Privacy Policy

Introduction and Overview

We have drafted this privacy policy (Version 13.11.2024-112669137) to explain to you, in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (referred to as data) we, as the controller – and our commissioned processors (e.g., providers) – process, will process in the future, and what legal options you have. The terms used are to be understood as gender-neutral.
In short: We provide you with comprehensive information about the data we process about you.

Privacy policies usually sound very technical and use legal jargon. This privacy policy, however, aims to describe the most important aspects as simply and transparently as possible. To enhance transparency, technical terms are explained in a user-friendly manner, links to further information are provided, and graphics are used. We use clear and simple language to inform you that we only process personal data in the course of our business activities when there is a corresponding legal basis. This is certainly not possible if one provides overly concise, unclear, and legally technical explanations, which are often standard online when it comes to data protection. I hope you find the following explanations interesting and informative, and perhaps discover some information you weren't aware of.
If you still have questions, please contact the responsible party listed below or in the imprint, follow the provided links, and consult additional information on third-party websites. Our contact details can, of course, also be found in the imprint.

Scope

This Privacy Policy applies to all personal data processed by us within the company and to all personal data processed by companies commissioned by us (processors). By personal data, we mean information as defined in Art. 4 No. 1 GDPR, such as a person's name, email address, and postal address. The processing of personal data ensures that we can offer and bill for our services and products, whether online or offline. The scope of this Privacy Policy includes:

• all online presences (websites, online shops) that we operate
• Social media presences and email communication
• mobile apps for smartphones and other devices

In short: This Privacy Policy applies to all areas where personal data is systematically processed within the company via the channels mentioned. Should we enter into legal relationships with you outside of these channels, we will inform you separately if necessary.

Legal Bases

In the following Privacy Policy, we provide you with transparent information on the legal principles and regulations, i.e., the legal bases of the General Data Protection Regulation, which allow us to process personal data. Regarding EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can, of course, read this EU General Data Protection Regulation online on EUR-Lex, the access point to EU law, at https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=celex%3A32016R0679.

We process your data only if at least one of the following conditions applies:

1. Consent (Article 6, Paragraph 1, Letter a GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of data you entered into a contact form.
2. Contract (Article 6, Paragraph 1, Letter b GDPR): To fulfill a contract or pre-contractual obligations with you, we process your data. For example, if we conclude a purchase agreement with you, we require personal information beforehand.
3. Legal Obligation (Article 6, Paragraph 1, Letter c GDPR): If we are subject to a legal obligation, we process your data. For example, we are legally obliged to retain invoices for accounting purposes. These generally contain personal data.
4. Legitimate Interests (Article 6, Paragraph 1, Letter f GDPR): In the case of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data. For example, we must process certain data to operate our website securely and economically efficiently. This processing therefore constitutes a legitimate interest.

Further conditions such as the processing of data in the public interest, the exercise of public authority, and the protection of vital interests generally do not apply to us. Should such a legal basis nevertheless be relevant, it will be indicated at the appropriate point.

In addition to the EU regulation, national laws also apply:

• In Austria this is the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act), short for DSG.
• In Germany applies the Federal Data Protection Act, short for BDSG.

If further regional or national laws apply, we will inform you about them in the following sections.

Contact Details of the Controller

Should you have any questions regarding data protection or the processing of personal data, you will find the contact details of the responsible person or entity below:
Moritz Unterkofler
Email: office@uko-microshops.com
Phone: +43 (0) 5 90 88 – 400
Imprint: https://uko-microshops.com/impressum/

Storage Duration

Our general criterion is that we only store personal data for as long as it is absolutely necessary for the provision of our services and products. This means that we delete personal data as soon as the reason for data processing no longer exists. In some cases, we are legally obliged to store certain data even after the original purpose has ceased, for example, for accounting purposes.

If you wish to have your data deleted or revoke your consent to data processing, your data will be deleted as quickly as possible, unless there is a legal obligation to store it.

We will inform you about the specific duration of each data processing activity below, if we have further information.

Rights under the General Data Protection Regulation

In accordance with Articles 13 and 14 GDPR, we inform you about the following rights that you have to ensure fair and transparent data processing:

• Under Article 15 GDPR, you have a right to information about whether we process your data. If this is the case, you have the right to receive a copy of the data and to be informed of the following:
  • for what purpose we carry out the processing;
  • the categories, i.e., the types of data, that are processed;
  • who receives this data and, if the data is transferred to third countries, how security can be guaranteed;
  • how long the data will be stored;
  • the existence of the right to rectification, erasure or restriction of processing and the right to object to processing;
  • that you can lodge a complaint with a supervisory authority (links to these authorities can be found below);
  • the origin of the data, if we did not collect it from you;
  • whether profiling is carried out, i.e., whether data is automatically evaluated to create a personal profile of you.
• Under Article 16 GDPR, you have a right to rectification of data, which means that we must correct data if you find errors.
• Under Article 17 GDPR, you have the right to erasure ("right to be forgotten"), which specifically means that you may request the erasure of your data.
• Under Article 18 GDPR, you have the right to restriction of processing, which means that we may only store the data but not use it further.
• Under Article 20 GDPR, you have the right to data portability, which means that we will provide you with your data in a common format upon request.
• Under Article 21 GDPR, you have a right to object, which, if exercised, will lead to a change in processing.
  • If the processing of your data is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interest), you can object to the processing. We will then examine as quickly as possible whether we can legally comply with this objection.
  • If data is used for direct marketing, you can object to this type of data processing at any time. We may no longer use your data for direct marketing thereafter.
  • If data is used for profiling, you can object to this type of data processing at any time. We may no longer use your data for profiling thereafter.
• Under Article 22 GDPR, you have the right, in certain circumstances, not to be subject to a decision based solely on automated processing (e.g., profiling).
• According to Article 77 GDPR, you have the right to lodge a complaint. This means you can complain to the data protection authority at any time if you believe that the processing of personal data violates the GDPR.

In short: You have rights – do not hesitate to contact the responsible body listed above!

If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, you can lodge a complaint with the supervisory authority. For Austria, this is the Data Protection Authority, whose website you can find at https://www.dsb.gv.at/. In Germany, there is a data protection officer for each federal state. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The following local data protection authority is responsible for our company:

Austrian Data Protection Authority

Head: Dr. Matthias Schmidl
Address: Barichgasse 40-42, 1030 Wien
Phone no.: +43 1 52 152-0
Email address: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/

Data Transfer to Third Countries

We only transfer or process data to countries outside the scope of the GDPR (third countries) if you consent to this processing or if another legal permission exists. This applies in particular when processing is legally required or necessary for the fulfillment of a contractual relationship, and in any case only to the extent generally permitted. Your consent is, in most cases, the most important reason for us to process data in third countries. The processing of personal data in third countries such as the USA, where many software manufacturers offer services and have their server locations, can mean that personal data is processed and stored in unexpected ways.

We explicitly point out that, according to the opinion of the European Court of Justice, an adequate level of protection for data transfer to the USA currently only exists if a US company processing personal data of EU citizens in the USA is an active participant in the EU-US Data Privacy Framework. More information can be found at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

Data processing by US services that are not active participants in the EU-US Data Privacy Framework may result in data not being processed and stored anonymously. Furthermore, US government authorities may potentially access individual data. In addition, collected data may be linked with data from other services of the same provider, provided you have a corresponding user account. Where possible, we try to use server locations within the EU, if offered.
We will inform you in more detail about data transfers to third countries at the appropriate points in this privacy policy, where applicable.

Security of Data Processing

To protect personal data, we have implemented both technical and organizational measures. Where possible, we encrypt or pseudonymize personal data. This makes it as difficult as possible, within our capabilities, for third parties to infer personal information from our data.

Art. 25 GDPR speaks here of “data protection by design and by default” and means that one always considers security and implements appropriate measures for both software (e.g., forms) and hardware (e.g., server room access). In the following, we will, if necessary, elaborate on specific measures.

TLS Encryption with https

TLS, encryption, and https sound very technical, and they are. We use HTTPS (Hypertext Transfer Protocol Secure stands for "secure hypertext transfer protocol") to transmit data securely against eavesdropping on the internet.
This means that the complete transmission of all data from your browser to our web server is secured – no one can "eavesdrop".

With this, we have introduced an additional layer of security and fulfill data protection by design (Article 25 Paragraph 1 GDPR). By using TLS (Transport Layer Security), an encryption protocol for secure data transmission on the internet, we can ensure the protection of confidential data.
You can recognize the use of this data transmission security by the small padlock icon

in the top left of the browser, to the left of the internet address (e.g., examplepage.de), and by the use of the https scheme (instead of http) as part of our internet address.
If you want to know more about encryption, we recommend searching Google for “Hypertext Transfer Protocol Secure wiki” to find good links to further information.

Communication

Communication Summary???? Data Subjects: Everyone who communicates with us via phone, email, or online form???? Processed Data: e.g., phone number, name, email address, data entered into forms. More details can be found under the respective contact method used???? Purpose: Handling communication with customers, business partners, etc.???? Storage Duration: Duration of the business case and legal requirements⚖️ Legal Basis: Art. 6 para. 1 lit. a GDPR (Consent), Art. 6 para. 1 lit. b GDPR (Contract), Art. 6 para. 1 lit. f GDPR (Legitimate Interests)

If you contact us and communicate via phone, email, or online form, personal data may be processed.

The data will be processed for the handling and processing of your inquiry and the related business transaction. The data will be stored for as long as necessary or as required by law.

Data Subjects

All individuals who contact us via the communication channels we provide are affected by the aforementioned processes.

Phone

If you call us, call data will be pseudonymized and stored on the respective end device and with the telecommunications provider used. Furthermore, data such as name and phone number may subsequently be sent via email and stored for answering inquiries. The data will be deleted as soon as the business case has been concluded and legal requirements permit.

Email

If you communicate with us via email, data may be stored on the respective end device (computer, laptop, smartphone,...) and data will be stored on the email server. The data will be deleted as soon as the business case has been concluded and legal requirements permit.

Online Forms

If you communicate with us via an online form, data will be stored on our web server and, if necessary, forwarded to one of our email addresses. The data will be deleted as soon as the business case has been concluded and legal requirements permit.

Legal Grounds

The processing of data is based on the following legal grounds:

• Art. 6 para. 1 lit. a GDPR (Consent): You give us consent to store your data and continue to use it for purposes related to the business case;
• Art. 6 para. 1 lit. b GDPR (Contract): There is a necessity for the fulfillment of a contract with you or a processor, such as the telephone provider, or we must process the data for pre-contractual activities, such as preparing an offer;
• Art. 6 para. 1 lit. f GDPR (Legitimate Interests): We want to conduct customer inquiries and business communication in a professional manner. This requires certain technical facilities such as email programs, Exchange servers, and mobile network operators to enable efficient communication.

Data Processing Agreement (DPA)

In this section, we would like to explain what a data processing agreement is and why it is needed. Because the word "Auftragsverarbeitungsvertrag" (data processing agreement) is quite a mouthful, we will often use only the acronym DPA in this text. Like most companies, we do not work alone but also use the services of other companies or individuals. By involving various companies or service providers, we may transfer personal data for processing. These partners then act as processors, with whom we conclude a contract, the so-called data processing agreement (DPA). The most important thing for you to know is that the processing of your personal data is carried out exclusively according to our instructions and must be regulated by the DPA.

Who are Processors?

As a company and website owner, we are responsible for all data we process from you. In addition to controllers, there can also be so-called processors. This includes every company or person who processes personal data on our behalf. More precisely, and according to the GDPR definition: any natural or legal person, public authority, agency or other body which processes personal data on our behalf is considered a processor. Processors can therefore be service providers such as hosting or cloud providers, payment or newsletter providers, or large companies such as Google or Microsoft.

For a better understanding of the terminology, here is an overview of the three roles in the GDPR:

Data Subject (You as a customer or interested party) → Controller (we as the company and client) → Processor (service providers such as web hosts or cloud providers)

Contents of a Data Processing Agreement

As mentioned above, we have concluded a DPA with our partners who act as processors. This agreement primarily stipulates that the processor will process the data exclusively in accordance with the GDPR. The contract must be concluded in writing, although in this context, electronic contract conclusion is also considered "written". The processing of personal data only takes place on the basis of this contract. The contract must contain the following:

• Binding to us as the controller
• Obligations and rights of the controller
• Categories of data subjects
• Type of personal data
• Nature and purpose of data processing
• Subject matter and duration of data processing
• Location of data processing

Furthermore, the contract contains all obligations of the processor. The most important obligations are:

• to ensure data security measures
• to implement appropriate technical and organizational measures to protect the rights of the data subject
• to maintain a record of processing activities
• to cooperate with the data protection supervisory authority upon request
• to conduct a risk analysis in relation to the personal data received
• Sub-processors may only be engaged with the written permission of the controller

What such a DPA looks like in practice, you can see, for example, at https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-mustervertrag-auftragsverarbeitung.html. A sample contract is presented here.

Cookies

Cookies Summary???? Affected parties: Website visitors???? Purpose: depends on the respective cookie. More details can be found below or from the software provider that sets the cookie.???? Processed data: Depends on the specific cookie used. More details can be found below or from the software provider that sets the cookie.???? Storage duration: depends on the respective cookie, can vary from hours to years⚖️ Legal basis: Art. 6 para. 1 lit. a GDPR (Consent), Art. 6 para. 1 lit. f GDPR (Legitimate interests)

What are cookies?

Our website uses HTTP cookies to store user-specific data. Below, we explain what cookies are and why they are used, to help you better understand the following privacy policy.

Whenever you browse the internet, you use a browser. Well-known browsers include Chrome, Safari, Firefox, Internet Explorer, and Microsoft Edge. Most websites store small text files in your browser. These files are called cookies.

One thing is undeniable: cookies are truly useful little helpers. Almost all websites use cookies. More precisely, they are HTTP cookies, as there are also other types of cookies for different applications. HTTP cookies are small files that our website stores on your computer. These cookie files are automatically placed in the cookie folder, essentially the "brain" of your browser. A cookie consists of a name and a value. When defining a cookie, one or more additional attributes must be specified.

Cookies store certain user data, such as language or personal page settings. When you revisit our site, your browser transmits this "user-related" information back to our site. Thanks to cookies, our website knows who you are and provides you with the settings you are accustomed to. In some browsers, each cookie has its own file, while in others, such as Firefox, all cookies are stored in a single file.

The following graphic illustrates a possible interaction between a web browser, such as Chrome, and the web server. The web browser requests a website and receives a cookie back from the server, which the browser then reuses whenever another page is requested.

There are both first-party cookies and third-party cookies. First-party cookies are created directly by our site, while third-party cookies are created by partner websites (e.g., Google Analytics). Each cookie must be evaluated individually, as each stores different data. The expiration time of a cookie also varies from a few minutes to several years. Cookies are not software programs and do not contain viruses, Trojans, or other "malware." Cookies also cannot access information on your PC.

For example, cookie data can look like this:

Name: _ga
Value: GA1.2.1326744211.152112669137-9
Purpose: Distinguishing website visitors
Expiration date: after 2 years

A browser should be able to support these minimum sizes:

• At least 4096 bytes per cookie
• At least 50 cookies per domain
• At least 3000 cookies in total

What types of cookies are there?

The specific cookies we use depend on the services utilized and will be clarified in the following sections of the privacy policy. At this point, we would like to briefly discuss the different types of HTTP cookies.

There are 4 types of cookies:

Strictly Necessary Cookies
These cookies are essential to ensure the basic functionality of the website. For example, these cookies are needed when a user adds a product to their shopping cart, then navigates to other pages, and only later proceeds to checkout. Thanks to these cookies, the shopping cart is not emptied, even if the user closes their browser window.

Performance Cookies
These cookies collect information about user behavior and whether the user receives any error messages. Additionally, these cookies are used to measure website loading times and behavior across different browsers.

Preference Cookies
These cookies enhance user-friendliness. For example, they store entered locations, font sizes, or form data.

Advertising Cookies
These cookies are also known as targeting cookies. They are used to deliver individually tailored advertising to the user. This can be very practical, but also very annoying.

Typically, when you visit a website for the first time, you are asked which of these cookie types you wish to allow. And, of course, this decision is also stored in a cookie.

If you want to learn more about cookies and are not afraid of technical documentation, we recommend https://datatracker.ietf.org/doc/html/rfc6265, the Request for Comments from the Internet Engineering Task Force (IETF) titled "HTTP State Management Mechanism".

Purpose of Cookie Processing

The purpose ultimately depends on the specific cookie. More details can be found below or from the manufacturer of the software that sets the cookie.

What data is processed?

Cookies serve many different purposes. Unfortunately, it's not possible to generalize what data is stored in cookies, but we will inform you about the processed or stored data within the scope of the following privacy policy.

Cookie Storage Duration

The storage duration depends on the respective cookie and will be specified further below. Some cookies are deleted after less than an hour, while others can remain stored on a computer for several years.

You also have control over the storage duration. You can manually delete all cookies at any time via your browser (see also "Right to object" below). Furthermore, cookies based on consent will be deleted at the latest after you withdraw your consent, whereby the lawfulness of storage until then remains unaffected.

Right to object – how to delete cookies?

You decide how and whether you want to use cookies. Regardless of which service or website the cookies originate from, you always have the option to delete, disable, or partially allow cookies. For example, you can block third-party cookies but allow all other cookies.

If you want to find out which cookies have been stored in your browser, or if you want to change or delete cookie settings, you can find this in your browser settings:

Chrome: Delete, enable, and manage cookies in Chrome

Safari: Manage cookies and website data with Safari

Firefox: Delete cookies to remove data that websites have stored on your computer

Internet Explorer: Delete and manage cookies

Microsoft Edge: Delete and manage cookies

If you generally don't want cookies, you can configure your browser to always inform you when a cookie is about to be set. This way, you can decide for each individual cookie whether to allow it or not. The procedure varies depending on the browser. It's best to search for instructions on Google using terms like "delete cookies Chrome" or "disable cookies Chrome" if you're using a Chrome browser.

Legal Basis

The so-called "Cookie Guidelines" have been in place since 2009. They stipulate that storing cookies requires your consent (Article 6 para. 1 lit. a GDPR). However, there are still very different reactions to these guidelines within EU countries. In Austria, this guideline was implemented in Section 165 para. 3 of the Telecommunications Act (2021). In Germany, the Cookie Guidelines were not implemented as national law. Instead, this guideline was largely implemented in Section 15 para. 3 of the Telemedia Act (TMG), which has been replaced by the Digital Services Act (DDG) since May 2024.

For strictly necessary cookies, even if consent is not given, there are legitimate interests (Article 6 para. 1 lit. f GDPR), which are mostly economic in nature. We want to provide website visitors with a pleasant user experience, and certain cookies are often absolutely necessary for this.

Unless strictly necessary cookies are used, this only occurs with your consent. The legal basis in this regard is Art. 6 para. 1 lit. a GDPR.

In the following sections, you will be informed in more detail about the use of cookies, provided that the software used employs cookies.

Application Data

Application Data Summary???? Data Subjects: Users who apply for a job with us???? Purpose: Handling of an application process???? Processed Data: Name, address, contact details, email address, phone number, qualification certificates (references/transcripts), possibly special categories of data.???? Storage Duration: in case of a successful application, until the end of the employment relationship. Otherwise, the data will be deleted after the application process or stored for a certain period with your consent.⚖️ Legal Bases: Art. 6 para. 1 lit. a GDPR (Consent), legitimate interest (Art. 6 para. 1 lit. f GDPR), Art. 6 para. 1 lit. b GDPR (Contract), Art. 9 para. 2 lit. a. GDPR (Processing of special categories)

What is application data?

You can apply for a job with our company by email, online form, or via a recruiting tool. All data we receive and process from you as part of an application is considered application data. In doing so, you always disclose personal data such as your name, date of birth, address, and phone number.

Why do we process application data?

We process your data so that we can conduct a proper selection process for the advertised position. Additionally, we are happy to keep your application documents in our application archive. This is because it often happens that collaboration for advertised positions doesn't work out for various reasons, but we are impressed by you and your application and can very well imagine future cooperation. Provided you give us your consent, we will archive your documents so that we can easily contact you for future roles within our company.

We guarantee that we handle your data with particular care and always process it only within the legal framework. Within our company, your data will also only be forwarded to individuals directly involved with your application. In short: your data is safe with us!

What data is processed?

For example, if you apply to us by email, we naturally receive personal data, as mentioned above. Even an email address is considered personal data. However, during an application process, only data relevant to our decision on whether or not we want to welcome you to our team will be processed.

The exact data processed primarily depends on the job advertisement. However, it usually includes names, date of birth, contact details, and qualification certificates. If you submit your application via an online form, the data will be transmitted to us encrypted. If you send us your application by email, this encryption does not occur. Therefore, we cannot assume responsibility for the transmission method. However, once the data is on our servers, we are responsible for the lawful handling of your data.

During an application process, in addition to the data mentioned above, information regarding your health or ethnic origin may also be requested, so that both we and you can exercise rights related to labor law, social security, and social protection, while simultaneously fulfilling the corresponding obligations. These data are special categories of data.

Here is a list of possible data we receive and process from you:

• Name
• Contact address
• Email address
• Phone number
• Date of birth
• Information derived from cover letter and resume
• Qualification documents (e.g., certificates)
• Special categories of data (e.g., ethnic origin, health data, religious beliefs)
• Usage data (websites visited, access data, etc.)
• Metadata (IP address, device information)

How long will the data be stored?

If we hire you as a team member in our company, your data will be further processed for the purpose of the employment relationship and retained by us at least until the termination of the employment relationship. All application documents will then be placed in your employee file.

If we do not offer you the position, you decline our offer, or you withdraw your application, we may retain your data for up to 6 months after the conclusion of the application process based on legitimate interest (Art. 6 para. 1 lit. f GDPR). After this period, both your electronic data and all data from physical application documents will be completely deleted or destroyed. We retain your data, for example, so that we can answer any follow-up questions or provide evidence of the application in the event of a legal dispute. If a legal dispute arises and we may still need the data after the 6-month period, we will only delete the data when there is no longer a reason for retention. If there are legal retention obligations to fulfill, we must generally store the data for longer than 6 months.

Furthermore, we may retain your data for longer if you have given specific consent for this. For example, we do this if we can envision a future collaboration with you. In such cases, it is helpful to have your data archived so we can easily reach you. In this scenario, the data will be placed in our applicant pool. Of course, you can withdraw your consent for the longer retention of your data at any time. If no withdrawal occurs and you do not provide new consent, your data will be deleted after 2 years at the latest.

Legal Basis

Legal bases for the processing of your data are Art. 6 para. 1 lit. a GDPR (Consent), Art. 6 para. 1 lit. b GDPR (Contract or pre-contractual measures), Art. 6 para. 1 lit. f GDPR (Legitimate interests), and Art. 9 para. 2 lit. a GDPR (Processing of special categories).

If we include you in our applicant tool, this occurs on the basis of your consent (Art. 6 para. 1 lit. a GDPR). We inform you that your consent to be included in our applicant pool is voluntary, has no impact on the application process, and you have the option to withdraw your consent at any time. The lawfulness of processing until the time of withdrawal remains unaffected.

In the event of protecting vital interests, data processing is carried out in accordance with Art. 9 para. 2 lit. c GDPR. For the purposes of healthcare, occupational medicine, medical diagnosis, the provision of care or treatment in the health or social sector, or the management of systems and services in the health or social sector, the processing of personal data is carried out in accordance with Art. 9 para. 2 lit. h GDPR. If you voluntarily provide special categories of data, processing is based on Art. 9 para. 2 lit. a GDPR.

Web Hosting Introduction

Web Hosting Summary???? Data subjects: Website visitors???? Purpose: Professional hosting of the website and ensuring its operation???? Processed data: IP address, time of website visit, browser used, and other data. More details can be found below or with the respective web hosting provider.???? Storage duration: Depends on the respective provider, but usually 2 weeks⚖️ Legal bases: Art. 6 para. 1 lit. f GDPR (Legitimate interests)

What is web hosting?

When you visit websites today, certain information – including personal data – is automatically generated and stored, and this applies to this website as well. This data should be processed as sparingly as possible and only with justification. By 'website,' we mean the entirety of all web pages on a domain, i.e., everything from the homepage to the very last subpage (like this one). By 'domain,' we mean, for example, example.de or sampleexample.com.

If you want to view a website on a computer, tablet, or smartphone, you use a program called a web browser. You probably know some web browsers by name: Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari. We simply refer to them as browsers or web browsers.

To display the website, the browser must connect to another computer where the website's code is stored: the web server. Operating a web server is a complex and demanding task, which is why it is usually handled by professional providers. These providers offer web hosting, ensuring reliable and error-free storage of website data. That's a lot of technical terms, but please bear with us, it gets even better!

When your browser establishes a connection on your computer (desktop, laptop, tablet, or smartphone) and during data transfer to and from the web server, personal data may be processed. On the one hand, your computer stores data, and on the other hand, the web server must also store data for a certain period to ensure proper operation.

A picture is worth a thousand words, so the following graphic illustrates the interplay between the browser, the internet, and the hosting provider.

Why do we process personal data?

The purposes of data processing are:

1. Professional website hosting and operational security
2. to maintain operational and IT security
3. Anonymous evaluation of access behavior to improve our offering and, if necessary, for law enforcement or the pursuit of claims

What data is processed?

Even while you are currently visiting our website, our web server, which is the computer where this website is stored, typically automatically stores data such as

• the complete internet address (URL) of the accessed website
• Browser and browser version (e.g., Chrome 87)
• the operating system used (e.g., Windows 10)
• the address (URL) of the previously visited page (referrer URL) (e.g., https://www.beispielquellsite.de/vondabinichgekommen/)
• the hostname and IP address of the accessing device (e.g., COMPUTERNAME and 194.23.43.121)
• Date and time
• in files, known as web server log files

How long is data stored?

As a rule, the aforementioned data is stored for two weeks and then automatically deleted. We do not share this data; however, we cannot rule out that this data may be accessed by authorities in the event of unlawful conduct.

In short: Your visit is logged by our provider (the company that hosts our website on special computers (servers)), but we do not share your data without consent!

Legal Basis

The lawfulness of processing personal data within the scope of web hosting arises from Art. 6 para. 1 lit. f GDPR (safeguarding legitimate interests), as the use of professional hosting with a provider is necessary to present the company securely and user-friendly on the internet and, if necessary, to pursue attacks and claims arising therefrom.

Typically, there is a data processing agreement between us and the hosting provider in accordance with Art. 28 et seq. GDPR, which ensures compliance with data protection and guarantees data security.

Web Analytics Introduction

Web Analytics Privacy Policy Summary???? Data Subjects: Website visitors???? Purpose: Evaluation of visitor information to optimize the web offering.???? Processed Data: Access statistics, including data such as access locations, device data, access duration and time, navigation behavior, click behavior, and IP addresses. More details can be found with the respective Web Analytics Tool used.???? Storage Duration: depends on the Web Analytics Tool used⚖️ Legal Bases: Art. 6 para. 1 lit. a GDPR (Consent), Art. 6 para. 1 lit. f GDPR (Legitimate Interests)

What is Web Analytics?

On our website, we use software to evaluate the behavior of website visitors, known as Web Analytics or Web Analysis. This involves collecting data that the respective analytics tool provider (also called a tracking tool) stores, manages, and processes. This data is used to create analyses of user behavior on our website and is made available to us as website operators. In addition, most tools offer various testing options. For example, we can test which offers or content are most popular with our visitors. For this, we show you two different offers for a limited period. After the test (a so-called A/B test), we know which product or content our website visitors find more interesting. For such testing procedures, as well as for other analytics procedures, user profiles can also be created and data stored in cookies.

Why do we use Web Analytics?

With our website, we have a clear goal in mind: we want to deliver the best web offering on the market for our industry. To achieve this goal, we aim to provide the best and most interesting content while also ensuring that you feel completely comfortable on our website. With the help of web analysis tools, we can closely examine the behavior of our website visitors and then improve our web offering for both you and us accordingly. For example, we can determine the average age of our visitors, where they come from, when our website is most visited, or which content or products are particularly popular. All this information helps us optimize the website and thus perfectly adapt it to your needs, interests, and wishes.

What data is processed?

Exactly what data is stored naturally depends on the analysis tools used. However, typically, data such as which content you view on our website, which buttons or links you click, when you access a page, which browser you use, which device (PC, tablet, smartphone, etc.) you use to visit the website, or which computer system you use, is stored. If you have consented to the collection of location data, this may also be processed by the web analysis tool provider.

In addition, your IP address is also stored. According to the General Data Protection Regulation (GDPR), IP addresses are personal data. However, your IP address is usually stored pseudonymously (i.e., in an unrecognizable and shortened form). For the purpose of testing, web analysis, and web optimization, no direct data such as your name, age, address, or email address is generally stored. All such data, if collected, is stored pseudonymously. This way, you cannot be identified as a person.

The following example schematically illustrates how Google Analytics works as an example of client-based web tracking using JavaScript code.

How long the respective data is stored always depends on the provider. Some cookies store data for only a few minutes or until you leave the website, while other cookies can store data for several years.

Duration of Data Processing

We will inform you about the duration of data processing below, provided we have further information. Generally, we process personal data only for as long as it is absolutely necessary for the provision of our services and products. If legally required, for example in the case of accounting, this storage period may be exceeded.

Right to Object

You also have the right and the option to withdraw your consent to the use of cookies or third-party providers at any time. This can be done either via our cookie management tool or through other opt-out functions. For example, you can also prevent data collection by cookies by managing, deactivating, or deleting cookies in your browser.

Legal Basis

The use of web analytics requires your consent, which we have obtained through our cookie popup. According to Art. 6 para. 1 lit. a GDPR (Consent), this consent forms the legal basis for the processing of personal data, as may occur when collected by web analytics tools.

In addition to consent, we have a legitimate interest in analyzing the behavior of website visitors to technically and economically improve our offerings. With the help of web analytics, we can identify website errors, detect attacks, and enhance economic efficiency. The legal basis for this is Art. 6 para. 1 lit. f GDPR (Legitimate Interests). Nevertheless, we only use these tools if consent has been given.

Since web analytics tools use cookies, we also recommend reading our general privacy policy on cookies. To find out exactly what data about you is stored and processed, you should read the privacy policies of the respective tools.

Information on specific web analytics tools can be found – if available – in the following sections.

Facebook Conversions API Privacy Policy

We use Facebook Conversions API, a server-side event tracking tool, on our website. The service provider is the American company Meta Platforms Inc. For the European region, Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) is responsible.

Facebook processes your data, among other places, in the USA. Facebook, or Meta Platforms, is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data of EU citizens to the USA. More information can be found at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.

In addition, Facebook uses so-called Standard Contractual Clauses (= Art. 46 para. 2 and 3 GDPR). Standard Contractual Clauses (SCC) are template clauses provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even when transferred to and stored in third countries (such as the USA). Through the EU-US Data Privacy Framework and the Standard Contractual Clauses, Facebook commits to maintaining the European level of data protection when processing your relevant data, even if the data is stored, processed, and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding Standard Contractual Clauses, among other places, here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

The Facebook Data Processing Terms, which refer to the Standard Contractual Clauses, can be found at https://www.facebook.com/legal/terms/dataprocessing.

You can find more information about the data processed through the use of Facebook Conversions API in the Privacy Policy at https://www.facebook.com/about/privacy.

Facebook Pixel Privacy Policy

We use the Facebook Pixel from Facebook on our website. For this purpose, we have implemented a code on our website. The Facebook Pixel is a snippet of JavaScript code that loads a collection of functions with which Facebook can track your user actions, provided you have reached our website via Facebook Ads. For example, if you purchase a product on our website, the Facebook Pixel is triggered and stores your actions on our website in one or more cookies. These cookies allow Facebook to match your user data (customer data such as IP address, user ID) with the data from your Facebook account. Facebook then deletes this data again. The collected data is anonymous and not visible to us and can only be used for advertising campaigns. If you are a Facebook user and logged in, your visit to our website will automatically be assigned to your Facebook user account.

We only want to show our services or products to people who are genuinely interested in them. With the help of the Facebook Pixel, our advertising measures can be better tailored to your wishes and interests. This way, Facebook users (provided they have allowed personalized advertising) will see relevant ads. Furthermore, Facebook uses the collected data for analysis purposes and its own advertisements.

Below, we show you the cookies set by integrating the Facebook Pixel on a test page. Please note that these are only example cookies. Different cookies are set depending on your interaction with our website.

Name: _fbp
Value: fb.1.1568287647279.257405483-6112669137-7
Purpose: Facebook uses this cookie to display advertising products.
Expiry date: after 3 months

Name: fr
Value: 0aPf312HOS5Pboo2r..Bdeiuf…1.0.Bdeiuf.
Purpose: This cookie is used to ensure the Facebook Pixel functions correctly.
Expiry date: after 3 months

Name: comment_author_50ae8267e2bdf1253ec1a5769f48e062112669137-3
Value: Author's name
Purpose: This cookie stores the text and name of a user who, for example, leaves a comment.
Expiry date: after 12 months

Name: comment_author_url_50ae8267e2bdf1253ec1a5769f48e062
Value: https%3A%2F%2Fwww.testseite…%2F (Author's URL)
Purpose: This cookie stores the URL of the website that the user enters into a text field on our website.
Expiry date: after 12 months

Name: comment_author_email_50ae8267e2bdf1253ec1a5769f48e062
Value: Author's email address
Purpose: This cookie stores the user's email address, provided they have submitted it on the website.
Expiry date: after 12 months

Note: The cookies mentioned above relate to individual user behavior. Changes by Facebook, particularly regarding cookie usage, can never be ruled out.

If you are logged in to Facebook, you can change your ad settings yourself at https://www.facebook.com/adpreferences/advertisers/. If you are not a Facebook user, you can generally manage your interest-based online advertising at https://www.youronlinechoices.com/de/praferenzmanagement/. There, you have the option to deactivate or activate providers.

Facebook also processes your data in the USA, among other places. Facebook, or Meta Platforms, is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from EU citizens to the USA. You can find more information on this at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.

In addition, Facebook uses so-called Standard Contractual Clauses (= Art. 46 para. 2 and 3 GDPR). Standard Contractual Clauses (SCC) are model templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even when transferred to and stored in third countries (such as the USA). Through the EU-US Data Privacy Framework and the Standard Contractual Clauses, Facebook commits to upholding the European level of data protection when processing your relevant data, even if the data is stored, processed, and managed in the USA. These clauses are based on an implementing decision by the EU Commission. You can find the decision and the corresponding Standard Contractual Clauses, among other places, here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

Facebook's Data Processing Terms, which refer to the Standard Contractual Clauses, can be found at https://www.facebook.com/legal/terms/dataprocessing.

If you want to learn more about Facebook's data protection, we recommend the company's own data policies at https://www.facebook.com/privacy/policy.

Facebook Automatic Advanced Matching Privacy Policy

As part of the Facebook Pixel function, we have also activated Automatic Advanced Matching. This pixel function allows us to send hashed emails, names, gender, city, state, postal code, and date of birth or phone number as additional information to Facebook, provided you have supplied us with this data. This activation enables us to tailor advertising campaigns on Facebook even more precisely to people who are interested in our services or products.

Google Analytics Privacy Policy

Google Analytics Privacy Policy Summary???? Affected parties: Website visitors???? Purpose: Evaluation of visitor information to optimize the website offering.???? Processed data: Access statistics, which include data such as access locations, device data, access duration and time, navigation behavior, and click behavior. More details can be found further down in this privacy policy.???? Storage duration: individually configurable, Google Analytics 4 stores data for 14 months by default⚖️ Legal bases: Art. 6 para. 1 lit. a GDPR (Consent), Art. 6 para. 1 lit. f GDPR (Legitimate interests)

What is Google Analytics?

On our website, we use the analytics tracking tool Google Analytics, specifically Google Analytics 4 (GA4), from the American company Google Inc. For the European region, Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services. Google Analytics collects data about your activities on our website. Through a combination of various technologies such as cookies, device IDs, and login information, you as a user can be identified across different devices. This allows your actions to be analyzed across platforms.

For example, if you click on a link, this event is stored in a cookie and sent to Google Analytics. With the help of the reports we receive from Google Analytics, we can better adapt our website and our service to your needs. Below, we will delve deeper into the tracking tool and primarily inform you about what data is processed and how you can prevent it.

Google Analytics is a tracking tool used for analyzing our website's traffic. The basis for these measurements and analyses is a pseudonymous user identification number. This number does not contain personal data such as name or address, but serves to assign events to an end device. GA4 uses an event-based model that captures detailed information on user interactions such as page views, clicks, scrolling, and conversion events. Additionally, GA4 incorporates various machine learning functions to better understand user behavior and certain trends. GA4 relies on modeling with the help of machine learning functions. This means that based on the collected data, missing data can also be extrapolated to optimize analysis and provide forecasts.

To enable Google Analytics to function, a tracking code is embedded in our website's code. When you visit our website, this code records various events that you perform on our site. GA4's event-based data model allows us as website operators to define and track specific events to analyze user interactions. This means that in addition to general information like clicks or page views, special events important to our business can also be tracked. Such special events might include, for example, submitting a contact form or purchasing a product.

As soon as you leave our website, this data is sent to the Google Analytics servers and stored there.

Google processes the data, and we receive reports on your user behavior. These reports may include, among others, the following:

• Audience reports: Audience reports help us get to know our users better and understand more precisely who is interested in our service.
• Ad reports: Ad reports make it easier for us to analyze and improve our online advertising.
• Acquisition reports: Acquisition reports provide us with helpful information on how to attract more people to our service.
• Behavior reports: These show us how you interact with our website. We can track your journey through our site and which links you click.
• Conversion reports: A conversion is an action you take as a result of a marketing message. For example, when you go from being just a website visitor to a buyer or newsletter subscriber. These reports help us understand how effective our marketing efforts are with you. Our goal is to increase our conversion rate.
• Real-time reports: These tell us immediately what is happening on our website right now. For example, we can see how many users are currently reading this text.

In addition to the analysis reports mentioned above, Google Analytics 4 also offers the following features, among others:

• Event-based data model: This model captures very specific events that can occur on our website. For example, playing a video, purchasing a product, or signing up for our newsletter.
• Advanced analysis features: These features allow us to better understand your behavior on our website or certain general trends. For example, we can segment user groups, perform comparative analyses of target audiences, or track your journey or path on our website.
• Predictive modeling: Based on collected data, machine learning can extrapolate missing data to predict future events and trends. This can help us develop better marketing strategies.
• Cross-platform analysis: Data collection and analysis are possible from both websites and apps. This allows us to analyze user behavior across platforms, provided, of course, that you have consented to data processing.

Why do we use Google Analytics on our website?

Our goal with this website is clear: we want to offer you the best possible service. The statistics and data from Google Analytics help us achieve this goal.

The statistically evaluated data gives us a clear picture of our website's strengths and weaknesses. On the one hand, we can optimize our site so that interested people can find it more easily on Google. On the other hand, the data helps us better understand you as a visitor. This allows us to know precisely what we need to improve on our website to offer you the best possible service. The data also helps us implement our advertising and marketing measures more individually and cost-effectively. After all, it only makes sense to show our products and services to people who are genuinely interested in them.

What data does Google Analytics store?

Using a tracking code, Google Analytics creates a random, unique ID linked to your browser cookie. This allows Google Analytics to recognize you as a new user and assign you a user ID. The next time you visit our site, you will be recognized as a "returning" user. All collected data is stored together with this user ID. This is what makes it possible to evaluate pseudonymous user profiles.

To analyze our website with Google Analytics, a Property ID must be inserted into the tracking code. The data is then stored in the corresponding property. For every newly created property, the Google Analytics 4 property is set by default. Data retention periods vary depending on the property used.

Your interactions, such as those identified by cookies, app instance IDs, user IDs, or custom event parameters, are measured across platforms, provided you have given your consent. Interactions refer to all types of actions you perform on our website. If you also use other Google systems (e.g., a Google account), data generated via Google Analytics may be linked with third-party cookies. Google does not share Google Analytics data unless we, as the website operator, approve it. Exceptions may occur if legally required.

According to Google, no IP addresses are logged or stored in Google Analytics 4. However, Google uses IP address data to derive location data and deletes it immediately afterwards. Therefore, all IP addresses collected from users in the EU are deleted before the data is stored in a data center or on a server.

Since Google Analytics 4 focuses on event-based data, the tool uses significantly fewer cookies compared to previous versions (like Google Universal Analytics). Nevertheless, there are some specific cookies used by GA4. These include, for example:

Name: _ga
Value: 2.1326744211.152112669137-5
Purpose: By default, analytics.js uses the _ga cookie to store the user ID. Its primary purpose is to distinguish between website visitors.
Expiration date: after 2 years

Name: _gid
Value: 2.1687193234.152112669137-1
Purpose: This cookie also serves to distinguish between website visitors.
Expiration date: after 24 hours

Name: _gat_gtag_UA_<property-id>
Value: 1
Purpose: Used to throttle the request rate. If Google Analytics is deployed via Google Tag Manager, this cookie is named _dc_gtm_ <property-id>.
Expiration date: after 1 minute

Note: This list cannot claim to be exhaustive, as Google frequently changes its cookie selection. GA4 also aims to improve data protection. Therefore, the tool offers several options for controlling data collection. For example, we can set the storage duration ourselves and also manage data collection.

Here's an overview of the main types of data collected with Google Analytics:

Heatmaps: Google creates what are known as heatmaps. Heatmaps show exactly which areas you click on, providing us with information about where you navigate on our site.

Session Duration: Google defines session duration as the time you spend on our site without leaving it. If you are inactive for 20 minutes, the session automatically ends.

Bounce Rate: A bounce occurs when you view only one page on our website and then leave our website.

Account Creation: If you create an account or place an order on our website, Google Analytics collects this data.

Location: IP addresses are not logged or stored in Google Analytics. However, location data derivations are used shortly before the IP address is deleted.

Technical Information: Technical information includes, among other things, your browser type, your internet service provider, or your screen resolution.

Source: Google Analytics, and naturally we, are also interested in which website or advertisement led you to our site.

Further data includes contact details, any ratings, media playback (e.g., if you play a video via our site), sharing content via social media, or adding items to your favorites. This list is not exhaustive and serves only as a general guide to data storage by Google Analytics.

How long and where is the data stored?

Google has its servers distributed worldwide. You can read exactly where Google's data centers are located here: https://www.google.com/about/datacenters/locations/?hl=de

Your data is distributed across various physical storage media. This has the advantage that the data can be retrieved faster and is better protected against manipulation. Each Google data center has corresponding emergency programs for your data. For example, if Google's hardware fails or natural disasters cripple servers, the risk of service interruption at Google remains low.

The data retention period depends on the properties used. The storage duration is always set individually for each property. Google Analytics offers us four options for controlling the storage duration:

• 2 months: this is the shortest retention period.
• 14 months: by default, data in GA4 is stored for 14 months.
• 26 months: data can also be stored for 26 months.
• Data is only deleted when we manually delete it

There is also an option for data to be deleted only if you do not visit our website within the chosen period. In this scenario, the retention period is reset each time you revisit our website within the specified timeframe.

Once the defined period has elapsed, data is deleted once a month. This retention period applies to your data linked to cookies, user identification, and advertising IDs (e.g., DoubleClick domain cookies). Reporting results are based on aggregated data and are stored independently of user data. Aggregated data is the consolidation of individual data into a larger unit.

How can I delete my data or prevent its storage?

According to the data protection law of the European Union, you have the right to access, update, delete, or restrict your data. By using the browser add-on to deactivate Google Analytics JavaScript (analytics.js, gtag.js), you can prevent Google Analytics 4 from using your data. You can download and install the browser add-on at https://tools.google.com/dlpage/gaoptout?hl=de. Please note that this add-on only disables data collection by Google Analytics.

If you wish to disable, delete, or manage cookies in general, you will find the corresponding links to the instructions for the most common browsers in the "Cookies" section.

Legal Basis

The use of Google Analytics requires your consent, which we obtained via our cookie pop-up. This consent, according to Art. 6 para. 1 lit. a GDPR (Consent), constitutes the legal basis for the processing of personal data, as may occur when collected by web analytics tools.

In addition to consent, we have a legitimate interest in analyzing the behavior of website visitors to technically and economically improve our offering. With the help of Google Analytics, we identify website errors, detect attacks, and improve our economic efficiency. The legal basis for this is Art. 6 para. 1 lit. f GDPR (Legitimate Interests). Nevertheless, we only use Google Analytics if you have provided your consent.

Google processes your data, among other locations, in the USA. Google is an active participant in the EU-US Data Privacy Framework, which governs the proper and secure transfer of personal data from EU citizens to the USA. You can find more information at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.

Furthermore, Google uses so-called Standard Contractual Clauses (= Art. 46 para. 2 and 3 GDPR). Standard Contractual Clauses (SCC) are template clauses provided by the EU Commission and are designed to ensure that your data adheres to European data protection standards even when transferred to and stored in third countries (such as the USA). Through the EU-US Data Privacy Framework and the Standard Contractual Clauses, Google commits to maintaining the European level of data protection when processing your relevant data, even if the data is stored, processed, and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding Standard Contractual Clauses, among others, here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

The Google Ads Data Processing Terms, which reference the Standard Contractual Clauses, are available at https://business.safety.google/intl/de/adsprocessorterms/.

We hope we have provided you with the most important information regarding Google Analytics data processing. If you wish to learn more about the tracking service, we recommend these two links: https://marketingplatform.google.com/about/analytics/terms/de/ and https://support.google.com/analytics/answer/6004245?hl=de.

If you wish to learn more about data processing, please refer to the Google Privacy Policy at https://policies.google.com/privacy?hl=de.

Data Processing Agreement (DPA) Google Analytics

We have entered into a Data Processing Agreement (DPA) with Google, in accordance with Article 28 of the General Data Protection Regulation (GDPR). You can read about what a DPA is and, more importantly, what it must contain, in our general section on "Data Processing Agreements (DPA)".

This contract is legally mandated because Google processes personal data on our behalf. It clarifies that Google may only process data received from us according to our instructions and must adhere to the GDPR. The link to the data processing terms is available at https://business.safety.google/intl/de/adsprocessorterms/

Google Analytics Demographics and Interests Reports

We have enabled the advertising features in Google Analytics. The Demographics and Interests Reports provide data on age, gender, and interests. This allows us to gain a better understanding of our users – without being able to attribute this data to individual persons. You can learn more about the advertising features at https://support.google.com/analytics/answer/3450482?hl=de_AT&utm_id=ad.

You can stop the use of your Google account activities and information by unchecking the box under “Ad Settings” at https://adssettings.google.com/authenticated.

Google Analytics IP Anonymization

We have implemented IP address anonymization for Google Analytics on this website. This feature was developed by Google to enable this website to comply with applicable data protection regulations and recommendations from local data protection authorities that prohibit the storage of full IP addresses. The anonymization or masking of the IP occurs as soon as the IP addresses arrive in the Google Analytics data collection network and before any storage or processing of the data takes place.

You can find more information about IP anonymization at https://support.google.com/analytics/answer/2763052?hl=de.

Google Tag Manager Privacy Policy

Google Tag Manager Privacy Policy Summary???? Data Subjects: Website visitors???? Purpose: Organization of individual tracking tools???? Data Processed: Google Tag Manager itself does not store any data. The data is collected by the tags of the web analytics tools used.???? Storage Duration: depends on the web analytics tool used⚖️ Legal Bases: Art. 6 para. 1 lit. a GDPR (Consent), Art. 6 para. 1 lit. f GDPR (Legitimate Interests)

What is Google Tag Manager?

For our website, we use Google Tag Manager from Google Inc. For the European region, Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services. This Tag Manager is one of many helpful marketing products from Google. Through Google Tag Manager, we can centrally embed and manage code snippets from various tracking tools that we use on our website.

In this privacy policy, we want to explain in more detail what Google Tag Manager does, why we use it, and in what form data is processed.

Google Tag Manager is an organizational tool that allows us to centrally integrate and manage website tags via a single interface. Tags are small code snippets that, for example, record (track) your activities on our website. For this purpose, JavaScript code snippets are inserted into our page's source code. These tags often originate from Google's internal products like Google Ads or Google Analytics, but tags from other companies can also be integrated and managed through the Manager. Such tags perform various tasks. They can collect browser data, feed data to marketing tools, embed buttons, set cookies, and even track users across multiple websites.

Why do we use Google Tag Manager for our website?

As the saying goes: organization is half the battle! And that, of course, also applies to maintaining our website. To make our website as effective as possible for you and everyone interested in our products and services, we need various tracking tools, such as Google Analytics. The data collected by these tools shows us what interests you most, where we can improve our services, and to whom else we should present our offers. For this tracking to work, we need to embed corresponding JavaScript codes into our website. Theoretically, we could embed each code snippet from individual tracking tools separately into our source code. However, this would be quite time-consuming and it's easy to lose track. That's why we use Google Tag Manager. We can easily embed the necessary scripts and manage them from one central location. Additionally, Google Tag Manager offers an easy-to-use interface and requires no programming knowledge. This helps us keep our tag jungle organized.

What data is stored by Google Tag Manager?

The Tag Manager itself is a domain that does not set cookies and does not store data. It acts merely as an "administrator" for the implemented tags. The individual tags of the various web analytics tools collect the data. The data is essentially routed through the Google Tag Manager to the individual tracking tools and is not stored by the Tag Manager itself.

However, the situation is quite different with the integrated tags of various web analytics tools, such as Google Analytics. Depending on the analytics tool, various data about your web behavior is usually collected, stored, and processed with the help of cookies. For this, please read our privacy policies for the individual analytics and tracking tools we use on our website.

In the Tag Manager account settings, we have allowed Google to receive anonymized data from us. However, this data pertains only to the use and utilization of our Tag Manager, not to your data stored via the code snippets. We enable Google and others to receive selected data in anonymized form. Thus, we agree to the anonymous sharing of our website data. Despite extensive research, we could not ascertain precisely which aggregated and anonymous data is forwarded. In any case, Google deletes all information that could identify our website. Google combines this data with hundreds of other anonymous website data to create user trends as part of benchmarking measures. Benchmarking involves comparing one's own results with those of competitors. Based on the collected information, processes can be optimized.

How long and where is the data stored?

If Google stores data, it is stored on Google's own servers. These servers are distributed worldwide, with most located in America. You can find precise information on the locations of Google's servers at https://www.google.com/about/datacenters/locations/?hl=de.

For information on how long individual tracking tools store your data, please refer to our specific privacy policies for each tool.

How can I delete my data or prevent data storage?

The Google Tag Manager itself does not set cookies; instead, it manages tags from various tracking websites. In our privacy policies for the individual tracking tools, you will find detailed information on how to delete or manage your data.

Please note that when using this tool, your data may also be stored and processed outside the EU. Most third countries (including the USA) are currently not considered secure under European data protection law. Therefore, data may not simply be transferred, stored, and processed in insecure third countries unless there are appropriate safeguards (such as EU standard contractual clauses) between us and the non-European service provider.

Legal Basis

The use of Google Tag Manager requires your consent, which we obtain through our cookie pop-up. According to Art. 6 para. 1 lit. a GDPR (Consent), this consent forms the legal basis for processing personal data, as may occur when collected by web analytics tools.

In addition to your consent, we have a legitimate interest in analyzing website visitor behavior to technically and economically improve our offerings. The Google Tag Manager helps us enhance our efficiency. The legal basis for this is Art. 6 para. 1 lit. f GDPR (Legitimate Interests). However, we only use the Google Tag Manager if you have given your consent.

Google also processes your data in the USA, among other places. Google is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from EU citizens to the USA. More information can be found at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.

In addition, Google uses so-called Standard Contractual Clauses (= Art. 46 para. 2 and 3 GDPR). Standard Contractual Clauses (SCC) are template clauses provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even when transferred to and stored in third countries (such as the USA). Through the EU-US Data Privacy Framework and the Standard Contractual Clauses, Google commits to maintaining the European level of data protection when processing your relevant data, even if the data is stored, processed, and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding Standard Contractual Clauses, among others, here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

You can find the Google Ads Data Processing Terms, which refer to the Standard Contractual Clauses, at https://business.safety.google/intl/de/adsprocessorterms/.

If you want to learn more about Google Tag Manager, we recommend the FAQs at https://support.google.com/tagmanager/?hl=de#topic=3441530.

You can read about what data Google generally collects and how it uses this data at https://policies.google.com/privacy?hl=de.

Data Processing Agreement (DPA) Google Tag Manager

In accordance with Article 28 of the General Data Protection Regulation (GDPR), we have concluded a Data Processing Agreement (DPA) with Google. You can read more about what a DPA is and, more importantly, what it must contain, in our general section "Data Processing Agreement (DPA)".

This contract is legally required because Google processes personal data on our behalf. It clarifies that Google may only process data received from us according to our instructions and must comply with the GDPR. You can find the link to the Data Processing Agreement (DPA) at https://business.safety.google/adsprocessorterms/.

Blogs and Publication Media Introduction

Blogs and Publication Media Privacy Policy Summary???? Affected parties: Website visitors???? Purpose: Presentation and optimization of our services, as well as communication between website visitors, security measures, and administration???? Processed data: Data such as contact details, IP address, and published content. More details can be found with the tools used.???? Storage duration: depends on the tools used⚖️ Legal bases: Art. 6 para. 1 lit. a GDPR (Consent), Art. 6 para. 1 lit. f GDPR (Legitimate Interests), Art. 6 para. 1 sentence 1 lit. b. GDPR (Contract)

What are blogs and publication media?

On our website, we use blogs and other communication tools that allow us to communicate with you and you with us. In this process, your data may also be stored and processed by us. This may be necessary to display content appropriately, ensure communication functions, and enhance security. In our privacy text, we generally address what data of yours may be processed. Exact details on data processing always depend on the tools and functions used. You can find precise information about data processing in the privacy notices of the individual providers.

Why do we use blogs and publication media?

Our main goal with our website is to offer you interesting and engaging content, and at the same time, your opinions and content are also important to us. Therefore, we want to create a good interactive exchange between us and you. We can achieve this with various blogs and publication options. For example, you can write comments on our content, comment on other comments, or even, in some cases, write your own posts.

What data is processed?

The exact data processed always depends on the communication functions we use. Very often, IP address, username, and published content are stored. This is primarily done to ensure security, prevent spam, and to take action against illegal content. Cookies may also be used for data storage. These are small text files stored with information in your browser. More details on the collected and stored data can be found in our individual sections and in the privacy policy of the respective provider.

Duration of Data Processing

We will inform you about the duration of data processing below, provided we have further information. For example, post and comment functions store data until you revoke data storage. Generally, personal data is stored only for as long as it is absolutely necessary for the provision of our services.

Right to object

You also have the right and the option at any time to withdraw your consent for the use of cookies or third-party communication tools. This can be done either via our cookie management tool or through other opt-out functions. For example, you can also prevent data collection by cookies by managing, deactivating, or deleting cookies in your browser.

Since cookies may also be used in publication media, we also recommend our general privacy policy on cookies. To find out exactly what data of yours is stored and processed, you should read the privacy policies of the respective tools.

Legal Basis

We primarily use communication tools based on our legitimate interests (Art. 6 para. 1 lit. f GDPR) in fast and effective communication with you or other customers, business partners, and visitors. Insofar as the use serves the processing or initiation of contractual relationships, the legal basis is also Art. 6 para. 1 sentence 1 lit. b GDPR.

Certain processing activities, particularly the use of cookies and comment or messaging functions, require your consent. If and to the extent that you have consented to your data being processed and stored by integrated publication media, this consent serves as the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). Most communication functions we use set cookies in your browser to store data. Therefore, we recommend that you carefully read our privacy text on cookies and review the privacy policy or cookie guidelines of the respective service provider.

Information on specific tools can be found – if available – in the following sections.

Online Marketing Introduction

Online Marketing Privacy Policy Summary???? Affected parties: Website visitors???? Purpose: Evaluation of visitor information to optimize the website offering.???? Processed data: Access statistics, including data such as access locations, device data, access duration and time, navigation behavior, click behavior, and IP addresses. Personal data such as name or email address may also be processed. More details can be found with the respective online marketing tool used.???? Storage duration: depends on the online marketing tools used⚖️ Legal bases: Art. 6 para. 1 lit. a GDPR (Consent), Art. 6 para. 1 lit. f GDPR (Legitimate interests)

What is online marketing?

Online marketing refers to all measures carried out online to achieve marketing goals such as increasing brand awareness or closing a deal. Furthermore, our online marketing measures aim to draw people's attention to our website. To be able to show our offerings to many interested people, we therefore engage in online marketing. This usually involves online advertising, content marketing, or search engine optimization. To use online marketing efficiently and effectively, personal data is also stored and processed. This data helps us, on the one hand, to show our content only to those who are genuinely interested, and on the other hand, to measure the success of our online marketing campaigns.

Why do we use online marketing tools?

We want to show our website to everyone interested in our offerings. We understand that this is not possible without deliberate measures, which is why we engage in online marketing. Various tools facilitate our online marketing efforts and constantly provide data-driven suggestions for improvement. This allows us to target our campaigns more precisely to our audience. The ultimate purpose of these online marketing tools is therefore to optimize our offerings.

What data is processed?

For our online marketing to function and for the success of our campaigns to be measured, user profiles are created, and data is stored, for example, in cookies (which are small text files). This data allows us not only to display traditional advertisements but also to present our content directly on our website in a way that best suits you. Various third-party tools offer these functions and accordingly collect and store your data. For example, these cookies store which web pages you have visited on our website, how long you viewed these pages, which links or buttons you clicked, or from which website you came to us. Additionally, technical information may also be stored, such as your IP address, the browser you use, the device from which you visit our website, or the time you accessed and left our website. If you have consented to us determining your location, we may also store and process this information.

Your IP address is stored in pseudonymized form (i.e., shortened). Unique data that directly identifies you as a person, such as your name, address, or email address, is also stored only in pseudonymized form within the scope of advertising and online marketing procedures. Therefore, we cannot identify you as an individual; we only have the pseudonymized information stored in the user profiles.

Under certain circumstances, these cookies may also be used, analyzed, and employed for advertising purposes on other websites that utilize the same advertising tools. The data may then also be stored on the servers of the advertising tool providers.

In exceptional cases, unique data (names, email addresses, etc.) may also be stored in user profiles. This happens, for example, if you are a member of a social media channel that we use for our online marketing activities, and the network links previously collected data with the user profile.

With all advertising tools we use that store your data on their servers, we only ever receive aggregated information and never data that identifies you as an individual. The data merely shows how effective advertising campaigns were. For example, we see which measures prompted you or other users to visit our website and purchase a service or product. Based on these analyses, we can improve our advertising offerings in the future and tailor them even more precisely to the needs and wishes of interested individuals.

Duration of Data Processing

We will inform you about the duration of data processing below, if we have further information. Generally, we only process personal data for as long as it is strictly necessary to provide our services and products. Data stored in cookies is retained for varying periods. Some cookies are deleted as soon as you leave the website, while others may remain in your browser for several years. You will usually find precise information about the individual cookies used by each provider in their respective privacy policies.

Right to Object

You also have the right and the option to withdraw your consent to the use of cookies or third-party providers at any time. This can be done either via our cookie management tool or via other opt-out functions. For example, you can also prevent data collection by cookies by managing, deactivating, or deleting cookies in your browser. The lawfulness of processing until withdrawal remains unaffected.

Since online marketing tools can generally use cookies, we also recommend our general privacy policy on cookies. To find out exactly what data about you is stored and processed, you should read the privacy policies of the respective tools.

Legal basis

If you have consented to the use of third-party providers, the legal basis for the corresponding data processing is this consent. According to Art. 6 para. 1 lit. a GDPR (Consent), this consent constitutes the legal basis for the processing of personal data, as may occur when collected by online marketing tools.

Furthermore, we have a legitimate interest in measuring online marketing activities in an anonymized form to optimize our offerings and measures with the help of the data obtained. The corresponding legal basis for this is Art. 6 para. 1 lit. f GDPR (Legitimate Interests). Nevertheless, we only use the tools if you have given your consent.

Information on specific online marketing tools can be found – if available – in the following sections.

Explanation of Terms Used

We always strive to formulate our privacy policy as clearly and understandably as possible. However, this is not always easy, especially with technical and legal topics. It often makes sense to use legal terms (e.g., personal data) or certain technical expressions (e.g., cookies, IP address). However, we do not want to use them without explanation. Below you will find an alphabetical list of important terms used that we may not have sufficiently addressed in the previous privacy policy. If these terms are taken from the GDPR and are definitions, we will also list the GDPR texts here and, if necessary, add our own explanations.

Processor

Definition of Terms according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Explanation: As a company and website owner, we are responsible for all data we process from you. In addition to the controllers, there can also be so-called processors. This includes any company or person who processes personal data on our behalf. Processors can therefore include, in addition to service providers such as tax advisors, also hosting or cloud providers, payment or newsletter providers, or large companies such as Google or Microsoft.

Consent

Definition of Terms according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

“consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Explanation: Typically, on websites, such consent is obtained via a cookie consent tool. You're probably familiar with this. Whenever you visit a website for the first time, you are usually asked via a banner whether you agree to or consent to data processing. Often, you can also make individual settings and thus decide for yourself which data processing you allow and which you do not. If you do not consent, no personal data about you may be processed. In principle, consent can, of course, also be given in writing, i.e., not via a tool.

Health data

Definition of Terms according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

"data concerning health" means personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Explanation: Health data therefore includes all stored information concerning your own health. These are often data also noted in a patient file. This includes, for example, which medications you use, X-rays, your entire medical history, or generally your vaccination status.

Personal Data

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

"personal data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Explanation: Personal data therefore refers to all data that can identify you as a person. This typically includes data such as:

• Name
• Address
• Email address
• Postal address
• Phone number
• Date of birth
• Identification numbers such as social security number, tax identification number, national ID card number, or matriculation number
• Bank details such as account number, credit information, account balances, and much more.

According to the European Court of Justice (ECJ), your IP address also constitutes personal data. IT experts can use your IP address to determine at least the approximate location of your device and, subsequently, you as the account holder. Therefore, storing an IP address also requires a legal basis under the GDPR. There are also so-called "special categories" of personal data, which are particularly worthy of protection. These include:

• racial and ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• genetic data such as data extracted from blood or saliva samples
• biometric data (i.e., information about psychological, physical, or behavioral characteristics that can identify a person).
  health data
• data concerning sexual orientation or sex life

Profiling

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

„profiling“ any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Explanation: Profiling involves collecting various pieces of information about a person to learn more about them. In the web sector, profiling is often used for advertising purposes or credit checks. Web and advertising analytics programs, for example, collect data about your behavior and interests on a website. This creates a specific user profile, which can then be used to target advertising to a specific audience.

Controller

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

„controller“ the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Explanation: In our case, we are responsible for processing your personal data and are therefore the "controller". If we transfer collected data to other service providers for processing, these are "processors". For this, a "data processing agreement (DPA)" must be signed.

Processing

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Note: When we refer to processing in our privacy policy, we mean any type of data processing. As mentioned above in the original GDPR explanation, this includes not only the collection but also the storage and processing of data.

Concluding Remarks

If you're reading these lines, you've truly 'battled' your way through our entire privacy policy, or at least scrolled this far. As you can see from its length, we take the protection of your personal data very seriously.
It is important to us to inform you about the processing of personal data to the best of our knowledge and belief. In doing so, we not only want to tell you what data is processed but also explain the reasons behind using various software programs. Privacy policies usually sound very technical and legalistic. However, since most of you are neither web developers nor lawyers, we wanted to take a different linguistic approach and explain the matter in simple and clear language. Of course, this is not always possible due to the subject matter. Therefore, the most important terms are explained in more detail at the end of the privacy policy.
If you have any questions about data protection on our website, please do not hesitate to contact us or the responsible authority. We hope to welcome you back to our website soon.

All texts are copyrighted.

‍