Privacy Policy

Preamble

With the following Privacy Policy, we would like to inform you about what types of your personal data (hereinafter also referred to as “Data”) we process, for what purposes, and to what extent. The Privacy Policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “Online Offer”).

The terms used are gender-neutral.

Last updated: November 13, 2025

Legal text by Dr. Schwenke - please click for further information.

Contact Person

Christian Haverkamp
oxytec AG
Feldeggstr. 39
8034 Zurich

Email address: info@oxytec.com

Legal Notice: https://www.oxytec.com/en/imprint/

Overview of Data Processing

The following overview summarizes the types of data processed and the purposes of their processing, and identifies the data subjects.

Types of data processed

  • Master data.
  • Payment data.
  • Location data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication, and process data.
  • Applicant data.
  • Event data (Facebook).
  • Log data.

Categories of data subjects

  • Service recipients and clients.
  • Prospective customers.
  • Communication partners.
  • Users.
  • Applicants.
  • Business and contractual partners.
  • Third parties.

Purposes of processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Reach measurement.
  • Tracking.
  • Office and organizational procedures.
  • Remarketing.
  • Conversion measurement.
  • Click tracking.
  • Target group formation.
  • A/B testing.
  • Organizational and administrative procedures.
  • Application procedures.
  • Feedback.
  • Marketing.
  • Profiles containing user-related information.
  • Cross-device tracking.
  • Provision of our online services and user-friendliness.
  • IT infrastructure.
  • Public relations.
  • Sales promotion.
  • Business processes and operational procedures.
  • Artificial Intelligence (AI).

Applicable Legal Bases

Applicable legal bases under the Swiss Data Protection Act: If you are located in Switzerland, we process your data in accordance with the Federal Act on Data Protection (abbreviated as the “Swiss FADP”). Unlike the GDPR, for example, the Swiss DPA generally does not require that a legal basis for the processing of personal data be specified, and the processing of personal data is considered lawful and proportionate if it is carried out in good faith, lawfully, and proportionately (Art. 6(1) and (2) of the Swiss DPA). Furthermore, we collect personal data only for a specific purpose that is recognizable to the data subject and process it only in a manner compatible with that purpose (Art. 6(3) of the Swiss Data Protection Act).

Security Measures

We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of the threat to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input of, and disclosure of the data, ensuring its availability, and maintaining its segregation. Furthermore, we have established procedures that ensure the exercise of data subjects’ rights, the erasure of data, and responses to data breaches. In addition, we take the protection of personal data into account from the very beginning of the development and selection of hardware, software, and procedures in accordance with the principle of data protection by design and by default.

Transfer of Personal Data

In the course of our processing of personal data, such data may be transferred to or disclosed to other agencies, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers entrusted with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, enter into appropriate contracts or agreements with the recipients of your data to ensure the protection of your data.

Data Transfer Within the Corporate Group: We may transfer personal data to other companies within our corporate group or grant them access to such data. This data transfer is based on our legitimate business and operational interests. By this we mean, for example, improving business processes, ensuring efficient and effective internal communication, making optimal use of our human and technological resources, and enabling us to make informed business decisions. In certain cases, the transfer of data may also be necessary to fulfill our contractual obligations, or it may be based on the consent of the data subjects or a legal authorization.

Data transfer within the organization: We may transfer personal data to other departments or units within our organization or grant them access to such data. If the data transfer is for administrative purposes, it is based on our legitimate business and operational interests, or it is carried out if it is necessary to fulfill our contractual obligations, or if consent from the data subjects or legal authorization has been obtained.

International Data Transfers

Disclosure of Personal Data Abroad: In accordance with the Swiss Data Protection Act (DSG), we only disclose personal data abroad if adequate protection for the data subjects is ensured (Art. 16 Swiss DSG). Unless the Federal Council has determined that adequate protection exists (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we implement alternative security measures.

For data transfers to the United States, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by a Swiss adequacy decision dated June 7, 2024. In addition, we have entered into standard data protection clauses with the respective providers, which have been approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC) and establish contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: The DPF constitutes the primary level of protection, while the standard data protection clauses serve as an additional safeguard. Should changes arise within the framework of the DPF, the Standard Data Protection Clauses serve as a reliable fallback option. This ensures that your data remains adequately protected at all times, even in the event of any political or legal changes.

For each service provider, we will inform you whether they are certified under the DPF and whether standard data protection clauses are in place. The list of certified companies and further information on the DPF can be found on the U.S. Department of Commerce website at https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, appropriate safeguards apply, including international agreements, specific safeguards, standard data protection clauses approved by the FDPIC, or internal corporate data protection policies pre-approved by the FDPIC or a competent data protection authority in another country.

General Information on Data Storage and Deletion

We delete the personal data we process in accordance with legal requirements as soon as the underlying consent is withdrawn or there is no longer a legal basis for processing. This applies to cases where the original purpose of processing no longer applies or the data is no longer needed. Exceptions to this rule apply if legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal proceedings or to protect the rights of other natural or legal persons, must be archived accordingly.

Our privacy policy contains additional information regarding the retention and deletion of data that applies specifically to certain processing operations.

If there are multiple specifications regarding the retention period or deletion deadlines for a particular piece of data, the longest period shall always apply. We process data that is no longer retained for its originally intended purpose, but rather due to legal requirements or other reasons, exclusively for the purposes that justify its retention.

Data Retention and Deletion: The following general retention periods apply to the retention and archiving of data under Swiss law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting documents, and invoices, as well as all necessary work instructions and other organizational documents (Art. 958f of the Swiss Code of Obligations (CO)).
  • 10 years – Data necessary to address potential claims for damages or similar contractual claims and rights, as well as for processing related inquiries, based on past business experience and standard industry practices, is stored for the statutory limitation period of ten years, unless a shorter period of five years applies, which is applicable in certain cases (Art. 127, 130 CO). The five-year period applies to claims for rent, lease payments, and interest on capital, as well as other periodic payments; claims arising from the delivery of food, for meals, and for tavern debts; and claims arising from craftsmanship, retail sales of goods, medical services, professional services provided by attorneys, legal agents, solicitors, and notaries, and from the employment relationship of employees (Art. 128 CO).

Rights of Data Subjects

Rights of data subjects under the Swiss Data Protection Act (DSG):

As a data subject, you are entitled to the following rights in accordance with the provisions of the Swiss Data Protection Act (DSG):

  • Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed, and to receive the information necessary to enable you to exercise your rights under this law and to ensure transparent data processing.
  • Right to data disclosure or portability: You have the right to request the disclosure of your personal data that you have provided to us in a commonly used electronic format.
  • Right to rectification: You have the right to request the correction of inaccurate personal data concerning you.
  • Right to object, erasure, and destruction: You have the right to object to the processing of your data, as well as to request that the personal data concerning you be erased or destroyed.

Business Services

We process data from our contractual and business partners, e.g. customers and prospects (collectively referred to as “contractual partners”), within the scope of contractual and comparable legal relationships as well as related measures and with regard to communication with contractual partners (or pre-contractually), for example to respond to inquiries.

We use this data to fulfill our contractual obligations. These include, in particular, the obligations to provide the agreed-upon services, any update obligations, and remedies for warranty claims and other service disruptions. In addition, we use the data to protect our rights and for the purposes of administrative tasks associated with these obligations, as well as for corporate organization. We also process the data based on our legitimate interests in both proper and sound business management and in security measures to protect our contractual partners and our business operations from misuse, compromise of their data, secrets, information, and rights (e.g., involving telecommunications, transportation, and other support services, as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Within the framework of applicable law, we disclose the data of contractual partners to third parties only to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about other forms of processing, such as for marketing purposes, within the scope of this privacy policy.

We inform contractual partners of which data is required for the aforementioned purposes prior to or during data collection, e.g., in online forms, through special markings (e.g., colors) or symbols (e.g., asterisks, etc.), or in person.

We delete the data once statutory warranty obligations and similar obligations have expired, i.e., generally after four years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal archiving purposes (such as for tax purposes, typically ten years). We delete data disclosed to us by the contractual partner in the context of an order in accordance with the specifications and, as a general rule, upon completion of the order.

  • Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers); Contract data (e.g., subject matter of the contract, term, customer category); Usage data (e.g., page views and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Data subjects: Service recipients and clients; Prospective clients; Business and contractual partners.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Security measures; Communication; Office and organizational procedures; Organizational and administrative procedures; Business processes and business management procedures.
  • Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
  • Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • Online store, order forms, e-commerce, and performance of services: We process our customers’ data to enable them to select, purchase, or order the products, goods, and related services of their choice, as well as to facilitate payment, provision, delivery, or fulfillment. If necessary for the fulfillment of an order, we engage service providers, in particular postal, freight, and shipping companies, to carry out the delivery or fulfillment for our customers. We use the services of banks and payment service providers to process payment transactions. The required information is identified as such during the ordering or comparable purchase process and includes the information necessary for delivery, provision, and billing, as well as contact information to enable any necessary consultation; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
  • Craft services: We process the data of our customers and clients (hereinafter collectively referred to as “customers”) to enable them to select, purchase, or commission the chosen services or works, as well as related activities, and to facilitate their payment, delivery, or performance.
    The required information is identified as such in the context of the conclusion of the contract, order, or comparable agreement and includes the information necessary for delivery and billing, as well as contact information to facilitate any necessary communication; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
  • Rental services: We process the data of our tenants and prospective tenants in accordance with the underlying lease agreement. We may also process information regarding the characteristics and circumstances of individuals or their property if this is necessary within the context of the tenancy agreement. This may include, for example, information regarding personal living circumstances, movable or immovable property, financial situation, and the use of ancillary services (such as water or energy supply).

    Within the scope of our mandate, it may be necessary for us to process special categories of data within the meaning of Art. 9(1) GDPR, in particular information regarding a person’s health. Processing is carried out to protect the health interests of the tenants and otherwise only with the tenants’ consent.

    To the extent necessary for the performance of the contract, required by law, authorized by the tenants, or based on our legitimate interests, we disclose or transfer tenants’ data in connection with coverage inquiries, contract conclusions, and contract processing, e.g., to financial service providers, credit institutions, utility providers (e.g., electricity), or government agencies.

    We also process tenants’ data if this is necessary to comply with legal obligations (e.g., information requirements related to ancillary services and utility costs); Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Use of Online Platforms for Marketing and Sales Purposes

We offer our services on online platforms operated by other service providers. In this context, the privacy policies of the respective platforms apply in addition to our privacy policy. This applies in particular with regard to the execution of the payment process and the procedures used on the platforms for reach measurement and interest-based marketing.

  • Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact information (e.g., mailing and email addresses or phone numbers); Contract data (e.g., subject matter of the contract, term, customer category); Usage data (e.g., page views and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Data subjects: Service recipients and clients; Business and contractual partners; Prospective customers.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Marketing; Business processes and business management procedures; Conversion tracking (measuring the effectiveness of marketing measures); Provision of our online services and user-friendliness.
  • Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
  • Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Third-party providers and services used in the course of our business operations

In the course of our business operations, we use additional third-party services, platforms, interfaces, or plug-ins (hereinafter “Services”) in compliance with legal requirements. Their use is based on our interests in the proper, lawful, and efficient management of our business operations and internal organization.

  • Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or visual messages and posts, as well as related information such as details regarding authorship or the time of creation); Contract data (e.g., subject matter of the contract, term, customer category).
  • Data subjects: Service recipients and clients; Prospective clients; Business and contractual partners.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Administrative and organizational procedures; Business processes and operational procedures.
  • Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing procedures, processes, and services:

  • Collmex: Merchandise management.

Payment Procedures

Within the framework of contractual and other legal relationships, due to legal obligations, or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and, for this purpose, engage banks, credit institutions, and other service providers (collectively, “payment service providers”).

The data processed by the payment service providers includes personal information, such as name and address; banking information, such as account numbers or credit card numbers; passwords, TANs, and verification codes; as well as details related to the contract, transaction amounts, and recipients. This information is required to process the transactions. However, the data entered is processed and stored solely by the payment service providers. This means that we do not receive any account or credit card-related information, but only information confirming or rejecting the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit bureaus. The purpose of this transmission is to verify identity and creditworthiness. For this, we refer you to the Terms and Conditions and the Privacy Policy of the payment service providers.

Payment transactions are subject to the terms and conditions and privacy policies of the respective payment service providers, which are available on their respective websites or within the transaction applications. We also refer to these for further information and for the exercise of rights of withdrawal, access, and other data subject rights.

  • Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contract data (e.g., subject matter of the contract, term, customer category); Usage data (e.g., page views and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved); Contact data (e.g., postal and email addresses or phone numbers).
  • Data subjects: Service recipients and clients; Business and contractual partners; Prospective clients.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Business processes and operational procedures.
  • Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
  • Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • Amazon Payments: Payment services (technical integration of online payment methods); Service provider: Amazon Payments Europe S.C.A., 38 avenue J.F. Kennedy, L-1855 Luxembourg; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://pay.amazon.de/; Privacy Policy: https://pay.amazon.de/help/201212490.
  • Apple Pay: Payment services (technical integration of online payment methods); Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.apple.com/de/apple-pay/; Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.
  • Mollie: Payment services (technical integration of online payment methods); Service provider: Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.mollie.com/de; Privacy Policy: https://www.mollie.com/de/privacy.
  • PayPal: Payment services (technical integration of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.paypal.com/de; Privacy Policy: https://www.paypal.com/de/legalhub/paypal/privacy-full.

Provision of the Online Service and Web Hosting

We process users’ data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.

  • Types of data processed: Usage data (e.g., page views and duration of visit, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and process data (e.g., IP addresses, time stamps, identification numbers, involved persons); Log data (e.g., log files regarding logins, data retrieval, or access times); Contact data (e.g., postal and email addresses or phone numbers).
  • Data subjects: Users (e.g., website visitors, users of online services); Prospective customers.
  • Purposes of processing: Provision of our online services and user-friendliness; IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); Security measures; Communication; Direct marketing (e.g., via email or mail); Audience measurement (e.g., access statistics, identification of returning visitors); Conversion measurement (measurement of the effectiveness of marketing measures); Target group formation; A/B testing; Marketing.
  • Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • Provision of online services on rented server space: To provide our online services, we use storage space, computing capacity, and software that we rent or otherwise obtain from a server provider (also known as a “web host”); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • Collection of access data and log files: Access to our online service is logged in the form of so-called “server log files.” Server log files may include the address and name of the web pages and files accessed, the date and time of the request, the amount of data transferred, a notification of a successful request, the browser type and version, the user’s operating system, the referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. The server log files may be used, on the one hand, for security purposes, e.g., to prevent server overload (particularly in the case of malicious attacks, so-called DDoS attacks), and, on the other hand, to ensure server capacity and stability; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and is then deleted or anonymized. Data that must be retained for evidentiary purposes is exempt from deletion until the respective incident has been fully resolved.
  • Content Delivery Network: We use a “Content Delivery Network” (CDN). A CDN is a service that enables the content of an online offering—in particular large media files such as graphics or program scripts—to be delivered more quickly and securely using servers distributed regionally and connected via the Internet; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • Hetzner: Services in the field of providing IT infrastructure and related services (e.g., storage space and/or computing capacity); Service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.hetzner.com; Privacy Policy: https://www.hetzner.com/de/rechtliches/datenschutz; Data Processing Agreement: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/.
  • HubSpot Forms: Creation and management of forms, collection and storage of user data, integration into websites and CRM systems, automation of follow-up emails, analysis of form performance, segmentation of data for targeted marketing campaigns; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.hubspot.com/products/marketing/forms; Privacy Policy: https://legal.hubspot.com/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa; Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).
  • Yoast SEO: Search engine optimization of websites; Service provider: Yoast B.V., Don Emanuelstraat 3, 6602 GX Wijchen, Netherlands; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://yoast.com/; Privacy Policy: https://www.newfold.com/privacy-center?currencyCode=EUR&langPref=de; Further information: Operation within a dedicated hosting environment.

Use of Cookies

The term “cookies” refers to functions that store and retrieve information on users’ devices. Cookies may also be used for various purposes, such as ensuring the functionality, security, and convenience of online services, as well as analyzing visitor traffic. We use cookies in accordance with legal regulations. To this end, we obtain the user’s consent in advance when necessary. If consent is not required, we rely on our legitimate interests. This applies when the storage and retrieval of information is essential to provide explicitly requested content and functions. This includes, for example, the storage of settings as well as ensuring the functionality and security of our online offering. Consent may be withdrawn at any time. We provide clear information about the scope of our use of cookies and which cookies are used.

Information on the legal basis for data protection: Whether we process personal data using cookies depends on consent. If consent has been given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.

Storage period: With regard to the storage period, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes their device (e.g., browser or mobile application).
  • Persistent cookies: Persistent cookies remain stored even after the device is closed. This allows, for example, the login status to be saved and preferred content to be displayed immediately when the user visits a website again. Likewise, user data collected via cookies may be used for audience measurement. Unless we provide users with explicit information regarding the type and storage duration of cookies (e.g., when obtaining consent), they should assume that these are persistent and may be stored for up to two years.

General information on revocation and objection (opt-out): Users may revoke the consent they have given at any time and may also object to the processing in accordance with legal requirements, including through their browser’s privacy settings.

  • Types of data processed: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).

Further information on processing operations, procedures, and services:

  • Processing of cookie data based on consent: We use a consent management solution to obtain users’ consent to the use of cookies or to the procedures and providers specified within the scope of the consent management solution. This procedure serves to obtain, log, manage, and revoke consents, particularly regarding the use of cookies and comparable technologies used to store, read, and process information on users’ end devices. As part of this procedure, user consent is obtained for the use of cookies and the associated processing of information, including the specific processing activities and providers mentioned in the consent management procedure. Users also have the option to manage and revoke their consents. Consent statements are stored to avoid having to ask for consent again and to maintain proof of consent in accordance with legal requirements. Storage takes place on the server and/or in a cookie (a so-called opt-in cookie) or via comparable technologies to enable the consent to be assigned to a specific user or their device. Unless specific information regarding the providers of consent management services is available, the following general guidelines apply: Consent is stored for up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, details regarding the scope of consent (e.g., relevant categories of cookies and/or service providers), as well as information about the browser, the system, and the end device used; Legal basis: Consent (Art. 6(1)(a) GDPR).
  • Usercentrics: Storage and management of consents (consent to cookies and data processing), logging of user decisions, display of notices regarding data protection and cookies, enabling users to withdraw or modify their consents; Service provider: Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany; Website: https://usercentrics.com/de/. Privacy Policy: https://usercentrics.com/de/datenschutzerklaerung/.

Processing of Data Within the Application (App)

We process the data of our application’s users to the extent necessary to provide users with the application and its features, to monitor its security, and to further develop it. We may also contact users in accordance with legal requirements, provided that such communication is necessary for administrative purposes or for the use of the application. For further information regarding the processing of user data, please refer to the privacy notice in this privacy policy.

Legal basis: The processing of data necessary for providing the application’s functionalities serves to fulfill contractual obligations. This also applies if the provision of the functions requires user authorization (e.g., enabling device functions). If the processing of data is not necessary for the provision of the application’s functionalities but serves the security of the application or our business interests (e.g., collection of data for the purpose of optimizing the application or for security purposes), it is carried out on the basis of our legitimate interests. If users are explicitly asked for their consent to the processing of their data, the processing of the data covered by the consent is based on that consent.

  • Types of data processed: Personal data (e.g., full name, home address, contact information, customer number, etc.); Usage data (e.g., page views and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures. Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
  • Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Registration, Login, and User Account

Users can create a user account. During registration, users are informed of the required mandatory information, which is processed for the purpose of providing the user account based on the fulfillment of contractual obligations. The data processed includes, in particular, login information (username, password, and an email address).

When you use our registration and login functions, as well as when you use your user account, we store the IP address and the time of the respective user action. This storage is based on our legitimate interests as well as those of the users in protection against misuse and other unauthorized use. This data is generally not disclosed to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.

Users may be notified via email about events relevant to their user account, such as technical changes.

  • Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); contact information (e.g., mailing and email addresses or phone numbers); Content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation); Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Log data (e.g., log files regarding logins, data retrieval, or access times).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; organizational and administrative procedures. Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”. Deletion following termination.
  • Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • Registration with real names: Due to the nature of our community, we ask users to use our service only under their real names. This means that the use of pseudonyms is not permitted; Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
  • User profiles are not public: User profiles are not publicly visible and are not accessible.
  • No obligation to retain data: It is the users’ responsibility to back up their data prior to the end of the contract in the event of termination. We are entitled to permanently delete all user data stored during the term of the contract; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Blogs and Publication Media

We use blogs or comparable means of online communication and publication (hereinafter “publication medium”). Readers’ data is processed for the purposes of the publication medium only to the extent necessary for its presentation and for communication between authors and readers, or for security reasons. For further details, please refer to the information regarding the processing of visitors to our publication medium within this privacy policy.

  • Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); contact information (e.g., mailing and email addresses or phone numbers); Content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation); Usage data (e.g., page views and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Feedback (e.g., collecting feedback via online form). Provision of our online services and user-friendliness.
  • Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Contact and Inquiry Management

When you contact us (e.g., by mail, contact form, email, phone, or social media), as well as in the context of existing user and business relationships, the information provided by the inquiring individuals is processed to the extent necessary to respond to contact inquiries and any requested actions.

  • Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation); Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Data subjects: Communication partners.
  • Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online forms); provision of our online services and user-friendliness; direct marketing (e.g., via email or mail); Reach measurement (e.g., access statistics, identification of returning visitors); Conversion measurement (measuring the effectiveness of marketing measures); Click tracking; Marketing. Profiles containing user-related information (creation of user profiles).
  • Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Further information on processing operations, procedures, and services:

  • Contact form: When you contact us via our contact form, by email, or through other communication channels, we process the personal data you provide to us in order to respond to and handle your inquiry. This typically includes information such as your name, contact details, and, where applicable, any additional information you provide that is necessary for us to handle your inquiry appropriately. We use this data exclusively for the stated purpose of establishing contact and communication; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).
  • HubSpot CRM: Management of customer contacts, tracking of sales activities, automation of marketing campaigns, analysis of sales data, creation and management of email campaigns, integration with other tools and platforms, management of customer support requests, AI-powered content generation, personalized email creation, predictive sales forecasting, automated workflow descriptions, and AI chatbots for customer interaction; Service Provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland; Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.hubspot.de/pa/crm; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).
  • HubSpot WordPress: Collection of visitor data, analysis of user behavior, contact management, creation and management of forms, integration with email marketing tools, tracking of website visitor interactions; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://wordpress.org/plugins/leadin/; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).

Communication via Messenger

We use Messenger for communication purposes and therefore ask that you review the following information regarding the functionality of Messenger, encryption, the use of communication metadata, and your options for objecting.

You can also contact us through alternative channels, such as by phone or email. Please use the contact options provided to you or those listed on our website.

We would like to point out that, where end-to-end encryption is in use, the communication content (i.e., the content of your messages and attachments, such as images) is encrypted end-to-end. This means that the content of the messages cannot be viewed, not even by the messenger providers themselves. You should always use an up-to-date version of the messenger app with encryption enabled to ensure that your messages are encrypted.

However, we also wish to inform our communication partners that while the messenger providers do not view the content, they can determine that communication partners are communicating with us and when they do so, as well as process technical information about the communication partner’s device and, depending on the settings of their device, location information (so-called metadata).

Notes on legal bases: If we ask communication partners for permission before communicating with them via messenger, the legal basis for our processing of their data is their consent. Furthermore, if we do not ask for consent and you, for example, contact us on your own initiative, we use Messenger in our relationship with our contractual partners as well as in the context of contract initiation as a contractual measure and, in the case of other interested parties and communication partners, on the basis of our legitimate interests in fast and efficient communication and in meeting our communication partners’ needs regarding communication via Messenger. We would also like to point out that we will not initially transmit the contact information you have provided to the messaging services without your consent.

Withdrawal, Objection, and Deletion: You may withdraw your consent at any time and object to communication with us via messaging services at any time. In the case of communication via Messenger, we delete the messages in accordance with our general deletion guidelines (i.e., as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that we have answered any inquiries from the communication partners, provided that no reference to a previous conversation is to be expected and no legal retention obligations preclude deletion.

Reservation regarding the use of other communication channels: To ensure your security, we ask for your understanding that, for certain reasons, we may not be able to respond to inquiries via messenger. This applies to situations where, for example, contract details must be treated as particularly confidential or a response via Messenger does not meet formal requirements. In such cases, we recommend that you use more appropriate communication channels.

  • Types of data processed: Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or image messages and posts, as well as related information such as details regarding authorship or the time of creation); Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Communication partners.
  • Purposes of processing: Communication. Direct marketing (e.g., via email or mail).
  • Retention and deletion: Deletion in accordance with the information provided in the section “General Information on Data Storage and Deletion”.
  • Legal basis: Consent (Art. 6(1)(a) GDPR); performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • WhatsApp: A communication service that enables the sending and receiving of text messages, voice messages, images, videos, documents, as well as voice and video calls via the Internet. Communication takes place via end-to-end encryption, meaning that content is accessible only to the communication partners involved. To provide the service, the platform processes metadata (e.g., phone numbers, timestamps, device information) and may use this data to improve functionality, enhance security, and optimize the service; Service Provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.whatsapp.com/; Privacy Policy: https://www.whatsapp.com/legal/privacy-policy-eea. Basis for transfers to third countries: Data Privacy Framework (DPF).

Chatbots and chat functions

We offer online chats and chatbot functions as a means of communication (collectively referred to as “chat services”). A chat is an online conversation conducted in real time. A chatbot is software that answers users’ questions or informs them via messages. When you use our chat functions, we may process your personal data.

If you use our chat services within an online platform, your identification number will also be stored within that platform. We may also collect information about which users interact with our chat services and when. Furthermore, we store the content of your conversations via the chat services and log registration and consent processes in order to be able to provide evidence of these in accordance with legal requirements.

We would like to inform users that the respective platform provider may determine that users communicate via our chat services and when they do so, as well as collect technical information about the user’s device and, depending on the user’s device settings, location information (so-called metadata) for the purposes of optimizing the respective services and for security purposes. Likewise, the metadata of communications via chat services (e.g., information about who communicated with whom) may be used by the respective platform providers, in accordance with their terms and conditions (to which we refer for further information), for marketing purposes or to display advertisements tailored to users.

If users agree to receive regular messages from a chatbot, they have the option at any time to unsubscribe from future messages. The chatbot informs users how and using which keywords they can unsubscribe from the messages. Upon unsubscribing from the chatbot messages, the user’s data is deleted from the list of message recipients.

We use the aforementioned information to operate our chat services, e.g., to address users personally, to answer their inquiries, to transmit any requested content, and also to improve our chat services (e.g., to “teach” chatbots answers to frequently asked questions or to identify unanswered inquiries).

Notes on legal bases: We use the chat services on the basis of consent if we have previously obtained users’ permission to process their data within the scope of our chat services (this applies to cases in which users are asked for consent, e.g., so that a chatbot can send them regular messages). If we use chat services to respond to user inquiries about our services or our company, this is done for the purpose of contractual and pre-contractual communication. In addition, we use chat services based on our legitimate interests in optimizing the chat services, ensuring their operational efficiency, and enhancing the user experience.

Withdrawal, Objection, and Deletion: You may withdraw your consent at any time or object to the processing of your data in connection with our chat services.

  • Types of data processed: Contact data (e.g., postal and email addresses or phone numbers); content data (e.g., text or image messages and posts, as well as related information such as details regarding authorship or the time of creation). Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Data subjects: Communication partners.
  • Purposes of processing: Communication.
  • Retention and deletion: Deletion in accordance with the information provided in the section “General Information on Data Storage and Deletion”.
  • Legal bases: Consent (Art. 6(1)(a) GDPR); performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • Chat-GPT: Non-binding answers to simple questions based on our database; Service provider: oxytec AG, Feldeggstr. 39, 8034 Zurich, Switzerland; Website: www.oxytec.com. Privacy Policy: https://www.oxytec.com/en/privacy-policy/.

Artificial Intelligence (AI)

We use artificial intelligence (AI), which involves the processing of personal data. The specific purposes and our interest in using AI are listed below. In accordance with the definition of an “AI system” under Article 3(1) of the AI Regulation, we understand AI to mean a machine-based system designed for operation with varying degrees of autonomy, which may exhibit adaptiveness following its implementation, and which produces results (such as predictions, content, recommendations, or decisions) from the inputs received that may affect physical or virtual environments.

Our AI systems are used in strict compliance with legal requirements. These include both specific regulations for artificial intelligence and data protection requirements. In doing so, we adhere in particular to the principles of lawfulness, transparency, fairness, human oversight, purpose limitation, data minimization, and integrity, as well as confidentiality. We ensure that the processing of personal data is always based on a legal basis. This may be either the consent of the data subjects or a statutory authorization.

When using external AI systems, we carefully select their providers (hereinafter “AI providers”). In accordance with our legal obligations, we ensure that the AI providers comply with applicable regulations. We also observe the obligations incumbent upon us when using or operating the AI services we have procured. The processing of personal data by us and the AI providers takes place exclusively on the basis of consent or legal authorization. In doing so, we place particular emphasis on transparency, fairness, and the preservation of human control over AI-supported decision-making processes.

To protect the processed data, we implement appropriate and robust technical and organizational measures. These ensure the integrity and confidentiality of the processed data and minimize potential risks. Through regular reviews of AI providers and their services, we ensure ongoing compliance with current legal and ethical standards.

  • Types of data processed: Content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation). Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Data subjects: Users (e.g., website visitors, users of online services). Third parties.
  • Purposes of processing: Artificial intelligence (AI).
  • Retention and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion”.
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Cloud Services

We use software services accessible via the Internet and hosted on their providers’ servers (so-called “cloud services,” also referred to as “Software as a Service”) for the storage and management of content (e.g., document storage and management, exchange of documents, content, and information with specific recipients, or publication of content and information).

In this context, personal data may be processed and stored on the providers’ servers to the extent that such data is part of communication processes with us or is otherwise processed by us as described in this Privacy Policy. This data may include, in particular, users’ master data and contact information, as well as data regarding transactions, contracts, other processes, and their contents. The cloud service providers also process usage data and metadata, which they use for security purposes and to optimize their services.

If we use cloud services to provide forms or similar documents and content to other users or on publicly accessible websites, the providers may store cookies on users’ devices for web analytics purposes or to remember user settings (e.g., in the case of media controls).

  • Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation). Usage data (e.g., page views and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Data subjects: Prospective customers; communication partners. Business and contractual partners.
  • Purposes of processing: Office and organizational procedures. IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)).
  • Retention and Deletion: Deletion in accordance with the information provided in the section “General Information on Data Storage and Deletion”.
  • Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).

Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter “newsletters”) exclusively with the consent of the recipients or on a legal basis. If the content of the newsletter is specified during the subscription process, this content is decisive for the user’s consent. To subscribe to our newsletter, providing your email address is usually sufficient. However, in order to offer you a personalized service, we may ask you to provide your name so that we can address you personally in the newsletter, or to provide additional information if this is necessary for the purpose of the newsletter.

Deletion and Restriction of Processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, in order to be able to demonstrate that consent was previously given. The processing of this data is limited to the purpose of potentially defending against claims. An individual request for deletion is possible at any time, provided that the prior existence of consent is confirmed at the same time. In the event of obligations to permanently comply with objections, we reserve the right to store the email address solely for this purpose in a so-called “blocklist”.

The logging of the registration process is based on our legitimate interests for the purpose of verifying its proper execution. To the extent that we commission a service provider to send emails, this is based on our legitimate interests in an efficient and secure delivery system.

Content:

Technical information about Oxytec’s services, promotions, and offers.

  • Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved persons). Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Data subjects: Communication partners.
  • Purposes of processing: Direct marketing (e.g., via email or mail). Audience measurement (e.g., access statistics, recognition of returning visitors).
  • Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
  • Right to object (opt-out): You can unsubscribe from our newsletter at any time, i.e., withdraw your consent or opt out of receiving further issues. You will find a link to unsubscribe at the end of each newsletter, or you can use one of the contact options listed above, preferably email, for this purpose.

Further information on processing procedures, methods, and services:

  • Measurement of open and click rates: The newsletters contain a so-called “web beacon,” i.e., a pixel-sized file that is retrieved from our server or that of our mailing service provider when the newsletter is opened. As part of this retrieval, technical information—such as details about your browser and system—as well as your IP address and the time of retrieval are initially collected. This information is used to technically improve our newsletter based on the technical data or the target groups and their reading behavior, determined by their access locations (which can be identified using the IP address) or access times. This analysis also includes determining whether and when the newsletters are opened and which links are clicked. The information is assigned to individual newsletter recipients and stored in their profiles until it is deleted. The analyses are used to identify our users’ reading habits and tailor our content to them, or to send different content based on our users’ interests. The measurement of open and click-through rates, as well as the storage of the measurement results in users’ profiles and their further processing, are based on the users’ consent. Unfortunately, it is not possible to revoke consent for performance measurement separately; in this case, the entire newsletter subscription must be canceled or opted out of. In that case, the stored profile information will be deleted; Legal basis: Consent (Art. 6(1)(a) GDPR).
  • Delivery via SMS: The electronic notifications may also be sent as SMS text messages (or are sent exclusively via SMS if the authorization to send, e.g., consent, covers only delivery via SMS); Legal basis: Consent (Art. 6(1)(a) GDPR).
  • HubSpot Email Marketing: Sending emails, creating personalized campaigns, automating workflows, segmenting target groups, integrating with CRM systems, analyzing performance through reports and dashboards; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.hubspot.com/products/marketing/email; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).
  • Brevo: Email delivery and automation services; Service provider: Sendinblue GmbH, Köpnicker Str. 126, 10179 Berlin, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.brevo.com/; Privacy Policy: https://www.brevo.com/legal/privacypolicy/. Data Processing Agreement: Provided by the service provider.

Marketing communications via email, mail, fax, or telephone

We process personal data for the purpose of marketing communications, which may be conducted via various channels, such as email, telephone, mail, or fax, in accordance with legal requirements.

Recipients have the right to revoke their consent at any time or to object to promotional communications at any time.

Following a revocation or objection, we store the data necessary to prove prior authorization for contacting you or sending you communications for up to three years after the end of the year in which the revocation or objection was made, based on our legitimate interests. The processing of this data is limited to the purpose of potentially defending against claims. Based on the legitimate interest in permanently honoring the user’s revocation or objection, we also store the data necessary to prevent further contact (e.g., depending on the communication channel, the email address, phone number, or name).

  • Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers). Content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation).
  • Data subjects: Communication partners.
  • Purposes of processing: Direct marketing (e.g., via email or mail); Marketing. Sales promotion.
  • Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
  • Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Web Analytics, Monitoring, and Optimization

Web analytics (also referred to as “reach measurement”) is used to evaluate visitor traffic to our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, in pseudonymous form. With the help of reach analysis, we can, for example, determine at what times our online offering or its functions and content are used most frequently, or encourage repeat visits. It also allows us to identify which areas require optimization.

In addition to web analytics, we may also use testing methods to test and optimize different versions of our online offering or its components.

Unless otherwise specified below, profiles—that is, data aggregated for a specific usage session—may be created for these purposes, and information may be stored in a browser or on a device and subsequently retrieved. The data collected includes, in particular, websites visited and elements used there, as well as technical information such as the browser used, the computer system used, and details regarding usage times. If users have consented to the collection of their location data by us or by the providers of the services we use, the processing of location data is also possible.

In addition, users’ IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by truncating the IP address) to protect users. In general, no clear user data (such as email addresses or names) is stored in the context of web analytics, A/B testing, and optimization; instead, pseudonyms are used. This means that neither we nor the providers of the software we use know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective processes.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, cost-effective, and user-friendly services). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Remarketing; target group formation; reach measurement (e.g., access statistics, recognition of returning visitors); profiles containing user-related information (creation of user profiles); Provision of our online offering and user-friendliness; tracking (e.g., interest-based/behavioral profiling, use of cookies). Marketing.
  • Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”. Storage of cookies for up to 2 years (Unless otherwise specified, cookies and similar storage methods may be stored on users’ devices for a period of two years.).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online offering based on a pseudonymous user identification number. This identification number does not contain any personally identifiable data, such as names or email addresses. It serves to assign analytical information to a device in order to determine which content users have accessed during one or more sessions, which search terms they used, whether they revisited the content, or how they interacted with our online offering. The time of use and its duration are also stored, as well as the sources from which users were referred to our online service and technical aspects of their devices and browsers.
    In this process, pseudonymous user profiles are created using information from the use of various devices, and cookies may be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides rough geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based equivalents). For EU traffic, IP address data is used exclusively for this derivation of geolocation data before being immediately deleted. It is not logged, is not accessible, and is not used for any other purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Right to object (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for the display of advertisements: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (Types of processing and the data processed).
  • Google Signals (Google Analytics feature): Google Signals consists of session data from websites and apps that Google associates with users who are signed in to their Google accounts and have enabled ad personalization. This association of data with these signed-in users is used to enable cross-device reporting, cross-device remarketing, and cross-device conversion measurement. This includes: cross-platform reporting – Linking data across devices and activities from different sessions using your User ID or Google Signals data, which enables an understanding of user behavior at every step of the conversion process, from initial contact through to conversion and beyond; Remarketing with Google Analytics – Creating remarketing audiences from Google Analytics data and sharing these audiences with linked advertising accounts; Demographics and Interests – Google Analytics collects additional information about the demographics and interests of users who are signed in to their Google accounts and have enabled ad personalization; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://support.google.com/analytics/answer/7532985?hl=de; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms; Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms). Further information: https://business.safety.google/adsservices/ (Types of processing and the data processed).
  • Target audience segmentation with Google Analytics: We use Google Analytics to display ads served through Google’s advertising services and those of its partners specifically to users who have already shown an interest in our online offerings or who exhibit certain characteristics (e.g., interests in specific topics or products, determined based on the websites they have visited). We transmit this data to Google as part of what is known as “remarketing” or “Google Analytics Audiences.” The purpose of using Remarketing Audiences is to ensure that our ads align as closely as possible with users’ potential interests; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Legal basis: https://business.safety.google/adsprocessorterms/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for transfers to third countries: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products and standard contractual clauses for data transfers to third countries: https://business.safety.google/adsprocessorterms.
  • Google as the recipient of consent: The consent provided by users through a consent dialog (also known as “cookie opt-in,” “cookie banner,” etc.) serves several purposes. On the one hand, it enables us to fulfill our obligation to obtain consent for the storage and retrieval of information on and from the user’s device (in accordance with the ePrivacy Directive). On the other hand, it covers the processing of users’ personal data in accordance with data protection requirements. Furthermore, this consent also applies to Google, as the company is required under the Digital Markets Act to obtain consent for personalized services. Therefore, we share the status of the consents granted by users with Google. Our consent management software informs Google whether or not consent has been granted. The goal is to ensure that users’ granted or withheld consents are taken into account when using Google Analytics and when integrating features and external services. This allows user consents and their revocations within the scope of Google Analytics and other Google services on our website to be dynamically adjusted based on user selections; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://support.google.com/analytics/answer/9976101?hl=de. Privacy Policy: https://policies.google.com/privacy.
  • Google Tag Manager: We use Google Tag Manager, a software tool from Google that allows us to centrally manage so-called website tags via a user interface. Tags are small code elements on our website that are used to track and analyze visitor activity. This technology helps us improve our website and the content offered on it. Google Tag Manager itself does not create user profiles, does not store cookies containing user profiles, and does not perform any independent analyses. Its function is limited to simplifying and streamlining the integration and management of the tools and services we use on our website. Nevertheless, when using Google Tag Manager, users’ IP addresses are transmitted to Google, which is necessary for technical reasons in order to implement the services we use. Cookies may also be set in the process. However, this data processing only takes place when services are integrated via Tag Manager. For more detailed information about these services and their data processing, please refer to the relevant sections of this privacy policy; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms. Legal basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms).
  • HubSpot Tracking Code: The tracking code and tracking pixel collect visitor data, including website activities, IP addresses, and online identifiers, to monitor website traffic and analyze user behavior. This data helps identify visiting companies, attribute visits to known contacts, and store information about browsers and devices. The insights gained contribute to optimizing the user experience and website performance. The data collected includes the company domain (in cases of self-identification by filling out a form or registering), IP address, visit timestamps, visitor ID, page views, clicks, and device information. In addition, interactions such as scrolling behavior, time spent on pages, navigation paths, and referring URLs are recorded to enable a more precise analysis of user behavior and detailed insights into visitor journeys. This data is processed based on cookie consent and account settings to improve digital services, generate reports on website traffic and interactions, and refine strategies for optimizing content and user engagement. By analyzing user behavior, companies can tailor content, improve conversion rates, and optimize marketing efforts. In addition, this data collection helps identify repeat visits, segment target audiences, and personalize user experiences based on past interactions. Furthermore, tracking mechanisms enable companies to track leads and evaluate the effectiveness of marketing campaigns by analyzing click-through rates, form submissions, and interactions with call-to-action elements. This data helps optimize strategies, target audiences more effectively, and maximize engagement with digital content; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://knowledge.hubspot.com/account/how-does-hubspot-track-visitors; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for data transfers to third countries: Standard contractual clauses (https://legal.hubspot.com/dpa).
  • HubSpot Sales Hub: Sales process management, automation of sales tasks, tracking of customer interactions, analysis of sales data, integration with email and calendars, creation of reports and forecasts, management of contacts and leads, support for communication with customers; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.hubspot.com/products/sales; Privacy Policy: https://legal.hubspot.com/privacy-policy; Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (yes). Further information: https://legal.hubspot.com/dpa.
  • HubSpot Analytics: Web analytics, reach measurement, and analysis of user behavior regarding usage and interests in relation to features and content, as well as duration of use, based on a pseudonymous user identification number and profiling; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.hubspot.com/products/marketing/analytics; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).

Online Marketing

We process personal data for the purpose of online marketing, which may include, in particular, the marketing of advertising space or the display of advertising and other content (collectively referred to as “Content”) based on users’ potential interests, as well as the measurement of its effectiveness.

For these purposes, so-called user profiles are created and stored in a file (a so-called “cookie”) or similar methods are used to store user information relevant to the display of the aforementioned content. This may include, for example, content viewed, websites visited, online networks used, as well as communication partners and technical details such as the browser used, the computer system used, and information regarding usage times and functions used. If users have consented to the collection of their location data, this data may also be processed.

In addition, users’ IP addresses are stored. However, we use available IP masking methods (i.e., pseudonymization by truncating the IP address) to protect users. In general, online marketing processes do not store users’ personal data (such as email addresses or names), but rather pseudonyms. This means that neither we nor the providers of online marketing services know the users’ actual identities, but only the information stored in their profiles.

The information in the profiles is typically stored in cookies or via similar methods. These cookies can generally also be read later on other websites that use the same online marketing service, analyzed for the purpose of displaying content, supplemented with additional data, and stored on the server of the online marketing service provider.

In exceptional cases, it is possible to associate clear data with user profiles, particularly when users are, for example, members of a social network whose online marketing methods we use and the network links user profiles with the aforementioned information. Please note that users may enter into additional agreements with the providers, for example by giving consent during registration.

We generally only have access to aggregated information regarding the performance of our advertisements. However, as part of so-called conversion tracking, we can determine which of our online marketing methods led to a so-called conversion, i.e., for example, to the conclusion of a contract with us. Conversion tracking is used solely for the purpose of analyzing the success of our marketing measures.

Unless otherwise specified, please assume that cookies used on this site are stored for a period of two years.

Information on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is their consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, cost-effective, and user-friendly services). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.

Information on withdrawal and objection:

Please refer to the privacy policies of the respective providers and the opt-out options provided by them. If no explicit opt-out option is provided, you have the option of disabling cookies in your browser settings. However, this may limit the functionality of our online services. We therefore also recommend the following opt-out options, which are summarized and offered by region:

a) Europe: https://www.youronlinechoices.eu.

b) Canada: https://youradchoices.ca/.

c) USA: https://optout.aboutads.info/.

d) Cross-regional: https://optout.aboutads.info.

  • Types of data processed: Content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation); Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved); Event data (Facebook) (“Event data” refers to information sent to the provider Meta—for example, via Meta pixels (whether through apps or other channels)—that relates to individuals or their actions. This data includes, for example, details on website visits, interactions with content and features, app installations, and product purchases. Event data is processed for the purpose of creating target audiences for content and advertising messages (Custom Audiences). It is important to note that event data does not include actual content such as comments posted, login information, or contact information such as names, email addresses, or phone numbers. “Event data” is deleted by Meta after a maximum of two years, and the audiences created from it disappear when our Meta user accounts are deleted). Master data (e.g., full name, home address, contact information, customer number, etc.).
  • Data subjects: Users (e.g., website visitors, users of online services). Service recipients and clients.
  • Purposes of processing: Reach measurement (e.g., access statistics, identification of returning visitors); Tracking (e.g., interest-based/behavioral profiling, use of cookies); conversion measurement (measuring the effectiveness of marketing measures); target group formation; marketing; profiles containing user-related information (creation of user profiles); provision of our online services and user-friendliness; remarketing; click tracking. Cross-device tracking (cross-device processing of user data for marketing purposes).
  • Retention and deletion: Deletion in accordance with the information provided in the section “General Information on Data Retention and Deletion”. Storage of cookies for up to 2 years (Unless otherwise specified, cookies and similar storage methods may be stored on users’ devices for a period of two years.).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • Meta Pixel and audience targeting (Custom Audiences): With the help of the Meta Pixel (or similar features for transmitting event data or contact information via interfaces within apps), Meta is able to identify visitors to our website as a target audience for the display of ads (so-called “Meta Ads”). Accordingly, we use the Meta Pixel to display the Meta Ads we place only to those users on Meta platforms and within the services of partners cooperating with Meta (the so-called “Audience Network,” https://www.facebook.com/audiencenetwork/) who have also shown an interest in our online offering or who exhibit certain characteristics (e.g., interest in specific topics or products, as indicated by the websites they have visited) that we transmit to Meta (so-called “Custom Audiences”). We also use the Meta Pixel to ensure that our Meta Ads align with users’ potential interests and do not appear intrusive. With the help of the Meta Pixel, we can also track the effectiveness of Meta Ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Meta Ad (so-called “conversion tracking”); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for Transfers to Third Countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum); Further information: User event data, i.e., behavioral and interest data, is processed for the purposes of targeted advertising and audience targeting based on the joint controller agreement (“Addendum for Controllers,” https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, particularly with regard to the transfer of data to the parent company Meta Platforms, Inc. in the U.S. (based on the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Facebook Ads: Placement of advertisements on the Facebook platform and analysis of ad performance; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Basis for transfers to third countries: Data Privacy Framework (DPF); Right to object (opt-out): We refer to the privacy and advertising settings in users’ profiles on Facebook platforms, as well as to Facebook’s consent procedures and contact options for exercising the right to access information and other data subject rights, as described in Facebook’s Privacy Policy; Further information: User event data, i.e., behavioral and interest-based information, is processed for the purposes of targeted advertising and audience targeting based on the joint controller agreement (“Addendum for Controllers,” https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, particularly with regard to the transfer of data to the parent company Meta Platforms, Inc. in the U.S. (based on the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Google Ads and conversion tracking: Online marketing methods for the purpose of placing content and ads within the service provider’s advertising network (e.g., in search results, in videos, on websites, etc.) so that they are displayed to users who are presumed to have an interest in the ads. In addition, we measure ad conversion, i.e., whether users have interacted with the ads and taken advantage of the advertised offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing agreements between data controllers and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
  • Google Ads Remarketing: Google Remarketing, also known as retargeting, is a technology that adds users who use an online service to a pseudonymous remarketing list, so that ads can be displayed to users on other online platforms based on their visit to the online service; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing agreements between controllers and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
  • Enhanced conversions for Google Ads: When users click on our Google ads and subsequently use the advertised service (so-called “conversion”), the data entered by the user, such as the email address, name, home address, or phone number, may be transmitted to Google. The hash values are then matched with the users’ existing Google accounts to better evaluate and improve user interaction with the ads (e.g., clicks or views) and thus their performance; Legal basis: Consent (Art. 6(1)(a) GDPR). Website: https://support.google.com/google-ads/answer/9888656.
  • Instagram Ads: Placement of ads within the Instagram platform and analysis of ad performance; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/; Basis for transfers to third countries: Data Privacy Framework (DPF); Right to object (opt-out): Please refer to the privacy and advertising settings in users’ profiles on the Instagram platform, as well as to Instagram’s consent procedures and contact options for exercising data subject rights, as outlined in Instagram’s Privacy Policy; Further information: User event data, i.e., behavioral and interest data, is processed for the purposes of targeted advertising and audience targeting based on the agreement on joint responsibility (“Addendum for Controllers,” https://www.facebook.com/legal/controller_addendum). The joint controller arrangement is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, particularly with regard to the transfer of data to the parent company Meta Platforms, Inc. in the United States.
  • LinkedIn Insight Tag: Code that is loaded when a user visits our website and tracks the user’s behavior and conversions, storing this information in a profile (possible uses: measuring campaign performance, optimizing ad delivery, building custom and lookalike audiences); Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy, Cookie Policy: https://www.linkedin.com/legal/cookie_policy; Data Processing Agreement: https://www.linkedin.com/legal/l/dpa; Basis for Transfers to Third Countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • Microsoft Advertising: Online marketing method for the purpose of placing content and ads within the service provider’s advertising network (e.g., in search results, in videos, on websites, etc.) so that they are displayed to users who are presumed to have an interest in the ads. In addition, we measure the conversion of the ads, i.e., whether users have been prompted to interact with the ads and take advantage of the advertised offers (so-called conversion). However, we only receive anonymous information and no personal information about individual users; Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR); Website: https://about.ads.microsoft.com/; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement; Basis for transfers to third countries: Data Privacy Framework (DPF). Opt-out option: https://account.microsoft.com/privacy/ad-settings/.
  • Outbrain Direct Response (ODR) by teads: Performance marketing platform that enables personalized advertising campaigns across various digital media. It supports targeted outreach to user groups, automated bidding processes, and the adaptation of advertising materials to the specific context in which they appear; Service provider: Teads France SAS, 97 rue du Cherche-Midi, 75006 Paris, France; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.outbrain.com; Privacy Policy: https://www.outbrain.com/privacy/; Basis for transfers to third countries: Data Privacy Framework (DPF). Further information: https://dsr.outbrain.com/recommendations-settings/home/de.
  • Pinterest Tag: The “Pinterest Tag” is a piece of code that is executed when you visit our website and tracks users’ interactions with our website. The “Pinterest Tag” is used in particular to measure campaign performance, optimize ad delivery, and build custom and lookalike audiences within the Pinterest platform and Pinterest’s partner network. In doing so, so-called activity data is processed, which includes, in particular, user behavior (e.g., page views, search queries, transactions, video views), technical information (e.g., IP address, operating system, browser type, language settings, cookie data), and demographic information (e.g., country or city): https://policy.pinterest.com/de/ad-data-terms. We and Pinterest are jointly responsible for the collection and transmission of this data as well as for the creation of statistical reports. The relevant agreement on joint responsibility can be viewed in the “Pinterest Advertising Services Agreement – Appendix B: Pinterest Joint Controller Addendum”: https://business.pinterest.com/de/pinterest-advertising-services-agreement/. In particular, Pinterest commits to implementing appropriate security measures and protecting the rights of data subjects. Users may exercise their rights, such as requests for access or deletion, directly with Pinterest. Users’ rights remain unaffected by this agreement; Service provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://help.pinterest.com/en/business/article/track-conversions-with-pinterest-tag; Privacy Policy: https://policy.pinterest.com/de/privacy-policy. Opt-out option: https://help.pinterest.com/de/article/personalized-ads-on-pinterest.
  • Taboola: Provision of features for displaying personalized advertising based on interest- and behavior-based information, which includes users’ demographic characteristics, interests, and browsing history and is stored in user profiles; Service provider: Taboola, Inc. 16 Madison Square West 7th Floor New York, New York 10010, USA; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.taboola.com/de; Privacy Policy: https://www.taboola.com/privacy-policy; Data Processing Agreement: Provided by the service provider; Basis for Transfers to Third Countries: Standard Contractual Clauses (provided by the service provider); Data deletion: Taboola stores user information collected directly for the purpose of ad serving for a maximum of eighteen (18) months after the user’s last interaction with Taboola’s services and anonymizes it by removing personal identifiers or aggregating the data. Taboola stores anonymous or aggregated data that cannot identify a person or a device and uses it for reporting and analysis purposes for as long as is commercially necessary. Opt-out option: https://www.taboola.com/privacy-policy#user-choices-and-optout.
  • HubSpot Marketing Hub: email marketing, lead generation, marketing automation, campaign performance analysis, management of social media interactions, creation and optimization of landing pages, and contact management; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.hubspot.de; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).
  • Leadinfo: Leadinfo analyzes general website usage data to identify trends and patterns in visitor behavior. In doing so, it provides aggregated information about companies, assists in classifying potential leads, enables notification systems, and allows integration with CRM systems. How it works: Leadinfo identifies visits by companies to our website based on IP addresses and provides us with publicly available information such as company names or addresses. In addition, Leadinfo uses two first-party cookies to analyze user behavior on our website and processes domains from form submissions (e.g., “leadinfo.com”) to correlate IP addresses with companies and improve the services; Service provider: Leadinfo B.V., Rivium Quadrant 141, 2909 LC Capelle aan den IJssel, Netherlands; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.leadinfo.com; Privacy Policy: https://www.leadinfo.com/de/rechtliches/datenschutz/; Data Processing Agreement: Provided by the service provider. Opt-out option: https://www.leadinfo.com/de/rechtliches/opt-out/.

Customer Reviews and Rating Processes

We participate in review and rating processes to evaluate, optimize, and promote our services. If users rate us or provide feedback via the participating rating platforms or processes, the providers’ general terms and conditions or terms of use and privacy policies also apply. As a rule, the rating also requires registration with the respective providers.

To ensure that reviewers have actually used our services, we transmit the necessary data regarding the customer and the service used to the respective review platform (including name, email address, and order number or item number) with the customer’s consent. This data is used solely to verify the user’s authenticity.

  • Types of data processed: Contract data (e.g., subject matter of the contract, term, customer category); Usage data (e.g., page views and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, persons involved). Content data (e.g., textual or visual messages and posts, as well as related information, such as details regarding authorship or the time of creation).
  • Data subjects: Service recipients and clients; users (e.g., website visitors, users of online services). Business and contractual partners.
  • Purposes of processing: Feedback (e.g., collecting feedback via an online form). Marketing.
  • Retention and deletion: Deletion in accordance with the information provided in the section “General Information on Data Storage and Deletion”.
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).

Further information on processing operations, procedures, and services:

  • Rating widget: We integrate so-called “rating widgets” into our online offering. A widget is a functional and content element integrated into our online offering that displays variable information. It can, for example, be displayed in the form of a seal or a comparable element, sometimes also referred to as a “badge.” While the corresponding content of the widget is displayed within our online offering, it is retrieved at that moment from the servers of the respective widget provider. This is the only way to ensure that the current content is always displayed, particularly the most recent rating. To do this, a data connection must be established between the webpage accessed within our online service and the widget provider’s server, and the widget provider receives certain technical data (access data, including the IP address) that is necessary to deliver the widget’s content to the user’s browser. Furthermore, the widget provider receives information that users have visited our online offering. This information may be stored in a cookie and used by the widget provider to identify which online offerings participating in the rating process have been visited by the user. The information may be stored in a user profile and used for advertising or market research purposes; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • Google Customer Reviews: Service for collecting and/or displaying customer satisfaction and customer opinions; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.google.com/; Privacy Policy: https://policies.google.com/privacy; Legal basis for transfers to third countries: Data Privacy Framework (DPF); Further information: When collecting customer reviews, an identification number and the time of the transaction to be reviewed are processed; for review requests sent directly to customers, the customer’s email address, country of residence, and the review details themselves are processed; Further details on the types of processing and the data processed: https://business.safety.google/adsservices/. Data Processing Terms for Google Advertising Products: Information on the services, data processing terms between controllers, and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
  • Trusted Shops (Trustedbadge): Review platform – As part of the joint responsibility arrangement between us and Trusted Shops, please contact Trusted Shops directly regarding data protection questions and to exercise your rights, using the contact details provided in the privacy policy. Regardless of this, you may always contact the controller of your choice. Your inquiry will then be forwarded to the other controller for a response, if necessary.

    The Trustbadge is provided by a U.S.-based CDN (Content Delivery Network) provider. An adequate level of data protection is ensured through standard data protection clauses and other contractual measures.
    When the Trustbadge is accessed, the web server automatically stores a so-called server log file, which contains your IP address, the date and time of access, the amount of data transferred, and the requesting provider (access data), and documents the access. The IP address is anonymized immediately after collection, so that the stored data cannot be associated with you personally. The anonymized data is used primarily for statistical purposes and for error analysis.

    If you have given your consent, the Trustbadge accesses order information stored on your device (order total, order number, and, if applicable, the product purchased) as well as your email address after the order is completed, and your email address is hashed using a cryptographic one-way function. The hash value is then transmitted to Trusted Shops along with the order information in accordance with Art. 6(1)(a) of the GDPR. This serves to verify whether you are already registered for Trusted Shops services. If this is the case, further processing takes place in accordance with the contractual agreement between you and Trusted Shops. If you are not yet registered for the services or do not give your consent to automatic recognition via the Trustbadge, you will subsequently have the opportunity to manually register for the use of the services or to conclude the insurance coverage under your existing user agreement, if applicable.

    For this purpose, after you complete your order, the Trustbadge accesses the following information stored on the end device you are using: order total, order number, and email address. This is necessary so that we can offer you buyer protection. Your data will not be transmitted to Trusted Shops until you actively choose to activate buyer protection by clicking the button labeled as such on the Trustcard. If you decide to use the services, further processing is governed by the contractual agreement with Trusted Shops pursuant to Art. 6(1)(b) GDPR in order to complete your registration for buyer protection and to secure the order, as well as to send you review invitations via email if applicable.

    Trusted Shops uses service providers in the areas of hosting, monitoring, and logging. The legal basis is Art. 6(1)(f) GDPR for the purpose of ensuring trouble-free operation. In this context, processing may take place in third countries (the U.S. and Israel). An adequate level of data protection is ensured in the case of the U.S. through standard data protection clauses and other contractual measures, and in the case of Israel through an adequacy decision.
    Service Provider: Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany; Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.trustedshops.de. Privacy Policy: https://www.trustedshops.de/impressum-datenschutz/.
  • Trustpilot: Review platform; Service provider: Trustpilot A/S, Pilestræde 58, 5, 1112 Copenhagen, Denmark; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://de.trustpilot.com; Privacy Policy: https://de.legal.trustpilot.com/for-reviewers/end-user-privacy-terms. Data Processing Agreement: https://de.legal.trustpilot.com/for-businesses/data-processing-agreement.

Social Media Presence

We maintain an online presence on social media platforms and, in this context, process user data in order to communicate with users active on those platforms or to provide information about us.

Please note that user data may be processed outside the European Union in this context. This may entail risks for users, as it could, for example, make it more difficult to enforce user rights.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, usage profiles can be created based on users’ behavior and the resulting interests. These profiles may in turn be used to display advertisements within and outside the networks that are presumed to correspond to users’ interests. For this reason, cookies are typically stored on users’ computers to record their usage behavior and interests. In addition, data may also be stored in the usage profiles regardless of the devices used by users (especially if they are members of the respective platforms and are logged in there).

For a detailed description of the specific forms of data processing and the options for objecting (opt-out), please refer to the privacy policies and information provided by the operators of the respective networks.

We also note that requests for information and the exercise of data subject rights are most effectively addressed directly with the providers. Only the latter have access to the user data and can take appropriate measures directly and provide information. If you still need assistance, you can contact us.

  • Types of data processed: Contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or visual messages and posts, as well as related information such as details regarding authorship or the time of creation). Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Communication; feedback (e.g., collecting feedback via online form). Public relations.
  • Retention and Deletion: Deletion in accordance with the information provided in the section “General Information on Data Storage and Deletion”.
  • Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • Instagram: Social network that allows users to share photos and videos, comment on and like posts, send messages, and follow profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • Facebook pages: Profiles on the Facebook social network – The data controller is jointly responsible with Meta Platforms Ireland Limited for the collection and transmission of data from visitors to our Facebook page (“Fan Page”). This includes, in particular, information about user behavior (e.g., content viewed or interacted with, actions taken) as well as device information (e.g., IP address, operating system, browser type, language settings, cookie data). Further details can be found in the Facebook Data Policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical analyses via the “Page Insights” service, which provide information on how people interact with our page and its content. This is based on an agreement with Facebook (“Information about Page Insights”: https://www.facebook.com/legal/terms/page_controller_addendum), which governs, among other things, security measures and the exercise of data subjects’ rights. Further information can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Users may therefore direct requests for information or deletion directly to Facebook. Users’ rights (in particular the right to access, erasure, objection, and complaint to a supervisory authority) remain unaffected by this. Joint responsibility is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited is solely responsible for further processing, including any possible transfer to Meta Platforms Inc. in the United States; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. 
    Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
  • LinkedIn: Social Network – We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of visitor data used to generate the “Page Insights” (statistics) for our LinkedIn profiles. This data includes information about the types of content users view or interact with, as well as the actions they take. In addition, details about the devices used are collected, such as IP addresses, operating system, browser type, language settings, and cookie data, as well as information from user profiles, such as job title, country, industry, hierarchical level, company size, and employment status. Privacy information regarding the processing of user data by LinkedIn can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.
    We have entered into a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum,” https://legal.linkedin.com/pages-joint-controller-addendum), which specifically outlines the security measures LinkedIn must adhere to and in which LinkedIn has agreed to fulfill the rights of data subjects (i.e., users can, for example, submit requests for access or deletion directly to LinkedIn). Users’ rights (in particular the right to access, erasure, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection and transfer of data to LinkedIn Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, in particular with regard to the transfer of data to the parent company LinkedIn Corporation in the United States; Service providers: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa). Right to object (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • Pinterest: Social network that allows users to share photos, comment on, favorite, and curate posts, send messages, and follow profiles; Service provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.pinterest.com. Privacy Policy: https://policy.pinterest.com/de/privacy-policy.
  • YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Privacy Policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF). Right to object (opt-out): https://myadcenter.google.com/personalizationoff.

Plug-ins, embedded features, and content

We incorporate functional and content elements into our online offering that are sourced from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos, or city maps (hereinafter collectively referred to as “content”).

This integration always requires that the third-party providers of this content process the user’s IP address, as they would be unable to send the content to the user’s browser without it. The IP address is therefore necessary for the display of this content or these functions. We strive to use only content whose respective providers use the IP address solely for the purpose of delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags allow information, such as visitor traffic on the pages of this website, to be analyzed. The pseudonymous information may also be stored in cookies on the user’s device and may include, among other things, technical information about the browser and operating system, referring websites, time of visit, and other details regarding the use of our online offering, as well as being linked to such information from other sources.

Information on Legal Bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is their consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, cost-effective, and user-friendly services). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., page views and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved). Location data (information regarding the geographic position of a device or a person).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online services and user-friendliness; audience measurement (e.g., traffic statistics, identification of returning visitors); tracking (e.g., interest-based/behavioral profiling, use of cookies); audience targeting. Marketing.
  • Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”. Storage of cookies for up to 2 years (Unless otherwise specified, cookies and similar storage methods may be stored on users’ devices for a period of two years.).
  • Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • Google Fonts (hosted on our own server): Provision of font files for the purpose of a user-friendly presentation of our online offering; Service provider: Google Fonts are hosted on our server; no data is transmitted to Google; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • Google Fonts (Retrieval from Google Server): Retrieval of fonts (and icons) for the purpose of ensuring technically secure, maintenance-free, and efficient use of fonts and icons with regard to up-to-date content and loading times, their consistent display, and compliance with any applicable licensing restrictions. The font provider is notified of the user’s IP address so that the fonts can be made available in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) is transmitted, which is necessary for the provision of the fonts depending on the devices used and the technical environment. This data may be processed on a server belonging to the font provider in the United States. When visiting our website, users’ browsers send HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) from Google Fonts and, subsequently, the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the Internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of the website visitors, as well as the referrer URL (i.e., the webpage on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers, and they are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user agent, and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wishes to load fonts. This data is logged so that Google can determine how often a specific font family is requested. With the Google Fonts Web API, the user-agent must match the font generated for the respective browser type. 
    The user-agent is primarily logged for debugging purposes and used to generate aggregated usage statistics that measure the popularity of font families. These aggregated usage statistics are published on the “Analytics” page of Google Fonts. Finally, the referring URL is logged so that the data can be used for production maintenance and to generate an aggregated report on the top integrations based on the number of font requests. According to Google, it does not use any of the information collected by Google Fonts to create profiles of end users or to serve targeted ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://fonts.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF). Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
  • Google Maps: We integrate maps from the “Google Maps” service provided by Google. The data processed may include, in particular, users’ IP addresses and location data; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • YouTube videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF). Right to object (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for the display of advertisements: https://myadcenter.google.com/personalizationoff.

Management, Organization, and Tools

We use services, platforms, and software from other providers (hereinafter referred to as “third-party providers”) for the purposes of organizing, managing, planning, and delivering our services. When selecting third-party providers and their services, we comply with legal requirements.

In this context, personal data may be processed and stored on the servers of third-party providers. This may involve various types of data that we process in accordance with this Privacy Policy. This data may include, in particular, users’ master data and contact information, as well as data regarding transactions, contracts, other processes, and their contents.

If users are referred to third-party providers or their software or platforms in the context of communication, business, or other relationships with us, the third-party providers may process usage data and metadata for security purposes, to optimize services, or for marketing purposes. We therefore ask that you review the privacy policies of the respective third-party providers.

  • Types of data processed: Content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation); Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
  • Data subjects: Communication partners. Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; Reach measurement (e.g., access statistics, recognition of returning visitors). Profiles containing user-related information (creation of user profiles).
  • Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Additional information on processing procedures, methods, and services:

  • HubSpot Social Media Publishing and Contact Management: Social media publishing, reporting (e.g., traffic sources, visitor numbers, web analytics), contact management (e.g., contact forms, direct communication, and user segmentation), landing pages; Service provider: HubSpot Ireland Limited, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.hubspot.de; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.hubspot.com/dpa).
  • AI software (on our own server): Use of “artificial intelligence” as defined by applicable law, i.e., software that is primarily based on specific logic and is essentially capable of autonomously understanding and generating natural language or other inputs and data, analyzing information, and making predictions; Service provider: Execution on servers and/or computers under our own responsibility under data protection law; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Application Process

The application process requires that applicants provide us with the data necessary for their evaluation and selection. The information required is specified in the job description or, in the case of online forms, in the details provided therein.

Generally, the required information includes personal details such as name, address, contact information, and proof of the qualifications necessary for the position. Upon request, we are happy to provide additional details regarding the specific information required.

If available, applicants are welcome to submit their applications via our online form, which is encrypted using state-of-the-art technology. Alternatively, you may also send your application to us by email. However, we would like to point out that emails are generally not sent in encrypted form over the internet. Although emails are usually encrypted during transmission, they are not encrypted on the servers from which they are sent and received. Therefore, we cannot assume any responsibility for the security of the application during its transmission between the sender and our server.

For the purposes of candidate search, application submission, and candidate selection, we may use applicant tracking systems, recruitment software, and third-party platforms and services in compliance with legal requirements.

Applicants are welcome to contact us regarding the method of submitting their application or to send their application by mail.

Processing of special categories of data: To the extent that special categories of personal data (Art. 9(1) GDPR, e.g., health data, such as severe disability status, or ethnic origin) are processed, the processing is carried out to enable the controller or the data subject to exercise the rights arising from labor law and the law on social security and social protection and to fulfill their respective obligations in this regard, in the case of the protection of the vital interests of the applicants or other persons, or for the purposes of preventive healthcare or occupational medicine, for the assessment of the employee’s fitness for work, for medical diagnosis, for the provision of care or treatment in the health or social sector, or for the administration of systems and services in the health or social sector.

Data Deletion: The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job opening is unsuccessful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Deletion takes place, subject to a valid revocation by the applicant, no later than six months after the application is submitted, so that we can answer any follow-up questions regarding the application and fulfill our obligations to provide evidence under the regulations on equal treatment of applicants. Invoices for any travel expense reimbursements are archived in accordance with tax regulations.

Inclusion in a candidate pool: Inclusion in a candidate pool, if offered, is based on consent. Applicants are informed that their consent to inclusion in the talent pool is voluntary, has no influence on the ongoing application process, and that they may revoke their consent at any time with future effect.

  • Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); contact information (e.g., mailing and email addresses or phone numbers); Content data (e.g., text or image-based messages and posts, as well as related information such as details regarding authorship or the time of creation). Applicant data (e.g., personal details, mailing and contact addresses, documents related to the application and the information contained therein, such as cover letters, resumes, certificates, as well as other information regarding a specific position or voluntarily provided by applicants regarding their person or qualifications).
  • Data subjects: Applicants.
  • Purposes of processing: Recruitment process (initiation and any subsequent implementation, as well as possible subsequent termination of the employment relationship).
  • Retention and deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
  • Legal basis: The application process as a pre-contractual or contractual relationship (Art. 6(1)(b) GDPR).