Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter referred to as "data") that we process, for what purposes, and to what extent. The privacy policy applies to all of our personal data processing activities, both in the context of providing our services and particularly on our websites, mobile applications, as well as within external online presences such as our social media profiles (hereinafter collectively referred to as "online offering").

The terms used are not gender-specific.

As of: August 25, 2024

Table of Contents

• Preamble
• Controller
• Overview of Processing Activities
• Relevant Legal Grounds
• Security Measures
• Transmission of Personal Data
• International Data Transfers
• General Information on Data Storage and Deletion
• Rights of Data Subjects
• Provision of the Online Offering and Web Hosting
• Use of Cookies
• Special Notes on Applications (Apps)
• Acquiring Applications via App Stores
• Registration, Login, and User Account
• Community Features
• Single Sign-On Login
• Contact and Inquiry Management
• Chatbots and Chat Functions
• Push Notifications
• Cloud Services
• Newsletters and Electronic Notifications
• Surveys and Questionnaires
• Web Analytics, Monitoring, and Optimization
• Online Marketing
• Customer Reviews and Rating Procedures
• Presences on Social Networks (Social Media)
• Plugins and Embedded Features and Content
• Management, Organization, and Support Tools
• Changes and Updates
• Glossary

Controller

Gladys Slawina Cirtu
Gerda-Krüger-Nieland-Str. 77
76149 Karlsruhe

Email address: g.cirtu@softyio.com

Imprint: https://spooky-app.com/impressum

Overview of Processing Activities

The following overview summarizes the types of processed data and the purposes of their processing and refers to the affected persons.

Types of Processed Data

• Inventory data.
• Payment data.
• Location data.
• Contact data.
• Content data.
• Contract data.
• Usage data.
• Meta, communication, and procedural data.
• Image and/or video recordings.
• Location history and movement profiles.
• Log data.

Categories of Affected Persons

• Service recipients and clients.
• Prospective clients.
• Communication partners.
• Users.
• Business and contractual partners.
• Participants.
• Third parties.

Purposes of Processing

• Provision of contractual services and fulfillment of contractual obligations.
• Communication.
• Security measures.
• Direct marketing.
• Reach measurement.
• Tracking.
• Office and organizational procedures.
• Conversion measurement.
• Target audience formation.
• Organizational and administrative procedures.
• Feedback.
• Surveys and questionnaires.
• Marketing.
• Profiles with user-related information.
• Registration process.
• Provision of our online offering and user-friendliness.
• Information technology infrastructure.
• Public relations.
• Business processes and economic procedures.

Relevant Legal Grounds

Relevant Legal Grounds under the GDPR: Below is an overview of the legal grounds of the GDPR on which we process personal data. Please note that in addition to the GDPR provisions, national data protection regulations may apply in your or our country of residence or establishment. If more specific legal grounds are relevant in individual cases, we will inform you about them in the privacy policy.

• Consent (Art. 6(1)(a) GDPR) - The data subject has given their consent to the processing of their personal data for one or more specific purposes.
• Contract fulfillment and pre-contractual requests (Art. 6(1)(b) GDPR) - The processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures taken at the request of the data subject.
• Legitimate interests (Art. 6(1)(f) GDPR) - The processing is necessary for the protection of the legitimate interests of the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject, which require protection of personal data, do not override those interests.

National Data Protection Regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. This includes, in particular, the Federal Data Protection Act (BDSG), which contains specific provisions on the right to access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission, as well as automated decision-making in individual cases, including profiling. Furthermore, state data protection laws of the individual federal states may apply.

Relevant Legal Grounds under the Swiss Data Protection Act: If you are located in Switzerland, we process your data based on the Federal Data Protection Act (Swiss DPA). Unlike the GDPR, the Swiss DPA does not generally require specifying a legal basis for the processing of personal data, and the processing is carried out in good faith, lawfully, and proportionally (Art. 6(1) and (2) of the Swiss DPA). Furthermore, personal data is only collected for a specific, identifiable purpose and processed only in a manner compatible with that purpose (Art. 6(3) of the Swiss DPA).

Note on the Applicability of the GDPR and Swiss DPA: These privacy notices serve both for information under the Swiss DPA and the General Data Protection Regulation (GDPR). Therefore, please note that due to the broader geographical application and clarity, the terms of the GDPR are used. Specifically, instead of the terms "processing" of "personal data," "overriding interest," and "special categories of personal data" used in the Swiss DPA, the terms "processing" of "personal data," "legitimate interest," and "special categories of data" used in the GDPR are applied. However, the legal meaning of the terms will still be determined according to the Swiss DPA within its scope.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, considering the state of technology, implementation costs, and the nature, scope, circumstances, and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, ensuring availability, and their separation. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data, and responses to data breaches. Additionally, we consider data protection already during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

Securing online connections through TLS/SSL encryption technology (HTTPS): To protect user data transmitted through our online services from unauthorized access, we rely on TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thus protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured with an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator for users that their data is being transmitted securely and encrypted.

Transmission of Personal Data

In the course of our processing of personal data, it may be necessary for us to transmit or disclose these data to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers responsible for IT tasks or providers of services and content integrated into a website. In such cases, we adhere to legal requirements and enter into appropriate contracts or agreements with the recipients of your data to protect your data.

Data transmission within the corporate group: We may transmit personal data to other companies within our corporate group or grant them access to this data. If this transmission is for administrative purposes, it is based on our legitimate business interests or is required for the fulfillment of our contractual obligations, or if consent from the data subjects or a legal permission is in place.

International Data Transfers

Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or if the processing occurs as part of the use of services of third parties or the disclosure or transmission of data to other persons, entities, or companies, this will only take place in compliance with legal requirements. If the level of data protection in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers will only take place if the level of protection is ensured through other means, such as standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or in cases of contractual or legally required transfers (Art. 49(1) GDPR). Additionally, we will inform you of the basis for transfers to third countries by individual third-party providers, with adequacy decisions being the primary basis. Information on third-country transfers and existing adequacy decisions can be found in the EU Commission's information offering: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

EU-US Trans-Atlantic Data Privacy Framework: As part of the "Data Privacy Framework" (DPF), the EU Commission has also recognized the level of data protection as safe for certain companies in the USA under the adequacy decision of July 10, 2023. The list of certified companies and further information on the DPF can be found on the U.S. Department of Commerce's website at https://www.dataprivacyframework.gov/ (in English). We will inform you in the privacy policy which of our service providers are certified under the Data Privacy Framework.

Disclosure of Personal Data Abroad: According to the Swiss DPA, we only disclose personal data abroad if adequate protection of the affected individuals is guaranteed (Art. 16 Swiss DPA). If the Federal Council has not determined adequate protection (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we take alternative security measures. These may include international agreements, specific guarantees, data protection clauses in contracts, standard data protection clauses approved by the Federal Data Protection and Information Commissioner (FDPIC), or internal data protection regulations recognized in advance by the FDPIC or a relevant data protection authority of another country.

According to Art. 16 of the Swiss DPA, exceptions to the disclosure of data abroad may be permitted if certain conditions are met, including consent of the data subject, contract performance, public interest, protection of life or physical integrity, publicly available data, or data from a legally prescribed register. These disclosures always comply with legal requirements.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with the legal provisions once the underlying consents are withdrawn or no further legal grounds for processing exist. This applies to cases where the original processing purpose no longer applies or the data is no longer needed. Exceptions to this rule apply if legal obligations or special interests require longer storage or archiving of the data.

In particular, data that must be retained for commercial or tax reasons, or whose storage is necessary for legal claims or the protection of the rights of other natural or legal persons, must be archived accordingly.

Our privacy policy contains additional information on the retention and deletion of data, which applies specifically to certain processing activities.

In cases where multiple retention periods or deletion deadlines apply to a date, the longest period is decisive.

If a deadline does not explicitly start on a specific date and is at least one year, it will automatically start at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships where data is stored, the triggering event is the time the termination or other conclusion of the legal relationship becomes effective.

Data that is no longer needed for the original purpose but is retained for legal reasons or other purposes will only be processed for the reasons that justify its retention.

Further Notes on Processing Activities, Procedures, and Services:

• Data Retention and Deletion: The following general periods apply for the retention and archiving of data under German law:
  • 10 years - Retention period for books and records, financial statements, inventories, management reports, opening balance sheets, as well as the necessary work instructions and other organizational documents, accounting records, and invoices (§ 147 para. 3 in conjunction with para. 1 no. 1, 4, and 4a AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 & 4, para. 4 HGB).
  • 6 years - Other business documents: received business or commercial correspondence, copies of sent business or commercial correspondence, other documents that are relevant for taxation, such as time sheets, cost accounting sheets, calculation documents, price markings, as well as payroll records, unless they are already accounting records, and cash receipts (§ 147 para. 3 in conjunction with para. 1 no. 2, 3, 5 AO, § 257 para. 1 no. 2 & 3, para. 4 HGB).
  • 3 years - Data necessary for considering potential warranty and compensation claims or similar contractual claims and rights, as well as to handle related inquiries, based on previous business experience and industry practices, stored for the regular statutory limitation period of three years (§§ 195, 199 BGB).
• Data Retention and Deletion: The following general periods apply for the retention and archiving of data under Swiss law:
  • 10 years - Retention period for books and records, financial statements, inventories, management reports, opening balance sheets, accounting records, and invoices, as well as all necessary work instructions and other organizational documents (Art. 958f of the Swiss Code of Obligations (OR)).
  • 10 years - Data that is necessary to consider potential claims for damages or similar contractual claims and rights, as well as for processing related inquiries, based on previous business experience and common industry practices, stored for the statutory limitation period of ten years, unless a shorter period of five years is applicable, which is relevant in specific cases (Art. 127, 130 OR). After five years, claims for rent, lease, and capital interest, as well as other periodic payments, from the supply of food, catering, and pub debts, as well as from craftwork, small sales of goods, medical services, professional work by lawyers, legal agents, procurators, and notaries, and from employment contracts, expire (Art. 128 OR).

Rights of Data Subjects

Rights of Data Subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, particularly as outlined in Articles 15 to 21 of the GDPR:

• Right to Object: You have the right to object to the processing of your personal data, based on Article 6(1)(e) or (f) GDPR, for reasons arising from your particular situation; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes; this also applies to profiling to the extent it is related to such direct marketing.
• Right to Withdraw Consent: You have the right to withdraw any consent you have given at any time.
• Right to Access: You have the right to request confirmation as to whether personal data concerning you is being processed and to access this data as well as further information and copies of the data in accordance with legal requirements.
• Right to Rectification: You have the right, in accordance with legal requirements, to request the completion of your personal data or the rectification of inaccurate personal data concerning you.
• Right to Deletion and Restriction of Processing: You have the right, in accordance with legal requirements, to request the immediate deletion of your personal data, or alternatively, to request the restriction of processing of the data in accordance with legal requirements.
• Right to Data Portability: You have the right, in accordance with legal requirements, to receive your personal data, which you have provided to us, in a structured, commonly used, and machine-readable format, or to request the transmission of this data to another controller.
• Complaint to Supervisory Authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, particularly in the member state of your habitual residence, place of work, or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.

Rights of Data Subjects under the Swiss DPA:

As a data subject, you are entitled to the following rights under the provisions of the Swiss DPA:

• Right to Access: You have the right to request confirmation as to whether personal data concerning you is being processed and to receive the information necessary for exercising your rights under this law and ensuring transparent data processing.
• Right to Data Retrieval or Transfer: You have the right to request the retrieval of the personal data you provided to us in a commonly used electronic format.
• Right to Rectification: You have the right to request the correction of inaccurate personal data concerning you.
• Right to Object, Deletion, and Destruction: You have the right to object to the processing of your data, as well as to request that your personal data be deleted or destroyed.

Provision of the Online Offering and Web Hosting

We process user data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

• Types of Processed Data: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties); Log data (e.g., logfiles regarding logins or data retrievals or access times). Content data (e.g., textual or pictorial messages and posts, as well as related information such as authorship or creation time).
• Affected Persons: Users (e.g., website visitors, users of online services).
• Purposes of Processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures. Provision of contractual services and fulfillment of contractual obligations.
• Retention and Deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).

Further Notes on Processing Activities, Procedures, and Services:

• Provision of Online Offering on Rented Storage Space: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also called "web host"); Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).
• Collection of Access Data and Logfiles: Access to our online offering is logged in the form of so-called "server logfiles". Server logfiles may include the address and name of retrieved web pages and files, the date and time of retrieval, the amount of data transmitted, messages about successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and in most cases, IP addresses and the requesting provider. Server logfiles can be used for security purposes, for example, to avoid server overload (particularly in the case of malicious attacks such as DDoS attacks), and to ensure the proper functioning and stability of the servers; Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).Data Deletion: Logfile information is stored for a maximum period of 30 days and is then deleted or anonymized. Data that needs to be retained for evidentiary purposes is excluded from deletion until the respective incident is fully resolved.
• Email Sending and Hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, the addresses of the recipients and senders, as well as further information concerning email sending (e.g., involved providers), and the content of the emails are processed. The aforementioned data can also be processed for spam detection purposes. Please note that emails are generally not encrypted when transmitted over the internet. While emails are encrypted during transmission, they are not encrypted on the servers from which they are sent and received (unless end-to-end encryption is used). Therefore, we cannot take responsibility for the transmission of emails between the sender and the recipient on our server; Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).
• 1&1 IONOS: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service Provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR); Website: https://www.ionos.de; Privacy Policy: https://www.ionos.de/terms-gtc/terms-privacy; Data Processing Agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/. Basis for Third Country Transfers: Switzerland - Adequacy Decision (Germany).

Use of Cookies

Cookies are small text files or other storage notes that store and retrieve information on end devices. For example, to store the login status in a user account, the contents of a shopping cart in an e-shop, the accessed content, or used functions of an online offering. Cookies may also be used for various purposes, such as for functionality, security, and convenience of online offerings, as well as for generating visitor traffic analyses.

Consent Notes: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, unless it is not required by law. Specifically, consent is not necessary if storing and retrieving information, including cookies, is strictly necessary to provide the user with a telemedia service (i.e., our online offering) that they have explicitly requested. The revocable consent will be clearly communicated to users, including the information regarding the specific cookie usage.

Notes on Legal Grounds for Data Protection: The legal basis on which we process personal data using cookies depends on whether we ask for consent. If users accept, the legal basis for processing their data is the consent provided. Otherwise, data processed via cookies is handled based on our legitimate interests (e.g., in the business operation of our online offering and improving its usability), or if this is required for fulfilling our contractual obligations, when the use of cookies is necessary to meet our contractual obligations. We clarify the purposes for which cookies are used within this privacy policy or as part of our consent and processing processes.

Storage Duration: Regarding the storage duration, the following types of cookies are distinguished:

• Temporary Cookies (also: Session or Session Cookies): Temporary cookies are deleted after a user leaves the online offering and closes their device (e.g., browser or mobile application).
• Permanent Cookies: Permanent cookies remain stored even after the device is closed. For example, login status can be saved, and preferred content can be directly displayed when the user visits a website again. User data collected via cookies can also be used for reach measurement. Unless we provide specific information on the type and storage duration of cookies (e.g., during consent collection), users should assume that these are permanent and the storage duration can be up to two years.

General Notes on Withdrawal and Objection (Opt-out): Users can withdraw their consent at any time and also object to processing in accordance with legal requirements, including through the privacy settings of their browser.

• Processed Data Types: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons). Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions).
• Affected Persons: Users (e.g., website visitors, users of online services).
• Purposes of Processing: Provision of our online offering and user-friendliness.
• Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR). Consent (Art. 6(1) sentence 1 lit. a) GDPR).

Further Notes on Processing Activities, Procedures, and Services:

• Processing of Cookie Data Based on Consent: We use a consent management solution, where the consent of users is obtained for the use of cookies or the procedures and providers mentioned in the consent management solution. This process serves to collect, log, manage, and withdraw consent, particularly regarding the use of cookies and similar technologies that store, retrieve, and process information on users' end devices. As part of this process, users' consent is obtained for the use of cookies and the associated information processing, including the specific processes and providers mentioned in the consent management process. Users also have the option to manage and withdraw their consent. The consent statements are stored to avoid repeated queries and to prove consent according to legal requirements. The storage is done server-side and/or in a cookie (so-called opt-in cookie) or using comparable technologies to assign consent to

  Special Notes on Applications (Apps)

  We process the data of users of our application as far as necessary to provide the users with the application and its functionalities, to monitor its security, and to further develop it. We may also contact users in compliance with legal requirements if communication is necessary for the administration or use of the application. Otherwise, we refer to the privacy policy in this declaration regarding the processing of user data.

  Legal Grounds: The processing of data required for providing the functionalities of the application serves the fulfillment of contractual obligations. This also applies when the provision of functions requires user authorization (e.g., granting access to device functions). If processing data for providing the functionalities of the application is not necessary but serves the security of the application or our legitimate business interests (e.g., collecting data for the optimization of the application or security purposes), it is carried out based on our legitimate interests. If users are explicitly asked for consent to process their data, the processing of the data covered by the consent is carried out based on that consent.

  • Processed Data Types: Personal data (e.g., full name, residential address, contact information, customer number, etc.); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties); Image and/or video recordings (e.g., photographs or video recordings of a person); Location data (information on the geographic location of a device or person); Location history and movement profiles (collection of location data and positional changes over a period); Content data (e.g., textual or pictorial messages and posts as well as related information, such as authorship or creation time); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers). Contract data (e.g., contract subject, term, customer category).
  • Affected Persons: Users (e.g., website visitors, users of online services); Business and contract partners; Third parties; Communication partners. Recipients and clients.
  • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Security measures; Provision of our online offering and user-friendliness; Organizational and administrative procedures; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Business processes and commercial procedures; Communication; Reach measurement (e.g., access statistics, identification of returning visitors). Direct marketing (e.g., via email or postal mail).
  • Retention and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion".
  • Legal Grounds: Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR); Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR). Consent (Art. 6(1) sentence 1 lit. a) GDPR).

  Further Notes on Processing Activities, Procedures, and Services:

  • Storage of a Universal and Unique Identifier (UUID): The application stores a so-called universal and unique identifier (UUID) for purposes of analyzing the use and functionality of the application, as well as storing user settings. This identifier is generated during the installation of the application (but is not linked to the device, so no device identification in this sense), remains stored between application launches and updates, and is deleted when users remove the application from their device.
  • Device Permissions for Access to Features and Data: The use of our application or its functionalities may require users' permissions to access specific device functions or data stored on or accessible via the devices. By default, these permissions must be granted by the users and can be revoked at any time in the device settings. The exact procedure for controlling app permissions may depend on the user's device and software. If clarification is needed, users may contact us. Please note that denying or revoking the respective permissions may affect the functionality of our application.
  • Access to the Camera and Stored Recordings: As part of the use of our application, image and/or video recordings (including audio recordings) of the user (and other persons captured in the recordings) are processed by accessing the camera functions or stored recordings. Access to the camera functions or stored recordings requires a permission from the users that can be revoked at any time. The processing of image and/or video recordings is only for providing the respective functionality of our application as described to users or its typical and expected operation.
  • Processing of Stored Contacts: As part of using our application, the contact information stored in the device’s contact directory (name, email address, phone number) is processed. Using the contact information requires user permission, which can be revoked at any time. The contact information is used solely for providing the respective functionality of our application as described to users or its typical and expected operation. Users are informed that permission for processing contact information must be granted, and especially for natural persons, their consent or legal authorization is required.
  • Use of Contact Data for Contact Matching: The contact data stored in the device’s contact directory may be used to check if these contacts also use our application. For this purpose, the contact data of the respective contacts (including phone numbers, email addresses, and names) is uploaded to our server and used only for the purpose of matching.
  • Processing of Location Data: As part of using our application, location data collected by the device or otherwise entered by the users is processed. The use of location data requires user permission, which can be revoked at any time. The use of location data is solely for providing the respective functionality of our application as described to users or its typical and expected operation.
  • Location History and Movement Profiles: Based on the location data collected as part of using our application, a location history is created, showing the geographical movements of the devices used over a period (and potentially inferring a movement profile of the users). The location history is used only for providing the respective functionality of our application as described to users or its typical and expected operation.
  • Cloud Firestore: Storage and synchronization of data in real-time between clients and the cloud. Offline access to data. Support for complex queries, transactions, and automatic scaling. Data security through integrated security rules and authentication methods; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR); Website: https://firebase.google.com/products/storage; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
  • Cloud Storage for Firebase: Storing and retrieving user data, including files like images and videos. Synchronization of data across different devices. Managing access rights and security rules for files. Integration with other Firebase services to support app development; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR); Website: https://firebase.google.com/products/storage; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
  • Firebase Authentication: User authentication, account management, password reset, email/password login, login with third-party providers like Google or Facebook, multi-factor authentication, session management, and monitoring suspicious activities; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR); Website: https://firebase.google.com/products/auth; Privacy Policy: https://policies.google.com/privacy. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
  • Firebase Cloud Messaging: Sending cross-platform messages and notifications; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Website: https://firebase.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://firebase.google.com/terms/data-processing-terms. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
  • Firebase: Google Firebase is a platform for app developers (short "Apps") for mobile devices and websites. Google Firebase offers a variety of features for testing apps, monitoring their functionality, and optimizing them (as shown on the following overview page: https://firebase.google.com/products-build). These features include, among other things, the storage of apps including personal data of app users, such as content created by them or information about their interaction with the apps (so-called "cloud computing"). Google Firebase also provides interfaces that allow interaction between app users and other services, e.g., authentication via services like Facebook, Twitter, or an email/password combination; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Grounds: Consent (Art. 6(1) sentence 1 lit. a) GDPR); Website: https://firebase.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
  • AdMob: Platform for displaying advertising content in mobile applications; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Grounds: Consent (Art. 6(1) sentence 1 lit. a) GDPR); Website: https://admob.google.com/home/; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland). Further Information: Processing by Google as Controller: https://business.safety.google/adscontrollerterms/.
  • Google Analytics: We use Google Analytics to measure and analyze the usage of our online offerings based on a pseudonymous user identification number. This identification number does not contain any specific data such as names or email addresses. It is used to assign analysis information to an end device to recognize which content users have accessed within one or multiple sessions, what search terms they used, revisited, or interacted with our online offerings. Also, the time of usage, its duration, and the sources of users referring to our online offerings and

    Acquiring Applications via App Stores

    The acquisition of our application takes place through specific online platforms operated by other service providers, known as "app stores". In this context, in addition to our privacy policy, the privacy policies of the respective app stores apply. This is particularly relevant with regard to the procedures used on the platforms for reach measurement and interest-based marketing, as well as any costs involved.

    • Processed Data Types: Personal data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers); Contract data (e.g., contract subject, term, customer category); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties).
    • Affected Persons: Recipients and clients. Users (e.g., website visitors, users of online services).
    • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Marketing. Provision of our online offering and user-friendliness.
    • Retention and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion".
    • Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).

    Further Notes on Processing Activities, Procedures, and Services:

    • Apple App Store: App and software sales platform; Service Provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR); Website: https://www.apple.com/de/app-store/. Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.
    • Google Play: App and software sales platform; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR); Website: https://play.google.com/store/apps?hl=de; Privacy Policy: https://policies.google.com/privacy. Basis for Third-Country Transfers: Switzerland - Adequacy Decision (Ireland).

    Registration, Login, and User Account

    Users can create a user account. During registration, users are informed of the required mandatory fields, which are processed for the purpose of providing the user account based on the fulfillment of contractual obligations. The data processed includes, in particular, the login information (username, password, and email address).

    As part of using our registration and login features, as well as the use of the user account, we store the IP address and the time of the respective user action. This storage is done based on our legitimate interests, as well as those of the users in protecting against abuse and other unauthorized uses. This data is generally not shared with third parties unless required to assert our claims or there is a legal obligation to do so.

    Users may be informed via email about activities related to their user account, such as technical changes.

    • Processed Data Types: Personal data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or pictorial messages and posts as well as related information, such as authorship or creation time); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Log data (e.g., logfiles regarding logins or data retrievals or access times.).
    • Affected Persons: Users (e.g., website visitors, users of online services).
    • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Security measures; Organizational and administrative procedures. Provision of our online offering and user-friendliness.
    • Retention and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion". Deletion after termination.
    • Legal Grounds: Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).

    Further Notes on Processing Activities, Procedures, and Services:

    • Registration with Pseudonyms: Users may use pseudonyms instead of their real names as usernames; Legal Grounds: Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR).
    • User Profiles are Public: User profiles are publicly visible and accessible.
    • Deletion of Data After Termination: If users terminate their user account, their data regarding the user account will be deleted, subject to legal permission, obligations, or user consent; Legal Grounds: Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR).
    • No Retention Obligation for Data: It is the users' responsibility to back up their data before the contract ends upon termination. We are entitled to irreversibly delete all data stored during the contractual period; Legal Grounds: Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR).

    Community Features

    The community features we provide allow users to engage in conversations or exchanges with each other. Please note that the use of community features is only permitted in compliance with applicable laws, our terms and guidelines, and the rights of other users and third parties.

    • Processed Data Types: Personal data (e.g., full name, residential address, contact information, customer number, etc.). Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions).
    • Affected Persons: Users (e.g., website visitors, users of online services).
    • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Security measures. Provision of our online offering and user-friendliness.
    • Retention and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion".
    • Legal Grounds: Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).

    Further Notes on Processing Activities, Procedures, and Services:

    • User Contributions are Public: User-created posts and content are publicly visible and accessible; Legal Grounds: Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR).
    • Storage of Data for Security Purposes: User posts and other inputs are processed for community and conversation purposes and, subject to legal obligations or permissions, not shared with third parties. A disclosure obligation may arise, particularly in the case of unlawful posts, for the purpose of legal action. Please note that, in addition to the content of posts, their timestamp and users' IP addresses are stored. This is done to take appropriate measures to protect other users and the community; Legal Grounds: Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR).
    • Right to Delete Content and Information: Deleting posts, content, or information from users is permissible after a proper evaluation if there are concrete indications that they violate legal rules, our guidelines, or the rights of third parties; Legal Grounds: Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR).
    • Restricted Deletion of Conversation Contributions: Out of consideration for other users, conversation contributions from the user remain stored even after termination and account deletion, so that conversations, comments, advice, etc., between and among users do not lose or reverse their meaning. Usernames are deleted or pseudonymized if they were not pseudonyms. Users may request the complete deletion of conversation contributions at any time; Legal Grounds: Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR).
    • Protection of Personal Data: Users decide

      Single Sign-On Registration

      "Single Sign-On" or "Single Sign-On Registration or Authentication" refers to processes that allow users to log in to a provider of Single Sign-On services (e.g., a social network), including on our online offering, using a single account. The requirement for Single Sign-On authentication is that users are registered with the respective Single Sign-On provider and enter the necessary login details in the provided online form, or are already logged in with the Single Sign-On provider and confirm the Single Sign-On login via a button.

      The authentication occurs directly with the respective Single Sign-On provider. As part of such authentication, we receive a user ID with the information that the user is logged in under this user ID with the respective Single Sign-On provider and an ID that we cannot use for other purposes (called "User Handle"). Whether additional data is transmitted depends solely on the Single Sign-On method used, the chosen data releases during authentication, and also on which data users have made available in their privacy or other settings in their user account with the Single Sign-On provider. Depending on the Single Sign-On provider and the user's choices, this may include data such as the email address and username. The password entered in the Single Sign-On process at the Single Sign-On provider is neither visible to us nor stored by us.

      Users are advised to note that their stored details with us may automatically be synchronized with their user account with the Single Sign-On provider, but this is not always possible or actually occurs. For example, if users' email addresses change, they must manually update them in their user account with us.

      We may use the Single Sign-On login, if agreed with users, as part of or before contract fulfillment, provided users have been asked to process their data in accordance with their consent, and otherwise, we use it based on our legitimate interests and the users' interests in an effective and secure login system.

      If users decide not to use the linking of their user account with the Single Sign-On provider for the Single Sign-On process, they must unlink this connection within their user account with the Single Sign-On provider. If users wish to delete their data with us, they must cancel their registration with us.

      • Processed Data Types: Personal data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties).
      • Affected Persons: Users (e.g., website visitors, users of online services).
      • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Security measures; Login procedures. Provision of our online offering and user-friendliness.
      • Retention and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion". Deletion after termination.
      • Legal Grounds: Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).

      Further Notes on Processing Activities, Procedures, and Services:

      • Apple Single Sign-On: Authentication services for user logins, providing Single Sign-On features, managing identity information and application integrations; Service Provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR); Website: https://www.apple.com/de/. Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.
      • Google Single Sign-On: Authentication services for user logins, providing Single Sign-On features, managing identity information and application integrations; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR); Website: https://www.google.de; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland). Opt-Out Option: Settings for ad display: https://myadcenter.google.com/.
      • Firebase Authentication: User authentication, account management, password reset, email/password login, login with third-party providers like Google or Facebook, multi-factor authentication, session management, and monitoring suspicious activities; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR); Website: https://firebase.google.com/products/auth; Privacy Policy: https://policies.google.com/privacy. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).

      Contact and Inquiry Management

      When contacting us (e.g., via mail, contact form, email, phone, or social media), as well as in the context of existing user and business relationships, the details of the inquiring persons are processed to the extent necessary to respond to the contact inquiries and any requested actions.

      • Processed Data Types: Personal data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or image-based messages and posts, along with the information related to them, such as author details or creation date); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties).
      • Affected Persons: Communication partners. Users (e.g., website visitors, users of online services).
      • Purposes of Processing: Communication; Organizational and administrative procedures; Feedback (e.g., collecting feedback via online forms); Provision of our online offering and user-friendliness. Surveys and questionnaires (e.g., surveys with input options, multiple-choice questions).
      • Retention and Deletion: Deletion according to the details in the section "General Information on Data Storage and Deletion".
      • Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR). Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR).

      Further Notes on Processing Activities, Procedures, and Services:

      • Contact Form: When contacting us via our contact form, email, or other communication channels, we process the personal data provided to answer and address the specific inquiry. This generally includes details such as name, contact information, and any additional information provided to us that is necessary for appropriate handling. We use this data exclusively for the purpose of contact and communication; Legal Grounds: Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR), Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).
      • Jotform: Creation, publication, and integration of online forms, as well as data collection; Service Provider: Jotform Inc., 4 Embarcadero Center, Suite 78, San Francisco CA 9411 USA; Website: https://www.jotform.com/; Privacy Policy: https://www.jotform.com/privacy/; Data Processing Agreement: https://eu.jotform.com/gdpr-compliance/. Basis for Third-Country Transfers: EU/EEA - Standard Contractual Clauses (Provided by the service provider), Switzerland - Standard Contractual Clauses (Provided by the service provider).

      Chatbots and Chat Functions

      We offer online chats and chatbot functions as a communication option (together referred to as "chat services"). A chat refers to an online conversation conducted in real-time. A chatbot refers to software that answers users' questions or informs them via messages. When using our chat functions, we may process your personal data.

      If you use our chat services within an online platform, your identification number within the respective platform will also be stored. We may also collect information about which users interact with our chat services and when. Additionally, we store the content of your conversations through the chat services and log registration and consent processes to be able to prove them according to legal requirements.

      We inform users that the respective platform provider may find out when and if users communicate with our chat services, as well as technical details about the user's device and, depending on the device settings, also location data (so-called metadata), which may be collected for the purpose of optimizing the respective services and for security purposes. The platform providers may also use the metadata of the communication via chat services (e.g., the information about who communicated with whom) according to their policies, which we refer to for further information, for marketing purposes or to display targeted advertisements to users.

      If users consent to receive regular messages from a chatbot, they can always unsubscribe from these messages in the future. The chatbot will inform users how and with which terms they can unsubscribe. By unsubscribing from chatbot messages, users' data will be deleted from the recipient directory.

      We use the above-mentioned details to operate our chat services, for example, to address users personally, respond to their inquiries, transmit any requested content, and also to improve our chat services (e.g., to "teach" chatbots answers to frequently asked questions or identify unanswered inquiries).

      Notes on Legal Grounds: We use the chat services based on consent when we have previously obtained permission from users to process their data in the context of our chat services (this applies in cases where users are asked for consent, e.g., to allow a chatbot to send them regular messages). If we use chat services to respond to users' inquiries about our services or our company, this is done for contractual and pre-contractual communication. Otherwise, we use chat services based on our legitimate interests in optimizing the chat services, their cost-effectiveness, and enhancing the user experience.

      Revocation, Objection, and Deletion: You can revoke any consent given at any time or object to the processing of your data within our chat services.

      • Processed Data Types: Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or image-based messages and posts, along with the information related to them, such as author details or creation date); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties).
      • Affected Persons: Communication partners. Users (e.g., website visitors, users of online services).
      • Purposes of Processing: Communication. Provision of our online offering and user-friendliness.
      • Retention and Deletion: Deletion according to the details in the section "General Information on Data Storage and Deletion".
      • Legal Grounds: Consent (Art. 6(1) sentence 1 lit. a) GDPR); Contract fulfillment and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).

      Further Notes on Processing Activities, Procedures, and Services:

      • Firebase Cloud Messaging: Sending cross-platform messages and information; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Website: https://firebase.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://firebase.google.com/terms/data-processing-terms. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).

      Push Notifications

      With the consent of the users, we may send so-called "push notifications" to users. These are messages displayed on the screens, devices, or in browsers of users, even when our online service is not actively being used.

      To sign up for push notifications, users must confirm the request of their browser or device to receive the push notifications. This consent process is documented and stored. The storage is necessary to recognize whether users have agreed to receive push notifications and to be able to prove consent. For these purposes, a pseudonymous identifier of the browser (so-called "push token") or the device ID of an end device is stored.

      The push notifications may be necessary to fulfill contractual obligations (e.g., technical and organizational information relevant to the use of our online services) and otherwise, unless specifically mentioned below, are sent based on the users' consent. Users may change the reception of push notifications at any time using the notification settings of their respective browsers or end devices.

      • Processed Data Types: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties). Location data (information about the geographical location of a device or a person).
      • Affected Persons: Communication partners.
      • Purposes of Processing: Communication; Provision of our online offering and user-friendliness; Reach measurement (e.g., access statistics, recognition of returning visitors). Direct marketing (e.g., by email or mail).
      • Retention and Deletion: Deletion according to the details in the section "General Information on Data Storage and Deletion". Deletion after termination.
      • Legal Grounds: Consent (Art. 6(1) sentence 1 lit. a) GDPR). Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).

      Further Notes on Processing Activities, Procedures, and Services:

      • Push Notifications with Advertising Content: The push notifications we send may include advertising information. The advertising push notifications are processed based on users' consent. If the consent to receive advertising push notifications includes specific descriptions of their content, these descriptions are decisive for the users' consent. Otherwise, our newsletters contain information about our services and us; Legal Grounds: Consent (Art. 6(1) sentence 1 lit. a) GDPR).
      • Location-Based Sending of Push Notifications: The push notifications we send may be displayed based on the users' location, using the location data transmitted by the end device used; Legal Grounds: Consent (Art. 6(1) sentence 1 lit. a) GDPR).
      • Analysis and Success Measurement: We statistically analyze push notifications and can determine whether and when push notifications were displayed and clicked. This information is used to technically improve our push notifications based on technical data or the target audience and their retrieval behavior or retrieval times. This analysis also includes determining whether the push notifications are opened, when they are opened, and whether users interact with their content or buttons. While this information can be assigned to the individual push notification recipients for technical reasons, it is neither our intention nor, if applicable, that of the push notification service provider, to observe individual users. The evaluations are intended to help us recognize users' usage habits and adjust our push notifications accordingly or send different push notifications based on users' interests.
        
        The evaluation of push notifications and success measurement are carried out based on the users' explicit consent, which is granted when agreeing to receive push notifications. Users may object to the analysis and success measurement by unsubscribing from the push notifications. Unfortunately, a separate revocation of the analysis and success measurement is not possible; Legal Grounds: Consent (Art. 6(1) sentence 1 lit. a) GDPR).

      Cloud Services

      We use internet-accessible software services (so-called "cloud services," also referred to as "Software as a Service") provided on the servers of their providers for the storage and management of content (e.g., document storage and management, document sharing, and publishing content and information with certain recipients or to the public).

      In this context, personal data may be processed and stored on the servers of the providers, insofar as these are part of communication processes with us or are otherwise processed by us as outlined in this privacy statement. These data may include, in particular, master data and contact details of the users, data related to processes, contracts, other procedures, and their content. The providers of the cloud services also process usage data and metadata, which they use for security purposes and service optimization.

      If we use cloud services to provide forms or other documents and content for other users or publicly accessible websites, the providers may store cookies on users' devices for web analytics purposes or to remember users' settings (e.g., in the case of media control).

      • Processed Data Types: Master data (e.g., full name, address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or image-based messages and posts and the related information, such as author details or creation date); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties).
      • Affected Persons: Interested parties; Communication partners; Business and contractual partners; Users (e.g., website visitors, online service users). Third parties.
      • Purposes of Processing: Office and organizational procedures; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Organizational and administrative procedures. Business processes and economic procedures.
      • Retention and Deletion: Deletion according to the details in the section "General Information on Data Storage and Deletion".
      • Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).

      Further Notes on Processing Activities, Procedures, and Services:

      • Google Cloud Services: Cloud infrastructure services and cloud-based application software; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR); Website: https://cloud.google.com/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum; Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland). Further Information: https://cloud.google.com/privacy.
      • Cloud Firestore: Real-time data storage and synchronization between clients and the cloud. Offline data access. Support for complex queries, transactions, and automatic scaling. Data security through integrated security rules and authentication methods; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR); Website: https://firebase.google.com/products/storage; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
      • Cloud Storage for Firebase: Storing and retrieving user data, including files like images and videos. Synchronization of data across devices. Management of access rights and security rules for files. Integration with other Firebase services to support app development; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Grounds: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR); Website: https://firebase.google.com/products/storage; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).

      Newsletters and Electronic Notifications

      We send newsletters, emails, and other electronic notifications (hereinafter "newsletters") solely with the consent of the recipients or based on a legal basis. If the contents of the newsletter are specified during the sign-up process, these contents are crucial for the users' consent. For newsletter registration, providing your email address is usually sufficient. However, in order to offer you a personalized service, we may ask for your name for personalized addressing in the newsletter or further information if necessary for the purpose of the newsletter.

      Deletion and Restriction of Processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests, before deleting them, in order to demonstrate consent previously given. The processing of this data is limited to the purpose of potential defense against claims. A specific deletion request is always possible if the existence of prior consent is confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blacklist ("blocklist").

      The logging of the registration process is carried out based on our legitimate interests for the purpose of proving its proper completion. If we use a service provider to send emails, this is done based on our legitimate interests in an efficient and secure sending system.

      Contents:

      Information about us, our services, promotions, and offers.

      • Processed Data Types: Master data (e.g., full name, address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties). Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions).
      • Affected Persons: Communication partners. Users (e.g., website visitors, users of online services).
      • Purposes of Processing: Direct marketing (e.g., by email or mail). Provision of contractual services and fulfillment of contractual obligations.
      • Retention and Deletion: 3 years - Contractual claims (AT) (data required to consider potential warranty and compensation claims or similar contractual claims and rights, as well as to process related inquiries based on prior business experience and common industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 1478, 1480 ABGB)). 10 years - Contractual claims (CH) (data necessary to consider potential damage compensation claims or similar contractual claims and rights, as well as to process related inquiries, based on prior business experience and common industry practices, are stored for the statutory limitation period of ten years, unless a shorter period of 5 years applies, which is relevant in certain cases (Art. 127, 130 OR)).
      • Legal Grounds: Consent (Art. 6(1) sentence 1 lit. a) GDPR).
      • Objection (Opt-Out): You can unsubscribe from our newsletter at any time, i.e., revoke your consent or object to further reception. A link to unsubscribe from the newsletter can be found either at the end of each newsletter or you can use one of the contact options provided above, preferably by email, for this purpose.

      Further Notes on Processing Activities, Procedures, and Services:

      • Measurement of Open and Click Rates: The newsletters contain a so-called "web beacon," i.e., a pixel-sized file that is retrieved from our or its server when the newsletter is opened, if we use a mailing service provider. As part of this retrieval, technical information such as browser and system details, as well as your IP address and the time of the retrieval, is collected. This information is used to technically improve our newsletter based on the technical data or target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether and when the newsletters were opened and which links were clicked. The information is assigned to individual newsletter recipients and stored in their profiles until deletion. The evaluations serve to recognize the reading habits of our users and adapt our content to them or send different content based on the interests of our users. The measurement of open and click rates and the storage of the measurement results in the users' profiles, as well as their further processing, is carried out based on the users' consent. A separate revocation of success measurement is unfortunately not possible; in this case, the entire newsletter subscription must be canceled or opposed. In that case, the stored profile information will be deleted; Legal Grounds: Consent (Art. 6(1) sentence 1 lit. a) GDPR).
      • Condition for Access to Free Services: Consent to the sending of mailings may be made a condition for accessing free services (e.g., access to certain content or participation in certain promotions). If users wish to access the free service without subscribing to the newsletter, we ask them to contact us.
      • Sending via SMS: The electronic notifications can also be sent as SMS text messages (or are only sent via SMS if the sending permission, e.g., consent, only includes sending via SMS); Legal Grounds: Consent (Art. 6(1) sentence 1 lit. a) GDPR).

      Surveys and Questionnaires

      We conduct surveys and questionnaires to collect information for the respective communicated survey or questionnaire purpose. The surveys and questionnaires we conduct (hereinafter referred to as "surveys") are evaluated anonymously. The processing of personal data occurs only to the extent necessary to provide and technically conduct the surveys (e.g., processing the IP address to display the survey in the user's browser or using a cookie to allow resumption of the survey).

      • Processed Data Types: Master data (e.g., full name, home address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or visual messages and posts, as well as related information such as author and creation date). Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
      • Affected Persons: Participants.
      • Purpose of Processing: Feedback (e.g., collecting feedback via online forms). Surveys and questionnaires (e.g., surveys with input options, multiple-choice questions).
      • Storage and Deletion: Deletion according to the details in the section "General Information on Data Storage and Deletion".
      • Legal Basis: Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR).

      Further Notes on Processing Procedures, Methods, and Services:

      • Google Form: Creation and evaluation of online forms, surveys, feedback forms, etc.; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR); Website: https://www.google.de/intl/de/forms; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
      • SurveyMonkey: Conducting online surveys; Service Provider: SurveyMonkey Inc., 1 Curiosity Way, San Mateo, California 94403, USA; Legal Basis: Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR); Website: https://de.surveymonkey.com/; Privacy Policy: https://de.surveymonkey.com/mp/policy/privacy-policy/?ut_source=footer. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF).
      • Typeform: Creation of forms and surveys, and management of participant contributions; Service Provider: TYPEFORM SL, Carrer Bac de Roda, 163, local, 08018 - Barcelona, Spain; Legal Basis: Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR); Website: https://www.typeform.com/; Privacy Policy: https://admin.typeform.com/to/dwk6gt/; Data Processing Agreement: https://admin.typeform.com/to/dwk6gt/. Basis for Third-Country Transfers: Switzerland - Adequacy Decision (Spain).
      • Zoho Survey: Online surveys and questionnaires; Service Provider: Zoho Corporation GmbH, Trinkausstr. 7, 40213 Düsseldorf, Germany; Legal Basis: Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR); Website: https://www.zoho.com/de/survey/; Terms and Conditions: https://www.zoho.com/survey/; Privacy Policy: https://www.zoho.com/de/privacy.html?lb=de; Data Processing Agreement: https://www.zoho.com/gdpr.html. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Germany).

      Web Analytics, Monitoring, and Optimization

      Web analytics (also called "reach measurement") is used to evaluate visitor flows to our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With reach analysis, for example, we can determine when our online offering or its functions or contents are used most frequently or invite reuse. It also allows us to identify areas that need optimization.

      In addition to web analytics, we may also use testing procedures to test and optimize different versions of our online offering or its components.

      Unless otherwise stated below, profiles, i.e., data compiled into a usage event, may be created for these purposes, and information may be stored and then read in a browser or on a device. The collected information includes, in particular, visited websites and used elements, as well as technical details such as the browser used, the computer system used, and information about usage times. If users have consented to the collection of their location data, either directly with us or with the providers of the services we use, the processing of location data is also possible.

      Furthermore, the IP addresses of users are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear data about users (e.g., email addresses or names) is stored in the context of web analytics, A/B testing, and optimization, only pseudonyms. This means that neither we nor the providers of the software used know the actual identity of users, but only the data stored in their profiles for the respective procedures.

      Legal Basis Notes: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information about the use of cookies in this privacy policy.

      • Processed Data Types: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
      • Affected Persons: Users (e.g., website visitors, online service users).
      • Purpose of Processing: Reach measurement (e.g., access statistics, detection of returning visitors); profiles with user-related information (creating user profiles). Providing our online offering and user-friendliness.
      • Storage and Deletion: Deletion according to the details in the section "General Information on Data Storage and Deletion". Storing cookies for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years).
      • Security Measures: IP masking (pseudonymization of the IP address).
      • Legal Basis: Consent (Art. 6 (1) sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR).

      Further Notes on Processing Procedures, Methods, and Services:

      • Firebase: Google Firebase is a platform for developers of mobile applications (apps) and websites. Google Firebase provides a variety of features for testing apps, monitoring their functionality, and optimizing them (as shown on the overview page: https://firebase.google.com/products-build). The features include, among other things, storing apps including personal data of app users, such as content created by them or information about their interaction with the apps (known as "cloud computing"). Google Firebase also provides interfaces that allow interaction between app users and other services, such as authentication via services like Facebook, Twitter, or via an email-password combination; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6 (1) sentence 1 lit. a) GDPR); Website: https://firebase.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
      • Google Analytics: We use Google Analytics to measure and analyze the use of our online offering based on a pseudonymous user identification number. This identification number does not contain unique data such as names or email addresses. It is used to assign analysis information to an end device to determine which content users have accessed within one or more usage events, which search terms they used, revisited, or interacted with our online offering. The time of use, its duration, and the sources of users who refer to our online offering, as well as technical aspects of their end devices and browsers, are also stored.
        Pseudonymous user profiles with information from the use of different devices are created, and cookies may be used. Google Analytics does not log and store individual IP addresses for EU users. However, Google Analytics provides rough geographic location data by deriving the following metadata from IP addresses: city (and derived latitude and longitude), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is used solely for deriving geolocation data before being immediately deleted. They are not logged, are not accessible, and are not used for further purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6 (1) sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security Measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); Opt-Out Option: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad Display Settings: https://myadcenter.google.com/personalizationoff. Further Information: https://business.safety.google/adsservices/ (Types of processing and processed data).
      • Google Tag Manager: We use Google Tag Manager, a software from Google that allows us to centrally manage website tags via an interface. Tags are small code elements on our website that are used to capture and analyze visitor activities. This technology helps us improve our website and the content offered on it. Google Tag Manager itself does not create user profiles, does not store cookies with user profiles, and does not perform independent analyses. Its function is limited to simplifying and making the integration and management of the tools and services we use on our website more efficient. However, when using Google Tag Manager, the users' IP addresses are transmitted to Google, which is technically necessary to implement the services we use. Cookies may also be set. This data processing only occurs when services are integrated through the Tag Manager. For more precise information about these services and their data processing, we refer to the further sections of this privacy policy; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6 (1) sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement:
        https://business.safety.google/adsprocessorterms. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).

      Online Marketing

      We process personal data for the purpose of online marketing, which can particularly include the marketing of advertising space or the display of advertising and other content (referred to as "content") based on potential interests of users, as well as the measurement of their effectiveness.

      For these purposes, so-called user profiles are created and stored in a file (the so-called "cookie") or similar methods are used, through which relevant information about the user for the display of the aforementioned content is stored. This may include, for example, viewed content, visited websites, used online networks, but also communication partners and technical details such as the used browser, the computer system, as well as details on usage times and used features. If users have consented to the collection of their location data, these may also be processed.

      In addition, the IP addresses of the users are stored. However, we use available IP-masking methods (i.e., pseudonymization by truncating the IP address) for user protection. In general, no identifiable user data (such as email addresses or names) is stored as part of the online marketing process, but pseudonyms. This means that neither we nor the providers of the online marketing processes know the actual identity of the users, but only the information stored in their profiles.

      The data in the profiles are generally stored in cookies or similar methods. These cookies can later generally also be read on other websites that use the same online marketing process, analyzed for the purpose of displaying content, supplemented with other data, and stored on the server of the online marketing service provider.

      Exceptionally, it is possible to assign identifiable data to profiles, primarily when users are members of a social network whose online marketing process we use, and the network connects user profiles with the aforementioned information. Please note that users may enter into additional agreements with the providers, such as consenting during registration.

      We generally only have access to aggregated information about the success of our advertisements. However, we may check which of our online marketing processes led to a so-called conversion, i.e., for example, a contract conclusion with us. Conversion measurement is used solely for the success analysis of our marketing measures.

      Unless otherwise specified, please assume that the cookies used are stored for a period of two years.

      Legal Basis Notes: If we ask users for their consent to use third-party providers, the legal basis for data processing is the user's consent. Otherwise, the data of users is processed based on our legitimate interests (i.e., the interest in providing efficient, cost-effective, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

      Notes on Withdrawal and Objection:

      We refer to the privacy policies of the respective providers and the objection options provided by the providers (so-called "Opt-Out"). If no explicit Opt-Out option is provided, there is the option to disable cookies in your browser settings. However, this may limit the functionality of our online offering. We therefore also recommend the following Opt-Out options, which are offered collectively for the respective regions:

      a) Europe: https://www.youronlinechoices.eu.

      b) Canada: https://www.youradchoices.ca/choices.

      c) USA: https://www.aboutads.info/choices.

      d) Cross-region: https://optout.aboutads.info.

      • Processed Data Types: Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g. IP addresses, time stamps, identification numbers, involved individuals).
      • Data Subjects: Users (e.g. website visitors, users of online services).
      • Purposes of Processing: Reach measurement (e.g. access statistics, recognition of recurring visitors); Tracking (e.g. interest/behavior-based profiling, use of cookies); Audience targeting; Marketing; Profiles with user-related information (creating user profiles); Conversion measurement (measuring the effectiveness of marketing campaigns). Providing our online offer and user-friendliness.
      • Storage and Deletion: Deletion as stated in the section "General Information on Data Storage and Deletion". Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods can be stored for a period of two years on the devices of users).
      • Security Measures: IP masking (pseudonymization of the IP address).
      • Legal Grounds: Consent (Art. 6 (1) S. 1 lit. a) DSGVO). Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO).

      Additional Notes on Processing, Procedures, and Services:

      • Google Ad Manager: We use the service "Google Ad Manager" to place ads in the Google advertising network (e.g., in search results, in videos, on websites, etc.). The Google Ad Manager is characterized by displaying ads in real-time based on presumed interests of users. This allows us to display ads for our online offering to users who may have a potential interest in our offer or have shown interest before, and to measure the success of the ads; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Grounds: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); More Information: Types of processing and processed data: https://business.safety.google/adsservices/; Data processing conditions for Google advertising products: Information on the services, data processing conditions between controllers and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms. If Google acts as a data processor, data processing conditions for Google advertising products and standard contractual clauses for third-country transfers of data: https://business.safety.google/adsprocessorterms.
      • AdMob: Platform for displaying advertising content in mobile applications; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Grounds: Consent (Art. 6 (1) S. 1 lit. a) DSGVO); Website: https://admob.google.com/home/; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland). More Information: Processing by Google as a controller: https://business.safety.google/adscontrollerterms/.
      • Google Ads and Conversion Measurement: Online marketing procedure for the purpose of placing content and ads within the advertising network of the service provider (e.g., in search results, in videos, on websites, etc.), so that they are displayed to users who are presumed to have an interest in the ads. Furthermore, we measure the conversion of the ads, i.e., whether users interacted with the ads and used the advertised offers (so-called conversions). However, we only receive anonymous information and no personal data about individual users; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Grounds: Consent (Art. 6 (1) S. 1 lit. a) DSGVO), Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); More Information: Types of processing and processed data: https://business.safety.google/adsservices/. Data processing conditions between controllers and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.

      Customer Reviews and Rating Procedures

      We participate in review and rating procedures to evaluate, optimize, and promote our services. When users rate us through the involved review platforms or procedures or provide feedback in other ways, the general terms and conditions and privacy notices of the providers also apply. Typically, rating also requires registration with the respective providers.

      To ensure that the reviewing individuals have actually used our services, we transmit, with the consent of the customers, the required data regarding the customer and the service used to the respective review platform (including name, email address, and order number or item number). This data is used solely for verifying the authenticity of the user.

      • Processed Data Types: Contract data (e.g., contract subject, duration, customer category); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, involved individuals).
      • Affected Persons: Service recipients and clients. Users (e.g., website visitors, users of online services).
      • Purposes of Processing: Feedback (e.g., collecting feedback via online form). Marketing.
      • Legal Grounds: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO).

      Additional Notes on Processing, Procedures, and Services:

      • Review Widget: We integrate "review widgets" into our online offering. A widget is a functional and content element embedded in our online offering that displays variable information. It can be displayed, for example, as a seal or a similar element, sometimes also referred to as a "badge." While the corresponding content of the widget is displayed within our online offering, it is fetched from the servers of the respective widget provider at that moment. This is the only way to always display the current content, especially the latest review. A data connection must be established from the webpage called within our online offering to the widget provider's server, and the widget provider receives certain technical data (access data, including IP address) required for delivering the widget content to the user's browser. Furthermore, the widget provider receives information about the user's visit to our online offer. This information may be stored in a cookie and used by the widget provider to identify which online offers participating in the review procedure the user has visited. The information may be stored in a user profile and used for advertising or market research purposes; Legal Grounds: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO).
      • Google Customer Reviews: Service for collecting and/or displaying customer satisfaction and opinions; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Grounds: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO); Website: https://www.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland); More Information: As part of the customer review collection, an identification number and the time of the business transaction to be reviewed, along with the email address of the customer and their country of residence, as well as the review details themselves, are processed; further details on the types of processing and the processed data: https://business.safety.google/adsservices/. Data processing conditions for Google advertising products: Information on the services, data processing conditions between controllers, and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.

      Presences on Social Networks (Social Media)

      We maintain online presences within social networks and process user data within this context to communicate with users active there or offer information about us.

      We would like to point out that user data may be processed outside the European Union. This may present risks to users, for example, because the enforcement of user rights could be more difficult.

      Furthermore, user data is typically processed within social networks for market research and advertising purposes. For example, based on usage behavior and resulting user interests, usage profiles may be created. These profiles may then be used to display advertisements within and outside of the networks, which are presumed to align with the users' interests. As a result, cookies are typically stored on users' devices, which store usage behavior and user interests. Additionally, data may be stored in the usage profiles regardless of the devices used by the users (especially if they are members of the respective platforms and logged in there).

      For a detailed presentation of the respective processing forms and the opt-out options, we refer to the privacy statements and information provided by the operators of the respective networks.

      Even in the case of requests for information and the assertion of data subject rights, we would like to point out that these can be most effectively asserted with the providers. Only they have access to the user data and can take the appropriate actions and provide information directly. However, if you need assistance, you can contact us.

      • Processed Data Types: Contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or visual messages and posts, as well as related information such as authorship or creation time). Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
      • Affected Persons: Users (e.g., website visitors, online service users).
      • Purposes of Processing: Communication; feedback (e.g., collecting feedback via online form). Public relations.
      • Storage and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion".
      • Legal Basis: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO).

      Further Notes on Processing, Procedures, and Services:

      • Instagram: Social network, enables sharing of photos and videos, commenting and favoriting posts, sending messages, subscribing to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
      • Facebook Pages: Profiles within the Facebook social network - We are jointly responsible with Meta Platforms Ireland Limited for collecting (but not further processing) data from visitors to our Facebook page (so-called "fanpage"). This data includes information about the types of content users view or interact with, or actions they take (see "Things You and Others Do and Provide" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices users use (e.g., IP addresses, operating system, browser type, language settings, cookie data; see "Device Information" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under "How Do We Use This Information?", Facebook collects and uses information to provide analysis services, so-called "Page Insights," to page operators so they can gain insights into how people interact with their pages and content connected to them. We have entered into a special agreement with Facebook ("Information About Page Insights," https://www.facebook.com/legal/terms/page_controller_addendum), which specifically regulates what security measures Facebook must adhere to, and in which Facebook has agreed to fulfill data subject rights (i.e., users can directly send requests for information or deletion to Facebook). The rights of users (especially the right to access, deletion, objection, and complaint to the competent supervisory authority) are not limited by the agreements with Facebook. For more information, see the "Information About Page Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is solely the responsibility of Meta Platforms Ireland Limited, especially with regard to the transmission of data to the parent company Meta Platforms, Inc. in the USA; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
      • Facebook Groups: We use the "Groups" feature of the Facebook platform to create interest groups where Facebook users can interact with each other or with us and exchange information. In doing so, we process personal data of the users of our groups to the extent necessary for the use of the group and its moderation. Our policies within the groups may include further provisions and information regarding the use of the respective group. This data includes information about first and last names, as well as published or privately shared content, as well as values related to group membership status or group-related activities, such as joining or leaving the group, as well as the time stamps for the aforementioned data. We also refer to the processing of user data by Facebook itself. This data includes information about the types of content users view or interact with, or actions they take (see "Things You and Others Do and Provide" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by the users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see "Device Information" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under "How Do We Use This Information?", Facebook also collects and uses information to provide analytics services, so-called "Insights," for group administrators to gain insights into how people interact with their groups and the content connected to them; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
      • Facebook Events: Event profiles within the Facebook social network - We use the "Events" feature of the Facebook platform to promote events and dates, and to interact with users (participants and interested parties) and exchange information. In doing so, we process personal data of the users of our event pages to the extent necessary for the purpose of the event page and its moderation. This data includes information about first and last names, as well as published or privately shared content, as well as values related to participation status and time stamps for the aforementioned data. We also refer to the processing of user data by Facebook itself. This data includes information about the types of content users view or interact with, or actions they take (see "Things You and Others Do and Provide" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by the users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see "Device Information" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under "How Do We Use This Information?", Facebook also collects and uses information to provide analytics services, so-called "Insights," for event organizers to gain insights into how people interact with their event pages and the content connected to them; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).

      Plug-ins and Embedded Features and Content

      We integrate functional and content elements into our online offering that are sourced from the servers of their respective providers (hereinafter referred to as "third parties"). These may include, for example, graphics, videos, or maps (collectively referred to as "content").

      Embedding always requires the third-party providers of this content to process the users' IP address, as they could not send the content to their browser without the IP address. The IP address is thus necessary for the display of these contents or functions. We strive to use only those contents whose respective providers apply the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also called "web beacons") for statistical or marketing purposes. Through the "pixel tags," information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and the operating system, referring websites, visit times, and other usage details of our online offer, but can also be combined with such information from other sources.

      Notes on Legal Basis: If we ask users for their consent to use third-party providers, the legal basis for data processing is the permission granted. Otherwise, user data will be processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to refer you to the information regarding the use of cookies in this privacy policy.

      • Processed Data Types: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, involved persons). Location data (information about the geographic position of a device or person).
      • Affected Persons: Users (e.g., website visitors, online service users).
      • Purposes of Processing: Providing our online offerings and user-friendliness; providing contractual services and fulfilling contractual obligations; marketing. Profiles with user-related information (creating user profiles).
      • Storage and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion". Cookies can be stored for up to 2 years (unless otherwise specified, cookies and similar storage methods can be stored on users' devices for a period of up to two years).
      • Legal Basis: Consent (Art. 6 (1) S. 1 lit. a) DSGVO). Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO).

      Further Notes on Processing Procedures, Methods, and Services:

      • Incorporation of Third-Party Software, Scripts, or Frameworks (e.g., jQuery): We integrate software into our online offering, which we retrieve from servers of other providers (e.g., functional libraries we use for displaying or enhancing the user-friendliness of our online offering). The respective providers collect the users' IP addresses and may process them for the purpose of delivering the software to the users' browsers, as well as for security purposes and for evaluating and optimizing their services. Legal Basis: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO).
      • Google Fonts (Hosting on Own Server): Provision of font files for user-friendly display of our online offering; Service provider: Google Fonts are hosted on our server, no data is transmitted to Google; Legal Basis: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO).
      • Google Fonts (Fetched from Google Server): Fetching fonts (and symbols) for the purpose of secure, maintenance-free, and efficient use of fonts and symbols regarding updates, loading times, uniform presentation, and considering potential copyright restrictions. The font provider is notified of the user's IP address to enable the fonts to be displayed in the user's browser. Additionally, technical data (language settings, screen resolution, operating system, used hardware) are transmitted, which are necessary to provide the fonts based on the devices and technical environment used. These data may be processed on a server of the font provider in the USA. When visiting our online offering, users' browsers send HTTP requests to the Google Fonts Web API (i.e., a software interface for fetching the fonts). The Google Fonts Web API provides the users with the cascading style sheets (CSS) from Google Fonts, and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user-agent, which describes the browser and operating system versions of the website visitors, as well as the referrer URL (i.e., the website where the Google font should be displayed). IP addresses are not logged or stored on Google servers and are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user-agent, and referrer URL). Access to these data is restricted and strictly controlled. The requested URL identifies the font families the user wants to load. These data are logged to allow Google to determine how often a specific font family is requested. In the Google Fonts Web API, the user-agent is used to adjust the font generated for the respective browser type. The user-agent is primarily logged for debugging purposes and used to generate aggregated usage statistics, which measure the popularity of font families. These aggregated usage statistics are published on the "Analytics" page of Google Fonts. Finally, the referrer URL is logged so that the data can be used for production maintenance and to generate an aggregated report on the top integrations based on the number of font requests. Google states that it does not use any of the information collected by Google Fonts to create profiles of end users or to serve targeted ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO); Website: https://fonts.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland). Further Information: https://developers.google.com/fonts/faq/privacy?hl=de.
      • Font Awesome (Hosting on Own Server): Display of fonts and icons; Service provider: Font Awesome icons are hosted on our server, no data is transmitted to Font Awesome provider; Legal Basis: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO).
      • Google Maps: We integrate maps from the "Google Maps" service provider. The processed data may include IP addresses and location data of users; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Basis: Consent (Art. 6 (1) S. 1 lit. a) DSGVO); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
      • Google Maps APIs and SDKs: Interfaces to Google's map and location services, which allow, for example, address input, location determination, distance calculations, or providing additional information about locations and other places; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Basis: Consent (Art. 6 (1) S. 1 lit. a) DSGVO); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).
      • Instagram Plugins and Content: Instagram plugins and content - This may include content such as images, videos, or texts and buttons with which users can share content of this online offering within Instagram. - We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt of "event data" within an integration (but not further processing) of data collected or received through functions of Instagram (e.g., embedding content), executed on our online offering, for the following purposes: a) Displaying content and advertising information that matches the users' potential interests; b) Sending commercial and transaction-related messages (e.g., contacting users via Facebook Messenger); c) Improving ad delivery and personalizing features and content (e.g., improving recognition of which content or advertising information likely matches users' interests). We have entered into a special agreement with Facebook ("Addendum for Controllers", https://www.facebook.com/legal/controller_addendum), which specifically regulates what security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to fulfill data subject rights (i.e., users can directly send requests for information or deletion to Facebook). Note: When Facebook provides us with metrics, analytics, and reports (which are aggregated, i.e., they do not contain individual user information and are anonymous for us), this processing does not occur within the framework of joint responsibility but is based on a data processing agreement ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing), "Data Security Terms" (https://www.facebook.com/legal/terms/data_security_terms) and with regard to processing in the USA based on Standard Contractual Clauses ("Facebook EU Data Transfer Addendum," https://www.facebook.com/legal/EU_data_transfer_addendum). The rights of users (especially the rights to access, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for Third-Country Transfers: Switzerland - Adequacy Decision (Ireland).
      • reCAPTCHA: We integrate the "reCAPTCHA" feature to identify whether inputs (e.g., in online forms) are made by humans and not by automatically acting machines (so-called "bots"). Processed data may include IP addresses, information about operating systems, devices, or browsers used, language settings, location, mouse movements, keyboard strokes, dwell time on websites, previously visited websites, interactions with reCAPTCHA on other websites, potentially cookies, as well as results from manual recognition processes (e.g., answering questions or selecting objects in images). Data processing is based on our legitimate interest in protecting our online offering from abusive automated crawling and spam; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO); Website: https://www.google.com/recaptcha/; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland). Opt-Out Option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad display settings: https://myadcenter.google.com/personalizationoff.

      Management, Organization, and Tools

      We use services, platforms, and software from other providers (hereinafter referred to as "third parties") for purposes of organization, management, planning, and providing our services. When selecting third-party providers and their services, we comply with legal requirements.

      In this context, personal data may be processed and stored on the servers of the third-party providers. This may involve various data that we process according to this privacy policy. These data may include, in particular, master data and contact data of users, data related to transactions, contracts, other processes, and their content.

      If users are referred to third-party providers or their software or platforms during communication, business, or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization, or marketing purposes. We therefore ask you to review the privacy notices of the respective third-party providers.

      • Processed Data Types: Content data (e.g., textual or visual messages and posts, as well as related information such as author and time of creation); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
      • Affected Persons: Communication partners; users (e.g., website visitors, online service users). Service recipients and clients.
      • Purposes of Processing: Providing contractual services and fulfilling contractual obligations; office and organizational procedures. Providing our online offering and user-friendliness.
      • Storage and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion."
      • Legal Basis: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO).

      Further Notes on Processing Procedures, Methods, and Services:

      • Google Translate: Translation of content and inputs into other languages; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate interests (Art. 6 (1) S. 1 lit. f) DSGVO); Website: https://translate.google.com/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for Third-Country Transfers: EU/EEA - Data Privacy Framework (DPF), Switzerland - Adequacy Decision (Ireland).

      Changes and Updates

      We ask you to regularly check the contents of our privacy policy. We will adjust the privacy policy as soon as changes to the data processing we carry out require it. We will inform you when changes require your participation (e.g., consent) or other individual notification.

      If we provide addresses and contact information for companies and organizations in this privacy policy, please note that the addresses may change over time, and we ask you to verify the details before making contact.

      Definitions

      This section provides an overview of the terms used in this privacy policy. Where the terms are legally defined, their legal definitions apply. The following explanations are mainly intended to aid understanding.

      • Master Data: Master data includes essential information needed for the identification and management of contractual partners, user accounts, profiles, and similar assignments. These data may include personal and demographic details such as names, contact information (addresses, phone numbers, email addresses), birthdates, and specific identifiers (user IDs). Master data forms the foundation for any formal interaction between individuals and services, institutions, or systems, enabling unique assignment and communication.
      • Content Data: Content data includes information generated during the creation, editing, and publishing of all types of content. This category can include texts, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the actual content but also includes metadata providing information about the content itself, such as tags, descriptions, author information, and publication dates.
      • Contact Data: Contact data is essential information that enables communication with individuals or organizations. It includes, among other things, phone numbers, postal addresses, and email addresses, as well as communication tools like social media handles and instant messaging identifiers.
      • Conversion Measurement: Conversion measurement (also called "visit action evaluation") is a process used to determine the effectiveness of marketing measures. A cookie is typically stored on users' devices within the websites where marketing measures occur, and is then retrieved on the target website. For example, we can track whether the ads we placed on other websites were successful.
      • Meta, Communication, and Procedural Data: Meta, communication, and procedural data are categories that contain information about how data is processed, transmitted, and managed. Metadata, also known as data about data, includes information describing the context, origin, and structure of other data. It can include details such as file size, creation date, the author of a document, and modification histories. Communication data captures the exchange of information between users via different channels, such as email traffic, call logs, social network messages, and chat histories, including involved persons, timestamps, and transmission paths. Procedural data describes processes and workflows within systems or organizations, including workflow documentation, transaction and activity logs, and audit logs used to track and verify processes.
      • Usage Data: Usage data refers to information capturing how users interact with digital products, services, or platforms. These data include a wide range of information showing how users use applications, what features they prefer, how long they stay on specific pages, and the paths they navigate through an application. Usage data may also include frequency of use, activity timestamps, IP addresses, device information, and location data. They are particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. Furthermore, usage data plays a crucial role in detecting trends, preferences, and potential issues within digital offerings.
      • Personal Data: "Personal data" refers to all information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
      • Profiles with User-Related Information: The processing of "profiles with user-related information," or simply "profiles," involves any automated processing of personal data where such data is used to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may involve various information related to demographics, behavior, and interests, such as interactions with websites and their content, etc.). Profiling often uses cookies and web beacons.
      • Log Data: Log data refers to information about events or activities that have been recorded in a system or network. These data typically include details such as timestamps, IP addresses, user actions, error messages, and other information related to the use or operation of a system. Log data is often used for analyzing system issues, monitoring security, or generating performance reports.
      • Reach Measurement: Reach measurement (also called web analytics) is used to evaluate the visitor flows of an online offering and can include the behavior or interests of visitors regarding specific information, such as website content. With reach analysis, operators of online offerings can, for example, identify when users visit their websites and which content they are interested in. This enables them to better tailor the content of the websites to the needs of their visitors. Pseudonymous cookies and web beacons are often used for reach analysis, allowing repeated visitors to be recognized and providing more accurate analysis of the usage of an online offering.
      • Location Data: Location data is generated when a mobile device (or any device with location-determining capabilities) connects to a cell tower, Wi-Fi, or similar technical means and location functions. Location data indicates the geographical position of the device on the earth's surface. Location data can be used, for example, to display map functions or other location-dependent information.
      • Location History and Movement Profiles: Location history (also called "movement profile") refers to the collection of location data over a period of time. The location history allows conclusions to be drawn about the geographic movements (i.e., position changes) of devices or their users.
      • Tracking: Tracking refers to the ability to track users' behavior across multiple online offerings. Typically, behavior and interest information regarding the online offerings used is stored in cookies or on the servers of the tracking technology providers (known as profiling). This information can then be used, for example, to display ads to users that are likely to match their interests.
      • Data Controller: The "data controller" is the natural or legal person, authority, organization, or other entity that alone or jointly determines the purposes and means of processing personal data.
      • Processing: "Processing" refers to any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and includes virtually any handling of data, including collecting, evaluating, storing, transmitting, or deleting.
      • Contract Data: Contract data are specific information related to the formalization of an agreement between two or more parties. They document the terms under which services or products are provided, exchanged, or sold. This category of data is essential for managing and fulfilling contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include the start and end dates of the contract, the type of agreed services or products, price agreements, payment terms, termination rights, extension options, and specific conditions or clauses. They serve as the legal foundation for the relationship between the parties and are crucial for clarifying rights and obligations, enforcing claims, and resolving disputes.
      • Payment Data: Payment data includes all information needed to process payment transactions between buyers and sellers. These data are essential for e-commerce, online banking, and other forms of financial transactions. They include details such as credit card numbers, bank account information, payment amounts, transaction data, verification numbers, and billing information. Payment data may also include information about payment status, chargebacks, authorizations, and fees.
      • Audience Building: Audience building (English: "Custom Audiences") refers to identifying target audiences for advertising purposes, e.g., displaying advertisements. For example, based on a user's interest in specific products or topics on the internet, it can be inferred that this user is interested in advertisements for similar products or the online shop where they viewed the products. "Lookalike Audiences" refers to users who are displayed content believed to be of interest based on profiles or interests likely matching those to which the profiles were created. Cookies and web beacons are generally used for custom and lookalike audience building.