Preamble
With this privacy policy, we aim to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, the purposes for which we process them, and the extent to which they are processed within the framework of our application.
Date: August 24, 2023
Table of Contents
- Preamble
- Data Controller
- Overview of Processing Activities
- Relevant Legal Bases
- Security Measures
- Transmission of Personal Data
- Deletion of Data
- Rights of the Affected Individuals
- Use of Cookies
- Business Services
- Payment Methods
- Provision of the Online Service and Web Hosting
- Blogs and Publication Media
- Contact and Inquiry Management
- Web Analysis, Monitoring, and Optimization
- Online Marketing
- Customer Reviews and Rating Procedures
- Presence on Social Networks (Social Media)
- Plugins and Embedded Features and Content
- Cookie Management
- Changes and Updates to the Privacy Policy
Data Controller
Irfan Ozturk
Key Legal Foundations
Relevant Legal Bases under the GDPR: Below is a summary of the GDPR legal bases that we use to process personal data. Please be aware that in addition to the GDPR provisions, national data protection laws may apply in your or our country of residence. If there are any specific legal bases applicable in individual cases, we’ll inform you in our privacy policy.
- Consent (Art. 6 Para. 1 S. 1 lit. a GDPR) – The individual has given their consent to process their personal data for one or multiple specific purposes.
- Contract Performance and Preliminary Inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR) – Data processing is necessary for the performance of a contract where the individual is a party, or to carry out pre-contractual actions upon the individual’s request.
- Legal Obligation (Art. 6 Para. 1 S. 1 lit. c GDPR) – Processing is required to fulfill a legal obligation to which the responsible party is subject.
- Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f GDPR) – Processing is necessary for the legitimate interests of the responsible party or a third party, unless the individual’s interests or fundamental rights and freedoms, which require personal data protection, prevail.
National Data Protection Regulations in Germany: In addition to the GDPR, Germany has its national data protection laws. This includes the Federal Data Protection Act (BDSG), which specifically addresses rights like access, deletion, and objection. It also covers the processing of special categories of personal data, processing for other purposes, transmission, and automated decision-making, including profiling. State data protection laws may also apply.
Note on the Applicability of GDPR and Swiss DSG: This privacy notice provides information under both the Swiss Federal Data Protection Act (Swiss DSG) and the General Data Protection Regulation (GDPR). For broader applicability and clarity, GDPR terms are used. However, when the Swiss DSG applies, the legal meaning of the terms will still be determined by the Swiss DSG.
Overview of Processing
The following summary outlines the types of data processed, the purposes of their processing, and the individuals affected.
Types of Processed Data
- Inventory data.
- Payment data.
- Location data.
- Contact details.
- Content data.
- Contract data.
- Usage data.
- Meta, communication, and procedural data.
- Event Data (Facebook).
Categories of Affected Individuals
- Customers.
- Prospects.
- Communication partners.
- Users.
- Business and contract partners.
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations.
- Contact requests and communication.
- Security measures.
- Reach measurement.
- Tracking.
- Office and organizational procedures.
- Conversion measurement.
- Management and response to inquiries.
- Feedback.
- Marketing.
- User-related profiles.
- Provision of our online services and user-friendliness.
- Information technology infrastructure.
Security Measures
In compliance with legal requirements, and considering the current state of technology, implementation costs, the nature and scope of processing, and potential risks to individual rights and freedoms, we’ve implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures especially focus on ensuring the confidentiality, integrity, and availability of data. We control both physical and electronic access to the data and monitor data entry, sharing, and separation. We’ve also set up procedures to ensure the rights of affected individuals, data deletion, and timely responses to data breaches. Moreover, when developing or choosing hardware, software, or procedures, we prioritize data protection through technology design and privacy-friendly default settings.
To protect the data you transmit through our online platform, we use TLS encryption. You can recognize such encrypted connections by the “https://” prefix in your browser’s address bar.
Transmission of Personal Data
As part of our data processing activities, we might transfer data to other entities, companies, or individuals. This could include IT service providers or content providers integrated into a website. In such cases, we adhere to legal requirements and ensure that agreements are in place with data recipients to protect your data.
Data Deletion
We delete data in line with legal requirements, especially when the consent for processing is withdrawn or when the data is no longer necessary. If data isn’t deleted due to other legal obligations, its processing will be restricted. For instance, data that needs to be retained for legal, commercial, or tax reasons will be stored but not processed for other purposes.
Rights of Data Subjects
If you’re a data subject, the GDPR grants you several rights, particularly those outlined in Articles 15 to 21:
- Right to Object: You can object to data processing based on specific situations. This includes objecting to data processing for direct marketing purposes or any profiling related to it.
- Right to Withdraw Consent: You can revoke your consent at any time.
- Right to Access: You can request confirmation if your data is being processed and access specific details about it.
- Right to Rectification: You can ask for your data to be updated or corrected if it’s inaccurate.
- Right to Erasure and Restriction of Processing: You can request your data to be deleted or its processing to be limited based on legal grounds.
- Right to Data Portability: You can ask for a copy of your data in a standard format or its transfer to another service provider.
- Right to Lodge a Complaint: If you believe your data is being processed against GDPR provisions, you can file a complaint with a relevant authority.
Use of Cookies
Cookies are small text files or other storage markers that store information on devices and read information from them. For instance, they can save a user’s login status, shopping cart contents in an e-shop, accessed content, or used features of an online service. Cookies can serve various purposes, such as ensuring functionality, security, and user convenience of online services, as well as analyzing visitor traffic.
Regarding Consent: We deploy cookies in compliance with legal standards. We obtain prior consent from users unless legally exempted. Explicit consent isn’t necessary when storing and reading information, including cookies, is essential for providing a requested online service. Typically, essential cookies relate to displaying and operating the online service, load balancing, security, storing user preferences, or other main and auxiliary functions of the requested online service. We clearly communicate any revocable consent to users, detailing the specific cookie usage.
Legal Basis for Data Processing: The legal basis upon which we process users’ personal data using cookies depends on whether we seek user consent. If users consent, the processing is based on their declared consent. Otherwise, data processed via cookies is based on our legitimate interests (e.g., efficient operation and usability enhancement of our online service) or when fulfilling our contractual obligations. We provide further clarification on the purposes of our cookie processing throughout this privacy policy or during our consent and processing procedures.
Storage Duration: Concerning storage duration, cookies are categorized as:
- Temporary Cookies (Session Cookies): These cookies are deleted once a user exits an online service and closes their device or application.
- Permanent Cookies: These cookies remain stored even after the device is closed. For instance, they can save login status or preferred content for returning users. Unless we provide explicit details about the type and duration of cookie storage, users should assume cookies are permanent with a storage duration of up to two years.
General Notes on Revocation and Objection (“Opt-Out”): Users can revoke their given consents and object to processing as per legal guidelines. For instance, users can restrict cookie usage in their browser settings (though this might limit our online service’s functionality). Users can also object to cookies used for online marketing via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
- Legal Bases: Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f GDPR). Consent (Art. 6 Para. 1 S. 1 lit. a GDPR).
Additional Information on Processing Procedures, Methods, and Services:
- Processing of Cookie Data Based on Consent: We utilize a cookie consent management procedure where users’ consents for cookie usage and associated processing are obtained, managed, and revoked. The consent declaration is stored to avoid repeated queries and to legally document the consent. Storage can be server-side and/or in a cookie (an “Opt-In-Cookie” or using similar technologies) to associate the consent with a user or their device. Unless specified, the following applies: Consent storage duration can be up to two years. A pseudonymous user identifier is created and stored with the consent time, scope details (e.g., cookie categories and/or service providers), browser, system, and used device; Legal Basis: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR).
Business Services
We process data from our contractual and business partners, such as clients and potential clients (collectively referred to as “contractual partners”), within the context of contractual relationships and similar legal agreements. This also encompasses associated actions and communication with these partners, for instance, to address inquiries.
This data processing ensures we meet our contractual obligations. This includes, but is not limited to, delivering agreed-upon services, updating responsibilities, and addressing any service disruptions or warranties. Additionally, we process this data to safeguard our rights, manage associated administrative tasks, and organize our business operations. We also process data based on our legitimate interests in maintaining proper business operations and implementing protective measures to guard our partners and our business against misuse, potential threats to their data, secrets, information, and rights (e.g., involving telecommunication, transportation, and other auxiliary services, subcontractors, banks, legal and tax consultants, payment service providers, or financial authorities). As per legal guidelines, we only share contractual partner data with third parties when necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about other forms of processing, such as for marketing purposes, within this privacy policy.
We specify which data is essential for the aforementioned purposes to our contractual partners during or prior to data collection, for instance, in online forms, through distinct markers (e.g., colors) or symbols (e.g., asterisks), or in person.
We delete data after the expiration of legal warranty periods and similar obligations. This typically occurs after 4 years unless the data is stored in a customer account, for instance, for as long as it needs to be retained for legal archiving purposes. The legal retention period for tax-relevant documents and commercial books, inventories, opening balances, annual financial statements, and other related documents is ten years. For received commercial and business letters and reproductions of sent commercial and business letters, it’s six years. This period starts at the end of the calendar year in which the last entry was made, the inventory, opening balance, annual financial statement, or management report was prepared, the commercial or business letter was received or sent, or the booking voucher was created.
If we employ third-party providers or platforms to deliver our services, the terms and conditions and privacy notices of these third-party providers or platforms apply in relation to the users.
- Types of Processed Data: Inventory data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., email, phone numbers); contract data (e.g., contract subject, duration, customer category); usage data (e.g., visited websites, interest in content, access times). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Affected Individuals: Customers; potential clients. Business and contractual partners.
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; security measures; contact requests and communication; office and organizational procedures; management and response to inquiries; conversion measurement (measuring the effectiveness of marketing efforts). User-related profile creation.
- Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR); Legal obligation (Art. 6 Para. 1 S. 1 lit. c GDPR). Legitimate interests (Art. 6 Para. 1 S. 1 lit. f GDPR).
Additional Information on Processing Procedures, Methods, and Services:
- Customer Account: Customers can create an account within our online services (e.g., customer or user account). If account registration is required, customers are informed of this and of the details required for registration. Customer accounts are private and cannot be indexed by search engines. During registration and subsequent logins and account usage, we store customers’ IP addresses and access times to verify the registration and prevent potential misuse of the account. If an account is terminated, its data is deleted post-termination unless it needs to be retained for other purposes or due to legal reasons (e.g., internal storage of customer data, order processes, or invoices). Customers are responsible for securing their data upon account termination; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR).
- Economic Analyses and Market Research: For business reasons and to identify market trends and preferences, we analyze data related to business transactions, contracts, inquiries, etc. This analysis aims to evaluate business operations, marketing, and market research. We may consider profiles of registered users and their details. These analyses are solely for our benefit and are not disclosed externally unless they are anonymous with aggregated values. We respect users’ privacy and process data for analysis purposes as pseudonymously and anonymously as possible; Legal Bases: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f GDPR).
- Shop and E-Commerce: We process customer data to facilitate the selection, purchase, or order of products, goods, and associated services, as well as their payment and delivery. If necessary for order execution, we employ service providers, especially postal, freight, and shipping companies. For payment processes, we engage banks and payment service providers. We clearly indicate the required details during the order or similar purchase process; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR).
- Technical Services: We process customer data to enable the selection, purchase, or commissioning of chosen services or works, along with related activities, and their payment and provision. We inform customers about the necessary details during the contract, order, or similar agreement process. If we access information from end customers, employees, or other individuals, we process it in compliance with legal and contractual provisions; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR).
Payment Methods
In the context of contractual and other legal relationships, due to legal obligations or based on our legitimate interests, we offer efficient and secure payment options to the concerned individuals. To facilitate this, we collaborate with banks, credit institutions, and other service providers, collectively referred to as “Payment Service Providers.”
The data processed by these providers include personal details like name and address, banking details such as account or credit card numbers, passwords, TANs, checksums, and transaction-related information. This data is essential for executing transactions. However, the data entered is exclusively processed and stored by the payment service providers. This means we don’t receive any account or credit card-related details but only information confirming or denying the payment. In some cases, this data might be shared with credit agencies to verify identity and creditworthiness. For more details on this, we refer to the terms and conditions and privacy policies of the respective payment service providers.
For all payment transactions, the terms and conditions and privacy policies of the respective payment service providers apply. These can be accessed on their respective websites or transaction applications. We also refer to these for additional information and to exercise rights such as withdrawal, information requests, and other related rights.
- Types of Data Processed: Personal details (e.g., names, addresses); Payment details (e.g., bank details, invoices, payment history); Contractual data (e.g., contract subject, duration, customer category); Usage data (e.g., visited websites, content interest, access times); Metadata, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status). Contact details (e.g., email, phone numbers).
- Affected Individuals: Customers. Prospects.
- Purpose of Processing: Provision of contractual services and fulfillment of contractual obligations.
- Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR).
Additional Information on Processing Procedures, Methods, and Services:
- Apple Pay: Payment services (technical integration of online payment methods); Provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR); Website: Apple Pay; Privacy Policy: Apple Privacy.
- Giropay: Payment services (technical integration of online payment methods); Provider: giropay GmbH, An der Welle 4, 60322 Frankfurt, Germany; Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR); Website: Giropay; Privacy Policy: Giropay Privacy.
- Google Pay: Payment services (technical integration of online payment methods); Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR); Website: Google Pay; Privacy Policy: Google Privacy.
- Mastercard: Payment services (technical integration of online payment methods); Provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR); Website: Mastercard; Privacy Policy: Mastercard Privacy.
- PayPal: Payment services (technical integration of online payment methods) such as PayPal, PayPal Plus, Braintree; Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR); Website: PayPal; Privacy Policy: PayPal Privacy.
- Stripe: Payment services (technical integration of online payment methods); Provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR); Website: Stripe; Privacy Policy: Stripe Privacy; Basis for Third Country Transfer: EU-US Data Privacy Framework (DPF).
- Visa: Payment services (technical integration of online payment methods); Provider: Visa Europe Services Inc., Branch London, 1 Sheldon Square, London W2 6TT, GB; Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR); Website: Visa; Privacy Policy: Visa Privacy.
Online Service Provision and Web Hosting
We process user data to offer our online services. This includes processing the user’s IP address, essential for delivering our online content and features to the user’s browser or device.
- Types of Data Processed: Usage data (e.g., visited web pages, content interest, access times), meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Affected Individuals: Users (e.g., website visitors, online service users).
- Processing Purposes: Providing our online services and enhancing user experience; IT infrastructure (operation and provision of information systems and technical equipment like computers, servers, etc.); security measures; and fulfilling contractual obligations.
- Legal Basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f GDPR).
Additional Information on Processing Activities and Procedures:
- Access Data and Log Files Collection: We log access to our online services in “server log files.” These logs may include the accessed web pages and files’ address and name, access date and time, transferred data volume, successful access notifications, user’s browser type and version, user’s operating system, the previously visited page (referrer URL), and typically IP addresses and the requesting provider. These server log files are used for security purposes, especially to prevent server overloads (particularly in the case of malicious attacks, known as DDoS attacks) and to ensure server load and stability; Legal Basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f GDPR); Data Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidence purposes is exempted from deletion until the respective incident is fully clarified.
- 1&1 IONOS: Services related to the provision of IT infrastructure and associated services (e.g., storage space and/or computing capacities); Service Provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal Basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f GDPR); Website: https://www.ionos.de; Privacy Policy: https://www.ionos.de/terms-gtc/terms-privacy; Data Processing Agreement: We have entered into a Data Processing Agreement titled “Vereinbarung zur Auftragsverarbeitung” with IONOS. The document can be found at this address.
Blogs and Publication Platforms
We utilize blogs and similar online communication and publication tools (hereinafter referred to as “Publication Platforms”). Reader data is processed only to the extent necessary for the presentation of the platform, communication between authors and readers, or for security reasons. For further details, please refer to our data protection guidelines provided for visitors of our publication platforms.
- Types of Data Processed: Personal details (e.g., names, addresses); Contact information (e.g., email, phone numbers); Content data (e.g., online form entries); Usage data (e.g., visited web pages, content interest, access times). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Individuals Affected: Users (e.g., website visitors, online service users).
- Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Feedback collection (e.g., via online forms); Enhancing user experience; Security measures. Management and response to inquiries.
- Legal Basis: Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f GDPR).
Additional Information on Processing Procedures and Methods:
- Comments and Contributions: When users leave comments or other contributions, their IP addresses may be stored based on our legitimate interests. This is for our protection in case someone posts illegal content in comments (e.g., insults, prohibited political propaganda). In such cases, we may be held responsible and are therefore interested in the identity of the author. Moreover, we reserve the right to process user information for spam detection based on our legitimate interests. We also retain the right to store IP addresses during surveys to prevent multiple votes. Personal information, contact details, and content shared in comments and contributions will be stored by us indefinitely unless the user objects.
Legal Basis: Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f GDPR).
Contact and Inquiry Management
When reaching out to us (e.g., via mail, contact form, email, phone, or social media) or during ongoing user and business relations, the information provided by the inquiring parties is processed as required to respond to the inquiries and any requested actions.
- Types of Data Processed: Contact information (e.g., email, phone numbers); Content data (e.g., online form entries); Usage data (e.g., visited web pages, content interest, access times). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Individuals Affected: Communication partners.
- Purposes of Processing: Handling contact requests and communication; Managing and responding to inquiries; Feedback collection (e.g., via online forms); Enhancing user experience.
- Legal Basis: Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f GDPR). Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR).
Additional Information on Processing Procedures and Methods:
- Contact Form: When users contact us through our contact form, email, or other communication channels, we process the data shared with us to address the concern raised.
Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR), Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f GDPR).
Web Analysis, Monitoring, and Optimization
Web analysis, often referred to as “reach measurement,” is employed to evaluate the traffic patterns of our online offerings. This can encompass behavior, interests, or demographic information about visitors, such as age or gender, in pseudonymous form. Through this analysis, we can identify peak usage times of our online services or its features and contents. Additionally, it allows us to pinpoint areas that require optimization.
Beyond web analysis, we also employ testing methods to assess and enhance different versions of our online offerings or its components.
Unless otherwise specified below, profiles, which are data sets consolidated from a single usage process, can be created. Information can be stored and retrieved from a browser or device. The collected data primarily includes visited web pages, utilized elements, and technical details like the browser used, computer system, and usage times. If users have consented to the collection of their location data to us or the providers of the services we use, location data may also be processed.
IP addresses of users are also stored. However, we employ an IP-masking technique (i.e., pseudonymization by truncating the IP address) to protect users. In general, no clear-text user data (e.g., email addresses or names) is stored within the scope of web analysis, A/B testing, and optimization, only pseudonyms. This means neither we nor the software providers know the actual identity of users, only the information stored in their profiles for the respective procedures.
- Types of Data Processed: Usage data (e.g., visited web pages, content interest, access times). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Affected Individuals: Users (e.g., website visitors, online service users).
- Purposes of Processing: Reach measurement (e.g., access statistics, detection of returning visitors); User profile creation. Enhancing user experience.
- Security Measures: IP masking (pseudonymization of the IP address).
- Legal Basis: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR). Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f GDPR).
Additional Information on Processing Procedures and Methods:
- Google Analytics 4: We utilize Google Analytics to measure and analyze the usage of our online offerings based on a pseudonymous user identification number. This ID does not contain unique data like names or email addresses. It’s used to associate analysis information with a device, recognizing which content users have accessed within one or multiple usage processes, the search terms they’ve used, or how they’ve interacted with our online offering. Also, the time and duration of usage, user sources, and technical aspects of their devices and browsers are recorded. Pseudonymous profiles of users are created with information from the usage of various devices, possibly using cookies. Google Analytics does not log individual IP addresses for EU users. However, it provides rough geographical location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is exclusively used for this derivation of geolocation data before being promptly deleted. They are not logged, are inaccessible, and are not used for further purposes. When Google Analytics collects measurement data, all IP queries are processed on EU-based servers before the traffic is forwarded to Analytics servers for processing.
- Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
- Legal Basis: Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f GDPR)
- Website: Google Analytics
- Privacy Policy: Google Privacy
- Processing Agreement: Google Processor Terms
- Third-Country Transfer Basis: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (Google Processor Terms)
- Opt-Out: Opt-Out Plugin: Google Opt-Out, Ad Display Settings: Google Ad Settings
- Further Information: Google Privacy for Business Ad Services
- Google Tag Manager: Google Tag Manager is a solution that allows us to manage website tags via a single interface, integrating other services into our online offering (further details are provided in this privacy policy). The Tag Manager itself (which implements the tags) doesn’t create user profiles or store cookies. Google only learns the user’s IP address, which is necessary to run the Google Tag Manager.
- Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
- Legal Basis: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR)
- Website: Google Marketing Platform
- Privacy Policy: Google Privacy
- Processing Agreement: Google Processor Terms
- Third-Country Transfer Basis: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (Google Processor Terms)
Online Marketing
We process personal data for online marketing purposes, which may particularly involve the marketing of advertising spaces or the presentation of advertising and other content (collectively referred to as “content”) based on potential user interests and the measurement of its effectiveness.
For these purposes, user profiles are created and stored in a file (commonly known as a “cookie”) or similar procedures are used to store information relevant to displaying the aforementioned content. This information may include viewed content, visited websites, utilized online networks, communication partners, and technical details such as the browser used, the computer system, and details about usage times and features. If users have consented, their location data may also be processed.
We also store users’ IP addresses. However, we employ available IP-masking techniques (i.e., pseudonymization by truncating the IP address) for user protection. Generally, online marketing procedures do not store clear data of users (e.g., email addresses or names), only pseudonyms. This means neither we nor the providers of online marketing procedures know the actual identity of users, but only the information stored in their profiles.
The information in the profiles is typically stored in cookies or using similar methods. These cookies can later be read on other websites that use the same online marketing procedure, analyzed for content display purposes, supplemented with additional data, and stored on the server of the online marketing procedure provider.
On rare occasions, clear data can be associated with profiles. This happens when users are members of a social network whose online marketing procedures we use, and the network links the users’ profiles with the aforementioned information. We ask users to note that they may have additional agreements with providers, e.g., consent during registration.
We generally only access aggregated information about the success of our advertisements. However, through conversion measurements, we can check which of our online marketing procedures led to a so-called conversion, e.g., a contract conclusion with us. Conversion measurement is solely used to analyze the success of our marketing measures.
Unless otherwise stated, please assume that cookies used are stored for a period of two years.
- Types of Data Processed: Usage data (e.g., visited websites, content interest, access times). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Affected Individuals: Users (e.g., website visitors, online service users).
- Purposes of Processing: Reach measurement (e.g., access statistics, detection of returning visitors); Tracking (e.g., interest/behavioral profiling, use of cookies); Marketing; User profile creation. Conversion measurement (measuring the effectiveness of marketing measures).
- Security Measures: IP masking (pseudonymization of the IP address).
- Legal Basis: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR). Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f GDPR).
Opt-Out Options: We refer to the privacy notices of the respective providers and the opt-out options they provide. If no explicit opt-out option is provided, one option is to disable cookies in your browser settings. However, this may limit the functionality of our online offering. We also recommend the following opt-out options, which are offered collectively for specific areas: a) Europe: Your Online Choices b) Canada: Your Ad Choices Canada c) USA: About Ads d) Cross-regional: Opt Out About Ads
Additional Information on Processing Procedures and Methods:
- Google Ads and Conversion Measurement: We use online marketing procedures to place content and ads within the service provider’s advertising network (e.g., in search results, videos, websites, etc.) so they are displayed to users who presumably have an interest in the ads. Additionally, we measure the conversion of the ads, i.e., whether users have interacted with the ads and utilized the promoted offers (known as conversion). We only receive anonymous information and no personal details about individual users.
- Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
- Legal Basis: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR), Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f GDPR)
- Website: Google Marketing Platform
- Privacy Policy: Google Privacy
- Third-Country Transfer Basis: EU-US Data Privacy Framework (DPF)
- Further Information: Types of processing and processed data: Google Privacy for Business Ad Services. Data processing terms between responsible parties and standard contractual clauses for third-country data transfers: Google Ads Controller Terms.
Customer Reviews and Rating Procedures
We participate in review and rating processes to evaluate, optimize, and promote our services. When users rate or provide feedback about us through the involved platforms or procedures, the terms of service and privacy policies of those providers also apply. Typically, providing a rating requires registration with the respective providers.
To ensure that the reviewers have genuinely used our services, we transmit the necessary data related to the customer and the service used to the respective review platform (including name, email address, and order or item number) with the customer’s consent. This data is solely used to verify the user’s authenticity.
- Types of Data Processed: Contract data (e.g., contract subject, duration, customer category); Usage data (e.g., visited websites, content interest, access times). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Affected Individuals: Customers, Users (e.g., website visitors, online service users).
- Purposes of Processing: Feedback collection (e.g., gathering feedback via online form). Marketing.
- Legal Basis: Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f GDPR). Consent (Art. 6 Para. 1 S. 1 lit. a GDPR).
Additional Information on Processing Procedures and Services:
- Trusted Shops (Trustedbadge): This is a review platform. Within the shared responsibility between us and Trusted Shops, for data protection inquiries and to assert your rights, please primarily contact Trusted Shops using the contact options provided in their privacy information. However, you can always approach the responsible party of your choice. If necessary, your request will be forwarded to the other responsible party for a response. The Trustbadge is provided by a US-based CDN provider (Content-Delivery-Network). An appropriate level of data protection is ensured through standard data protection clauses and other contractual measures. When accessing the Trustbadge, the web server automatically saves a so-called server log file, which contains your IP address, date and time of access, transferred data volume, and the requesting provider (access data) and documents the access. The IP address is anonymized immediately after collection, ensuring the stored data cannot be attributed to you. The anonymized data is primarily used for statistical purposes and error analysis. If you’ve given consent, the Trustbadge accesses order information stored on your device post-order completion (order total, order number, potentially purchased product) and hashes your email address using a cryptographic one-way function. The hash value, along with the order information according to Art. 6 Para. 1 S. 1 lit. a GDPR, is then transmitted to Trusted Shops. This is to verify whether you’re already registered for Trusted Shops services. If you are, further processing will occur based on the contractual agreement between you and Trusted Shops. If you’re not registered for the services or haven’t given consent for automatic recognition via the Trustbadge, you’ll subsequently have the opportunity to manually register for service use or complete protection for your existing user contract. 
For this purpose, post-order, the Trustbadge accesses the following information stored on your device: order total, order number, and email address. This is necessary to offer you buyer protection. Data is only transmitted to Trusted Shops when you actively decide to complete buyer protection by clicking the designated button in the so-called Trustcard. If you choose to use the services, further processing is based on the contractual agreement with Trusted Shops according to Art. 6 Para. 1 lit. b GDPR, to finalize your registration for buyer protection, secure the order, and potentially send you review invitations via email. Trusted Shops employs service providers in hosting, monitoring, and logging areas. The legal basis is Art. 6 Para. 1 lit. f GDPR to ensure smooth operation. Processing can occur in third countries (USA and Israel). An appropriate level of data protection is ensured for the USA through standard data protection clauses and other contractual measures, and for Israel through an adequacy decision.
- Service Provider: Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany.
- Legal Basis: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR), Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f GDPR).
- Website: Trusted Shops
- Privacy Policy: Trusted Shops Privacy
- Trustpilot: This is a review platform.
- Service Provider: Trustpilot A/S, Pilestræde 58, 5, 1112 Copenhagen, Denmark.
- Legal Basis: Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f GDPR).
- Website: Trustpilot
- Privacy Policy: Trustpilot Privacy
Social Media Presence
We maintain an online presence on various social media platforms. We process user data on these platforms to communicate with active users and provide information about our services.
Please note that user data may be processed outside the European Union, which could pose potential risks for users, such as challenges in enforcing user rights.
Typically, social networks use user data for market research and advertising purposes. For instance, user behavior can be analyzed to create user profiles. These profiles can then be used to display ads both within and outside the networks that presumably align with users’ interests. This often involves storing cookies on users’ devices, which track user behavior and interests. Additionally, data can be stored in user profiles regardless of the devices users employ, especially if they are logged into the platform.
For detailed information on data processing and opt-out options, we recommend referring to the privacy policies of the respective social network providers.
In case of inquiries or when asserting user rights, it’s most effective to address them directly to the platform providers, as they have direct access to user data and can take immediate action. However, if you need assistance, feel free to contact us.
- Types of Data Processed: Contact information (e.g., email, phone numbers); Content data (e.g., online form entries); Usage data (e.g., websites visited, content interest, access times); Metadata and communication data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Affected Individuals: Users (e.g., website visitors, online service users).
- Purpose of Processing: Communication and contact requests; Feedback collection; Marketing.
- Legal Basis: Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f GDPR).
Additional Information on Processing Methods and Services:
- Instagram: Social network; Provider: Meta Platforms Ireland Limited; Website: Instagram; Privacy Policy: Instagram Privacy.
- Facebook Pages: Social network profiles on Facebook; Provider: Meta Platforms Ireland Limited; Website: Facebook; Privacy Policy: Facebook Privacy; Data Transfer Basis: EU-US Data Privacy Framework (DPF).
- LinkedIn: Social network; Provider: LinkedIn Ireland Unlimited Company; Website: LinkedIn; Privacy Policy: LinkedIn Privacy; Opt-Out: LinkedIn Opt-Out.
- Pinterest: Social network; Provider: Pinterest Europe Limited; Website: Pinterest; Privacy Policy: Pinterest Privacy.
- X (Twitter): Social network; Provider: Twitter International Company; Privacy Policy: Twitter Privacy; Settings: Twitter Settings.
- YouTube: Social network and video platform; Provider: Google Ireland Limited; Website: YouTube; Privacy Policy: Google Privacy; Opt-Out: Google Ads Settings.
Plugins and Embedded Features and Content
We incorporate functional and content elements into our online offering, sourced from the servers of their respective providers (hereinafter referred to as “third-party providers”). Examples include graphics, videos, or city maps, uniformly referred to as “content.”
The integration of these elements requires third-party providers to process users’ IP addresses, as without them, they couldn’t send the content to users’ browsers. The IP address is essential for the presentation of this content. We strive to use content whose providers use the IP address solely for content delivery. Third-party providers might also use pixel tags (invisible graphics, also known as “Web Beacons”) for statistical or marketing purposes. These “Pixel-Tags” can evaluate metrics like website traffic. The pseudonymous data might be stored in users’ devices as cookies, containing details about the browser, operating system, referring websites, visit duration, and more about our online offering. This data can also be linked with information from other sources.
- Types of Data Processed: Usage data (e.g., websites visited, content interest, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status); Personal data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., online form entries); Location data; Event data (Facebook) (data related to actions, such as website visits, content interactions, app installations, product purchases, etc., processed for targeted content and advertising).
- Affected Individuals: Users (e.g., website visitors, online service users).
- Processing Purposes: Enhancing online platform usability; Marketing; Creating user profiles.
- Legal Bases: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f GDPR); Consent (Art. 6 Para. 1 S. 1 lit. a GDPR).
Further Information on Processing Activities, Procedures, and Services:
- Facebook-Plugins and Content: Information is provided about Facebook social plugins and content. These plugins and content can be images, videos, or texts that users can share within Facebook. Information about a special agreement made with Facebook and data security provisions is available.
- Google Fonts: Information is provided about the use of fonts provided by Google. These fonts are used for a user-friendly display of the website.
- Google Maps: Information is provided about the integration of maps provided by Google.
- Instagram-Plugins and Content: Information is provided about Instagram social plugins and content. These plugins and content can be images, videos, or texts that users can share within Instagram.
- YouTube-Videos: Information is provided about the integration of YouTube video content.
Cookie Management and Consent with “Real Cookie Banner”
We utilize the “Real Cookie Banner” tool to oversee cookies, along with similar technologies like tracking pixels and web beacons. This ensures we obtain and manage user consents effectively. For an in-depth understanding of how “Real Cookie Banner” operates, please visit https://devowl.io/rcb/data-processing/.
The legal foundation for processing personal data in this regard is based on both Art. 6 (1) lit. c GDPR and Art. 6 (1) lit. f GDPR. Our primary objective is to efficiently manage the cookies and associated technologies, ensuring user consents are appropriately handled.
It’s important to note that providing personal data isn’t a contractual obligation, nor is it essential for entering into a contract. While you’re not mandated to share personal data, failing to do so means we won’t be able to manage your consents effectively.
Updates and Modifications to our Privacy Policy
We kindly request that you stay informed about the contents of our data protection statement. Should there be any alterations in our data processing methods, we will adjust the statement accordingly. If these changes require your collaboration (e.g., your consent) or any other individual notification, we will promptly inform you.
In this data protection statement, if we provide addresses and contact details of companies and organizations, please bear in mind that these addresses might change over time. We kindly ask that you verify the details before reaching out to us.