agent and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a particular font family is requested. With the Google Fonts Web API, the user agent must adapt the font generated for the respective browser type. The user agent is logged primarily for debugging and used to generate aggregated usage statistics that measure the popularity of font families. These aggregated usage statistics are published on Google Fonts' "Analytics" page. Finally, the referrer URL is logged so that the data can be used for production maintenance and an aggregated report on top integrations can be generated based on the number of font requests. According to Google, Google does not use any of the information collected by Google Fonts to create profiles of end users or to serve targeted ads; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://fonts.google.com/; privacy policy: https://business.safety.google/privacy/; basis for third-country transfers: Data Privacy Framework (DPF). Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
• Google Analytics: We use Google Analytics to measure and analyse the use of our online offering on the basis of a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It is used to assign analytics information to a device in order to identify which content users accessed within one or more usage processes, which search terms they used, whether they accessed them again or interacted with our online offering. The time and duration of use are also stored, as are the sources of users who refer to our online offering and technical aspects of their devices and browsers. Pseudonymous profiles of users are created using information from the use of different devices, whereby cookies may be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides coarse geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is used solely for this derivation of geolocation data before being immediately deleted. It is not logged, is not accessible and is not used for any further purposes. When Google Analytics collects measurement data, all IP lookups are performed on EU-based servers before traffic is forwarded to Analytics servers for processing; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://marketingplatform.google.com/intl/de/about/analytics/; security measures: IP masking (pseudonymisation of the IP address); privacy policy: https://business.safety.google/privacy/; data processing agreement: https://business.safety.google/adsprocessorterms/; basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://business.safety.google/adsprocessorterms); opt-out option: opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying advertisements: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and processed data).
• Google Adsense with personalised ads: We integrate the Google Adsense service, which enables personalised advertisements to be placed within our online offering. Google Adsense analyses user behaviour and uses this data to display targeted advertising tailored to the interests of our visitors. For each ad placement or other use of these ads, we receive financial remuneration; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://marketingplatform.google.com; privacy policy: https://business.safety.google/privacy/; basis for third-country transfers: Data Privacy Framework (DPF); further information: types of processing and processed data: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information on the services, controller-to-controller data processing terms and standard contractual clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.
• Google Ads and conversion measurement: Online marketing procedures for placing content and ads within the service provider's advertising network (e.g. in search results, in videos, on websites, etc.) so that they are displayed to users who presumably have an interest in the ads. We also measure the conversion of ads, i.e. whether users used them as an opportunity to interact with the ads and use the advertised offers (so-called conversions). However, we receive only anonymous information and no personal information about individual users; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR), legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://marketingplatform.google.com; privacy policy: https://business.safety.google/privacy/; basis for third-country transfers: Data Privacy Framework (DPF); further information: types of processing and processed data: https://business.safety.google/adsservices/. Controller-to-controller data processing terms and standard contractual clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.
• Figma: Interactive design, prototyping and collaboration for digital projects. Graphic editing, vector tools, commenting functions and version control. Data storage and processing in the cloud for teamwork; service provider: Figma, Inc., 760 Market St FL 10, 94102 San Francisco, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.figma.com/de-de/; privacy policy: https://www.figma.com/de-de/legal/; data processing agreement: provided by the service provider. Basis for third-country transfers: Data Privacy Framework (DPF).
• Facebook Ads: Placement of advertisements within the Facebook platform and evaluation of advertising results; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal bases: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://www.facebook.com; privacy policy: https://www.facebook.com/privacy/policy/; basis for third-country transfers: Data Privacy Framework (DPF); opt-out option: We refer to the privacy and advertising settings in the user's profile on the Facebook platforms and to Facebook's consent procedure and contact options for exercising access and other data subject rights, as described in Facebook's privacy policy; further information: Users' event data, i.e. behaviour and interest information, is processed for the purposes of targeted advertising and audience building on the basis of the joint controllership agreement ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection by, and transmission of data to, Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with regard to the transfer of data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
• FaceTime: Messenger, video calls, audio calls, group calls, screen sharing, call scheduling, integration with contacts and calendars; service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; website: https://www.apple.com/de/. Privacy policy: https://www.apple.com/legal/privacy/de-ww/.
• Etsy: Online marketplace for e-commerce; service provider: Etsy, Inc., 55 Washington Street, Suite 712, Brooklyn, NY 11201, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.etsy.com/de. Privacy policy: https://www.etsy.com/de/legal/privacy/?ref=ftr.
• Dropbox: Cloud storage service; service provider: Dropbox, Inc., 333 Brannan Street, San Francisco, California 94107, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.dropbox.com/de; privacy policy: https://www.dropbox.com/privacy; data processing agreement: https://assets.dropbox.com/documents/en/legal/dfb-data-processing-agreement.pdf. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://assets.dropbox.com/documents/en/legal/dfb-data-processing-agreement.pdf).
• DomainFactory: Services in the field of providing information technology infrastructure and related services (e.g. storage space and/or computing capacity); service provider: Domainfactory GmbH, c/o WeWork, Neuturmstrasse 5, 80331 Munich, Germany; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.df.eu; privacy policy: https://www.df.eu/de/datenschutz/. Data processing agreement: https://www.df.eu/de/support/formulare/.
• DocuSign: Electronic signature of documents, sending documents for signature, tracking the status of documents, storing signed documents; service provider: DocuSign, Inc., 221 Main Street Suite 1000 San Francisco, CA 94105, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.docusign.com/; privacy policy: https://www.docusign.com/privacy; data processing agreement: https://www.docusign.com/legal/terms-and-conditions/data-protection-attachment; basis for third-country transfers: standard contractual clauses (https://www.docusign.com/legal/terms-and-conditions/data-protection-attachment). Further information: Processing as a processor and controller is also carried out on the basis of approved Binding Corporate Rules that ensure a level of data protection corresponding to the requirements of the GDPR (Art. 47 GDPR): https://www.docusign.com/trust/privacy/binding-corporate-rules.
• Cookie opt-out: In the footer of our website you will find a link through which you can change your cookie settings and withdraw corresponding consents.
• Cookie Notice: Storage and management of consents (consent to cookies and data processing), logging of user decisions, display of privacy and cookie notices, enabling users to withdraw or adjust consents; service provider: execution on servers and/or computers under our own data protection responsibility; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Website: https://wordpress.org/plugins/cookie-notice/.
• Claude API: Interface access (so-called "API") to AI-based services designed to understand and generate natural language and related inputs, analyse information and make predictions ("AI", i.e. "artificial intelligence", is to be understood within the meaning of the term under the applicable law). The provision of the AI services includes the processing (including collection, storage, organisation and structuring) of personal data as part of a natural-language-based machine learning process; carrying out activities to verify or maintain the quality of the services; identifying and fixing errors that affect the existing intended functionality; and support to ensure the security and integrity of the AI services; service provider: Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.anthropic.com/; privacy policy: https://www.anthropic.com/legal/privacy; data processing agreement: https://www.anthropic.com/legal/data-processing-addendum. Basis for third-country transfers: standard contractual clauses (https://www.anthropic.com/legal/data-processing-addendum).
• Claude API: AI-supported service designed to understand and generate natural language and related inputs, analyse information and make predictions ("AI", i.e. "artificial intelligence", is to be understood within the meaning of the term under the applicable law). The provision of the AI services includes the processing (including collection, storage, organisation and structuring) of personal data in the context of a natural-language-based machine learning process; carrying out measures to verify and maintain the quality of the services; identifying and fixing errors that may impair the intended functionality; and support to ensure the security and integrity of the AI services; service provider: Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.anthropic.com/; privacy policy: https://www.anthropic.com/legal/privacy; data processing agreement: https://www.anthropic.com/legal/data-processing-addendum. Basis for third-country transfers: standard contractual clauses (https://www.anthropic.com/legal/data-processing-addendum).
• ChatGPT: AI-based service designed to understand and generate natural language and related inputs and data, analyse information and make predictions ("AI", i.e. "artificial intelligence", is to be understood within the meaning of the term under the applicable law); service provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1, Ireland; legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://openai.com/de-DE/chatgpt/overview/; privacy policy: https://openai.com/de-DE/policies/privacy-policy/. Opt-out option: https://privacy.openai.com/policies?modal=select-subject.
• BorlabsCookie: Storage and management of consents (consent to cookies and data processing), logging of user decisions, display of privacy and cookie notices, enabling users to withdraw or adjust consents; service provider: execution on servers and/or computers under our own data protection responsibility; website: https://de.borlabs.io/borlabs-cookie/. Further information: An individual user ID, language, types of consents and the time at which they were given are stored server-side and in the cookie on the user's device.

If you have any further questions, please reach out via our contact page.