Privacy Policy | The Cue Group

Table of Contents

Preamble
Controller
Overview of processing activities
Legal bases
Security measures
Transfer of personal data
International data transfers
General information on data storage and deletion
Rights of data subjects
Business services
Provision of the online offering and web hosting
Use of cookies
Contact and inquiry management
Newsletter and electronic notifications
Advertising communication via email, post, fax or telephone
Web analytics, monitoring and optimization
Customer reviews and rating procedures
Social media presences
Plugins and embedded functions and content
Amendments and updates
Definitions

Controller

The Cue Group GmbH
Blumenstraße 6
65189 Wiesbaden
Germany

Authorized representative: Mike Bertsch

Overview of processing activities

The following overview summarizes the types of data processed, the purposes of their processing, and refers to the categories of data subjects.

Types of data processed

• Inventory data
• Payment data
• Contact data
• Content data
• Contract data
• Usage data
• Meta, communication and process data
• Log data

Categories of data subjects

• Customers and clients
• Prospective customers
• Communication partners
• Users
• Business and contractual partners

Purposes of processing

• Provision of contractual services and fulfillment of contractual obligations
• Communication
• Security measures
• Direct marketing
• Reach measurement
• Tracking
• Office and organizational procedures
• Target group formation
• Organizational and administrative procedures
• Feedback
• Marketing
• Profiles with user-related information
• Provision of our online services and user experience optimization
• Information technology infrastructure
• Public relations
• Sales promotion
• Business processes and economic operations

Relevant legal bases under the GDPR:

Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. Should more specific legal bases be relevant in individual cases, we will inform you of these in this privacy policy.

Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.

Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.

Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.

Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection regulations in Germany:
In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific provisions regarding the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, data transfers, and automated individual decision-making, including profiling. In addition, state-level data protection laws of the individual German federal states may apply.

Security measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, availability and separation of the data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data breaches. In addition, we take the protection of personal data into account already during the development or selection of hardware, software and processes, in accordance with the principle of data protection by design and by default.

Shortening of IP addresses:
Where IP addresses are processed by us or by the service providers and technologies we use, and where the processing of the full IP address is not necessary, the IP address is shortened (also referred to as "IP masking"). In this process, the last two digits or the last part of the IP address after a dot are removed or replaced by placeholders. The shortening of the IP address is intended to prevent or significantly hinder the identification of a person based on their IP address.

Securing online connections through TLS/SSL encryption technology (HTTPS):
To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is transmitted securely and in encrypted form.

Transfer of personal data

In the course of our processing of personal data, it may occur that such data is transferred to or disclosed to other entities, companies, legally independent organizational units or individuals. Recipients of this data may include, for example, service providers entrusted with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to ensure the protection of your data.

Data transfer within the organization:
We may transfer personal data to other departments or units within our organization or grant them access to such data. Where data is disclosed for administrative purposes, this is based on our legitimate business and economic interests or is carried out where it is necessary for the fulfillment of our contractual obligations or where consent of the data subjects or a legal authorization exists.

International data transfers

Data processing in third countries:
If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies (which can be identified by the postal address of the respective provider or if the privacy policy explicitly refers to data transfers to third countries), this is always carried out in accordance with the applicable legal requirements.

For data transfers to the United States, we primarily rely on the Data Privacy Framework (DPF), which has been recognized as a secure legal framework by an adequacy decision of the European Commission dated July 10, 2023. In addition, we have concluded Standard Contractual Clauses with the respective providers, in accordance with the requirements of the European Commission, which establish contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: the DPF constitutes the primary level of protection, while the Standard Contractual Clauses serve as an additional layer of security. Should there be any changes within the framework of the DPF, the Standard Contractual Clauses act as a reliable fallback mechanism. In this way, we ensure that your data remains adequately protected at all times, even in the event of political or legal changes.

For individual service providers, we inform you whether they are certified under the DPF and whether Standard Contractual Clauses are in place. Further information on the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, appropriate safeguards apply, in particular Standard Contractual Clauses, explicit consent or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found in the information provided by the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

General information on data storage and deletion

We delete personal data that we process in accordance with the statutory provisions as soon as the underlying consents are withdrawn or no further legal basis for processing exists. This applies to cases where the original purpose of processing no longer applies or the data is no longer required. Exceptions to this rule exist where legal obligations or specific interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal prosecution or for the protection of the rights of other natural or legal persons must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that specifically applies to certain processing activities.

If multiple retention periods or deletion deadlines are specified for a given dataset, the longest period shall always prevail. Data that is no longer required for the originally intended purpose but is retained due to legal requirements or other reasons will only be processed for the purposes that justify its retention.

Retention and deletion of data:
The following general retention periods apply under German law:

10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the work instructions and other organizational documents necessary for their understanding (§ 147 para. 1 no. 1 in conjunction with para. 3 AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 in conjunction with para. 4 HGB).

8 years – Accounting records, such as invoices and expense receipts (§ 147 para. 1 no. 4 and 4a in conjunction with para. 3 sentence 1 AO as well as § 257 para. 1 no. 4 in conjunction with para. 4 HGB).

6 years – Other business documents: received commercial or business letters, copies of sent commercial or business letters, and other documents relevant for taxation, e.g. time sheets, cost accounting sheets, calculation documents, price markings, as well as payroll documents insofar as they are not already accounting records, and cash register receipts (§ 147 para. 1 no. 2, 3, 5 in conjunction with para. 3 AO, § 257 para. 1 no. 2 and 3 in conjunction with para. 4 HGB).

3 years – Data required to consider potential warranty and damage claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experience and standard industry practice, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Start of the retention period:
If a period does not explicitly begin on a specific date and is at least one year long, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the triggering event is the time at which the termination becomes effective or the legal relationship otherwise ends.

Rights of data subjects

Rights of data subjects under the GDPR:
As a data subject, you are entitled to various rights under the GDPR, in particular pursuant to Articles 15 to 21 GDPR:

Right to object:
You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this also applies to profiling insofar as it is related to such direct marketing.

Right to withdraw consent:
You have the right to withdraw any consent you have given at any time.

Right of access:
You have the right to request confirmation as to whether personal data concerning you is being processed, and, where that is the case, access to that data as well as further information and a copy of the data in accordance with the statutory provisions.

Right to rectification:
You have the right, in accordance with the statutory provisions, to request the completion of incomplete personal data concerning you or the correction of inaccurate data concerning you.

Right to erasure and restriction of processing:
You have the right, in accordance with the statutory provisions, to request that personal data concerning you be deleted without undue delay or, alternatively, to request restriction of processing of the data.

Right to data portability:
You have the right to receive the personal data concerning you that you have provided to us, in a structured, commonly used and machine-readable format, or to request its transmission to another controller.

Right to lodge a complaint with a supervisory authority:
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

Business services

We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contractual partners”), within the framework of contractual and comparable legal relationships as well as related measures and with regard to communication with the contractual partners (or pre-contractually), for example to respond to inquiries.

We use this data to fulfill our contractual obligations. This includes, in particular, obligations to provide the agreed services, any update obligations, and remedies in the case of warranty claims or other service disruptions. In addition, we use the data to safeguard our rights and for the purposes of administrative tasks associated with these obligations, as well as for corporate organization. Furthermore, we process the data on the basis of our legitimate interests in proper and efficient business management and in security measures to protect our contractual partners and our business operations against misuse, threats to their data, secrets, information, and rights (e.g. through the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Within the scope of applicable law, we only disclose data of contractual partners to third parties insofar as this is necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about further forms of processing, e.g. for marketing purposes, within this privacy policy.

We inform contractual partners which data is required for the aforementioned purposes before or during data collection, e.g. in online forms, by means of special markings (e.g. colors) or symbols (e.g. asterisks), or in person.

We delete the data after the expiry of statutory warranty and comparable obligations, i.e. generally after four years, unless the data is stored in a customer account, e.g. as long as it must be retained for legal archiving reasons (typically ten years for tax purposes). Data disclosed to us by the contractual partner as part of an assignment will be deleted in accordance with the requirements and generally after the end of the assignment.

Types of data processed:
Master data (e.g. full name, address, contact details, customer number, etc.);
Payment data (e.g. bank details, invoices, payment history);
Contact data (e.g. postal and email addresses or telephone numbers);
Contract data (e.g. subject matter of the contract, term, customer category).

Data subjects:
Service recipients and clients;
Interested parties;
Business and contractual partners.

Purposes of processing:
Provision of contractual services and fulfillment of contractual obligations;
Communication;
Office and organizational procedures;
Organizational and administrative processes;
Business processes and economic operations.

Retention and deletion:
Deletion in accordance with the information provided in the section “General information on data storage and deletion”.

Legal bases:
Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR);
Legal obligation (Art. 6(1) sentence 1 lit. c GDPR);
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

Agency services:
We process our customers' data within the scope of our contractual services, which may include, for example, conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes, handling, server administration, data analysis/consulting services, and training services;
Legal basis: performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR).

Technical services:
We process the data of our customers and clients (hereinafter uniformly referred to as “customers”) in order to enable them to select, purchase or commission the chosen services or works, as well as related activities, and to facilitate their payment and provision or execution.

The required information is marked as such within the framework of the order, booking or comparable contract conclusion and includes the information necessary for service provision and billing, as well as contact information to allow for any necessary follow-up communication. If we receive access to information of end customers, employees or other persons, we process this in accordance with legal and contractual requirements;
Legal basis: performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR).

Event management:
We process the data of participants of events, functions and similar activities offered or organized by us (hereinafter uniformly referred to as “participants” and “events”) in order to enable them to participate in the events and to make use of the services or actions associated with participation.

If, in this context, we process health-related data, religious, political or other special categories of data, this is done within the scope of obvious disclosure (e.g. in the case of thematically oriented events), for the purposes of health care, safety, or on the basis of the data subject’s consent.

Provision of the online offering and web hosting

We process users’ data in order to provide our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.

Types of data processed:
Usage data (e.g. page views and duration of visits, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions);
Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons);
Log data (e.g. log files relating to logins or the retrieval of data or access times);
Content data (e.g. textual or visual messages and posts and related information such as authorship or time of creation).

Data subjects:
Users (e.g. website visitors, users of online services).

Purposes of processing:
Provision of our online offering and user-friendliness;
Information technology infrastructure (operation and provision of information systems and technical devices such as computers, servers, etc.);
Security measures.

Retention and deletion:
Deletion in accordance with the information provided in the section “General information on data storage and deletion”.

Legal basis:
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

Provision of online services on rented server space:
For the provision of our online offering, we use storage space, computing capacity and software that we rent or otherwise obtain from a server provider (also referred to as a “web host”);
Legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Collection of access data and log files:
Access to our online offering is logged in the form of so-called “server log files”. Server log files may include the address and name of the accessed web pages and files, date and time of access, transferred data volumes, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), and generally IP addresses and the requesting provider. Server log files may be used for security purposes, e.g. to prevent server overload (especially in the case of abusive attacks such as DDoS attacks), and to ensure the utilization and stability of the servers;
Legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Deletion of data:
Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.

Email dispatch and hosting:
The web hosting services we use also include the sending, receiving and storage of emails. For these purposes, the addresses of recipients and senders, as well as further information regarding email transmission (e.g. the involved providers) and the content of the respective emails are processed. The aforementioned data may also be processed for the purpose of detecting spam. Please note that emails on the internet are generally not sent in encrypted form. As a rule, emails are encrypted during transmission, but (unless end-to-end encryption is used) not on the servers from which they are sent and received. Therefore, we cannot assume responsibility for the transmission path of emails between the sender and receipt on our server;
Legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Mittwald:
Services in the field of providing IT infrastructure and related services (e.g. storage space and/or computing capacity);
Service provider: Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp, Germany;
Legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
Website: https://www.mittwald.de
Privacy policy: https://www.mittwald.de/datenschutz
Data processing agreement: https://www.mittwald.de/faq/service-informationen/faq/datenschutz-alles-wichtige-zur-dsgvo

Use of cookies

The term “cookies” refers to functions that store information on users’ devices and read it from them. Cookies can also be used for various purposes, such as ensuring functionality, security, and convenience of online services, as well as for analyzing visitor traffic. We use cookies in accordance with legal requirements. Where necessary, we obtain users’ consent in advance. If consent is not required, we rely on our legitimate interests. This applies where storing and reading information is essential to provide explicitly requested content and functions. This includes, for example, storing settings and ensuring the functionality and security of our online offering. Consent can be withdrawn at any time. We clearly inform users about the scope of cookies used and their purposes.

Notes on legal bases under data protection law:
Whether we process personal data using cookies depends on consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests, as explained above in this section and in the context of the respective services and procedures.

Storage duration:
With regard to storage duration, the following types of cookies are distinguished:

Temporary cookies (also: session cookies):
Temporary cookies are deleted at the latest after a user leaves an online service and closes their device (e.g. browser or mobile application).

Persistent cookies:
Persistent cookies remain stored even after the device is closed. For example, the login status can be saved and preferred content can be displayed directly when the user revisits a website. Likewise, usage data collected via cookies can be used for reach measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies are persistent and may be stored for up to two years.

General information on withdrawal and objection (opt-out):
Users can withdraw their consent at any time and may also object to processing in accordance with statutory provisions, including via their browser’s privacy settings.

Types of data processed:
Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).

Data subjects:
Users (e.g. website visitors, users of online services).

Legal bases:
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
Consent (Art. 6(1) sentence 1 lit. a GDPR).

Further information on processing operations, procedures and services:

Processing of cookie data based on consent:
We use a consent management solution in which users’ consent to the use of cookies or to the procedures and providers specified within the consent management system is obtained. This procedure serves to obtain, log, manage and withdraw consent, particularly with regard to the use of cookies and similar technologies that are used to store, read and process information on users’ devices.

Within this process, users’ consent is obtained for the use of cookies and the associated processing of information, including the specific processing activities and providers named within the consent management procedure. Users also have the option to manage and withdraw their consent.

Consent declarations are stored to avoid repeated requests and to provide proof of consent in accordance with legal requirements. Storage takes place on the server and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies in order to assign the consent to a specific user or their device.

Unless specific information about consent management service providers is provided, the following general information applies: The consent is stored for up to two years. A pseudonymous user identifier is created and stored together with the time of consent, details of the scope of consent (e.g. relevant cookie categories and/or service providers), as well as information about the browser, system and device used.

Legal basis:
Consent (Art. 6(1) sentence 1 lit. a GDPR).

Contact and inquiry management

When contacting us (e.g. by post, contact form, email, telephone or via social media), as well as within the framework of existing user and business relationships, the information provided by the inquiring persons is processed insofar as this is necessary to respond to the contact requests and any requested measures.

Types of data processed:
Master data (e.g. full name, address, contact details, customer number, etc.);
Contact data (e.g. postal and email addresses or telephone numbers);
Content data (e.g. textual or visual messages and posts as well as related information such as authorship or time of creation);
Usage data (e.g. page views and duration of visits, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions);
Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).

Data subjects:
Communication partners.

Purposes of processing:
Communication;
Organizational and administrative procedures;
Feedback (e.g. collecting feedback via online forms);
Provision of our online offering and user-friendliness.

Retention and deletion:
Deletion in accordance with the information provided in the section “General information on data storage and deletion”.

Legal bases:
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR).

Further information on processing operations, procedures and services:

Contact form:
When contacting us via our contact form, by email or other communication channels, we process the personal data transmitted to us in order to respond to and handle the respective request. This generally includes information such as name, contact details and, where applicable, further information provided to us that is necessary for proper processing. We use this data exclusively for the stated purpose of contact and communication.

Legal bases:
Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR);
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Newsletter and electronic notifications

We send newsletters, emails and other electronic notifications (hereinafter “newsletter”) only with the consent of the recipients or on the basis of a legal authorization. If the contents of the newsletter are described during registration, these contents are decisive for the user’s consent. To subscribe to our newsletter, it is generally sufficient to provide your email address. However, in order to offer you a personalized service, we may ask for your name for personal addressing in the newsletter or for additional information if this is necessary for the purpose of the newsletter.

Deletion and restriction of processing:
We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, in order to be able to prove previously given consent. The processing of this data is limited to the purpose of a potential defense against claims. An individual request for deletion is possible at any time, provided that the previous existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a suppression list (so-called “blocklist”).

The logging of the registration process is based on our legitimate interests for the purpose of proving its proper execution. If we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure dispatch system.

Content:
Information about us, our services, campaigns and offers.

Data subjects:
Communication partners.

Purposes of processing:
Direct marketing (e.g. via email or postal mail).

Legal basis:
Consent (Art. 6(1) sentence 1 lit. a GDPR).

Right to object (opt-out):
You may unsubscribe from our newsletter at any time, i.e. withdraw your consent or object to further receipt. A link to unsubscribe can be found at the end of each newsletter, or you may alternatively use one of the contact options provided above, preferably via email.

Promotional communication via email, post, fax or telephone

We process personal data for the purposes of promotional communication, which may take place via various channels such as email, telephone, post or fax in accordance with legal requirements.

Recipients have the right to withdraw their consent at any time or to object to promotional communication at any time free of charge using the contact options provided above.

After withdrawal or objection, we store the data required to prove the previous authorization for contact or delivery for up to three years after the end of the year in which the withdrawal or objection was made, based on our legitimate interests. The processing of this data is limited to the purpose of a possible defense against claims. Based on our legitimate interest in permanently observing the withdrawal or objection of users, we also store the data necessary to prevent further contact (e.g. depending on the communication channel: email address, telephone number, name).

Data subjects:
Communication partners.

Purposes of processing:
Direct marketing (e.g. via email or postal mail);
Marketing;
Sales promotion.

Retention and deletion:
Deletion in accordance with the information provided in the section “General information on data storage and deletion”.

Legal bases:
Consent (Art. 6(1) sentence 1 lit. a GDPR);
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Web analysis, monitoring and optimization

Web analysis (also referred to as “reach measurement”) is used to evaluate visitor flows on our online offering and may include behavior, interests or demographic information about visitors, such as age or gender, in pseudonymous form. With the help of reach analysis, we can, for example, identify at what times our online offering or its functions or content are used most frequently, or encourage reuse. It also enables us to identify areas that require optimization.

In addition to web analysis, we may also use testing procedures to test and optimize different versions of our online offering or its components.

Unless otherwise specified below, profiles, i.e. data aggregated for a specific usage process, may be created for these purposes and information may be stored in and read from a browser or device. The information collected includes, in particular, visited websites and elements used there, as well as technical information such as the browser used, the computer system used and information about usage times. If users have consented to the collection of their location data either by us or by the providers of the services we use, location data may also be processed.

In addition, users' IP addresses are stored. However, we use an IP masking procedure (i.e. pseudonymization by shortening the IP address) to protect users. In general, no clear user data (such as email addresses or names) is stored in the context of web analysis, A/B testing and optimization, but only pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

Notes on legal bases:
If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economic and user-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy.

Data subjects:
Users (e.g. website visitors, users of online services).

Purposes of processing:
Reach measurement (e.g. access statistics, recognition of returning visitors);
Profiles with user-related information (creation of user profiles);
Provision of our online offering and user-friendliness.

Retention and deletion:
Deletion in accordance with the information provided in the section “General information on data storage and deletion”.
Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage technologies may be stored on users' devices for a period of up to two years).

Security measures:
IP masking (pseudonymization of the IP address).

Legal bases:
Consent (Art. 6(1) sentence 1 lit. a GDPR);
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

Google Analytics:
We use Google Analytics to measure and analyze the use of our online offering based on a pseudonymous user identification number. This identification number does not contain any unique data such as names or email addresses. It is used to assign analysis information to a device in order to understand which content users accessed within one or multiple usage processes, which search terms they used, revisited or how they interacted with our online offering. The time and duration of use are also stored, as well as the sources of users referring to our online offering and technical aspects of their devices and browsers.

Pseudonymous user profiles are created using information from the use of different devices, and cookies may be used for this purpose. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides coarse geographical location data by deriving the following metadata from IP addresses: city (and derived latitude/longitude), continent, country, region, subcontinent. For EU data traffic, IP address data is used solely for deriving geolocation data and is immediately deleted afterwards. It is not logged, accessible, or used for any other purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing.

Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Legal basis: Consent (Art. 6(1) sentence 1 lit. a GDPR)
Website: https://marketingplatform.google.com/intl/de/about/analytics/
Security measures: IP masking (pseudonymization of the IP address)
Privacy policy: https://policies.google.com/privacy
Data processing agreement: https://business.safety.google/adsprocessorterms/
Third country transfer basis: Data Privacy Framework (DPF), Standard Contractual Clauses
Opt-out: https://tools.google.com/dlpage/gaoptout?hl=en
Ad settings: https://myadcenter.google.com/personalizationoff
Further information: https://business.safety.google/adsservices/

Google Tag Manager:
We use Google Tag Manager, a software by Google that allows us to centrally manage so-called website tags via a user interface. Tags are small code elements on our website that are used to record and analyze visitor activities. This technology helps us improve our website and the content offered on it.

Google Tag Manager itself does not create user profiles, store cookies with user profiles, or perform independent analyses. Its function is limited to facilitating and managing the integration of tools and services we use on our website. However, when using Google Tag Manager, the IP address of users is transmitted to Google, which is technically necessary to implement the services we use. Cookies may also be set in this process. However, such data processing only takes place if services are integrated via the Tag Manager. For more detailed information about these services and their data processing, please refer to the relevant sections of this privacy policy.

Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Legal basis: Consent (Art. 6(1) sentence 1 lit. a GDPR)
Website: https://marketingplatform.google.com
Privacy policy: https://policies.google.com/privacy
Data processing agreement: https://business.safety.google/adsprocessorterms
Third country transfer basis: Data Privacy Framework (DPF), Standard Contractual Clauses

Customer reviews and rating procedures

We participate in review and rating procedures in order to evaluate, optimize and promote our services. If users rate us via the respective review platforms or otherwise provide feedback, the general terms and conditions and data protection notices of the respective providers also apply. As a rule, submitting a review requires registration with the respective provider.

To ensure that reviewers have actually used our services, we transmit, with the consent of the customer, the data necessary for this purpose relating to the customer and the service used to the respective review platform (including name, email address and order number or item number). This data is used solely to verify the authenticity of the user.

Types of data processed:
Contract data (e.g. subject of the contract, duration, customer category);
Usage data (e.g. page views and duration of visits, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions);
Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved parties).

Data subjects:
Service recipients and clients;
Users (e.g. website visitors, users of online services).

Purposes of processing:
Feedback (e.g. collection of feedback via online forms);
Marketing.

Legal basis:
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

Review widget:
We integrate so-called “review widgets” into our online offering. A widget is a functional and content element embedded in our online offering that displays dynamic information. It may, for example, appear in the form of a seal or similar element, sometimes referred to as a “badge”.

Although the widget content is displayed within our online offering, it is retrieved in real time from the servers of the respective widget provider. This ensures that the content is always up to date, particularly the current rating. For this purpose, a data connection must be established between the website accessed within our online offering and the server of the widget provider, and the widget provider receives certain technical data (access data, including IP address) necessary to deliver the widget content to the user’s browser.

In addition, the widget provider receives information that users have visited our online offering. This information may be stored in a cookie and used by the widget provider to identify which online offerings participating in the review process have been visited by the user. The information may be stored in a user profile and used for advertising or market research purposes.

Legal basis:
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

ProvenExpert:
Review platform;
Service provider: Expert Systems AG, Quedlinburger Straße 1, 10589 Berlin, Germany;
Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
Website: https://www.provenexpert.com/en/
Privacy policy: https://www.provenexpert.com/en/privacy-policy/

Presences in social networks (social media)

We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to provide information about us.

Please note that user data may be processed outside the European Union. This may result in risks for users, as the enforcement of user rights could, for example, be made more difficult.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles may be created based on usage behavior and resulting interests. These profiles may in turn be used to display advertisements within and outside the networks that are presumed to match users' interests. For this purpose, cookies are usually stored on users’ devices, in which usage behavior and interests are stored. In addition, data may be stored in user profiles independently of the devices used by the users (in particular if they are members of the respective platforms and logged in).

For a detailed description of the respective processing operations and the possibilities to object (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.

Also in the case of requests for information and the assertion of data subject rights, we point out that these can be exercised most effectively with the respective providers. Only the providers have access to the users’ data and can take appropriate measures and provide information directly. Should you nevertheless require assistance, you can contact us.

Types of data processed:
Contact data (e.g. postal and email addresses or telephone numbers);
Content data (e.g. textual or visual messages and posts and related information such as authorship or time of creation);
Usage data (e.g. page views and duration of visits, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions).

Data subjects:
Users (e.g. website visitors, users of online services).

Purposes of processing:
Communication;
Feedback (e.g. collection of feedback via online forms);
Public relations.

Retention and deletion:
Deletion in accordance with the information provided in the section “General information on data storage and deletion”.

Legal basis:
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

Instagram:
Social network enabling the sharing of photos and videos, commenting and liking posts, sending messages, and following profiles and pages;
Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
Website: https://www.instagram.com
Privacy policy: https://privacycenter.instagram.com/policy/
Basis for third country transfers: Data Privacy Framework (DPF).

LinkedIn:
Social network — We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not further processing) of visitor data used to create “Page Insights” (statistics) for our LinkedIn profiles. This data includes information about the types of content users view or interact with and the actions they take. It also includes details about the devices used, such as IP addresses, operating system, browser type, language settings and cookie data, as well as information from user profiles such as job function, country, industry, seniority level, company size and employment status.

Data protection information regarding the processing of user data by LinkedIn can be found here:
https://www.linkedin.com/legal/privacy-policy

We have concluded a specific agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum”: https://legal.linkedin.com/pages-joint-controller-addendum), which regulates in particular which security measures LinkedIn must observe and in which LinkedIn has agreed to fulfill the rights of data subjects (i.e. users can, for example, send access or deletion requests directly to LinkedIn). The rights of users (in particular the right to access, deletion, objection and complaint to a supervisory authority) are not restricted by the agreements with LinkedIn.

Joint responsibility is limited to the collection and transmission of data to LinkedIn Ireland Unlimited Company, an EU-based company. Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, in particular with regard to the transfer of data to the parent company LinkedIn Corporation in the USA.

Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland;
Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
Website: https://www.linkedin.com
Privacy policy: https://www.linkedin.com/legal/privacy-policy
Basis for third country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses
Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

YouTube:
Social network and video platform;
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
Privacy policy: https://policies.google.com/privacy
Basis for third country transfers: Data Privacy Framework (DPF)
Opt-out: https://myadcenter.google.com/personalizationoff

Plug-ins and embedded functions and content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos or maps (hereinafter collectively referred to as “content”).

The integration always requires that the third-party providers process the users’ IP address, as they would otherwise not be able to send the content to the users’ browser. The IP address is therefore required for the display of this content or functionality. We strive to use only such content whose respective providers use the IP address solely for delivering the content.

Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Through these pixel tags, information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on users’ devices and may include, among other things, technical information about the browser and operating system, referring websites, time of visit and other details regarding the use of our online offering, and may also be combined with such information from other sources.

Data subjects:
Users (e.g. website visitors, users of online services).

Purposes of processing:
Provision of our online offering and user-friendliness;
Reach measurement (e.g. access statistics, recognition of returning visitors);
Tracking (e.g. interest- or behavior-based profiling, use of cookies);
Target group formation;
Marketing.

Retention and deletion:
Deletion in accordance with the information provided in the section “General information on data storage and deletion”.
Storage of cookies for up to 2 years (unless otherwise specified, cookies and similar storage technologies may be stored on users’ devices for up to two years).

Legal bases:
Consent (Art. 6(1) sentence 1 lit. a GDPR);
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing operations, procedures and services:

Google Fonts (hosted locally):
Provision of font files for a user-friendly display of our online offering;
Service provider: Google Fonts are hosted on our own server; no data is transmitted to Google;
Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

OpenStreetMap:
We integrate maps from the service “OpenStreetMap”, which are provided on the basis of the Open Data Commons Open Database License (ODbL) by the OpenStreetMap Foundation (OSMF). User data is processed by OpenStreetMap exclusively for the purpose of displaying map functions and temporarily storing selected settings.

This data may include, in particular, IP addresses and location data of users, which, however, are not collected without their consent (usually as part of the settings of their device or browser).

Service provider: OpenStreetMap Foundation (OSMF);
Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
Website: https://www.openstreetmap.org
Privacy policy: https://osmfoundation.org/wiki/Privacy_Policy

YouTube videos:
Video content;
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Legal basis: Consent (Art. 6(1) sentence 1 lit. a GDPR);
Website: https://www.youtube.com
Privacy policy: https://policies.google.com/privacy
Basis for third country transfers: Data Privacy Framework (DPF)
Opt-out: https://tools.google.com/dlpage/gaoptout?hl=en
Ad settings: https://myadcenter.google.com/personalizationoff

Changes and updates

We kindly ask you to regularly review the content of our privacy policy. We update this privacy policy as soon as changes to the data processing activities we carry out make this necessary. We will inform you whenever such changes require your cooperation (e.g. consent) or any other individual notification.

Where we provide addresses and contact details of companies and organizations in this privacy policy, please note that these may change over time. We therefore ask you to verify the information before contacting them.

Definitions

This section provides an overview of the terms used in this privacy policy. Where the terms are legally defined, their legal definitions apply. The following explanations are intended to facilitate understanding.

Inventory data:
Inventory data includes essential information required for the identification and management of contractual partners, user accounts, profiles and similar assignments. This data may include personal and demographic information such as names, contact details (addresses, telephone numbers, email addresses), dates of birth and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between individuals and services, institutions or systems by enabling clear identification and communication.

Content data:
Content data includes information generated in the course of creating, editing and publishing content of any kind. This category may include texts, images, videos, audio files and other multimedia content published on various platforms and media. Content data is not limited to the content itself, but also includes metadata that provides information about the content, such as tags, descriptions, author details and publication dates.

Contact data:
Contact data consists of essential information that enables communication with individuals or organizations. This includes telephone numbers, postal addresses and email addresses, as well as communication identifiers such as social media handles and instant messaging IDs.

Meta, communication and procedural data:
Meta, communication and procedural data are categories that contain information about how data is processed, transmitted and managed. Metadata (data about data) includes information describing the context, origin and structure of other data, such as file size, creation date, document author and change history. Communication data records the exchange of information between users via various channels, such as email correspondence, call logs, social media messages and chat histories, including involved parties, timestamps and transmission routes. Procedural data describes processes and workflows within systems or organizations, including workflow documentation, transaction logs and activity logs used for tracking and auditing.

Usage data:
Usage data refers to information that captures how users interact with digital products, services or platforms. This includes a wide range of data showing how users use applications, which features they prefer, how long they stay on certain pages and how they navigate through an application. Usage data may also include frequency of use, timestamps of activities, IP addresses, device information and location data. It is particularly valuable for analyzing user behavior, optimizing user experience, personalizing content and improving products or services. It also plays a key role in identifying trends, preferences and potential problem areas.

Personal data:
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”). A natural person is considered identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier (e.g. a cookie) or one or more specific characteristics that express the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Profiles with user-related information:
The processing of “profiles with user-related information” (or simply “profiles”) includes any form of automated processing of personal data consisting of the use of such data to evaluate certain personal aspects relating to a natural person. Depending on the type of profiling, this may involve analyzing or predicting aspects such as demographics, behavior and interests (e.g. interactions with websites and their content, interest in certain products, click behavior or location). Cookies and web beacons are often used for profiling purposes.

Log data:
Log data consists of information about events or activities recorded within a system or network. This data typically includes timestamps, IP addresses, user actions, error messages and other details about system usage or operation. Log data is often used for troubleshooting, security monitoring and performance analysis.

Reach measurement:
Reach measurement (also known as web analytics) is used to evaluate visitor flows of an online offering and may include behavior or interests of visitors in specific information such as website content. With the help of reach analysis, operators of online services can, for example, determine when users visit their websites and which content interests them. This allows them to better tailor website content to user needs. Pseudonymous cookies and web beacons are often used for this purpose.

Tracking:
“Tracking” refers to the ability to trace user behavior across multiple online offerings. Typically, behavioral and interest-related information is stored in cookies or on the servers of tracking technology providers (so-called profiling). This information may then be used, for example, to display advertisements to users that are likely to match their interests.

Controller:
The “controller” is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Processing:
“Processing” means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and includes practically any handling of data, such as collection, evaluation, storage, transmission or deletion.

Contract data:
Contract data refers to specific information related to the formalization of an agreement between two or more parties. It documents the terms under which services or products are provided, exchanged or sold. This category includes identification of the contractual parties as well as specific terms and conditions such as contract duration, type of services or products, pricing agreements, payment terms, termination rights, renewal options and special clauses. Contract data serves as the legal basis of the relationship between the parties and is essential for enforcing rights and obligations and resolving disputes.

Payment data:
Payment data includes all information required to process payment transactions between buyers and sellers. This data is essential for e-commerce, online banking and other financial transactions. It may include credit card numbers, bank account details, payment amounts, transaction data, verification codes and billing information. Payment data may also include information about payment status, chargebacks, authorizations and fees.

Target group formation:
Target group formation (so-called “custom audiences”) refers to defining target groups for advertising purposes, for example to display advertisements. Based on a user’s interest in certain products or topics, it may be inferred that the user is interested in similar products or services. “Lookalike audiences” are audiences whose profiles or interests are similar to those of existing users. Cookies and web beacons are typically used for creating such audiences.