Privacy
With the following privacy policy, we would like to inform you about the types of personal data (hereinafter also referred to as "data") we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").
The terms used are not gender-specific.
As of September 30th 2025
Alfred Pracht Lichttechnik GmbH
Am Seerain 3, D-35232 Dautphetal-Buchenau
Telephone: +49 6466 9140-0
Email address: welcome@pracht.com
We have appointed a data protection officer for our company:
Feyzi Erdar
Data Protection Officer (TÜV)
Hainstr. 87, 35216 Biedenkopf, Germany
Telephone: +49 6461 / 9240202
Email: dsb-pracht@erdar.de
The following overview summarises the types of data processed and the purposes for which they are processed, and refers to the data subjects.
Types of data processed
- Inventory data.
- Employee data.
- Payment data.
- Location data.
- Contact details.
- Content data.
- Contract data.
- Usage data.
- Meta, communication and procedural data.
- Social data.
- Applicant data.
- Image and/or video recordings.
- Audio recordings.
- Location history and movement profiles.
- Contact information (Facebook).
- Event data (Facebook).
- Log data.
- Performance and behaviour data.
- Member data.
- Working time data.
- Salary data.
Special categories of data
- Health data.
- Data on sex life or sexual orientation.
- Religious or philosophical beliefs.
- Trade union membership.
- Political opinions.
Categories of data subjects
- Service recipients and clients.
- Employees.
- Prospective customers.
- Communication partners.
- Users.
- Applicants.
- Competition and contest participants.
- Members.
- Business and contractual partners.
- Patients.
- Clients.
- Education and course participants.
- Participants.
- People depicted.
- Donors.
- Third parties.
- Whistleblowers.
- Customers.
Purposes of processing
- Provision of contractual services and fulfilment of contractual obligations.
- Communication.
- Security measures.
- Direct marketing.
- Reach measurement.
- Tracking.
- Office and organisational procedures.
- Remarketing.
- Conversion measurement.
- Click tracking.
- Target group formation.
- Affiliate tracking.
- A/B testing.
- Organisational and administrative procedures.
- Application procedures.
- Conducting prize draws and competitions.
- Server monitoring and error detection.
- Content delivery network (CDN).
- Feedback.
- Heat maps.
- Surveys and questionnaires.
- Marketing.
- Profiles with user-related information.
- Registration procedures.
- Cross-device tracking.
- Provision of our online services and user-friendliness.
- Assessment of creditworthiness and credit rating.
- Establishment and implementation of employment relationships.
- Information technology infrastructure.
- Fundraising.
- Public relations and information purposes.
- Whistleblower protection.
- Finance and payment management.
- Public relations.
- Sales promotion.
- Business processes and business management procedures.
- Artificial intelligence (AI).
Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or registered office. Should more specific legal bases be relevant in individual cases, we will inform you of this in the privacy policy.
- Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given their consent to the processing of their personal data for one or more specific purposes.
- Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6(1)(c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Protection of vital interests (Art. 6 para. 1 sentence 1 lit. d) GDPR) - Processing is necessary to protect the vital interests of the data subject or another natural person.
- Legitimate interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
- Application process as a pre-contractual or contractual relationship (Art. 6(1)(b) GDPR) - Insofar as special categories of personal data within the meaning of Art. 9(1) GDPR (e.g. health data, such as severe disability or ethnic origin) are requested from applicants in order to enable the controller or the data subject to exercise their rights under labour law and social security and social protection law and to fulfil their obligations in this regard, such data shall be processed in accordance with Art. 9(2)(b) GDPR, in the case of the protection of vital interests of applicants or other persons pursuant to Art. 9(2)(c) GDPR or for the purposes of health care or occupational medicine, for the assessment of the employee's ability to work, for medical diagnosis, care or treatment in the health or social sector or for the management of systems and services in the health or social sector in accordance with Art. 9 (2) (h) GDPR. In the case of communication of special categories of data based on voluntary consent, their processing is carried out on the basis of Art. 9(2)(a) GDPR.
- Processing of special categories of personal data relating to health, employment and social security (Art. 9(2)(h) GDPR) - Processing is necessary for the purposes of health care or occupational medicine, for the assessment of the employee's ability to work, for medical diagnosis, care or treatment in the health or social sector, or for the management of systems and services in the health or social sector on the basis of Union law or the law of a Member State or on the basis of a contract with a health professional.
- Consent to the processing of special categories of personal data (Art. 9(2)(a) GDPR) - The data subject has expressly consented to the processing of the personal data referred to for one or more specified purposes.
- Processing of special categories of personal data for the protection of vital interests (Art. 9(2)(c) GDPR) - Processing is necessary to protect the vital interests of the data subject or another natural person and the data subject is physically or legally incapable of giving consent.
- Membership agreement (statutes) (Art. 6(1)(b) GDPR).
National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on the Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act, new version, BDSG n. F.). The BDSG n. F. contains, in particular, special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transfer, as well as automated decision-making in individual cases, including profiling. Furthermore, state data protection laws of the individual federal states may apply.
Note on the applicability of the GDPR and the Swiss DSG: This privacy policy serves to provide information in accordance with both the Swiss DSG and the General Data Protection Regulation (GDPR). For this reason, please note that the terms used in the GDPR are used due to their broader geographical application and comprehensibility. In particular, instead of the terms ‘processing’ of ‘personal data’, ‘overriding interest’ and ‘sensitive personal data’ used in the Swiss Data Protection Act, the terms ‘processing’ of ‘personal data’, ‘legitimate interest’ and ‘special categories of data’ used in the GDPR are used. However, the legal meaning of the terms will continue to be determined in accordance with the Swiss DSG within the scope of the Swiss DSG.
In accordance with legal requirements, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, implementation costs, the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of threats to the rights and freedoms of natural persons.
These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, transfer, availability and separation relating to it. Furthermore, we have established procedures to ensure that the rights of data subjects are exercised, data is deleted and responses are made to data threats. We also take the protection of personal data into account during the development and selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default.
Securing online connections with TLS/SSL encryption technology (HTTPS): We use TLS/SSL encryption technology to protect user data transmitted via our online services from unauthorised access. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), protecting the data from unauthorised access. TLS, as the more advanced and secure version of SSL, ensures that all data transfers meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transferred securely and encrypted.
As part of our processing of personal data, it may happen that this data is transferred to or disclosed to other departments, companies, legally independent organisational units or persons. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to protect your data.
Data processing in third countries: If we process data in a third country (i.e. outside the European Union (EU) and the European Economic Area (EEA)) or if processing takes place in the context of using third-party services or disclosing or transferring data to other persons, bodies or companies, this is only done in accordance with the legal requirements. If the level of data protection in the third country has been recognised by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers will only take place if the level of data protection is otherwise ensured, in particular by standard contractual clauses (Art. 46(2)(c) GDPR), express consent or in the case of contractual or legally required transfers (Art. 49(1) GDPR). In addition, we will inform you of the basis for third-country transfers for individual providers from third countries, whereby adequacy decisions take precedence as the basis. Information on third-country transfers and existing adequacy decisions can be found in the information provided by the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de. Within the framework of the so-called "Data Privacy Framework" (DPF), the European Commission has also recognised the level of data protection for certain companies from the USA as secure within the framework of the adequacy decision of 10 July 2023. The list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). We will inform you in our data protection notice which service providers we use are certified under the Data Privacy Framework.
We delete personal data that we process in accordance with legal requirements as soon as the underlying consents are revoked or there are no further legal grounds for processing. This applies to cases in which the original purpose of processing no longer applies or the data is no longer required. Exceptions to this rule exist if legal obligations or special interests require longer storage or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.
Our data protection information contains additional information on the storage and deletion of data that applies specifically to certain processing procedures.
If there are several specifications regarding the storage period or deletion periods for a piece of data, the longest period shall always apply.
If a period does not expressly begin on a specific date and is at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the period is the date on which the termination or other ending of the legal relationship takes effect.
We process data that is no longer stored for its originally intended purpose but is retained due to legal requirements or other reasons exclusively for the reasons that justify its retention.
Further information on processing procedures, methods and services:
• Storage and deletion of data: The following general periods apply to storage and archiving under German law:
◦ 10 years – retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets and the work instructions and other organisational documents necessary for their understanding, accounting documents and invoices (Section 147 (3) in conjunction with (1) Nos. 1, 4 and 4a AO, § 14b (1) UStG, § 257 (1) No. 1 and 4, (4) HGB).
◦ 6 years - Other business documents: commercial or business letters received, copies of commercial or business letters sent, other documents relevant to taxation, e.g. hourly wage slips, operating accounts, calculation documents, price labels, but also payroll documents, insofar as they are not already accounting documents, and cash register receipts (Section 147 (3) in conjunction with (1) No. 2, 3, 5 AO, Section 257 (1) No. 2 and 3, (4) HGB).
◦ 3 years – Data required to consider potential warranty and damage claims or similar contractual claims and rights, as well as to process related enquiries, based on previous business experience and customary industry practices, is stored for the duration of the regular statutory limitation period of three years (Sections 195, 199 BGB).
Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:
• Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
• Right to withdraw consent: You have the right to withdraw your consent at any time.
• Right to information: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data, as well as further information and a copy of the data in accordance with the legal requirements.
• Right to rectification: In accordance with the legal requirements, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.
• Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be erased immediately or, alternatively, in accordance with legal requirements, to request a restriction on the processing of the data.
• Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with legal requirements, or to request that it be transferred to another controller.
• Complaint to supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State in which you usually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you believe that the processing of personal data relating to you violates the GDPR.
Distribution takes place via digital and traditional channels, including email distribution lists, websites and social media. Maintaining contact details includes collecting and updating data on media contacts and other relevant interest groups. The organisation of press conferences and events involves planning and executing these events, managing invitations and coordinating event logistics. Interaction with the media and stakeholders takes place through direct communication with journalists, bloggers and other opinion leaders, responding to enquiries and providing information. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR), membership agreement (Articles of Association) (Art. 6(1)(b) GDPR).
We process the data of our customers, interested parties, business partners or other persons (collectively referred to as "data subjects") if we have a business relationship with them and perform our tasks and are recipients of services and benefits. In addition, we process the data of data subjects on the basis of our legitimate interests, e.g. in the case of administrative tasks or public relations work.
The data processed in this context, the type, scope and purpose of the processing and the necessity of the processing are determined by the underlying contractual relationship, which also determines the necessity of any data provided (we also point out any data that is required).
We delete data that is no longer required for the fulfilment of our statutory and business purposes. This is determined in accordance with the respective tasks and contractual relationships. We store the data for as long as it may be relevant for business transactions and with regard to any warranty or liability obligations based on our legitimate interest in their regulation. The necessity of storing the data is reviewed regularly; otherwise, the statutory storage obligations apply.
• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); contract data (e.g. subject matter of the contract, term, customer category); payment data (e.g. bank details, invoices, payment history). Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation).
• Data subjects: Customers; interested parties; communication partners; donors, third parties.
• Purposes of processing: Communication; organisational and administrative procedures; public relations and information purposes; business processes and business management procedures.
• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Membership agreement (Articles of Association) (Art. 6(1)(b) GDPR). Legal obligation (Art. 6(1)(c) GDPR).
Further information on processing operations, procedures and services:
• Customer management: Procedures required for customer management include the acquisition and admission of new members, the development and implementation of strategies for member retention, and ensuring effective communication with members. These processes involve the careful collection and maintenance of member data, the regular updating of member information, and the management of membership fees, including invoicing and billing; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR), membership agreement (statutes) (Art. 6(1)(b) GDPR).
• Events and organisational operations: Planning, implementation and follow-up of events, as well as the general operation of statutory activities. Planning includes the collection and processing of participant data, coordination of logistical requirements and setting the event agenda. Implementation includes managing participant registration, updating participant information during the event and recording attendance and participant activities. Follow-up includes analysing participant data to evaluate the success of the event, preparing reports and archiving relevant information about the event. General organisational operations include managing member data, communicating with members and interested parties, and organising internal meetings and sessions; legal basis: legitimate interests (Art. 6(1)(f) GDPR), membership agreement (statutes) (Art. 6(1)(b) GDPR).
• Public relations: Procedures include the creation and distribution of information materials, the maintenance of contact details for press and media relations, and the organisation and implementation of press conferences and public events. The creation of information materials involves the collection and preparation of information for press releases, newsletters, reports and other publications.
We process data from our contractual and business partners, e.g. customers and interested parties (collectively referred to as ‘contractual partners’), within the framework of contractual and comparable legal relationships and associated measures, and with regard to communication with contractual partners (or pre-contractual), for example to respond to enquiries.
We use this data to fulfil our contractual obligations. These include, in particular, the obligations to provide the agreed services, any update obligations and remedies in the event of warranty and other service disruptions. In addition, we use the data to protect our rights and for the purposes of administrative tasks associated with these obligations and company organisation. We also process the data on the basis of our legitimate interests in both proper and economic business management and in security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g. for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we only pass on the data of contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfil legal obligations. Contractual partners will be informed about other forms of processing, such as for marketing purposes, within the framework of this data protection declaration.
We inform contractual partners which data is required for the aforementioned purposes before or during data collection, e.g. in online forms, by means of special markings (e.g. colours) or symbols (e.g. asterisks or similar), or in person.
We delete the data after the expiry of statutory warranty and comparable obligations, i.e. generally after four years, unless the data is stored in a customer account, e.g. as long as it must be retained for archiving purposes for legal reasons (e.g. for tax purposes, usually ten years). We delete data disclosed to us by the contractual partner within the scope of an order in accordance with the specifications and, as a rule, after the end of the order.
• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); Contact data (e.g. postal and email addresses or telephone numbers); Contract data (e.g. subject matter of the contract, term, customer category); Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved); Content data (e.g. textual or pictorial messages and posts as well as information relating to them, such as details of authorship or time of creation); Log data (e.g. log files relating to logins or the retrieval of data or access times); Applicant data (e.g. personal details, postal and contact addresses, documents relating to the application and the information contained therein, such as cover letters, CVs, references and other information relating to a specific position or voluntarily provided by applicants about themselves or their qualifications). Employee data (information about employees and other persons in an employment relationship).
• Special categories of personal data: Health data; data on sex life or sexual orientation; religious or ideological beliefs; trade union membership. Political opinions.
• Data subjects: Service recipients and clients; interested parties; business and contractual partners; communication partners; clients; third parties; education and course participants; applicants; patients; employees (e.g. employees, applicants, temporary staff and other employees). Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; security measures; Communication; Office and organisational procedures; Organisational and administrative procedures; Business processes and business management procedures; Conversion measurement (measurement of the effectiveness of marketing measures). Artificial intelligence (AI).
• Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’.
• Legal bases: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR); Protection of vital interests (Art. 6(1)(d) GDPR); Processing of special categories of personal data relating to health, employment and social security (Art. 9(2)(h) GDPR); Consent to the processing of special categories of personal data (Art. 9(2)(a) GDPR); Processing of special categories of personal data for the protection of vital interests (Art. 9(2)(c) GDPR).
Further information on processing operations, procedures and services:
• Online shop, order forms, e-commerce and delivery: We process our customers' data in order to enable them to select, purchase or order the selected products, goods and related services, as well as to pay for and deliver or execute them. If necessary for the execution of an order, we use service providers, in particular postal, freight forwarding and shipping companies, to carry out the delivery or execution for our customers. We use the services of banks and payment service providers to process payment transactions. The required information is marked as such during the ordering or comparable purchase process and includes the information required for delivery or provision and billing, as well as contact information for any necessary consultation.
Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR).
• Automotive industry and vehicle technology: We process the data of our customers and clients to enable them to develop, produce and supply vehicles and vehicle technologies, as well as related services.
The necessary information includes the information required for project implementation and billing, as well as contact information for necessary coordination. Insofar as we obtain access to information from end customers, employees or other persons, we process this information in accordance with the legal and contractual requirements; Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Data analysis: We process the data of our customers and clients in order to provide them with data analysis, evaluation and consulting services as well as related services. The necessary information includes the information required for analysis, evaluation and billing, as well as contact information for necessary coordination. If we receive access to information from end customers, employees or other persons, we process this information in accordance with legal and contractual requirements. Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Marketing and advertising: We process the data of our customers and clients (hereinafter referred to collectively as ‘customers’) in order to offer marketing services such as market research, advertising campaigns, content creation and social media management. The required information is marked as such when the order is placed and includes the information necessary for service provision and billing, as well as contact information for any necessary consultations. If we obtain access to information about end customers, employees or other persons, we process this information in accordance with legal and contractual requirements.
Procedures required in the context of marketing and advertising measures include the creation of marketing strategies and campaigns, the design of advertising materials and content, the selection of advertising channels and platforms, the performance of market analyses and target group surveys, and the measurement of success and analysis of marketing measures. In addition, they include the management and maintenance of customer and prospect data, the segmentation of target groups, the sending of newsletters and promotional emails, the tracking of online marketing activities, and cooperation with external service providers in the field of marketing and advertising.
These procedures serve to develop effective marketing strategies for our customers, design advertising measures tailored to specific target groups, measure and analyse the success of marketing activities, and ensure the efficient management of customer contacts and information. Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Craft services: We process the data of our customers and clients (hereinafter referred to collectively as ‘customers’) in order to enable them to select, purchase or commission the selected services or works and related activities, as well as to enable payment and delivery or execution or provision thereof.
The required information is marked as such in the context of the order, purchase order or comparable contract conclusion and includes the information required for delivery and billing, as well as contact information for any necessary consultations; legal basis: contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR).
• IT services: We process the data of our customers and clients to enable them to plan, implement and support IT solutions and related services. The necessary information is identified as such in the context of the order, project or comparable contract conclusion and includes the information required for service provision and billing, as well as contact information for the purpose of any necessary consultations. Insofar as we obtain access to information from end customers, employees or other persons, we process this information in accordance with the legal and contractual requirements.
The processing procedures include project management and documentation, which cover all phases from the initial requirements analysis to the completion of the project. This includes the creation and management of project schedules, budgets and resource allocations. Data processing also supports change management, in which changes in the project process are documented and tracked to ensure compliance and transparency.
Another process is customer relationship management (CRM), which involves recording and analysing customer interactions and feedback in order to improve service quality and efficiently address individual customer needs. In addition, processing includes technical support and troubleshooting, which involves recording and handling support requests, troubleshooting and regular maintenance.
Furthermore, reporting and performance analysis are carried out, whereby performance indicators are recorded and evaluated in order to assess the effectiveness of the IT solutions provided and to continuously optimise them. All these processes are designed to ensure high customer satisfaction and compliance with all relevant requirements. Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• DeepL: AI-powered grammar and spelling checker that uses advanced algorithms to analyse texts in different languages and suggest corrections; service provider: DeepL SE, Maarweg 165, 50825 Cologne, Germany; Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.deepl.com/de. Privacy policy: https://www.deepl.com/de/privacy.
• Project and development services: We process the data of our customers and clients (hereinafter referred to collectively as ‘customers’) in order to enable them to select, purchase or commission the selected services or works and related activities, as well as to enable payment and the provision or execution thereof.
The required information is identified as such in the context of the order, purchase order or comparable contract conclusion and includes the information required for service provision and billing, as well as contact information for the purpose of any necessary consultations. Insofar as we obtain access to information from end customers, employees or other persons, we process this information in accordance with the legal and contractual requirements; legal basis: contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR).
• Technical services: We process the data of our customers and clients (hereinafter referred to collectively as ‘customers’) in order to enable them to select, purchase or commission the selected services or works and related activities, as well as to enable payment and the provision or execution thereof.
The required information is marked as such in the context of the order, purchase order or comparable contract conclusion and includes the information required for service provision and billing, as well as contact information for any necessary consultations. Insofar as we obtain access to information from end customers, employees or other persons, we process this information in accordance with the legal and contractual requirements; legal basis: contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR).
Personal data of service recipients and clients – including customers, clients or, in special cases, patients or business partners and other third parties – is processed within the framework of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business processes in areas such as customer management, sales, payment transactions, accounting and project management.
The data collected is used to fulfil contractual obligations and to design operational processes efficiently. This includes the processing of business transactions, the management of customer relationships, the optimisation of sales strategies and the safeguarding of internal invoicing and financial processes. In addition, the data supports the protection of the rights of the controller and facilitates administrative tasks and the organisation of the company.
Personal data may be passed on to third parties if this is necessary to fulfil the aforementioned purposes or legal obligations. The data is deleted after the expiry of the statutory retention periods or when the purpose of the processing no longer applies. This also includes data that must be stored for longer periods due to tax and legal documentation requirements.
• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); Contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); Contract data (e.g. subject matter of the contract, term, customer category); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved); Log data (e.g. log files relating to logins or the retrieval of data or access times); Creditworthiness data (e.g. credit score received, estimated probability of default, risk rating based on this, historical payment behaviour). Employee data (information on employees and other persons in an employment relationship).
• Special categories of personal data: Health data.
• Data subjects: Service recipients and clients; interested parties; communication partners; business and contractual partners; customers; third parties; users (e.g. website visitors, users of online services); clients; patients. Employees (e.g. employees, applicants, temporary staff and other staff).
• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; office and organisational procedures; business processes and business management procedures; security measures; provision of our online services and user-friendliness; communication; marketing; sales promotion; public relations; assessment of creditworthiness and credit rating; financial and payment management. Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)).
• Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’.
• Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR). Legal obligation (Art. 6(1)(c) GDPR).
Further information on processing procedures, methods and services:
• Customer management and customer relationship management (CRM): Procedures required in the context of customer management and customer relationship management (CRM) (e.g. customer acquisition in compliance with data protection regulations, measures to promote customer loyalty and retention, effective customer communication, complaint management and customer service with regard to data protection, data management and analysis to support customer relations, administration of CRM systems, secure account management, customer segmentation and target group formation); Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Contact management and maintenance: Procedures necessary for the organisation, maintenance and security of contact information (e.g. setting up and maintaining a central contact database, regularly updating contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, performing backups and restores of contact data, training employees in the effective use of contact management software, regularly reviewing communication history and adjusting contact strategies); Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Customer account: Customers can create an account within our online offering (e.g. customer or user account, or ‘customer account’ for short). If registration of a customer account is required, customers will be informed of this and of the information required for registration. Customer accounts are not public and cannot be indexed by search engines. During registration and subsequent logins and use of the customer account, we store the IP addresses of customers along with the times of access in order to verify registration and prevent any misuse of the customer account. If the customer account has been terminated, the customer account data will be deleted after the termination date, unless it is stored for purposes other than provision in the customer account or must be stored for legal reasons (e.g. internal storage of customer data, order processes or invoices). It is the responsibility of customers to back up their data when cancelling their customer account; legal basis: contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• General payment transactions: Procedures necessary for the execution of payment transactions, the monitoring of bank accounts and the control of payment flows (e.g. creation and verification of transfers, processing of direct debits, checking of account statements, monitoring of incoming and outgoing payments, return debit management, account reconciliation, cash management); Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Bookkeeping, accounts payable, accounts receivable: Procedures required for recording, processing and checking business transactions in the area of accounts payable and accounts receivable (e.g. creation and checking of incoming and outgoing invoices, monitoring and management of open items, execution of payment transactions, handling of dunning procedures, account reconciliation in the context of receivables and payables, accounts payable and accounts receivable accounting); Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Financial accounting and taxes: Procedures required for the recording, management and control of financially relevant business transactions and for the calculation, reporting and payment of taxes (e.g. account assignment and posting of business transactions, preparation of quarterly and annual financial statements, execution of payment transactions, processing of reminders, account reconciliation, tax advice, preparation and submission of tax returns, processing of tax matters); Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Purchasing: Procedures required for the procurement of goods, raw materials or services (e.g. supplier selection and evaluation, price negotiations, order placement and monitoring, delivery verification and control, invoice verification, order management, warehouse management, creation and maintenance of purchasing guidelines); Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Sales: Procedures necessary for the planning, implementation and control of measures for the marketing and sale of products or services (e.g. customer acquisition, preparation and tracking of quotations, order processing, customer advice and support, sales promotion, product training, sales controlling and analysis, management of sales channels); Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Marketing, advertising and sales promotion: Procedures required in the context of marketing, advertising and sales promotion (e.g. market analysis and target group identification, development of marketing strategies, planning and implementation of advertising campaigns, design and production of advertising materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programmes, sales promotion measures, performance measurement and optimisation of marketing activities, budget management and cost control); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
• Economic analyses and market research: The available data on business transactions, contracts, enquiries, etc. is analysed for business purposes and to identify market trends and the wishes of contractual partners and users. The group of data subjects may include contractual partners, interested parties, customers, visitors and users of the controller's online offering. The analyses are carried out for the purposes of business evaluations, marketing and market research (e.g. to determine customer groups with different characteristics). Where available, profiles of registered users, including their details on the services used, are taken into account. The analyses are used exclusively by the controller and are not disclosed externally, unless they are anonymous analyses with summarised, i.e. anonymised, values. In addition, the privacy of users is taken into account; for analysis purposes, the data is pseudonymised as far as possible and, where feasible, processed anonymously (e.g. as aggregated data); legal basis: legitimate interests (Art. 6(1)(f) GDPR).
• Public relations: Procedures required in the context of public relations (e.g. development and implementation of communication strategies, planning and execution of PR campaigns, creation and distribution of press releases, maintenance of media contacts, monitoring and analysis of media response, organisation of press conferences and public events, crisis communication, creation of content for social media and company websites, corporate branding support); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
• Guest Wi-Fi: Procedures required for the setup, operation, maintenance and monitoring of a wireless network for guests (e.g. installation and configuration of Wi-Fi access points, creation and management of guest access, monitoring of network connection, ensuring network security, troubleshooting connection problems, updating network software, compliance with data protection regulations); Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
As part of our business activities, we use additional services, platforms, interfaces or plug-ins from third-party providers (hereinafter referred to as "services") in compliance with legal requirements. Their use is based on our interests in the proper, lawful and economical management of our business operations and internal organisation.
• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation). Contract data (e.g. subject matter of the contract, term, customer category).
• Special categories of personal data: Health data.
• Data subjects: Patients; service recipients and clients; interested parties; business and contractual partners; communication partners; members. Employees (e.g. employees, applicants, temporary staff and other staff).
• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; office and organisational procedures; business processes and business management procedures; communication. Profiles with user-related information (creation of user profiles).
• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, processes and services:
• DATEV: Software for accounting, communication with tax advisors and authorities, and document storage; service provider: DATEV eG, Paumgartnerstr. 6 - 14, 90429 Nuremberg, Germany; legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.datev.de/web/de/mydatev/datev-cloud-anwendungen/; Privacy policy: https://www.datev.de/web/de/m/ueber-datev/datenschutz/. Data processing agreement: Provided by the service provider.
We process user data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or end device.
Our web hosting provider is:
1blu GmbH, Riedemannweg 60, D-13627 Berlin; website: https://www.1blu.de
• Types of data processed: Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved); Log data (e.g. log files relating to logins or the retrieval of data or access times). Content data (e.g. textual or image messages and posts, as well as information relating to them, such as details of authorship or time of creation).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); security measures; content delivery network (CDN); reach measurement (e.g. access statistics, recognition of returning visitors); Conversion measurement (measurement of the effectiveness of marketing measures). Server monitoring and error detection.
• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, methods and services:
• Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files". Server log files may include the address and name of the websites and files accessed, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g. to prevent server overload (especially in the case of malicious attacks, so-called DDoS attacks), and to ensure server utilisation and stability; legal basis: legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymised. Data that must be retained for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.
• Content delivery network: We use a "content delivery network" (CDN). A CDN is a service that helps deliver content from an online offering, especially large media files such as graphics or programme scripts, faster and more securely with the help of regionally distributed servers connected via the internet; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
A pseudonymous user identifier is created, which is stored together with the time of consent, details of the scope of consent (e.g. relevant categories of cookies and/or service providers) and information about the browser, the system and the terminal device used. Legal basis: consent (Art. 6(1)(a) GDPR).
The term "cookies" refers to functions that store and read information on users' end devices. Cookies can also be used for various purposes, such as to ensure the functionality, security and convenience of online services and to analyse visitor traffic. We use cookies in accordance with legal requirements. To this end, we obtain the consent of users in advance where necessary. If consent is not necessary, we rely on our legitimate interests. This applies if the storage and retrieval of information is essential in order to provide expressly requested content and functions. This includes, for example, the storage of settings and ensuring the functionality and security of our online offering. Consent can be revoked at any time. We provide clear information about the scope of cookies and which cookies are used.
Information on the legal basis for data protection: Whether we process personal data using cookies depends on consent. If consent has been given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.
Storage period: With regard to the storage period, a distinction is made between the following types of cookies:
• Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their device (e.g. browser or mobile application).
• Permanent cookies: Permanent cookies remain stored even after the terminal device is closed. This allows, for example, the log-in status to be stored and preferred content to be displayed directly when the user visits a website again. The user data collected with the help of cookies can also be used to measure reach. Unless we provide users with explicit information about the type and storage period of cookies (e.g. when obtaining consent), they should assume that they are permanent and that the storage period can be up to two years.
General information on revocation and objection (opt-out): Users can revoke their consent at any time and also object to the processing in accordance with the legal requirements, including by means of their browser's privacy settings.
• Types of data processed: Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
• Data subjects: Users (e.g. website visitors, users of online services).
• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).
Further information on processing operations, procedures and services:
• Processing of cookie data on the basis of consent: We use a consent management solution that obtains users' consent to the use of cookies or to the procedures and providers specified in the consent management solution. This procedure is used to obtain, log, manage and revoke consent, in particular with regard to the use of cookies and similar technologies that are used to store, read and process information on users' end devices. As part of this procedure, users' consent is obtained for the use of cookies and the associated processing of information, including the specific processing and providers specified in the consent management procedure. Users also have the option of managing and revoking their consent. The declarations of consent are stored in order to avoid repeated queries and to be able to provide proof of consent in accordance with legal requirements. Storage takes place on the server side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies in order to be able to assign the consent to a specific user or their device. If no specific information on the providers of consent management services is available, the following general information applies: The duration of storage of the consent is up to two years.
We process the data of users of our application to the extent necessary to provide users with the application and its functionalities, to monitor its security and to further develop it. We may also contact users in compliance with legal requirements if communication is necessary for the purposes of administration or use of the application. For further information on the processing of user data, please refer to the data protection information in this privacy policy.
Legal basis: The processing of data required for the provision of the application's functionalities serves to fulfil contractual obligations. This also applies if the provision of the functions requires authorisation from users (e.g. approval of device functions). If the processing of data is not necessary for the provision of the application's functionalities, but serves the security of the application or our business interests (e.g. collection of data for the purpose of optimising the application or for security purposes), it is carried out on the basis of our legitimate interests. If users are expressly asked for their consent to the processing of their data, the data covered by the consent will be processed on the basis of that consent.
• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved); Payment data (e.g. bank details, invoices, payment history); Contract data (e.g. subject matter of the contract, term, customer category); Image and/or video recordings (e.g. photographs or video recordings of a person); Audio recordings; Location data (information about the geographical position of a device or person). Location history and movement profiles (collection of location data and position changes over a certain period of time).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; security measures. Provision of our online services and user-friendliness.
• Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’.
• Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, methods and services:
• Commercial use: We process the data of users of our application, registered users and any test users (hereinafter referred to collectively as ‘users’) in order to be able to provide them with our contractual services and, on the basis of legitimate interests, to ensure the security of our application and to be able to further develop it. The required information is marked as such in the context of the conclusion of the usage, order, purchase or comparable contract and may include the information required for the provision of services and for any billing, as well as contact information for the purpose of any consultations; Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR).
• Storage of a universal and unique identifier (UUID): The application stores a so-called universal and unique identifier (UUID) for the purpose of analysing the use and functionality of the application and storing user settings. This identifier is generated when the application is installed (but is not linked to the device, i.e. it is not a device identifier in this sense), remains stored between the start of the application and its updates, and is deleted when users remove the application from their device.
• Storage of a pseudonymous identifier: We use a pseudonymous identifier so that we can provide the application and ensure its functionality. The identifier is a mathematical value (i.e. no clear data such as names are used) that is assigned to a device and/or the installation of the application on it. This identifier is generated when this application is installed, remains stored between the start of the application and its updates, and is deleted when users remove the application from the device.
• Device permissions for access to functions and data: The use of our application or its functionalities may require users to grant permissions to access certain functions of the devices used or to the data stored on the devices or accessible with the help of the devices. By default, these permissions must be granted by the users and can be revoked at any time in the settings of the respective devices. The exact procedure for controlling app permissions may depend on the user's device and software. Users can contact us if they require further explanation. Please note that refusing or revoking the respective permissions may affect the functionality of our application.
• Access to the camera and stored recordings: When using our application, image and/or video recordings (including audio recordings) of users (and other persons captured in the recordings) are processed by accessing the camera functions or stored recordings. Access to the camera functions or stored recordings requires authorisation from the user, which can be revoked at any time. The processing of image and/or video recordings serves only to provide the respective functionality of our application, in accordance with its description to users or its typical and expected functionality.
• Use of microphone functions: When using our application, the microphone functions and audio recordings captured with its help are processed. The use of microphone functions requires authorisation from users, which can be revoked at any time. The use of microphone functions and audio data is only for the purpose of providing the respective functionality of our application, in accordance with its description to users, or its typical and expected functionality.
• Processing of stored contacts: When using our application, the contact information of persons (name, email address, telephone number) stored in the device's contact directory is processed. The use of contact information requires the user's consent, which can be revoked at any time. The use of contact information serves only to provide the respective functionality of our application, in accordance with its description to users, or its typical and expected functionality. Users are advised that permission to process contact information must be granted and, in particular, requires the consent of natural persons or legal permission.
• Use of contact data for contact matching purposes: The contact data stored in the device's contact directory can be used to check whether these contacts also use our application. For this purpose, the contact data of the respective contacts (including telephone numbers, email addresses and names) is uploaded to our server and used solely for the purpose of matching.
• Processing of location data: When using our application, the location data collected by the device used or otherwise entered by the user is processed. The use of location data requires the user's consent, which can be revoked at any time. The use of location data serves only to provide the respective functionality of our application, in accordance with its description to users or its typical and expected functionality.
• Location history and movement profiles: Based on the location data collected when using our application, a location history is created, which shows the geographical movements of the devices used over a period of time (and may allow conclusions to be drawn about the movement profile of the users). The location history is used solely to provide the respective functionality of our application, in accordance with its description to users and its typical and expected mode of operation.
Purchasing applications via app stores
Our application is obtained via special online platforms operated by other service providers (so-called ‘app stores’). In this context, the data protection information of the respective app stores applies in addition to our data protection information. This applies in particular with regard to the procedures used on the platforms for reach measurement and interest-based marketing, as well as any costs incurred.
• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); contract data (e.g. subject matter of the contract, term, customer category); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
• Data subjects: Service recipients and clients. Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; marketing. Provision of our online offering and user-friendliness.
• Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’.
• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, processes and services:
• Apple App Store: App and software sales platform; service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.apple.com/de/app-store/. Privacy policy: https://www.apple.com/legal/privacy/de-ww/.
• Google Play: App and software sales platform; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://play.google.com/store/apps?hl=de. Privacy policy: https://policies.google.com/privacy.
• Microsoft Store: App and software sales platform; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.microsoft.com/de-de/store/b/sale; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement, Security information: https://www.microsoft.com/de-de/trustcenter. Basis for third country transfers: Data Privacy Framework (DPF).
Users can create a user account. During registration, users are informed of the required mandatory information, which is processed for the purpose of providing the user account on the basis of contractual obligation fulfilment. The data processed includes, in particular, login information (user name, password and email address).
When using our registration and login functions and the user account, we store the IP address and the time of the respective user action. Storage is based on our legitimate interests and those of the users in protection against misuse and other unauthorised use. This data is not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.
Users can be informed by email about processes that are relevant to their user account, such as technical changes.
Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or pictorial messages and posts, as well as information relating to them, such as details of authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Log data (e.g. log files relating to logins or the retrieval of data or access times).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; security measures; organisational and administrative procedures. Provision of our online services and user-friendliness.
Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’. Deletion after termination.
Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, processes and services:
Registration with pseudonyms: Users may use pseudonyms as user names instead of their real names; legal basis: fulfilment of contract and pre-contractual enquiries (Art. 6(1)(b) GDPR).
User profiles are not public: User profiles are not publicly visible or accessible.
User profiles are public: User profiles are publicly visible and accessible.
Setting the visibility of profiles: Users can use settings to determine the extent to which their profiles are visible or accessible to the public or only to certain groups of people; legal basis: performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR).
Two-factor authentication: Two-factor authentication provides an additional layer of security for your user account and ensures that only you can access your account, even if someone else knows your password. To do this, you must perform an additional authentication measure (e.g. enter a code sent to a mobile device) in addition to your password. We will inform you about the procedure we use; legal basis: performance of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Deletion of data after termination: When users have terminated their user account, their data relating to the user account will be deleted, subject to legal permission, obligation or consent of the users; legal basis: contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR).
No obligation to retain data: It is the responsibility of users to back up their data before the end of the contract upon termination. We are entitled to irretrievably delete all user data stored during the term of the contract; legal basis: fulfilment of contract and pre-contractual enquiries (Art. 6(1)(b) GDPR).
Single sign-on registration
‘Single sign-on’ or ‘single sign-on registration’ or ‘authentication’ refers to procedures that allow users to log in to our online offering using a user account with a single sign-on provider (e.g. a social network). The prerequisite for single sign-on authentication is that users are registered with the respective single sign-on provider and enter the required access data in the online form provided for this purpose, or are already logged in with the single sign-on provider and confirm the single sign-on login via a button.
Authentication takes place directly with the respective single sign-on provider. As part of this authentication process, we receive a user ID with the information that the user is logged in with this user ID at the respective single sign-on provider and an ID (known as a ‘user handle’) that cannot be used by us for any other purpose. Whether additional data is transmitted to us depends solely on the single sign-on procedure used, the data releases selected during authentication, and the data that users have released in the privacy or other settings of their user account with the single sign-on provider. Depending on the single sign-on provider and the user's choice, this may be different data, but it is usually the email address and user name. We cannot see the password entered with the single sign-on provider as part of the single sign-on process, nor do we store it.
Users are asked to note that the information we store about them can be automatically synchronised with their user account with the single sign-on provider, but that this is not always possible or actually done. If, for example, users' email addresses change, they must change them manually in their user account with us.
We may use single sign-on registration, if agreed with users, within the scope of or prior to the fulfilment of the contract, insofar as users have been asked to process it within the scope of consent, and otherwise use it on the basis of our legitimate interests and the interests of users in an effective and secure login system.
If users decide that they no longer wish to use the link to their user account with the single sign-on provider for the single sign-on procedure, they must remove this link within their user account with the single sign-on provider. If users wish to delete their data from our system, they must cancel their registration with us.
Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved). Event data (Facebook) (‘Event data’ is information that is sent to the provider Meta via meta pixels (whether via apps or other channels), for example, and relates to individuals or their actions. This data includes details of website visits, interactions with content and functions, app installations and product purchases. Event data is processed with the aim of creating target groups for content and advertising messages (custom audiences). It is important to note that event data does not include actual content such as written comments, login information, or contact information such as names, email addresses, or telephone numbers. ‘Event data’ is deleted by Meta after a maximum of two years, and the target groups formed from it disappear when our Meta user accounts are deleted).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; security measures; registration procedures; provision of our online services and user-friendliness; marketing. Profiles with user-related information (creation of user profiles).
Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’. Deletion after termination.
Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures and services:
Apple Single Sign-On: Authentication services for user logins, provision of single sign-on functions, management of identity information and application integrations; Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.apple.com/de/. Privacy policy: https://www.apple.com/legal/privacy/de-ww/.
Auth0: Authentication services for user logins, provision of single sign-on functions, management of identity information and application integrations; Service provider: Auth0, Inc, 10800 NE 8th Street, Suite 700, Bellevue, WA 98004, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://auth0.com/; Privacy policy: https://www.okta.com/privacy-policy/. Basis for third country transfers: Data Privacy Framework (DPF).
Facebook Single Sign-On: Authentication service of the Facebook platform; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing. Basis for third country transfers: Data Privacy Framework (DPF).
Google Single Sign-On: Authentication services for user logins, provision of single sign-on functions, management of identity information and application integrations; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.google.de; Privacy policy: https://policies.google.com/privacy; Basis for third country transfers: Data Privacy Framework (DPF). Opt-out option: Settings for the display of advertisements: https://myadcenter.google.com/.
Instagram Single Sign-On: Authentication services for user logins, provision of single sign-on functions, management of identity information and application integrations. - Together with Meta Platforms Ireland Limited, we are jointly responsible for the collection or receipt in the context of a transfer (but not the further processing) of ‘event data’ that Facebook collects or receives in the context of a transfer for the following purposes using the Instagram single sign-on login procedure carried out on our online offering: a) Displaying content and advertising information that matches the presumed interests of users; b) Delivering commercial and transaction-related messages (e.g. contacting users via Facebook Messenger); c) Improving ad delivery and personalising features and content (e.g. improving the recognition of which content or advertising information is presumed to match the interests of users). We have entered into a special agreement with Facebook (‘Addendum for Controllers’, https://www.facebook.com/legal/controller_addendum), which specifically regulates the security measures that Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to comply with the rights of data subjects (i.e. users can, for example, send requests for information or deletion directly to Facebook). Note: When Facebook provides us with metrics, analyses and reports (which are aggregated, i.e. no information about individual users is received and they are anonymous to us), this processing is not carried out within the framework of joint responsibility, but on the basis of a data processing agreement (‘Data Processing Terms’, https://www.facebook.com/legal/terms/dataprocessing), the ‘Data Security Terms’ (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the USA, on the basis of standard contractual clauses (‘Facebook-EU Data Transfer Addendum’, https://www.facebook.com/legal/EU_data_transfer_addendum). The rights of users (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook.
Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.instagram.com. Privacy policy: https://privacycenter.instagram.com/policy/.
Microsoft Single Sign-On: Authentication services for user logins, provision of single sign-on functions, management of identity information and application integrations; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.microsoft.com/de-de/security/business/identity-access/azure-active-directory-single-sign-on; privacy policy: https://privacy.microsoft.com/de-de/privacystatement; basis for third country transfers: Data Privacy Framework (DPF). Further information: https://www.microsoft.com/de-de/trust-center.
OneLogin Single Sign-On: Authentication services for user logins, provision of single sign-on functions, management of identity information and application integrations; Service provider: OneLogin Inc., 848 Battery Street, San Francisco, CA 94111, USA; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.onelogin.com/de; privacy policy: https://www.oneidentity.com/legal/privacy.aspx. Basis for third country transfers: Data Privacy Framework (DPF).
OpenID Single Sign-On: Authentication services for user logins, provision of single sign-on functions, management of identity information and application integrations; Service provider: OpenID Foundation, 2400 Camino Ramon, Suite 375, San Ramon, CA 94583, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://openid.net; Privacy policy: https://openid.net/policies/. Basis for third country transfers: Data Privacy Framework (DPF).
Snap Login Kit: With the help of the Snap Login Kit, we offer users the option of logging in to our online offering with their Snapchat login details; Service provider: Snap Inc., 3000 31st Street, Santa Monica, California 90405, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://kit.snapchat.com/; Privacy policy: https://www.snap.com/de-DE/privacy/privacy-policy; Data processing agreement: https://snap.com/de-DE/terms/data-processing-agreement. Basis for third country transfers: Standard contractual clauses (https://www.snap.com/de-DE/terms/standard-contractual-clauses).
X Single sign-on: Authentication services for user logins, provision of single sign-on functions, management of identity information and application integrations; Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://x.com; Privacy policy: https://x.com/privacy, (Settings: https://x.com/personalization); Data processing agreement: https://privacy.x.com/en/for-our-partners/global-dpa. Basis for third country transfers: Standard contractual clauses (https://privacy.x.com/en/for-our-partners/global-dpa).
Yahoo! Single Sign-On: Authentication services for user logins, provision of single sign-on functions, management of identity information and application integrations; Service provider: Oath (EMEA) Limited, 5-7 Point Square, North Wall Quay, Dublin 1, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://developer.yahoo.com/sign-in-with-yahoo/. Privacy policy: https://legal.yahoo.com/ie/de/yahoo/privacy/index.html.
When contacting us (e.g. by post, contact form, email, telephone or social media) and within the framework of existing user and business relationships, the information provided by the enquiring persons is processed to the extent necessary to respond to contact enquiries and any requested measures.
Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); Usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved); Contract data (e.g. subject matter of the contract, term, customer category). Payment data (e.g. bank details, invoices, payment history).
Special categories of personal data: Health data. Data relating to sex life or sexual orientation.
Data subjects: Communication partners; service recipients and clients; interested parties; business and contractual partners. Users (e.g. website visitors, users of online services).
Purposes of processing: Communication; organisational and administrative procedures; feedback (e.g. collecting feedback via online form); provision of our online services and user-friendliness; provision of contractual services and fulfilment of contractual obligations; office and organisational procedures; marketing. Conversion measurement (measurement of the effectiveness of marketing measures).
Storage and deletion: deletion in accordance with the information in the section ‘General information on data storage and deletion’; 10 years – AO/HGB (retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets and the work instructions and other organisational documents necessary for their understanding, accounting documents and invoices (Section 147 (3) in conjunction with (1) No. 1, 4 and 4a AO, Section 14b (1) UStG, Section 257 (1) No. 1 and 4, (4) HGB)). 6 years – AO/HGB (Other business documents: commercial or business letters received, copies of commercial or business letters sent, other documents, insofar as they are relevant for taxation, e.g. hourly wage slips, operating accounts, calculation documents, price labels, but also payroll documents, insofar as they are not already accounting documents, and cash register receipts (§ 147 (3) in conjunction with (1) No. 2, 3, 5 AO, Section 257 (1) No. 2 and 3, (4) HGB)).
Legal basis: Legitimate interests (Art. 6 (1) (1) (f) GDPR). Contract fulfilment and pre-contractual enquiries (Art. 6 (1) (1) (b) GDPR).
Further information on processing procedures, processes and services:
Contact form: When you contact us via our contact form, by e-mail or other means of communication, we process the personal data you provide in order to respond to and process your enquiry. This usually includes information such as your name, contact details and, if necessary, other information that you provide and that is necessary for the appropriate processing of your enquiry. We use this data exclusively for the stated purpose of establishing contact and communication; legal bases: contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Communication via messenger
We use messengers for communication purposes and therefore ask you to note the following information on the functionality of messengers, encryption, the use of communication metadata and your options for objection.
You can also contact us by alternative means, e.g. by telephone or email. Please use the contact options provided to you or the contact options specified within our online offering.
In the case of end-to-end encryption of content (i.e. the content of your message and attachments), we would like to point out that the communication content (i.e. the content of the message and attached images) is encrypted from end to end. This means that the content of the messages cannot be viewed, not even by the messenger providers themselves. You should always use an up-to-date version of the messenger with encryption enabled to ensure that the message content is encrypted.
However, we also point out to our communication partners that although the messenger providers cannot view the content, they can find out that and when communication partners are communicating with us, as well as technical information about the device used by the communication partners and, depending on the settings of their device, location information (so-called metadata).
Information on legal bases: If we ask communication partners for permission before communicating with them via messenger, the legal basis for our processing of their data is their consent. Furthermore, if we do not ask for consent and you contact us on your own initiative, for example, we use messengers in relation to our contractual partners and in the context of contract initiation as a contractual measure and, in the case of other interested parties and communication partners, on the basis of our legitimate interests in fast and efficient communication and fulfilment of our communication partners' needs for communication via messenger. Furthermore, we would like to point out that we will not transfer the contact details provided to us to Messenger without your consent.
Revocation, objection and deletion: You can revoke your consent at any time and object to communication with us via Messenger at any time. In the case of communication via messenger, we delete the messages in accordance with our general deletion guidelines (i.e., as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that we have answered any questions from the communication partners, if no reference to a previous conversation is to be expected and the deletion does not conflict with any legal retention obligations.
Reservation of reference to other communication channels: To ensure your security, we ask for your understanding that we may not be able to respond to enquiries via Messenger for certain reasons. This applies to situations in which, for example, contract details must be treated as particularly confidential or a response via messenger does not meet formal requirements. In such cases, we recommend that you use more suitable communication channels.
Types of data processed: Contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
Data subjects: Communication partners.
Purposes of processing: Communication. Direct marketing (e.g. by e-mail or post).
Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’.
Legal basis: Consent (Art. 6(1)(a) GDPR); performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures and services:
Apple iMessage: Send and receive text messages, voice messages and video calls. Have group conversations. Share files, photos, videos and locations. Secure communication through end-to-end encryption. Synchronise messages across multiple devices. Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.apple.com/de/. Privacy policy: https://www.apple.com/legal/privacy/de-ww/.
Instagram: Sending messages via the social network Instagram; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com. Privacy policy: https://privacycenter.instagram.com/policy/.
Facebook-Messenger: sending and receiving text messages, making voice and video calls, creating group chats, sharing files and media, transmitting location information, synchronising contacts, encrypting messages; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing. Basis for third country transfers: Data Privacy Framework (DPF).
Microsoft Teams: Chat, audio and video conferencing, file sharing, integration with Office 365 applications, real-time collaboration on documents, calendar functions, task management, screen sharing, optional recording; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.microsoft.com/de-de/microsoft-365; privacy policy: https://privacy.microsoft.com/de-de/privacystatement, security information: https://www.microsoft.com/de-de/trustcenter. Basis for third country transfers: Data Privacy Framework (DPF).
WhatsApp Business: Text messages, voice and video calls, sending images, videos and documents, group chat function, end-to-end encryption for increased security; Service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.whatsapp.com/; privacy policy: https://www.whatsapp.com/legal. Basis for third-country transfers: Data Privacy Framework (DPF).
Push notifications
With the consent of users, we can send users so-called ‘push notifications’. These are messages that are displayed on users' screens, devices or in browsers, even when our online service is not currently being actively used.
To sign up for push notifications, users must confirm the query from their browser or device to receive push notifications. This consent process is documented and stored. Storage is necessary in order to recognise whether users have consented to receiving push notifications and to be able to prove consent. For these purposes, a pseudonymous browser identifier (known as a ‘push token’) or the device ID of a terminal device is stored.
Push notifications may be necessary for the fulfilment of contractual obligations (e.g. technical and organisational information relevant to the use of our online services) and are otherwise sent on the basis of user consent, unless specifically mentioned below. Users can change their push notification settings at any time using the notification settings of their respective browsers or end devices.
Types of data processed: Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved). Location data (information about the geographical position of a device or person).
Data subjects: Communication partners.
Purposes of processing: Communication; provision of our online offering and user-friendliness; reach measurement (e.g. access statistics, recognition of returning visitors); direct marketing (e.g. by email or post); Conversion measurement (measurement of the effectiveness of marketing measures); target group formation. Marketing.
Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’. Deletion after termination.
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, methods and services:
Push notifications with advertising content: The push notifications we send may contain advertising information. Advertising push notifications are processed on the basis of the user's consent. If the content of the promotional push notifications is specifically described in the context of consent to receive them, the descriptions are decisive for the consent of the users. In addition, our newsletters contain information about our services and us; legal basis: consent (Art. 6(1)(a) GDPR).
Location-based push notifications: The push notifications we send may be displayed depending on the user's location, based on the location data transmitted by the device used; legal basis: consent (Art. 6(1)(a) GDPR).
Analysis and performance measurement: We evaluate push notifications statistically and can thus identify whether and when push notifications were displayed and clicked on. This information is used to improve our push notifications technically on the basis of the technical data or the target groups and their retrieval behaviour or retrieval times. This analysis also includes determining whether the push notifications are opened, when they are opened and whether users interact with their content or buttons. For technical reasons, this information can be assigned to individual push message recipients. However, it is neither our intention nor, if used, that of the push message service provider to monitor individual users. Rather, the evaluations serve to identify the usage habits of our users and to adapt our push messages to them or to send different push messages according to the interests of our users. The evaluation of push notifications and the measurement of success are based on the express consent of users, which is given when they agree to receive push notifications. Users can object to the analysis and measurement of success by unsubscribing from push notifications. Unfortunately, it is not possible to separately revoke the analysis and success measurement; legal basis: consent (Art. 6(1)(a) GDPR).
WhatsApp Business: push notifications; service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.whatsapp.com/; privacy policy: https://www.whatsapp.com/legal. Basis for third-country transfers: Data Privacy Framework (DPF).
• OpenAI API: An AI API that provides developers with access to a variety of powerful language and image models, including GPT-4 and DALL-E. The OpenAI API enables complex tasks such as text generation, language processing and image analysis to be integrated into applications; Service provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://openai.com/product; Privacy policy: https://openai.com/de/policies/eu-privacy-policy; Data processing agreement: https://openai.com/policies/data-processing-addendum; Basis for third country transfers: Standard contractual clauses (https://openai.com/policies/data-processing-addendum). Opt-out option: https://docs.google.com/forms/d/e/1FAIpQLSevgtKyiSWIOj6CV6XWBHl1daPZSOcIWzcUYUXQ1xttjBgDpA/viewform.
We use artificial intelligence (AI), which involves the processing of personal data. The specific purposes and our interest in using AI are listed below. In accordance with the term "AI system" as defined in Article 3(1) of the AI Regulation, we understand AI to mean a machine-based system that is designed for varying degrees of autonomous operation, can be adaptable after its introduction, and produces results such as predictions, content, recommendations or decisions from the inputs received that can influence physical or virtual environments.
Our AI systems are used in strict compliance with legal requirements. These include both specific regulations for artificial intelligence and data protection requirements. In particular, we adhere to the principles of lawfulness, transparency, fairness, human control, purpose limitation, data minimisation, integrity and confidentiality. We ensure that the processing of personal data is always carried out on a legal basis. This can be either the consent of the persons concerned or a legal permission.
When using external AI systems, we carefully select their providers (hereinafter "AI providers"). In accordance with our legal obligations, we ensure that AI providers comply with the applicable regulations. We also observe our obligations when using or operating the AI services we purchase. The processing of personal data by us and the AI providers is carried out exclusively on the basis of consent or legal authorisation. In doing so, we attach particular importance to transparency, fairness and maintaining human control over AI-supported decision-making processes.
We implement appropriate and robust technical and organisational measures to protect the data processed. These measures ensure the integrity and confidentiality of the data processed and minimise potential risks. We conduct regular reviews of AI providers and their services to ensure ongoing compliance with current legal and ethical standards.
• Types of data processed: Content data (e.g. textual or image-based messages and posts, as well as information relating to them, such as details of authorship or time of creation). Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
• Data subjects: Users (e.g. website visitors, users of online services). Third parties.
• Purposes of processing: Artificial intelligence (AI).
• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures and services:
• DeepL: Translation of texts into different languages and provision of synonyms and contextual examples. Support in correcting and improving texts in different languages; Service provider: DeepL SE, Maarweg 165, 50825 Cologne, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.deepl.com; Privacy policy: https://www.deepl.com/de/privacy. Data processing agreement: Provided by the service provider.
• Microsoft Copilot: Enables the creation and editing of texts, spreadsheets and presentations. Provides support for data analysis, task automation and integration with various Microsoft Office applications. Uses machine learning to improve workflows and provide context-sensitive suggestions; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-copilot/organizations; Privacy policy: https://www.microsoft.com/de-de/privacy/privacystatement; Data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for third country transfers: Data Privacy Framework (DPF).
• Data subjects: Communication partners; users (e.g. website visitors, users of online services); persons depicted; service recipients and clients. Interested parties.
• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; communication; office and organisational procedures. Provision of our online services and user-friendliness.
• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, methods and services:
• GoToMeeting: Conference and communication software; service provider: LogMeIn Ireland Limited, Bloodstone Building Block C 70, Sir John Rogerson's Quay Dublin 2, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.gotomeeting.com/de-de; Privacy policy: https://www.logmein.com/legal/privacy; Data processing agreement: https://www.logmein.com/de/legal#other-agreements (data processing addendum). Basis for third country transfers: Data Privacy Framework (DPF).
• Microsoft Teams: Audio and video conferencing, chat, file sharing, integration with Office 365 applications, real-time collaboration on documents, calendar functions, task management, screen sharing, optional recording; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-teams/; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement, Security information: https://www.microsoft.com/de-de/trustcenter. Basis for third country transfers: Data Privacy Framework (DPF).
• Slack: Messenger and conference software; service provider: Slack Technologies Limited, Level 1, Block A Nova Atria North, Sandyford Business District, Dublin 18, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://slack.com/intl/de-de/; Privacy policy: https://slack.com/intl/de-de/legal; Data processing agreement: https://slack.com/intl/de-de/terms-of-service/data-processing. Basis for third country transfers: Data Privacy Framework (DPF).
We use platforms and applications from other providers (hereinafter referred to as "conference platforms") for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as "conferences"). We comply with legal requirements when selecting conference platforms and their services.
Data processed by conference platforms: When participants take part in a conference, the conference platforms process the personal data of the participants as described below. The scope of the processing depends, on the one hand, on what data is required for a specific conference (e.g. access data or real names) and, on the other hand, on what optional information is provided by the participants. In addition to processing for the purpose of conducting the conference, the conference platforms may also process participant data for security purposes or service optimisation. The data processed includes personal data (first name, surname), contact information (email address, telephone number), access data (access codes or passwords), profile pictures, information on professional position/function, the IP address of the Internet access, information on the participants' end devices, their operating system, the browser and its technical and language settings, information on the content of communication processes, i.e. entries in chats as well as audio and video data, and the use of other available functions (e.g. surveys). The content of communications is encrypted to the extent technically provided by the conference providers. If participants are registered as users on the conference platforms, additional data may be processed in accordance with the agreement with the respective conference provider.
Logging and recordings: If text entries, participation results (e.g. from surveys) and video or audio recordings are logged, participants will be informed of this in advance and, where necessary, asked for their consent.
Data protection measures taken by participants: For details on how your data is processed by the conference platforms, please refer to their data protection information and select the security and data protection settings that are optimal for you in the conference platform settings. Please also ensure data and privacy protection in the background of your recording for the duration of a video conference (e.g. by informing housemates, locking doors and, where technically possible, using the function to blur the background). Links to the conference rooms and access data must not be passed on to unauthorised third parties.
Information on legal bases: If, in addition to the conference platforms, we also process user data and ask users for their consent to the use of the conference platforms or certain functions (e.g. consent to the recording of conferences), the legal basis for the processing is this consent. Furthermore, our processing may be necessary to fulfil our contractual obligations (e.g. in participant lists, in the case of processing conversation results, etc.). Otherwise, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.
• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Image and/or video recordings (e.g. photographs or video recordings of a person); Sound recordings; Log data (e.g. log files relating to logins or the retrieval of data or access times); Contract data (e.g. subject matter of the contract, term, customer category). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
We use software services accessible via the Internet and executed on the servers of their providers (so-called ‘cloud services’, also referred to as ‘software as a service’) for the storage and management of content (e.g. document storage and management, exchange of documents, content and information with specific recipients, or publication of content and information).
In this context, personal data may be processed and stored on the providers' servers if it is part of communication processes with us or is otherwise processed by us as described in this privacy policy. This data may include, in particular, master data and contact details of users, data on transactions, contracts, other processes and their contents. The providers of cloud services also process usage data and metadata, which they use for security purposes and to optimise their services.
If we use cloud services to provide forms or other documents and content for other users or publicly accessible websites, the providers may store cookies on users' devices for web analysis purposes or to remember user settings (e.g. in the case of media control).
Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Image and/or video recordings (e.g. photographs or video recordings of a person). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
Data subjects: Interested parties; communication partners; business and contractual partners. Users (e.g. website visitors, users of online services).
Purposes of processing: Office and organisational procedures; IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); provision of contractual services and fulfilment of contractual obligations. Provision of our online services and user-friendliness.
Storage and deletion: deletion in accordance with the information in the section ‘General information on data storage and deletion’.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures and services:
Adobe Creative Cloud: Cloud storage, cloud infrastructure services and cloud-based application software, including for photo editing, video editing, graphic design and web development; Service provider: Adobe Systems Software Ireland, 4-6, Riverwalk Drive, Citywest Business Campus, Brownsbarn, Dublin 24, D24 DCW0, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.adobe.com/de/creativecloud.html; Privacy policy: https://www.adobe.com/de/privacy.html; Data processing agreement: Provided by the service provider. Basis for third country transfers: Data Privacy Framework (DPF).
Apple iCloud: Cloud storage service; Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.apple.com/de/. Privacy policy: https://www.apple.com/legal/privacy/de-ww/.
Microsoft Cloud Services: Cloud storage, cloud infrastructure services and cloud-based application software; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://microsoft.com/de-de; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement, Security information: https://www.microsoft.com/de-de/trustcenter; Data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for third country transfers: Data Privacy Framework (DPF).
Newsletters and electronic notifications
We send newsletters, emails and other electronic notifications (hereinafter referred to as ‘newsletters’) exclusively with the consent of the recipients or on a legal basis. If the content of the newsletter is specified during registration, this content is decisive for the consent of the users. To subscribe to our newsletter, it is usually sufficient to provide your email address. However, in order to offer you a personalised service, we may ask you to provide your name so that we can address you personally in the newsletter, or to provide further information if this is necessary for the purpose of the newsletter.
Deletion and restriction of processing: We may store the unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them in order to be able to prove that consent was previously given. The processing of this data is limited to the purpose of potential defence against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address in a block list (so-called ‘blocklist’) for this purpose alone.
The registration process is logged on the basis of our legitimate interests for the purpose of proving that it has been carried out correctly. If we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure mailing system.
Contents:
Information about us, our services, promotions and offers.
Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); meta, communication and process data (e.g. IP addresses, time stamps, identification numbers, persons involved); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Event data (Facebook) (‘Event data’ is information that is sent to the provider Meta via meta pixels (whether via apps or other channels) and relates to persons or their actions. This data includes details of website visits, interactions with content and functions, app installations and product purchases. Event data is processed with the aim of creating target groups for content and advertising messages (custom audiences). It is important to note that event data does not include actual content such as written comments, login information, or contact information such as names, email addresses, or telephone numbers. ‘Event data’ is deleted by Meta after a maximum of two years, and the target groups formed from it disappear when our Meta user accounts are deleted). Content data (e.g. textual or pictorial messages and posts, as well as information relating to them, such as details of authorship or time of creation).
Special categories of personal data: Health data.
Data subjects: Communication partners; service recipients and clients; interested parties; users (e.g. website visitors, users of online services). Business and contractual partners.
Purposes of processing: Direct marketing (e.g. by email or post); reach measurement (e.g. access statistics, recognition of returning visitors); Conversion measurement (measurement of the effectiveness of marketing measures); click tracking; marketing; profiles with user-related information (creation of user profiles); communication; provision of contractual services and fulfilment of contractual obligations; office and organisational procedures; feedback (e.g. collection of feedback via online form); provision of our online services and user-friendliness. Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)).
Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Right to object (opt-out): You can unsubscribe from our newsletter at any time, i.e. revoke your consent or object to further receipt. You will find a link to unsubscribe from the newsletter at the end of each newsletter or you can use one of the contact options listed above, preferably email.
Further information on processing procedures, methods and services:
Measurement of opening and click rates: The newsletters contain a so-called ‘web beacon’, i.e. a pixel-sized file that is retrieved from our server or, if we use a mailing service provider, from their server when the newsletter is opened. During this retrieval, technical information such as details about your browser and your system, as well as your IP address and the time of retrieval, are initially collected. This information is used to technically improve our newsletter based on the technical data or the target groups and their reading behaviour based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether and when the newsletters are opened and which links are clicked. The information is assigned to the individual newsletter recipients and stored in their profiles until it is deleted. The evaluations serve to recognise the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The measurement of opening and click rates, the storage of the measurement results in the users' profiles and their further processing are based on the consent of the users. Unfortunately, it is not possible to revoke the performance measurement separately; in this case, the entire newsletter subscription must be cancelled or objected to. In this case, the stored profile information will be deleted. Legal basis: consent (Art. 6(1)(a) GDPR).
Prerequisite for the use of free services: Consent to the sending of mailings may be made a prerequisite for the use of free services (e.g. access to certain content or participation in certain promotions). If users wish to use the free service without subscribing to the newsletter, we ask them to contact us.
Reminder emails regarding the ordering process: If users do not complete an ordering process, we may remind them of the ordering process by email and send them a link to continue it. This function can be useful, for example, if the purchase process could not be continued due to a browser crash, mistake or forgetfulness. The emails are sent on the basis of consent, which users can revoke at any time; legal basis: consent (Art. 6(1)(a) GDPR).
Sending via SMS: Electronic notifications can also be sent as SMS text messages (or are sent exclusively via SMS if the authorisation to send, e.g. consent, only covers sending via SMS); legal basis: consent (Art. 6(1)(a) GDPR).
Maileon: Email marketing, automation of marketing processes, collection, storage and management of contact data, measurement of campaign performance, recording and analysis of recipients' interaction with content, personalisation of content; Service provider: XQueue GmbH, Christian-Pleß-Str. 11-13, 63069 Offenbach am Main; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); Website: https://maileon.com/; Privacy policy: https://maileon.com/de/datenschutz; Data processing agreement: https://maileon.com/app/uploads/2023/10/AV_Muster_DE-aktuell.pdf.
We process personal data for advertising communication purposes, which may be carried out via various channels, such as email, telephone, post or fax, in accordance with legal requirements.
Recipients have the right to revoke their consent at any time or to object to advertising communication at any time.
After revocation or objection, we store the data necessary to prove previous authorisation for contact or sending up to three years after the end of the year of revocation or objection on the basis of our legitimate interests. The processing of this data is limited to the purpose of a possible defence against claims. On the basis of the legitimate interest in permanently observing the revocation or objection of users, we also store the data necessary to avoid renewed contact (e.g. depending on the communication channel, the email address, telephone number, name).
• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact details (e.g. postal and email addresses or telephone numbers). Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation).
• Data subjects: Communication partners.
• Purposes of processing: Direct marketing (e.g. by email or post); marketing. Sales promotion.
• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
• Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
We process personal data of participants in prize draws and competitions only in compliance with the relevant data protection regulations, insofar as the processing is contractually necessary for the provision, conduct and processing of the competition, the participants have consented to the processing, or the processing serves our legitimate interests (e.g. the security of the competition or the protection of our interests against misuse by possibly recording IP addresses when competition entries are submitted).
If participants' entries are published as part of the competitions (e.g. as part of a vote or presentation of the competition entries or winners, or reporting on the competition), we would like to point out that the names of the participants may also be published in this context. Participants may object to this at any time.
If the competition takes place within an online platform or social network (e.g. Facebook or Instagram, hereinafter referred to as "online platform"), the terms of use and data protection provisions of the respective platforms shall also apply. In such cases, we would like to point out that we are responsible for the information provided by participants in the context of the competition and that any enquiries regarding the competition should be directed to us.
Participants' data will be deleted as soon as the competition or contest has ended and the data is no longer required to inform the winners or because no further enquiries regarding the competition are to be expected. In principle, participants' data will be deleted no later than 6 months after the end of the competition. The data of the winners may be retained for longer, e.g. in order to answer queries about the prizes or to fulfil the prize obligations; in this case, the retention period depends on the type of prize and is, for example, up to three years for goods or services, e.g. in order to be able to process warranty claims. Furthermore, participants' data may be stored for longer, e.g. in the form of reports on the competition in online and offline media.
If data was also collected for other purposes in the context of the competition, its processing and storage period are governed by the data protection information for this use (e.g. in the case of a newsletter subscription in the context of a competition).
• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact details (e.g. postal and email addresses or telephone numbers). Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation).
• Data subjects: Competition and contest participants.
• Purposes of processing: Conducting competitions and contests.
• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
• Legal basis: Fulfilment of contract and pre-contractual enquiries (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
We conduct surveys and questionnaires to collect information for the purpose communicated in each survey or questionnaire. The surveys and questionnaires we conduct (hereinafter referred to as "questionnaires") are evaluated anonymously. Personal data is only processed to the extent necessary for the provision and technical implementation of the surveys (e.g. processing of the IP address to display the survey in the user's browser or using a cookie to enable the survey to be resumed).
• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or pictorial messages and posts, as well as information relating to them, such as details of authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
• Data subjects: Participants; service recipients and clients; interested parties. Users (e.g. website visitors, users of online services).
• Purposes of processing: Feedback (e.g. collecting feedback via online form); surveys and questionnaires (e.g. surveys with input options, multiple-choice questions); tracking (e.g. interest/behaviour-based profiling, use of cookies); click tracking; A/B testing; Heat maps (mouse movements by users, which are summarised into an overall picture); profiles with user-related information (creation of user profiles). Provision of our online offering and user-friendliness.
• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures and services:
• 2Ask: Conducting online surveys; Service provider: orbiz Software GmbH, Robert-Gerwig-Str. 4, 78467 Konstanz, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); website: https://www.2ask.com/. Privacy policy: https://www.2ask.com/2ask-datenschutz.
Web analysis (also known as ‘reach measurement’) is used to evaluate visitor traffic to our online offering and may include behaviour, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, identify at what times our online offering or its functions or content are used most frequently, or invite reuse. It also enables us to identify areas that require optimisation.
In addition to web analytics, we may also use testing procedures to test and optimise different versions of our online offering or its components.
Unless otherwise stated below, profiles, i.e. data summarised for a usage process, may be created for these purposes and information may be stored in a browser or on a terminal device and then read out. The information collected includes, in particular, websites visited and elements used there, as well as technical information such as the browser used, the computer system used and information on usage times. If users have agreed to the collection of their location data by us or by the providers of the services we use, the processing of location data is also possible.
In addition, the IP addresses of users are stored. However, we use an IP masking procedure (i.e. pseudonymisation by shortening the IP address) to protect users. In general, no directly identifying user data (such as email addresses or names) is stored in the context of web analysis, A/B testing and optimisation; pseudonyms are stored instead. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures.
Information on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
Types of data processed: Usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions); Meta, communication and process data (e.g. IP addresses, time stamps, identification numbers, persons involved). Content data (e.g. textual or image-based messages and posts, as well as information relating to them, such as details of authorship or time of creation).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Remarketing; target group formation; reach measurement (e.g. access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles); provision of our online offering and user-friendliness; A/B testing; feedback (e.g. collection of feedback via online form); Heat maps (mouse movements by users, which are summarised into an overall picture); IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); click tracking; marketing; tracking (e.g. interest/behaviour-based profiling, use of cookies). Conversion measurement (measurement of the effectiveness of marketing measures).
Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’. Storage of cookies for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years).
Security measures: IP masking (pseudonymisation of the IP address).
Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, methods and services:
Google Analytics: We use Google Analytics to measure and analyse the use of our online offering on the basis of a pseudonymous user identification number. This identification number does not contain any unique data such as names or email addresses. It is used to assign analysis information to a terminal device in order to identify which content users have accessed within one or more usage processes, which search terms they have used, which content they have accessed again or how they have interacted with our online offering. The time of use and its duration are also stored, as well as the sources from which users are referred to our online offering and technical aspects of their terminal devices and browsers.
Pseudonymous user profiles are created using information from the use of various devices, whereby cookies may be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides rough geographical location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU data traffic, IP address data is used exclusively for this derivation of geolocation data before being immediately deleted. It is not logged, is not accessible and is not used for any other purpose. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymisation of the IP address); Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third country transfers: Data Privacy Framework (DPF); Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for the display of advertisements: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and data processed).
Information on consent recipients and cookie-free analysis: Information on consent recipients: The consent given by users in a consent dialogue (also known as ‘cookie opt-in/consent’, ‘cookie banner’, etc.) serves several purposes. On the one hand, it helps us fulfil our obligation to obtain consent for the storage and retrieval of information on and from the user's device (in accordance with ePrivacy guidelines). Secondly, it covers the processing of users' personal data in accordance with data protection regulations. This consent also applies to Google, as the company is required by the Digital Markets Act to obtain consent for personalised services. We therefore share the status of the consent given by users with Google. Our consent management software informs Google whether consent has been given or not. The aim is to ensure that the consent or non-consent of users is taken into account when using Google Analytics and when integrating functions and external services. This allows user consent and revocation within the scope of Google Analytics and other Google services in our online offering to be dynamically adjusted depending on the user's selection.
Cookie-free analysis: We use the extended implementation of the consent mode of Google Analytics. This means that if users do not give their consent to the storage and reading of information on their end devices, in particular with regard to cookies, no cookies or comparable information will be stored on the users' devices. Likewise, no user profiles will be created.
In this case, Google's code generates a random identification number on the user's device and transmits it to Google (known as a ‘ping’). The identification is not stored in the browser, in apps or on other user devices. This identification number is unique for each website visit, so that the behaviour or interests of users are not tracked across devices or pages. Only a minimum amount of information about user activity is sent. This includes information about consent status and information for conversion measurement, i.e. whether a user was directed to our online offering by a Google advertisement.
In addition, the following information may be transmitted, if available: a) Function-related information such as headers (technical details transmitted by the browser), b) timestamp (date and time of access), c) user agent (information about the browser and device used, only on the web), d) referrer URL (the URL of the page from which the user came), e) summarised/pseudonymous information: This includes an indication of whether the current or a previous page in the user's navigation history contains information about the ad click in the URL (e.g. GCLID/DCLID, special tracking codes from Google), a random number generated each time a page is loaded, and information about the consent management platform used by the website owner (e.g. developer ID); Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://support.google.com/analytics/answer/9976101?hl=de. Privacy policy: https://policies.google.com/privacy.
Google Analytics (server-side use): We use Google Analytics to measure and analyse the use of our online services by users. Although user data is processed, it is not transmitted directly from the user's device to Google. In particular, the user's IP address is not transmitted to Google. Instead, the data is first transmitted to our server, where the user's data records are assigned to our internal user identification number. The subsequent transmission from our server to Google takes place only in this pseudonymised form. The identification number does not contain any unique data such as names or email addresses. It is used to assign analysis information to a device in order to identify which content users have accessed within one or more usage processes, which search terms they have used, which content they have accessed again or how they have interacted with our online offering. The time of use and its duration are also stored, as well as the sources from which users are referred to our online offering and technical aspects of their end devices and browsers. Pseudonymous user profiles are created with information from the use of various devices, whereby cookies may be used. In Analytics, data on geographical location is provided at a higher level by collecting the following metadata based on IP search: ‘city’ (and the derived latitude and longitude of the city), ‘continent’, ‘country’, ‘region’, ‘subcontinent’ (and the ID-based equivalents); Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third country transfers: Data Privacy Framework (DPF). Further information: https://business.safety.google/adsservices/ (types of processing and data processed).
Target group formation with Google Analytics: We use Google Analytics to present advertisements placed via Google's advertising services and those of its partners to users who have already shown an interest in our online offering or who have certain characteristics (e.g. interests in specific topics or products, which are determined based on the websites they visit). We transmit this data to Google as part of what is known as ‘remarketing’ or ‘Google Analytics Audiences’. The aim of using remarketing audiences is to ensure that our advertisements match the potential interests of users as closely as possible; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: consent (Art. 6(1)(a) GDPR); website: https://marketingplatform.google.com; legal basis: https://business.safety.google/adsprocessorterms/; privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third country transfers: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products and standard contractual clauses for third country transfers of data: https://business.safety.google/adsprocessorterms.
No collection of detailed location and device data (Google Analytics function): No detailed location and device data is collected (further information: https://support.google.com/analytics/answer/12017362).
Google Tag Manager: We use Google Tag Manager, software from Google that allows us to centrally manage so-called website tags via a user interface. Tags are small code elements on our website that serve to record and analyse visitor activity. This technology helps us to improve our website and the content offered on it. Google Tag Manager itself does not create user profiles, store cookies with user profiles or perform independent analyses. Its function is limited to simplifying and streamlining the integration and management of tools and services that we use on our website. Nevertheless, when using Google Tag Manager, the IP address of the user is transmitted to Google, which is necessary for technical reasons in order to implement the services we use. Cookies may also be set in the process. However, this data processing only takes place if services are integrated via Tag Manager. For more detailed information about these services and their data processing, please refer to the following sections of this privacy policy; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms. Basis for third country transfers: Data Privacy Framework (DPF).
Google Tag Manager (server-side use): Google Tag Manager is an application that allows us to manage so-called website tags via an interface and thus integrate other services into our online offering (see also the further information in this privacy policy). The Tag Manager itself (which implements the tags) does not store user profiles or cookies. The integration of the other services takes place on the server side. This means that user data is not transmitted directly from their device to the respective service or Google. In particular, the user's IP address is not transmitted to the other service. Instead, the data is first transmitted to our server, where the user data records are assigned to our internal user identification number. The subsequent transmission of the data from our server to the servers of the respective service providers only takes place in this pseudonymised form. The user identification number does not contain any unique data such as names or email addresses; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third country transfers: Data Privacy Framework (DPF). Further information: https://business.safety.google/adsservices/ (types of processing and data processed).
We process personal data for the purpose of online marketing, which may include, in particular, the marketing of advertising space or the display of advertising and other content (collectively referred to as ‘content’) based on the potential interests of users, as well as the measurement of its effectiveness.
For these purposes, so-called user profiles are created and stored in a file (the so-called ‘cookie’) or similar procedures are used to store information about the user that is relevant for the presentation of the aforementioned content. This may include, for example, content viewed, websites visited, online networks used, but also communication partners and technical information such as the browser used, the computer system used, and information on usage times and functions used. If users have consented to the collection of their location data, this may also be processed.
In addition, the IP addresses of users are stored. However, we use available IP masking procedures (i.e. pseudonymisation by shortening the IP address) to protect users. In general, no directly identifying user data (such as email addresses or names) is stored as part of the online marketing process; pseudonyms are stored instead. This means that neither we nor the providers of the online marketing process know the actual identity of the users, but only the information stored in their profiles.
The statements in the profiles are usually stored in cookies or by means of similar procedures. These cookies can later be read on other websites that use the same online marketing process, analysed for the purpose of displaying content, supplemented with further data and stored on the server of the online marketing process provider.
In exceptional cases, it is possible to assign directly identifying data to the profiles, primarily if, for example, the users are members of a social network whose online marketing method we use and which links the user profiles with the aforementioned information. Please note that users can enter into additional agreements with the providers, for example by giving their consent during registration.
We only receive access to summarised information about the success of our advertisements. However, we can use conversion measurements to check which of our online marketing methods have led to a conversion, i.e. for example, the conclusion of a contract with us. Conversion measurement is used solely to analyse the success of our marketing measures.
Unless otherwise stated, please assume that the cookies used will be stored for a period of two years.
Information on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.
Information on revocation and objection:
We refer you to the data protection information of the respective providers and the options for objection (so-called ‘opt-out’) specified for the providers. If no explicit opt-out option has been specified, you have the option of disabling cookies in your browser settings. However, this may restrict the functions of our online offering. We therefore also recommend the following opt-out options, which are offered in summary form for the respective regions:
a) Europe: https://www.youronlinechoices.eu.
b) Canada: https://www.youradchoices.ca/choices.
c) USA: https://www.aboutads.info/choices.
d) Cross-regional: https://optout.aboutads.info.
Types of data processed: Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved); Event data (Facebook) (‘Event data’ is information that is sent to the provider Meta via Meta Pixel (whether via apps or other channels) and relates to persons or their actions. This data includes details about website visits, interactions with content and functions, app installations and product purchases. Event data is processed with the aim of creating target groups for content and advertising messages (custom audiences). It is important to note that event data does not include actual content such as written comments, login information, or contact information such as names, email addresses, or telephone numbers. ‘Event data’ is deleted by Meta after a maximum of two years, and the target groups formed from it disappear when our Meta user accounts are deleted.); Contact information (Facebook) (‘Contact information’ is data that (clearly) identifies data subjects, such as names, email addresses and telephone numbers, which can be transmitted to Facebook, e.g. via Facebook pixels or uploads for matching purposes for the purpose of creating custom audiences; after matching for the purpose of creating target groups, the contact information is deleted); Inventory data (e.g. full name, residential address, contact information, customer number, etc.). Contact details (e.g. postal and email addresses or telephone numbers).
Data subjects: Users (e.g. website visitors, users of online services); interested parties; service recipients and clients. Communication partners.
Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest/behaviour-based profiling, use of cookies); conversion measurement (measurement of the effectiveness of marketing measures); target group formation; marketing; profiles with user-related information (creation of user profiles); provision of our online offering and user-friendliness; remarketing; direct marketing (e.g. by email or post); click tracking; cross-device tracking (cross-device processing of user data for marketing purposes); communication. A/B testing.
Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’. Storage of cookies for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years).
Security measures: IP masking (pseudonymisation of the IP address).
Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures and services:
Meta pixel and target group formation (custom audiences): With the help of the Meta pixel (or comparable functions for transmitting event data or contact information via interfaces in apps), Meta is able to identify visitors to our online offering as a target group for the display of advertisements (so-called ‘Meta ads’). Accordingly, we use the Meta pixel to display the Meta ads we place only to those users on Meta platforms and within the services of Meta's cooperating partners (so-called ‘Audience Network’, https://www.facebook.com/audiencenetwork/) who have also shown an interest in our online offering or who have certain characteristics (e.g. interest in certain topics or products, which can be seen from the websites visited) that we transmit to Meta (so-called ‘custom audiences’). With the help of the Meta pixel, we also want to ensure that our Meta ads correspond to the potential interest of users and do not have a nuisance effect. With the help of the Meta pixel, we can also track the effectiveness of Meta ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Meta ad (so-called ‘conversion measurement’); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for third country transfers: Data Privacy Framework (DPF); Further information: Event user data, i.e. behavioural and interest information, is processed for the purposes of targeted advertising and target group formation on the basis of the joint responsibility agreement (‘Addendum for Controllers’, https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transfer of data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
Extended matching for Meta Pixel: In addition to the processing of event data in connection with the use of Meta Pixel (or comparable functions, e.g. in apps), contact information (data identifying individual persons, such as names, email addresses and telephone numbers) is also collected by Meta within our online offering or transmitted to Meta. The processing of contact information serves to form target groups (so-called ‘custom audiences’) for the display of content and advertising information tailored to the presumed interests of users. The collection, transmission and comparison with data available at Meta does not take place in plain text, but as so-called ‘hash values’, i.e. mathematical representations of the data (this method is used, for example, when storing passwords). After the comparison for the purpose of forming target groups, the contact information is deleted; legal basis: Consent (Art. 6(1)(a) GDPR); Privacy policy: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for third country transfers: Data Privacy Framework (DPF). Further information: https://www.facebook.com/legal/terms/data_security_terms.
Meta - Target group formation via data upload: Formation of target groups for marketing purposes - We transfer contact information (names, email addresses and telephone numbers) in list form to Meta for the purpose of forming target groups (so-called ‘custom audiences’) for the display of content and advertising information based on the presumed interests of users. The transfer and comparison with data available at Meta does not take place in plain text, but as so-called ‘hash values’, i.e. mathematical representations of the data (this method is used, for example, when storing passwords). After matching for the purpose of creating target groups, the contact information is deleted; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing. Basis for third-country transfers: Data Privacy Framework (DPF).
Facebook advertisements: Placement of advertisements within the Facebook platform and evaluation of the advertising results; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: consent (Art. 6(1)(a) GDPR); website: https://www.facebook.com; privacy policy: https://www.facebook.com/privacy/policy/; Basis for third-country transfers: Data Privacy Framework (DPF); Opt-out option: We refer to the data protection and advertising settings in the user's profile on the Facebook platforms, as well as to Facebook's consent procedure and contact options for exercising information and other data subject rights, as described in Facebook's privacy policy; Further information: User event data, i.e. behavioural and interest information, is processed for the purposes of targeted advertising and target group formation on the basis of the joint responsibility agreement (‘Addendum for Controllers’, https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transfer of data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
Google Ad Manager: We use the ‘Google Ad Manager’ service to place ads on the Google advertising network (e.g. in search results, in videos, on websites, etc.). Google Ad Manager is characterised by the fact that advertisements are displayed in real time based on the presumed interests of users. This allows us to display advertisements for our online offering to users who may have a potential interest in our offering or who have previously shown interest in it, as well as to measure the success of the advertisements; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://marketingplatform.google.com; privacy policy: https://policies.google.com/privacy; Basis for third country transfers: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/; Data processing terms for Google advertising products: Information about the services Data processing terms between controllers and standard contractual clauses for third country transfers of data: https://business.safety.google/adscontrollerterms. If Google acts as a processor, data processing terms for Google advertising products and standard contractual clauses for third-country data transfers: https://business.safety.google/adsprocessorterms.
Google Ads and conversion measurement: Online marketing methods for placing content and advertisements within the service provider's advertising network (e.g. in search results, in videos, on websites, etc.) so that they are displayed to users who are likely to be interested in the advertisements. In addition, we measure the conversion of the advertisements, i.e. whether users have taken the opportunity to interact with the advertisements and use the advertised offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: consent (Art. 6(1)(a) GDPR), legitimate interests (Art. 6(1)(f) GDPR); website: https://marketingplatform.google.com; privacy policy: https://policies.google.com/privacy; basis for third country transfers: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for third country transfers of data: https://business.safety.google/adscontrollerterms.
Google Ads Remarketing: Google Remarketing, also known as retargeting, is a technology that adds users who use an online service to a pseudonymous remarketing list so that ads can be displayed to users on other online services based on their visit to the online service; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: consent (Art. 6(1)(a) GDPR); website: https://marketingplatform.google.com; privacy policy: https://policies.google.com/privacy; Basis for third country transfers: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for third country transfers of data: https://business.safety.google/adscontrollerterms.
Enhanced conversions for Google Ads: When users click on our Google ads and then use the advertised service (known as a ‘conversion’), the data entered by the user, such as their email address, name, home address or telephone number, may be transmitted to Google. The hash values are then matched with the users' existing Google accounts in order to better evaluate and improve the users' interaction with the ads (e.g. clicks or views) and thus their performance; legal basis: consent (Art. 6(1)(a) GDPR). Website: https://support.google.com/google-ads/answer/9888656.
Google Adsense with personalised ads: We integrate the Google Adsense service, which enables us to place personalised ads within our online offering. Google Adsense analyses user behaviour and uses this data to display targeted advertising tailored to the interests of our visitors. We receive financial compensation for each ad placement or other types of use of these ads; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: consent (Art. 6(1)(a) GDPR); website: https://marketingplatform.google.com; privacy policy: https://policies.google.com/privacy; Basis for third country transfers: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products (information about the services, data processing terms between controllers and standard contractual clauses for third country transfers of data): https://business.safety.google/adscontrollerterms.
Google Adsense with non-personalised ads: We use the Google Adsense service to place non-personalised ads on our website. These ads are not based on individual user behaviour, but are selected based on general characteristics such as the content of the page or your approximate geographical location. We receive remuneration for the display or other use of these ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: consent (Art. 6(1)(a) GDPR); website: https://marketingplatform.google.com; privacy policy: https://policies.google.com/privacy; basis for third-country transfers: Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products (information about the services, data processing terms between controllers and standard contractual clauses for third-country transfers of data): https://business.safety.google/adscontrollerterms.
Instagram advertisements: Placement of advertisements within the Instagram platform and evaluation of advertising results; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.instagram.com; Privacy policy: https://privacycenter.instagram.com/policy/; Basis for third country transfers: Data Privacy Framework (DPF); Opt-out option: We refer to the data protection and advertising settings in the user's profile on the Instagram platform and in the context of Instagram's consent procedure and Instagram's contact options for exercising information and other data subject rights in Instagram's privacy policy; Further information: User event data, i.e. behavioural and interest information, is processed for the purposes of targeted advertising and target group formation on the basis of the joint responsibility agreement (‘Addendum for Controllers’, https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transfer of data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
LinkedIn Insight Tag: Code that is loaded when a user visits our online offering and tracks the user's behaviour and conversions and stores them in a profile (possible uses: measuring campaign performance, optimising ad delivery, building custom and similar audiences); Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: consent (Art. 6(1)(a) GDPR); website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy, cookie policy: https://www.linkedin.com/legal/cookie_policy; Data processing agreement: https://www.linkedin.com/legal/l/dpa; Basis for third country transfers: Data Privacy Framework (DPF). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
We participate in review and rating processes in order to evaluate, optimise and promote our services. If users rate us via the participating rating platforms or processes or provide feedback in any other way, the general terms and conditions or terms of use and privacy policies of the providers also apply. As a rule, the rating also requires registration with the respective providers.
To ensure that the persons making the ratings have actually used our services, we transmit the necessary data regarding the customer and the service used to the respective rating platform (including name, email address and order number or item number) with the customer's consent. This data is used solely to verify the authenticity of the user.
• Types of data processed: Contract data (e.g. subject matter of the contract, term, customer category); usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
• Data subjects: Service recipients and clients. Users (e.g. website visitors, users of online services).
• Purposes of processing: Feedback (e.g. collecting feedback via online form). Marketing.
• Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).
Further information on processing operations, procedures and services:
• Google customer reviews: Service for obtaining and/or displaying customer satisfaction and customer opinions; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.google.com/; privacy policy: https://policies.google.com/privacy; basis for third country transfers: Data Privacy Framework (DPF); Further information: When collecting customer reviews, an identification number and the time of the business transaction to be reviewed are processed. In the case of review requests sent directly to customers, the customer's email address and country of residence are also processed, as well as the review details themselves; Further information on the types of processing and the data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products (information on the services, data processing terms between controllers and standard contractual clauses for third-country transfers of data): https://business.safety.google/adscontrollerterms.
• kununu: review platform; service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.kununu.com/de. Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.
We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to offer information about us.
We would like to point out that user data may be processed outside the European Union. This may result in risks for users, as it could, for example, make it more difficult to enforce user rights.
Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, usage profiles can be created based on the usage behaviour and resulting interests of users. The latter may in turn be used to place advertisements within and outside the networks that are presumed to correspond to the interests of the users. For this reason, cookies are usually stored on users' computers, in which the usage behaviour and interests of users are stored. In addition, data can also be stored in the usage profiles independently of the devices used by users (especially if they are members of the respective platforms and are logged in there).
For a detailed description of the respective forms of processing and the options for objection (opt-out), we refer you to the privacy policies and information provided by the operators of the respective networks.
In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be most effectively asserted with the providers. Only the latter have access to the user data and can take appropriate measures and provide information directly. If you still require assistance, please contact us.
• Types of data processed: Contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved). Inventory data (e.g. full name, residential address, contact information, customer number, etc.).
• Data subjects: Users (e.g. website visitors, users of online services). Members.
• Purposes of processing: Communication; feedback (e.g. collecting feedback via online form); public relations; provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); public relations and information purposes. Marketing.
• Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’.
• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).
Further information on processing procedures, methods and services:
• Instagram: Social network that allows users to share photos and videos, comment on and favourite posts, send messages, and subscribe to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.instagram.com; privacy policy: https://privacycenter.instagram.com/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).
• Facebook pages: Profiles within the Facebook social network – Together with Meta Platforms Ireland Limited, we are responsible for the collection (but not the further processing) of data from visitors to our Facebook page (known as a ‘fan page’). This data includes information about the types of content that users view or interact with, or the actions they take (see ‘Things you and others do and provide’ in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see ‘Device Information’ in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under ‘How do we use this information?’, Facebook also collects and uses information to provide analytics services, known as ‘Page Insights’, to page operators so that they can gain insights into how people interact with their pages and the content associated with them. We have entered into a special agreement with Facebook (‘Page Insights Information’, https://www.facebook.com/legal/terms/page_controller_addendum), which specifically regulates the security measures Facebook must observe and in which Facebook has agreed to comply with the rights of data subjects (i.e. users can, for example, send requests for information or deletion directly to Facebook). The rights of users (in particular, the right to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the ‘Information on Page Insights’ (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint responsibility is limited to the collection and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. 
Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transfer of data to the parent company Meta Platforms, Inc. in the USA; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.facebook.com; privacy policy: https://www.facebook.com/privacy/policy/. Basis for third country transfers: Data Privacy Framework (DPF).
• Facebook groups: We use the ‘Groups’ feature of the Facebook platform to create interest groups within which Facebook users can connect with each other or with us and exchange information. In doing so, we process the personal data of the users of our groups to the extent necessary for the purpose of group use and moderation. Our guidelines within the groups may contain further specifications and information on the use of the respective group. This data includes first and last names, published or privately shared content, as well as values relating to group membership status or group-related activities, such as joining or leaving the group, and the time stamps for the aforementioned data. We also refer to the processing of user data by Facebook itself. This data includes information about the types of content that users view or interact with, or the actions they take (see ‘Things you and others do and provide’ in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see ‘Device Information’ in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under ‘How do we use this information?’, Facebook also collects and uses information to provide analytics services, known as ‘Insights’, to group operators so that they can gain insights into how people interact with their groups and the content associated with them; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.facebook.com; privacy policy: https://www.facebook.com/privacy/policy/. Basis for third country transfers: Data Privacy Framework (DPF).
• Facebook events: Event profiles within the Facebook social network – We use the ‘Events’ function of the Facebook platform to draw attention to events and dates, to get in touch with users (participants and interested parties) and to exchange information. In doing so, we process the personal data of users of our event pages to the extent necessary for the purpose of the event page and its moderation. This data includes first and last names, published or privately communicated content, participation status, and the time of the aforementioned data. We also refer to the processing of user data by Facebook itself. This data includes information about the types of content that users view or interact with, or the actions they take (see ‘Things you and others do and provide’ in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see ‘Device Information’ in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under ‘How do we use this information?’, Facebook also collects and uses information to provide analytics services, known as ‘Insights’, to event organisers so that they can gain insights into how people interact with their event pages and related content; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/. Basis for third country transfers: Data Privacy Framework (DPF).
• LinkedIn: Social network – Together with LinkedIn Ireland Unlimited Company, we are responsible for the collection (but not the further processing) of visitor data used to generate the ‘Page Insights’ (statistics) of our LinkedIn profiles. This data includes information about the types of content users view or interact with, as well as the actions they take. Details about the devices used are also collected, such as IP addresses, operating system, browser type, language settings and cookie data, as well as information from user profiles, such as job title, country, industry, hierarchy level, company size and employment status. Information on the processing of user data by LinkedIn can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy.
We have entered into a special agreement with LinkedIn Ireland (‘Page Insights Joint Controller Addendum’, https://legal.linkedin.com/pages-joint-controller-addendum), which specifically regulates the security measures that LinkedIn must observe and in which LinkedIn has agreed to fulfil the rights of data subjects (i.e. users can, for example, submit requests for information or deletion directly to LinkedIn). The rights of users (in particular the right to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection and transfer of data to LinkedIn Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, in particular with regard to the transfer of data to the parent company LinkedIn Corporation in the USA; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Basis for third country transfers: Data Privacy Framework (DPF). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
• YouTube: Social network and video platform; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); privacy policy: https://policies.google.com/privacy; basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: https://myadcenter.google.com/personalizationoff.
• Xing: Social network; service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.xing.com/. Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.
We incorporate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as ‘third-party providers’). These may be graphics, videos or city maps (hereinafter referred to collectively as ‘content’).
The integration always requires that the third-party providers of this content process the IP address of the users, as they would not be able to send the content to their browsers without the IP address. The IP address is therefore necessary for the display of this content or these functions. We endeavour to use only content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as ‘web beacons’) for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, visit time and other information about the use of our online offering, but may also be linked to such information from other sources.
Information on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
• Types of data processed: Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time stamps, identification numbers, persons involved); Location data (information about the geographical position of a device or person); Event data (Facebook) (‘Event data’ is information that is sent to the provider Meta via meta pixels (whether via apps or other channels), for example, and relates to persons or their actions. This data includes details about website visits, interactions with content and functions, app installations and product purchases. Event data is processed with the aim of creating target groups for content and advertising messages (custom audiences). It is important to note that event data does not include actual content such as written comments, login information, or contact information such as names, email addresses, or telephone numbers. ‘Event data’ is deleted by Meta after a maximum of two years, and the target groups formed from it disappear when our Meta user accounts are deleted.); Contact details (e.g. postal and email addresses or telephone numbers). Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online services and user-friendliness; reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest/behaviour-based profiling, use of cookies); target group formation; marketing; provision of contractual services and fulfilment of contractual obligations; profiles with user-related information (creation of user profiles). Feedback (e.g. collection of feedback via online form).
• Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’. Storage of cookies for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years).
• Legal basis: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, methods and services:
• Integration of third-party software, scripts or frameworks (e.g. jQuery): We integrate software into our online offering that we retrieve from servers of other providers (e.g. function libraries that we use for the purpose of displaying or improving the user-friendliness of our online offering). In doing so, the respective providers collect the IP address of the users and may process it for the purpose of transmitting the software to the users' browsers, for security purposes, and for the evaluation and optimisation of their offerings; legal basis: legitimate interests (Art. 6 (1) (f) GDPR).
• Google Fonts (provision on our own server): Provision of font files for the purpose of user-friendly presentation of our online offering; service provider: Google Fonts are hosted on our server; no data is transmitted to Google; legal basis: legitimate interests (Art. 6(1)(f) GDPR).
• Google Fonts (procurement from Google server): Procurement of fonts (and symbols) for the purpose of technically secure, maintenance-free and efficient use of fonts and symbols with regard to topicality and loading times, their uniform display and consideration of possible licensing restrictions. The IP address of the user is communicated to the font provider so that the fonts can be made available in the user's browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) is transmitted, which is necessary for the provision of the fonts depending on the devices used and the technical environment. This data may be processed on a server of the font provider in the USA. When visiting our online offering, users' browsers send HTTP requests to the Google Fonts Web API (i.e. a software interface for retrieving fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) from Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of the website visitors, as well as the referrer URL (i.e. the web page on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers, and they are not analysed. The Google Fonts Web API logs details of HTTP requests (requested URL, user agent and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wishes to load fonts. This data is logged so that Google can determine how often a particular font family is requested. With the Google Fonts Web API, the user agent must customise the font that is generated for the respective browser type.
The user agent is primarily logged for debugging purposes and used to generate aggregated usage statistics that measure the popularity of font families. These summarised usage statistics are published on the Google Fonts ‘Analytics’ page. Finally, the referral URL is logged so that the data can be used for production maintenance and an aggregated report on the top integrations can be generated based on the number of font requests. According to its own information, Google does not use any of the information collected by Google Fonts to create profiles of end users or to serve targeted ads; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://fonts.google.com/; privacy policy: https://policies.google.com/privacy; basis for third-country transfers: Data Privacy Framework (DPF). Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
• Font Awesome (hosted on our own server): Display of fonts and icons; Service provider: The Font Awesome icons are hosted on our server; no data is transmitted to the provider of Font Awesome; Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
• Google Maps: We integrate maps from the ‘Google Maps’ service provided by Google. The data processed may include, in particular, IP addresses and location data of users; service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; Legal basis: consent (Art. 6(1)(a) GDPR); website: https://mapsplatform.google.com/; privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).
• Google Maps APIs and SDKs: Interfaces to Google's map and location services, which allow, for example, the completion of address entries, location determination, distance calculations or the provision of additional information on locations and other places; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://mapsplatform.google.com/; Privacy policy: https://policies.google.com/privacy. Basis for third country transfers: Data Privacy Framework (DPF).
• reCAPTCHA: We integrate the ‘reCAPTCHA’ function in order to be able to recognise whether entries (e.g. in online forms) are made by humans and not by automatically acting machines (so-called ‘bots’). The data processed may include IP addresses, information about operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, time spent on websites, previously visited websites, interactions with reCAPTCHA on other websites, cookies in some circumstances, and results of manual recognition processes (e.g. answering questions or selecting objects in images). Data processing is based on our legitimate interest in protecting our online offering from abusive automated crawling and spam; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.google.com/recaptcha/; privacy policy: https://policies.google.com/privacy; basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://myadcenter.google.com/personalizationoff.
• YouTube videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://myadcenter.google.com/personalizationoff.
• YouTube videos: Videos stored on YouTube are embedded within our online offering. These YouTube videos are integrated via a special domain using the ‘youtube-nocookie’ component in what is known as ‘extended data protection mode’. In ‘extended data protection mode’, only information that includes your IP address and details about your browser and device can be stored on your device in cookies or using comparable methods that YouTube requires for the output, control and optimisation of the video display until the video is started. As soon as you play the videos, additional information may be processed by YouTube for the analysis of usage behaviour, storage in the user profile and personalisation of content and advertisements. The storage period for cookies can be up to two years; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: consent (Art. 6(1)(a) GDPR); website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy; Basis for third country transfers: Data Privacy Framework (DPF). Further information: https://support.google.com/youtube/answer/171780?hl=de-DE#zippy=%2Cturn-on-privacy-enhanced-mode%2Cerweiterten-datenschutzmodus-aktivieren.
We use services, platforms and software from other providers (hereinafter referred to as ‘third-party providers’) for the purposes of organising, managing, planning and providing our services. We comply with legal requirements when selecting third-party providers and their services.
In this context, personal data may be processed and stored on the servers of third-party providers. This may affect various data that we process in accordance with this privacy policy. This data may include, in particular, master data and contact details of users, data on transactions, contracts, other processes and their contents.
If users are referred to third-party providers or their software or platforms in the context of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimisation or marketing purposes. We therefore ask you to observe the data protection information of the respective third-party providers.
Types of data processed: Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved); contact data (e.g. postal and email addresses or telephone numbers); inventory data (e.g. full name, residential address, contact information, customer number, etc.); Contract data (e.g. subject matter of the contract, term, customer category). Payment data (e.g. bank details, invoices, payment history).
Data subjects: Communication partners; users (e.g. website visitors, users of online services); business and contractual partners; Employees (e.g. employees, applicants, temporary staff and other staff); Prospective customers. Third parties.
Purposes of processing: Communication; Provision of contractual services and fulfilment of contractual obligations; Office and organisational procedures; Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); Organisational and administrative procedures; feedback (e.g. collecting feedback via online forms); surveys and questionnaires (e.g. surveys with input options, multiple-choice questions); profiles with user-related information (creation of user profiles); reach measurement (e.g. access statistics, recognition of returning visitors); Marketing; provision of our online offering and user-friendliness; establishment and implementation of employment relationships (processing of employee data in the context of establishing and implementing employment relationships); artificial intelligence (AI); tracking (e.g. interest/behaviour-based profiling, use of cookies); conversion measurement (measurement of the effectiveness of marketing measures). A/B testing.
Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).
Further information on processing operations, procedures and services:
Adobe Document Cloud: Cloud storage, cloud infrastructure services and cloud-based application software for creating, editing, signing and sharing PDF documents; Service provider: Adobe Systems Software Ireland, 4-6, Riverwalk Drive, Citywest Business Campus, Brownsbarn, Dublin 24, D24 DCW0, Ireland; Legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.adobe.com/de/creativecloud.html; privacy policy: https://www.adobe.com/de/privacy.html; Data processing agreement: Provided by the service provider. Basis for third country transfers: Data Privacy Framework (DPF).
Asana: Project management – organisation and management of teams, groups, workflows, projects and processes; Service provider: Asana, Inc, 1550 Bryant Street, Suite 200, San Francisco, CA 94103, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://asana.com; Privacy policy: https://asana.com/de/terms#privacy-policy; Data processing agreement: https://asana.com/de/terms#data-processing. Basis for third-country transfers: Data Privacy Framework (DPF).
Corporate Benefits: Provision of employee benefits and additional services for employees (so-called corporate benefits); Service provider: corporate benefits Deutschland GmbH, Schiffbauerdamm 40, 10117 Berlin, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.corporate-benefits.de/. Privacy policy: https://www.corporate-benefits.de/datenschutz.
DocuSign: Electronic signing of documents, sending documents for signature, tracking the status of documents, storage of signed documents; Service provider: DocuSign, Inc., 221 Main Street Suite 1000 San Francisco, CA 94105, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.docusign.com/; Privacy policy: https://www.docusign.com/privacy; Data processing agreement: https://www.docusign.com/legal/terms-and-conditions/data-protection-attachment; Basis for third country transfers: Standard contractual clauses (https://www.docusign.com/legal/terms-and-conditions/data-protection-attachment). Further information: Processing as a processor and controller is also carried out on the basis of approved binding internal data protection regulations that ensure a level of data protection in line with the requirements of the GDPR (Binding Corporate Rules, Art. 47 GDPR): https://www.docusign.com/trust/privacy/binding-corporate-rules.
Google Gemini: AI-powered system designed to provide advanced language and image processing capabilities. It uses machine learning to understand and generate natural language and analyse images, offering versatile applications in various fields; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://cloud.google.com/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://cloud.google.com/terms/data-processing-addendum; Basis for third country transfers: Data Privacy Framework (DPF); Further information: https://support.google.com/gemini/answer/13594961?hl=de&visit_id=638473537021340956-3230753019&.rd=1.
WeTransfer: Transfer of files via the Internet; Service provider: WeTransfer BV, Oostelijke Handelskade 751, Amsterdam, 1019 BW, Netherlands; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://wetransfer.com. Privacy policy: https://wetransfer.com/legal/privacy.
In the context of employment relationships, personal data is processed with the aim of effectively establishing, implementing and terminating such relationships. This data processing supports various operational and administrative functions that are necessary for the management of employee relations.
Data processing covers various aspects, ranging from contract initiation to contract termination. This includes the organisation and administration of daily working hours, the management of access rights and authorisations, and the handling of personnel development measures and employee appraisals. Processing also serves the purpose of accounting and administering wage and salary payments, which are critical aspects of contract execution.
In addition, data processing takes into account the legitimate interests of the responsible employer, such as ensuring safety in the workplace or collecting performance data for the evaluation and optimisation of operational processes. Furthermore, data processing includes the disclosure of employee data in the context of external communication and publication processes, where this is necessary for operational or legal purposes.
This data is always processed in compliance with the applicable legal framework, with the aim of creating and maintaining a fair and efficient working environment. This also includes taking into account the data protection of the employees concerned, anonymising or deleting data after the processing purpose has been fulfilled or in accordance with statutory retention periods.
• Types of data processed: Employee data (information on employees and other persons in an employment relationship); Payment data (e.g. bank details, invoices, payment history); Contract data (e.g. subject matter of the contract, term, customer category); Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); Social data (data subject to social secrecy and processed, for example, by social security institutions, social welfare institutions or pension authorities); Log data (e.g. log files relating to logins or the retrieval of data or access times); Performance and behaviour data (e.g. performance and behaviour aspects such as performance reviews, feedback from superiors, training participation, compliance with company guidelines, self-assessments and behaviour assessments); Working time data (e.g. start of working time, end of working time, actual working time, target working time, break times, overtime, holiday days, special leave days, sick days, absences, home office days, business trips); Salary data (e.g. basic salary, bonus payments, premiums, tax class information, allowances for night work/overtime, tax deductions, social security contributions, net pay amount); Image and/or video recordings (e.g. photographs or video recordings of a person); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
• Special categories of personal data: Health data; Religious or philosophical beliefs. Trade union membership.
• Data subjects: Employees (e.g. employees, applicants, temporary staff and other employees).
• Purposes of processing: Establishment and implementation of employment relationships (processing of employee data in the context of establishing and implementing employment relationships); business processes and business management procedures; security measures; provision of contractual services and fulfilment of contractual obligations; public relations. Office and organisational procedures.
• Legal bases: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR). Processing of special categories of personal data relating to health, employment and social security (Art. 9(2)(h) GDPR).
Further information on processing procedures, methods and services:
• Working time recording: Methods for recording employees' working hours include both manual and automated methods, such as the use of time clocks, time recording software or mobile apps. Activities such as entering arrival and departure times, break times, overtime and absences are carried out. Verification and validation of the recorded working hours includes comparison with work schedules or shift schedules, checking absences and approval of overtime by supervisors. Reports and analyses are generated based on the recorded working hours to provide timesheets, overtime reports and absence statistics for management and the human resources department; legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Authorisation management: Procedures required for the definition, management and control of access rights and user roles within a system or organisation (e.g. creation of authorisation profiles, role- and access-based control, review and approval of access requests, regular review of access rights, tracking and auditing of user activities, creation of security policies and procedures); Legal bases: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Special categories of personal data: Special categories of personal data are processed in the context of the employment relationship or to fulfil legal obligations. The special categories of personal data processed include data relating to the health, trade union membership or religious affiliation of employees. This data may be passed on to health insurance companies, for example, or processed for the purpose of assessing the fitness for work of employees, for occupational health management or for providing information to the tax office; legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Sources of the processed data: Personal data obtained in the context of the application and/or employment relationship of the employees is processed. In addition, personal data from other sources is collected if required by law. These may include tax authorities for tax-related information, the respective health insurance company for information on incapacity to work, third parties such as employment agencies or publicly accessible sources such as professional social networks in the context of application procedures; legal bases: Legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Video surveillance: The surveillance of employees serves to ensure the security of the company, the protection of property and the safety of employees. Various procedures and data processing steps are carried out for this purpose.
First, surveillance cameras are installed and positioned after a location analysis to identify security-relevant areas. The cameras are then installed in suitable locations, whereby information about the surveillance can be provided by attaching signs or warning notices.
Regular checks are carried out to ensure that the cameras are working properly and that there are no failures that could compromise security.
The actual surveillance is carried out by making video recordings to capture and document potential security incidents. These recordings are then evaluated and analysed to identify suspicious activity and respond appropriately.
All recorded video data is archived in accordance with legal requirements and data protection guidelines. It should be noted that the data is deleted after a maximum of 96 hours, unless there is a specific case of suspicion that requires longer storage in order to clarify the facts or ensure the security of the company.
In addition, data deletion measures are implemented as soon as the retention periods have expired or the data is no longer required in order to comply with data protection guidelines and protect the privacy of employees. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
• Purposes of data processing: Employees' personal data is primarily processed for the establishment, implementation and termination of the employment relationship. In addition, the processing of this data is necessary to fulfil legal obligations in the area of tax and social security law. In addition to these primary purposes, employee data is also used to fulfil regulatory and supervisory requirements, to optimise electronic data processing processes and to compile internal or cross-company data, possibly including statistical data. Furthermore, employee data may be processed for the assertion of legal claims and for defence in legal disputes; legal bases: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Transfer to the works council: The procedures for transferring information to the works council involve compiling relevant data and information and transferring it to the works council. This includes the transfer of information on personnel matters, working conditions, working hours, remuneration and other topics that are of interest to the works council in specific cases, in accordance with the statutory provisions and the provisions of the works agreements. The data collected includes information about employees, working hours, remuneration and other work-related aspects that are relevant to the works council; Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), Legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR), processing of special categories of personal data relating to health, employment and social security (Art. 9(2)(h) GDPR).
• Transfer of employee data: Employee data is only processed internally by those departments that need it to fulfil operational, contractual and legal obligations.
Data is only transferred to external recipients if this is required by law or if the employees concerned have given their consent. Possible scenarios for this include requests for information from authorities or in the case of asset accumulation benefits. Furthermore, the controller may forward personal data to other recipients to the extent necessary to fulfil its contractual and legal obligations as an employer. These recipients may include: a) Banks b) Health insurance funds, pension insurance institutions, pension providers and other social insurance institutions c) Authorities, courts (e.g. tax authorities, labour courts, other supervisory authorities in the context of fulfilling reporting and information obligations) d) Tax and legal advisors e) Third-party debtors in the event of wage and salary garnishments f) Other bodies to which legally binding declarations must be made.
In addition, data may be passed on to third parties if this is necessary for communication with business partners, suppliers or other service providers. Examples of this include information in the sender field of emails or letterheads and the creation of profiles on external platforms; legal basis: contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Transfer of employee data to third countries: Employee data is only transferred to third countries, i.e. countries outside the European Union (EU) and the European Economic Area (EEA), if this is necessary for the fulfilment of the employment relationship, is required by law or if employees have given their consent. Employees will be informed separately about the details, if required by law; legal basis: legitimate interests (Art. 6(1)(f) GDPR).
• Business trips and travel expense accounting: Procedures required for the planning, execution and accounting of business trips (e.g. booking travel, organising accommodation and transport, managing travel expense advances, submitting and checking travel expense reports, checking and posting the costs incurred, complying with travel guidelines, handling travel expense management); Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Payroll accounting and payroll administration: Procedures required for the calculation, payment and documentation of wages, salaries and other remuneration of employees (e.g. recording of working hours, calculation of deductions and allowances, payment of taxes and social security contributions, preparation of payroll statements, maintenance of payroll accounts, reporting to the tax office and social security institutions); Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR).
• Deletion of employee data: Employee data is deleted in accordance with German law if it is no longer required for the purpose for which it was collected, unless it must be retained or archived due to legal obligations or the interests of the employer. The following retention and archiving obligations must be observed in this regard:
◦ General personnel documents - General personnel documents (such as employment contracts, employment references, supplementary agreements) are retained for up to three years after the end of the employment relationship (Section 195 of the German Civil Code (BGB)).
◦ Tax-relevant documents - Tax-relevant documents in the personnel file are retained for six years (Section 147 of the German Fiscal Code (AO), Section 257 of the German Commercial Code (HGB)).
◦ Information on remuneration and working hours – Information on remuneration and working hours for (accident) insured persons with proof of earnings is retained for five years (Section 165 I 1, IV 2 SGB VII).
◦ Payroll lists, including lists for special payments - Payroll lists, including lists for special payments, are retained for ten years if a booking receipt is available (Section 147 AO, Section 257 HGB).
◦ Payroll lists for interim, final and special payments – Payroll lists for interim, final and special payments are retained for six years (Section 147 AO, Section 257 HGB).
◦ Employee insurance documents – Employee insurance documents, provided that accounting documents are available, are retained for ten years (Section 147 AO, Section 257 HGB).
◦ Contribution statements to social security institutions – Contribution statements to social security institutions are retained for ten years (Section 165 SGB VII).
◦ Payroll accounts – Payroll accounts are retained for six years (Section 41 I 9 EStG).
◦ Applicant data – Retained for a maximum of six months from receipt of the rejection.
◦ Working time records (for more than 8 hours on working days) – Retained for two years (Section 16 II Working Time Act (ArbZG)).
◦ Application documents (after online job advertisement) - These are kept for three to a maximum of six months after receipt of the rejection (Section 26 Federal Data Protection Act (BDSG) as amended, Section 15 IV General Equal Treatment Act (AGG)).
◦ Certificates of incapacity for work (AU) - These are kept for up to five years (Section 6 I of the Expense Compensation Act (AAG)).
◦ Documents relating to occupational pension schemes - These are kept for 30 years (Section 18a of the Act on the Improvement of Occupational Pension Schemes (BetrAVG)).
◦ Employee illness data – Retained for twelve months after the onset of the illness if the absences do not exceed six weeks in a year.
◦ Maternity protection documents – Retained for two years (Section 27 (5) MuSchG).
Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), Legitimate interests (Art. 6(1)(f) GDPR), Processing of special categories of personal data relating to health, employment and social security (Art. 9(2)(h) GDPR).
• Deletion of employee data: Employee data is deleted in accordance with Austrian law if it is no longer required for the purpose for which it was collected, unless it must be retained or archived due to legal obligations or the interests of the employer. The following retention and archiving obligations must be observed in this regard:
◦ Data relating to income tax and social security contributions pursuant to Section 132(1) of the Federal Tax Code (BAO) – 7 years. Start of the period – from the end of the calendar year relevant to the data.
◦ Limitation period for the obligation to pay social security contributions pursuant to Section 68 of the General Social Security Act (ASVG) (limitation period for assessment) – 3 or 5 years. Start of the period – generally on the due date of the contributions, or in the case of failure to report, from the date of reporting.
◦ Retention periods in social security – 7 years according to the Austrian Commercial Code (UGB).
◦ Entitlement to holiday according to § 4 (5) UrlG – 2 years from the end of the holiday year in which the holiday was taken. Start of limitation period - 2 years after the end of the holiday year in which the holiday was accrued.
◦ Entitlement to holiday compensation under Section 1486(5) of the Austrian Civil Code (ABGB) - 3 years. Start of limitation period - From the date on which the final settlement claims are due, i.e. the last working day.
◦ Records and reports on accidents at work pursuant to Section 16 of the Austrian Occupational Safety and Health Act (ASchG) – at least 5 years. Start of limitation period – from the date of the accident at work.
◦ Records on the provision of temporary workers pursuant to Section 13(3) of the Austrian Temporary Employment Act (AÜG) – 5 years. Start of limitation period – the date on which the last remuneration claim of the temporary worker becomes due.
◦ Register of young people pursuant to Section 26(2) of the KJBG (Youth Employment Act) – 2 years. Start of the period – when the register is newly created, two years after the last entry.
◦ Claims for compensation due to discriminatory termination of employment pursuant to Sections 15(1a) and 29(1a) of the Equal Treatment Act (GlBG) and Section 7k(1) in conjunction with (2)(3) of the Employment Termination Act (BEinstG) – 6 months. Start of period – From the date of receipt of the termination.
◦ Claims for compensation by the employer or employee arising from premature termination of the employment relationship pursuant to Section 34 AngG or Section 1162d ABGB – 6 months. Start of limitation period – from the date on which the claims become due, usually from the date of receipt of the notice of termination.
◦ Entitlement to the issuance of a service certificate pursuant to Section 1478 ABGB (Austrian Civil Code) – 30 years. Start of the period – upon termination of the employment relationship.
◦ Claims for compensation due to discriminatory rejection of an application pursuant to Sections 15 (1) and 29 (1) GlBG and Section 7k (1) in conjunction with (2) Z 1 BEinstG – 6 months. Start of the period – from the date on which the rejection was received or 7 months from the date of receipt of the application.
◦ Claims for compensation for any interview costs pursuant to Section 1486(5) ABGB (Austrian Civil Code) – 3 years. Start of limitation period – the day on which the costs were incurred.
◦ Liability for severance pay claims and company pensions after a transfer of business pursuant to Section 6(2) AVRAG (Austrian Employment Promotion Act) – 5 years. Start of limitation period – date of the transfer of business.
◦ Claims for compensation due to discriminatory rejection of a promotion in accordance with Sections 15 (1) and 29 (1) GlBG and Section 7k (1) in conjunction with (2) Z 1 BEinstG – 6 months. Start of the period – from the date on which the rejection of the promotion was received.
◦ Claims for compensation due to discriminatory disadvantage in terms of remuneration, voluntary social benefits, training and further education measures or other working conditions pursuant to Sections 15 (1) and 29 (1) GlBG and Section 7k (1) in conjunction with (2) (5) BEinstG – 3 years. Start of the period - the point in time at which the right could first have been exercised and the objective possibility to take legal action exists.
◦ Claims for compensation due to discriminatory harassment pursuant to Sections 15 (1) and 29 (1) GlBG and Section 7k (1) in conjunction with (2) Z 4 BEinstG - 1 year. Start of the period - From the time the discrimination became known.
◦ Claims for compensation for discriminatory rejection of an application pursuant to Sections 15 (1) and 29 (1) GlBG and Section 7k (1) in conjunction with (2) (1) BEinstG - 6 months. Start of limitation period - From the date on which the rejection was received or 7 months from the date of receipt of the application.
◦ Claims for compensation for sexual harassment pursuant to Section 15(1) GlBG - 3 years. Start of limitation period - From the date on which the discrimination became known.
◦ Claims for compensation for any interview costs pursuant to Section 1486(5) ABGB (Austrian Civil Code) – 3 years. Start of the limitation period – the day on which the costs were incurred.
◦ Claims by the employee for remuneration or reimbursement of expenses and by the employer for advances granted in this regard pursuant to Section 1486(5) ABGB (Austrian Civil Code) – 3 years. Start of the limitation period – from the date on which the respective claims become due.
◦ Limitation period for prosecution for underpayment pursuant to Section 31 (1) VStG in conjunction with Section 29 (4) LSD-BG – 3 years. Start of the limitation period – from the date on which the remuneration becomes due.
◦ Claims for damages by the employer against the employee arising from employee liability in cases of slight negligence pursuant to Section 6 DHG – 6 months. The limitation period begins on the day on which the claims can be asserted.
◦ Claims for damages by the employer against the employee arising from employee liability in cases of gross negligence or intent, as well as other claims for damages by the employer pursuant to Section 1489 ABGB (Austrian Civil Code) – 3 years or 30 years. Start of the limitation period – in the case of a short limitation period, from the time the damage and the party responsible for the damage become known; in the case of a long limitation period, from the time the damage occurs.
• Deletion of employee data: Employee data in Switzerland is deleted when it is no longer required for the purpose for which it was collected, unless it must be retained or archived due to legal obligations or the interests of the employer. The following retention and archiving obligations must be observed:
◦ 10 years – retention period for books and records, annual financial statements, inventories, annual reports, opening balance sheets, accounting documents and invoices, as well as all necessary work instructions and other organisational documents (Art. 958f of the Swiss Code of Obligations (CO)).
◦ 10 years – Data required for the consideration of potential claims for damages or similar contractual claims and rights, as well as for the processing of related enquiries, based on past business experience and customary industry practices, shall be stored for the statutory limitation period of ten years, unless a shorter period of five years is applicable, which is relevant in certain cases (Art. 127, 130 CO). Claims become time-barred after five years for rent, lease and capital interest payments and other periodic payments, for the supply of food, for catering and hospitality debts, and for craft services, retail sales of goods, medical care, professional work by solicitors, legal agents, lawyers and notaries, and from the employment relationship of employees (Art. 128 CO).
• Personnel file management: Procedures required for the organisation, updating and management of employee data and documents (e.g. recording of personnel master data, storage of employment contracts, references and certificates, updating of data in the event of changes, compilation of documents for employee appraisals, archiving of personnel files, compliance with data protection regulations); Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), Legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR), processing of special categories of personal data relating to health, employment and social security (Art. 9(2)(h) GDPR).
• Personnel development, performance evaluation and employee appraisals: Procedures necessary in the area of employee promotion and development, as well as in the assessment of their performance and in the context of employee appraisals (e.g. needs analysis for further training, planning and implementation of training measures, preparation of performance evaluations, conducting target agreement and feedback meetings, career planning and talent management, succession planning); Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), Legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR), processing of special categories of personal data relating to health, employment and social security (Art. 9(2)(h) GDPR).
• Obligation to provide data: The controller informs employees that the provision of their data is necessary. This is generally the case if the data is necessary for the establishment and performance of the employment relationship or if its collection is required by law. The provision of data may also be necessary if employees assert claims or are entitled to claims. The implementation of these measures or the fulfilment of services depends on the provision of this data (e.g. the provision of data for the purpose of receiving wages). Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
• Publication and disclosure of employee data: Employee data will only be published or disclosed to third parties if this is necessary for the performance of work tasks in accordance with the employment contract. This applies, for example, if employees are named as contact persons in correspondence, on the website or in public registers in accordance with an agreement or agreed job description, or if the scope of duties includes representative functions. This may also be the case if, in the course of performing their duties, employees are presented or communicate with the public, such as in the case of photographs taken for public relations purposes. Otherwise, employee data will only be published with their consent or on the basis of the employer's legitimate interests, for example in the case of stage or group photographs taken during a public event. Legal basis: fulfilment of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
• Data subjects: Applicants. Employees (e.g. employees, applicants, temporary staff and other staff).
• Purposes of processing: Application process (justification and possible subsequent implementation and possible subsequent termination of the employment relationship).
• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
• Legal basis: Application process as a pre-contractual or contractual relationship (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, processes and services:
• Personio: Services related to personnel management, employee recruitment (search for employees, communication, application process, contract negotiations); Service provider: Personio SE & Co. KG, Seidlstraße 3, 80335 Munich, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.personio.de. Privacy policy: https://www.personio.de/datenschutzerklaerung.
• Stepstone: Services related to employee recruitment (search for employees, communication, application process, contract negotiations); Service provider: StepStone Deutschland GmbH, Völklinger Straße 1, 40219 Düsseldorf, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.stepstone.de. Privacy policy: https://www.stepstone.de/Ueber-StepStone/Rechtliche-Hinweise/datenschutzerklaerung/.
• Xing: Job search and application-related services within the Xing platform; Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.xing.com. Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.
The application process requires applicants to provide us with the information necessary for their assessment and selection. The information required is specified in the job description or, in the case of online forms, in the information provided there.
As a rule, the required information includes personal details such as name, address, contact details and proof of the qualifications necessary for the position. We will be happy to provide additional information on what details are required upon request.
Where available, applicants are welcome to submit their applications via our online form, which is encrypted using the latest technology. Alternatively, it is also possible to send applications to us by email. However, we would like to point out that emails are generally not encrypted when sent over the internet. Although emails are usually encrypted during transmission, this is not the case on the servers from which they are sent and received. We therefore cannot accept any responsibility for the security of your application during transmission between the sender and our server.
For the purposes of searching for applicants, submitting applications and selecting applicants, we may use applicant management or recruitment software and platforms and services from third-party providers in compliance with legal requirements.
Applicants are welcome to contact us regarding the method of submitting their application or to send us their application by post.
Processing of special categories of data: If special categories of personal data (Art. 9 (1) GDPR, e.g. health data, such as severely disabled status or ethnic origin) are requested from applicants or provided by them, these will be processed so that the controller or the data subject can exercise their rights under labour law and social security and social protection law and fulfil their obligations in this regard, in the case of the protection of vital interests of applicants or other persons or for the purposes of preventive healthcare or occupational medicine, for the assessment of the employee's working capacity, for medical diagnosis, for healthcare or social care provision or treatment, or for the management of health or social care systems and services.
Deletion of data: The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job vacancy is unsuccessful, the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to a justified revocation by the applicant, the data will be deleted at the latest after a period of six months so that we can answer any follow-up questions regarding the application and fulfil our obligations to provide evidence in accordance with the regulations on equal treatment of applicants. Invoices for any travel expense reimbursements will be archived in accordance with tax law requirements.
Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process and that they can revoke their consent at any time for the future.
• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact details (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); Applicant data (e.g. personal details, postal and contact addresses, documents relating to the application and the information contained therein, such as cover letters, CVs, references and other information provided by applicants in relation to a specific position or voluntarily provided by applicants about themselves or their qualifications);
This section provides information on how we handle data from individuals who submit reports (whistleblowers) and from affected and involved parties within the scope of our whistleblower procedure. Our goal is to provide a straightforward and secure way to report possible misconduct by us, our employees or service providers, especially for actions that violate laws or ethical guidelines. We also ensure that reports are processed and handled appropriately.
Legal basis (Germany): Insofar as we process data to fulfil our legal obligations in accordance with the Whistleblower Protection Act (HinSchG), the legal basis for the processing is Article 6(1)(c) GDPR and, in the case of special categories of personal data, Article 9(2)(g) GDPR, Section 22 BDSG, in each case in conjunction with Section 10 HinSchG. This refers to the obligation to set up and operate an internal whistleblower reporting office, to fulfil its legal tasks and, in the case of the use of data collected in the reporting procedure, to take further investigations or labour law measures against persons who have been found guilty of a violation.
Insofar as we process data (in particular in the event of established misconduct) within the scope of or in preparation for legal defence, this is done on the basis of our legitimate interests in acting in a legally compliant and ethical manner in accordance with Art. 6 (1) (f) GDPR.
If you have given us your consent to process personal data for specific purposes, the processing is carried out on the basis of Art. 6 (1) (a) GDPR and, in the case of special categories of personal data, Art. 9 (2) (a) GDPR. An example of this would be the disclosure of the identity of the whistleblower or the preparation of a verbatim transcript during a personal meeting. Consent that has been given can be revoked at any time with effect for the future.
Legal basis (Austria): Insofar as we process data to fulfil our legal obligations in accordance with the Whistleblower Protection Act (HSchG), the legal basis for the processing is Article 6(1)(c) GDPR and, in the case of special categories of personal data, Article 9(2)(g) GDPR, in each case in conjunction with Section 8 HSchG. This refers to the obligation to set up and operate an internal whistleblower reporting office, to fulfil its legal tasks and, in the case of the use of data collected in the reporting procedure, to take further investigations or labour law measures against persons who have been found guilty of a violation.
Insofar as we process data (in particular in the event of established misconduct) within the scope of or in preparation for legal defence, this is done on the basis of our legitimate interests in acting in a legally compliant and ethical manner in accordance with Art. 6 (1) (f) GDPR.
If you have given us your consent to process personal data for specific purposes, the processing is carried out on the basis of Art. 6 (1) (a) GDPR and, in the case of special categories of personal data, Art. 9 (2) (a) GDPR. An example of this would be the disclosure of the identity of the whistleblower or the preparation of a verbatim transcript during a personal meeting. Consent that has been given can be revoked at any time with effect for the future.
Legal basis: Insofar as we process data to fulfil our legal obligations in accordance with the applicable whistleblower protection law, the legal basis for the processing is Article 6(1)(c) GDPR and, in the case of special categories of personal data, Article 9(2)(g) GDPR, in each case in conjunction with the relevant law. This refers to the obligation to set up and operate an internal whistleblower reporting office, to fulfil its statutory tasks and, in the case of the use of data collected in the reporting procedure, to take further investigations or labour law measures against persons who have been found guilty of a violation.
Insofar as we process data (in particular in the event of established misconduct) within the scope of or in preparation for legal defence, this is done on the basis of our legitimate interests in acting in a legally compliant and ethical manner in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR.
If you have given us your consent to process personal data for specific purposes, the processing is carried out on the basis of Art. 6 (1) (a) GDPR and, in the case of special categories of personal data, Art. 9 (2) (a) GDPR. An example of this would be the disclosure of the identity of the whistleblower or the preparation of a verbatim transcript during a personal meeting. Consent that has been given can be revoked at any time with effect for the future.
Types of data processed:
We may collect various data in the course of receiving and processing reports and in the subsequent whistleblower procedure. This includes, in particular, the data provided by a whistleblower, such as:
• Name, contact details and location of the person making the report,
• Names and details of any witnesses or persons affected by the report,
• Names and details of the persons against whom the report is directed,
• Details of the alleged misconduct,
• Other relevant details, if provided by the whistleblower.
For the purposes of fact-finding and further proceedings, we also process the following personal data:
• Unique identification of the report,
• Contact details of the person making the report, if provided,
• Personal data of persons mentioned in the report, if provided,
• Personal data of persons indirectly affected by the fact-finding, if applicable,
• Personal data of persons from other companies involved (e.g. in the context of legal advice), if relevant,
• Other data related to the matter.
Special categories of personal data:
We may collect special types of personal data in the course of our activities, particularly if these are provided by a whistleblower. These include:
• Health-related data of a person,
• Data on the racial or ethnic origin of persons,
• Information about a person's religious or philosophical beliefs,
• Information about a person's sexual orientation.
This data will only be processed if it is relevant to the handling of the respective report and has been expressly provided by the whistleblower.
Use of our online forms: Please note that it is possible to submit reports anonymously. To ensure the security of your data when using our online forms, we recommend that you access them in your browser's “incognito mode”. To open an incognito window: a) On a Windows PC: Open your browser and press Ctrl+Shift+N; b) On a Mac: Open your browser and press Command+Shift+N; c) On mobile devices: Switch to private mode via the tab menu.
When you visit our website in normal mode, your browser automatically sends certain information to our server, such as your browser type and version, and the date and time of your visit. This also includes the IP address of your device. This data is temporarily stored in a log file and automatically deleted after 30 days at the latest.
The IP address is processed for technical and administrative purposes related to establishing a connection to our website. It ensures the security, stability and functionality of the whistleblower form and is an important part of our measures to ensure confidential reporting.
The processing of the logged data is based on Article 6(1)(f) GDPR. Our legitimate interest here lies in the need for security and the necessity to ensure the technical requirements for smooth and trouble-free reporting.
Providing your name: You have the option of submitting reports anonymously. However, unless prohibited by national legislation, we recommend that you provide your name and contact details. This enables us to follow up on the report more effectively and, if necessary, contact you directly.
If you provide your name and contact details, your identity will be treated as strictly confidential. Exceptions to this confidentiality only apply if we are legally obliged to disclose your identity. This may be necessary to protect or defend our rights or the rights of our employees, customers, suppliers or business partners. Another exception is if it is determined that the allegations were made with malicious intent.
Provision of data to third parties: We will only pass on data relating to the reports submitted to third parties under certain circumstances. This will happen either a) if you have given us your express consent to do so, or b) if there is a legal obligation to disclose the data. Possible third parties include public authorities, government, regulatory or tax authorities if disclosure is necessary to comply with a legal or regulatory obligation. In addition, we may engage solicitors and other professional advisers in accordance with legal requirements. They are authorised to investigate suspected misconduct and take necessary action following an investigation, such as initiating disciplinary or legal proceedings. In addition, carefully selected and monitored service providers may receive data for these purposes (e.g. operators of a web-based reporting system). However, these service providers are contractually obliged to comply with the applicable data protection regulations within the framework of commissioned data processing.
Data retention and deletion: Personal data will only be processed for as long as is necessary to fulfil the processing purposes described above. If this data is no longer necessary for the purposes mentioned, it will be deleted. In certain situations, however, the data may be retained for longer in order to comply with legal requirements, as long as this is necessary and proportionate. In such cases, the data will be deleted as soon as it is no longer required for these purposes.
Technical and organisational measures: We have implemented the necessary contractual, technical and organisational measures to ensure the security of all data we process. This data is processed exclusively for the specified purposes. The incoming information is processed by authorised persons who have access to the relevant information and carry out the subsequent verification of the facts. Our employees are specially trained and instructed to carry out the fact checks properly and are obliged to maintain the strictest confidentiality.
• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); employee data (information about employees and other persons in an employment relationship); contact data (e.g. postal and e-mail addresses or telephone numbers); Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation). Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
• Data subjects: Employees (e.g. employees, applicants, temporary staff and other staff); third parties. Whistleblowers.
• Purposes of processing: Whistleblower protection. Provision of our online services and user-friendliness.
• Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’.
• Legal basis: Consent (Art. 6(1)(a) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
We ask that you regularly review the content of our privacy policy. We will amend the privacy policy as soon as changes to our data processing practices make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.
If we provide addresses and contact information for companies and organisations in this privacy policy, please note that the addresses may change over time and we ask you to check the details before contacting them.
This section provides an overview of the terms used in this privacy policy. Where the terms are defined by law, their legal definitions apply. The following explanations are primarily intended to aid understanding.
• A/B testing: A/B testing is used to improve the user-friendliness and performance of online offerings. This involves presenting users with different versions of a website or its elements, such as input forms, which may differ in terms of the placement of content or the labelling of navigation elements. The behaviour of users, e.g. longer visits to the website or more frequent interaction with the elements, can then be used to determine which of these websites or elements are more likely to meet the needs of users.
• Affiliate tracking: Affiliate tracking involves logging links that linking websites use to refer users to websites with product or other offers. The operators of the linking websites can receive a commission if users follow these so-called affiliate links and then take advantage of the offers (e.g. purchase goods or use services). This requires providers to be able to track whether users who are interested in certain offers subsequently take advantage of them at the instigation of the affiliate links. For affiliate links to function, it is therefore necessary to add certain values that become part of the link or are stored elsewhere, e.g. in a cookie. These values include, in particular, the originating website (referrer), the time, an online identifier of the operator of the website on which the affiliate link was located, an online identifier of the respective offer, an online identifier of the user, as well as tracking-specific values such as advertising material ID, partner ID and categorisations.
• Employees: Employees are persons who are in an employment relationship, whether as staff, salaried employees or in similar positions. An employment relationship is a legal relationship between an employer and an employee that is established by an employment contract or agreement. It includes the employer's obligation to pay the employee remuneration while the employee performs his or her work. The employment relationship comprises various phases, including the establishment, in which the employment contract is concluded, the execution, in which the employee performs their work, and the termination, when the employment relationship ends, whether through dismissal, termination agreement or otherwise. Employee data is all information relating to these persons and in the context of their employment. This includes aspects such as personal identification data, identification numbers, salary and bank details, working hours, holiday entitlements, health data and performance appraisals.
• Inventory data: Inventory data includes essential information necessary for the identification and management of contractual partners, user accounts, profiles and similar assignments. This data may include personal and demographic information such as names, contact information (addresses, telephone numbers, email addresses), dates of birth and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between individuals and services, facilities or systems by enabling unique identification and communication.
• Credit information: Automated decisions are based on automatic data processing without human intervention (e.g. in the case of automatic rejection of a purchase on account, an online credit application or an online application process without any human intervention). According to Art. 22 GDPR, such automated decisions are only permissible if the data subjects consent, if they are necessary for the performance of a contract or if national laws permit such decisions.
• Content Delivery Network (CDN): A ‘Content Delivery Network’ (CDN) is a service that helps deliver content from an online offering, especially large media files such as graphics or programme scripts, faster and more securely using regionally distributed servers connected via the Internet.
• Cross-device tracking: Cross-device tracking is a form of tracking in which information about users' behaviour and interests is collected across devices in so-called profiles by assigning users an online identifier. This allows user information to be analysed for marketing purposes, regardless of the browsers or devices used (e.g. mobile phones or desktop computers). For most providers, the online identifier is not linked to clear data such as names, postal addresses or email addresses.
• Heat maps: ‘Heat maps’ are users' mouse movements that are combined into an overall picture, which can be used, for example, to identify which website elements are preferred and which website elements users prefer less.
• Content data: Content data includes information generated in the course of creating, editing and publishing content of all kinds. This category of data can include text, images, videos, audio files and other multimedia content published on various platforms and media. Content data is not limited to the actual content, but also includes metadata that provides information about the content itself, such as tags, descriptions, author information and publication dates.
• Click tracking: Click tracking allows us to monitor the movements of users within an entire online offering. Since the results of these tests are more accurate when user interaction can be tracked over a certain period of time (e.g., so that we can find out whether a user likes to return), cookies are usually stored on users' computers for these testing purposes.
• Contact details: Contact details are essential information that enables communication with individuals or organisations. They include telephone numbers, postal addresses and email addresses, as well as communication tools such as social media handles and instant messaging identifiers.
• Conversion measurement: Conversion measurement (also known as ‘visit action evaluation’) is a method used to determine the effectiveness of marketing measures. To do this, a cookie is usually stored on users' devices within the websites where the marketing measures are carried out and then retrieved again on the target website. This allows us to track whether the advertisements we place on other websites have been successful.
• Artificial intelligence (AI): The purpose of processing data using artificial intelligence (AI) includes the automated analysis and processing of user data to identify patterns, make predictions and improve the efficiency and quality of our services. This includes the collection, cleansing and structuring of data, the training and application of AI models, and the continuous review and optimisation of results, and is carried out exclusively with the consent of users or on the basis of legal permissions.
• Performance and behavioural data: Performance and behavioural data refers to information related to how individuals perform tasks or behave in a specific context, such as in an educational, work or social environment. This data may include metrics such as productivity, efficiency, work quality, attendance and compliance with policies or procedures. Behavioural data could include interactions with colleagues, communication styles, decision-making processes, and responses to various situations. These types of data are often used for performance evaluations, training and development measures, and decision-making within organisations.
• Meta, communication and procedural data: Meta, communication and procedural data are categories that contain information about how data is processed, transmitted and managed. Meta data, also known as data about data, includes information that describes the context, origin and structure of other data. It can include details such as file size, creation date, document author, and change history. Communication data captures the exchange of information between users across various channels, such as email correspondence, call logs, social media messages, and chat histories, including the individuals involved, timestamps, and transmission routes. Procedural data describes the processes and procedures within systems or organisations, including workflow documentation, transaction and activity logs, and audit logs used to track and verify operations.
• Member data: Member data includes information relating to individuals who are part of an organisation, association, online service or other group. This data is used to manage memberships, facilitate communication and provide services or benefits associated with membership. Member data may include personal identification information, contact information, information on membership status and duration, membership fees, participation in events and activities, and preferences and interests. It may also include data on the use of the organisation's services. This data is collected and processed in compliance with data protection regulations and is used for administrative purposes as well as to promote member engagement and satisfaction.
• Usage data: Usage data refers to information that tracks how users interact with digital products, services, or platforms. This data includes a wide range of information that shows how users use applications, which features they prefer, how long they stay on certain pages, and how they navigate through an application. Usage data may also include frequency of use, timestamps of activities, IP addresses, device information and location data. It is particularly valuable for analysing user behaviour, optimising user experiences, personalising content and improving products or services. In addition, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.
• Personal data: ‘Personal data’ is any information relating to an identified or identifiable natural person (hereinafter ‘data subject’); a natural person is considered identifiable if they can be identified directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
• Profiles with user-related information: The processing of ‘profiles with user-related information’, or ‘profiles’ for short, includes any type of automated processing of personal data that consists of using this personal data to analyse, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include various information regarding demographics, behaviour and interests, such as interaction with websites and their content, etc.). Cookies and web beacons are often used for profiling purposes.
• Log data: Log data is information about events or activities that have been logged in a system or network. This data typically contains information such as timestamps, IP addresses, user actions, error messages and other details about the use or operation of a system. Log data is often used to analyse system problems, monitor security or generate performance reports.
• Reach measurement: Reach measurement (also known as web analytics) is used to evaluate visitor traffic to an online offering and can include the behaviour or interests of visitors in certain information, such as website content. With the help of reach analysis, operators of online offerings can, for example, identify at what time users visit their websites and what content they are interested in. This enables them to better tailor the content of their websites to the needs of their visitors. For the purposes of reach analysis, pseudonymous cookies and web beacons are often used to recognise returning visitors and thus obtain more accurate analyses of the use of an online offering.
• Remarketing: ‘Remarketing’ or ‘retargeting’ refers to, for example, noting which products a user has shown interest in on a website for advertising purposes in order to remind the user of these products on other websites, e.g. in advertisements.
• Server monitoring and error detection: With the help of server monitoring and error detection, we ensure the availability and integrity of our online offering and use the processed data to technically optimise our online offering. Performance, utilisation and comparable technical values are processed, which provide information about the stability and any anomalies in our online offering. In the event of errors and anomalies, individual requests from users of our online offering are recorded in order to identify and rectify the sources of the problems.
• Location data: Location data is generated when a mobile device (or another device with the technical requirements for location determination) connects to a radio cell, a WLAN or similar technical means and functions for location determination. Location data is used to indicate the geographically determinable position of the respective device on Earth. Location data can be used, for example, to display map functions or other location-dependent information.
• Location history and movement profiles: Location history (also known as ‘movement profile’) refers to the collection of location data over a certain period of time. Location history allows conclusions to be drawn about the geographical movements (i.e. changes in position) of devices or their users.
• Tracking: ‘Tracking’ refers to following user behaviour across multiple online services. As a rule, information about behaviour and interests with regard to the online services used is stored in cookies or on the servers of the providers of tracking technologies (known as profiling). This information can then be used, for example, to show users advertisements that are likely to match their interests.
• Controller: The ‘controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processing: ‘Processing’ means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, whether it is collection, evaluation, storage, transmission or deletion.
• Contract data: Contract data is specific information relating to the formalisation of an agreement between two or more parties. It documents the terms and conditions under which services or products are provided, exchanged or sold. This category of data is essential for the management and fulfilment of contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include the start and end dates of the contract, the type of services or products agreed upon, price agreements, payment terms, termination rights, renewal options, and special conditions or clauses. It serves as the legal basis for the relationship between the parties and is crucial for clarifying rights and obligations, enforcing claims, and resolving disputes.
• Payment data: Payment data includes all information required to process payment transactions between buyers and sellers. This data is crucial for e-commerce, online banking and any other form of financial transaction. It includes details such as credit card numbers, bank details, payment amounts, transaction dates, verification numbers and billing information. Payment data may also include information about payment status, chargebacks, authorisations and fees.
• Custom audiences: Custom audiences refer to target groups that are determined for advertising purposes, e.g. for displaying advertisements. For example, based on a user's interest in certain products or topics on the internet, it can be concluded that this user is interested in advertisements for similar products or the online shop where they viewed the products. The term ‘lookalike audiences’ (or similar target groups) is used when content that is considered suitable is displayed to users whose profiles or interests are presumed to correspond to those of the users for whom the profiles were created. Cookies and web beacons are generally used for the purpose of creating custom audiences and lookalike audiences.