PRIVACY POLICY
The directory of processing activities includes a collection of general information relevant to all the processing procedures described below, as well as specific details about the individual processing operations in which personal data (hereinafter also referred to as “data”) are processed. This structure serves to maintain clarity and provide precise information. The general information explains the basic principles and guidelines applicable to all processing activities, such as compliance with data protection principles, the legal bases for data processing, and the handling of the rights of the affected individuals. The specific part of the directory provides detailed information about the individual processing operations, including the purpose of data processing, the categories of affected data, the recipients of the data, and, if applicable, the transfer of data to third countries. This directory serves as a central document to ensure the transparency and traceability of data processing and is an essential element in fulfilling documentation obligations under the General Data Protection Regulation (GDPR).
PREAMBLE
With the following privacy policy, we would like to inform you about the types of personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent. This privacy policy applies to all our processing of personal data, both in the context of providing our services and specifically on our websites, in mobile applications, and within external online presences such as our social media profiles (hereinafter collectively referred to as “online offerings”).
The terms used are non-gender-specific.
As of: April 28, 2024
TABLE OF CONTENTS
• Preamble
• Responsible party
• Overview of processing
• Relevant legal bases
• Security measures
• Transfer of personal data
• International data transfers
• General information on data storage and deletion
• Rights of the data subjects
• Provision of the online offering and web hosting
• Use of cookies
• Contact and inquiry management
• Changes and updates
• Definitions of terms
RESPONSIBLE PARTY
First name, Last name / Company
Street, House number
Postal code, City, Country
Email address: firstname.lastname@exampledomain.eu
OVERVIEW OF PROCESSING
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the affected individuals.
Types of processed data
• Inventory data
• Contact data
• Content data
• Usage data
• Meta, communication, and procedural data
• Log data
Categories of affected individuals
• Communication partners
• Users
Purposes of processing
• Communication
• Security measures
• Organizational and administrative procedures
• Feedback
• Provision of our online offering and user-friendliness
• IT infrastructure
RELEVANT LEGAL BASES
Relevant legal bases under the GDPR: Below is an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations in your or our country of residence may apply. If specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.
Consent (Art. 6 (1) Sentence 1 lit. a) GDPR)
The data subject has given consent to the processing of their personal data for one or more specific purposes.
Contract fulfillment and pre-contractual inquiries (Art. 6 (1) Sentence 1 lit. b) GDPR)
The processing is necessary for the fulfillment of a contract to which the data subject is a party, or to carry out pre-contractual measures taken at the request of the data subject.
Legitimate interests (Art. 6 (1) Sentence 1 lit. f) GDPR)
The processing is necessary for the protection of the legitimate interests of the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject, which require protection of personal data, do not override these interests.
National data protection regulations in Germany
In addition to the GDPR, national data protection regulations apply in Germany, particularly the Federal Data Protection Act (BDSG). The BDSG contains specific provisions on the right to access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, data transfer, and automated decision-making including profiling. Furthermore, state-specific data protection laws from individual federal states may apply.
Notice on the applicability of the GDPR and the Swiss DPA
This privacy notice is intended to inform you according to both the Swiss Federal Data Protection Act (Swiss DPA) and the General Data Protection Regulation (GDPR). Therefore, please note that due to broader territorial application and comprehensibility, the terms used in the GDPR are adopted. Specifically, instead of the terms used in the Swiss DPA, such as “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data,” the terms used in the GDPR such as “processing” of “personal data,” “legitimate interest,” and “special categories of data” are used. However, the legal meaning of these terms continues to be determined according to the Swiss DPA under its applicability.
SECURITY MEASURES
We implement appropriate technical and organizational measures, considering the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying probabilities and extent of the threats to the rights and freedoms of natural persons, to ensure an adequate level of protection.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data through controlling physical and electronic access to the data as well as access, input, transmission, availability protection, and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data, and responses to data threats. We also consider data protection already during the development or selection of hardware, software, and processes, in line with the principle of data protection by design and by default.
Securing online connections using TLS/SSL encryption technology (HTTPS):
To protect user data transmitted through our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt information transferred between the website or app and the user’s browser (or between two servers), thus protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transfers meet the highest security standards. When a website is secured with an SSL/TLS certificate, this is indicated by HTTPS in the URL. This serves as an indicator to users that their data is transmitted securely and in encrypted form.
TRANSMISSION OF PERSONAL DATA
In the course of processing personal data, it may be necessary to transfer or disclose these data to other entities, companies, legally independent organizational units, or persons. Recipients of these data can include, for example, service providers assigned IT tasks or providers of services and content integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of the data to ensure the protection of your data.
INTERNATIONAL DATA TRANSFERS
Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU) and the European Economic Area (EEA)), or if the processing takes place as part of the use of third-party services or the disclosure or transfer of data to other persons, entities, or companies, this will only occur in accordance with the legal requirements. If the level of data protection in the third country has been recognized through an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers will only occur if the level of data protection is ensured by other means, such as standard contractual clauses (Art. 46 (2) lit. c) GDPR), explicit consent, or in the case of contractual or legally required transmission (Art. 49 (1) GDPR). We will inform you of the basis for third-country data transfers with individual third-party providers, with adequacy decisions taking precedence. Information on third-country transfers and existing adequacy decisions can be found in the EU Commission’s information offer: EU Commission Data Protection.
EU-US Trans-Atlantic Data Privacy Framework:
Under the “Data Privacy Framework” (DPF), the EU Commission has recognized the data protection level for certain companies in the USA through an adequacy decision dated July 10, 2023. The list of certified companies and further information about the DPF can be found on the U.S. Department of Commerce website: Data Privacy Framework (in English). We inform you in our privacy notice which service providers we use are certified under the Data Privacy Framework.
GENERAL INFORMATION ON DATA STORAGE AND DELETION
We delete personal data that we process in accordance with legal requirements once the underlying consents are revoked or when no further legal grounds for processing exist. This applies in cases where the original processing purpose no longer applies or the data is no longer needed. Exceptions to this rule exist if legal obligations or special interests require the retention or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal prosecution or the protection of the rights of other natural or legal persons must be archived accordingly.
Our privacy notices contain additional information regarding the retention and deletion of data, specifically for certain processing procedures.
If multiple retention or deletion periods are given for a piece of data, the longest period applies.
If a period does not explicitly begin on a specific date and is at least one year, it automatically begins at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships in which data is stored, the triggering event is the effective date of termination or other ending of the legal relationship.
Data that is no longer needed for its original purpose but is retained due to legal requirements or other reasons is processed solely for the reasons justifying its retention.
RIGHTS OF DATA SUBJECTS
Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, specifically from Articles 15 to 21:
Right to object:
You have the right to object at any time to the processing of your personal data based on Art. 6 (1) lit. e or f GDPR, for reasons relating to your particular situation. This also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes, including profiling related to direct marketing.
Right to withdraw consent:
You have the right to withdraw any consent you have given at any time.
Right to access:
You have the right to request confirmation as to whether personal data concerning you are being processed, and to request access to this data, along with further information and a copy of the data as required by law.
Right to rectification:
You have the right to request the completion of your personal data or the correction of inaccurate personal data.
Right to deletion and restriction of processing:
You have the right, under the legal provisions, to request the immediate deletion of your personal data or, alternatively, to request the restriction of processing your data.
Right to data portability:
You have the right to receive personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to request its transfer to another controller.
Right to lodge a complaint with a supervisory authority:
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or the place of the alleged infringement if you believe that the processing of your personal data violates the GDPR.
PROVISION OF ONLINE SERVICES AND WEB HOSTING
We process user data to provide our online services. To this end, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.
Processed Data Types: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta-, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, involved individuals); Log data (e.g., logfiles related to logins or data retrievals or access times).
Affected Individuals: Users (e.g., website visitors, online service users).
Purposes of Processing: Providing our online services and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices, such as computers, servers, etc.); Security measures.
Legal Basis: Legitimate interests (Art. 6 Para. 1 Sentence 1 lit. f) GDPR).
Further information on processing operations, procedures, and services:
Provision of online services on rented storage space: For the provision of our online services, we use storage space, computing power, and software that we rent or obtain from a server provider (also called a “web host”). Legal basis: Legitimate interests (Art. 6 Para. 1 Sentence 1 lit. f) GDPR).
Collection of access data and logfiles: Access to our online services is logged in the form of “server logfiles.” Server logfiles may include the address and name of the retrieved websites and files, date and time of retrieval, transferred data volumes, successful retrieval message, browser type and version, operating system used by the user, referrer URL (previously visited page), and in most cases, IP addresses and the requesting provider. Server logfiles may be used for security purposes, e.g., to prevent server overload (especially in the case of malicious attacks, such as DDoS attacks), and to ensure server load and stability. Legal basis: Legitimate interests (Art. 6 Para. 1 Sentence 1 lit. f) GDPR). Data retention: Logfile information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidence purposes is exempt from deletion until the matter is fully clarified.
USE OF COOKIES
Cookies are small text files or other storage notes that store and read information on devices, for example to store the login status in a user account, the shopping cart content in an e-shop, the content accessed, or the functions used on an online service. Cookies can also be used for various purposes such as functionality, security, and comfort of online services as well as for analyzing visitor flows.
Consent Notes: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users unless it is not required by law. Specifically, consent is not required when storing and reading information, including cookies, is absolutely necessary to provide a telemedia service explicitly requested by the user (i.e., our online service). The revocable consent will be clearly communicated to users and includes information about the respective cookie usage.
Data Processing Legal Bases: The legal basis for processing users’ personal data using cookies depends on whether we request consent. If users accept, the legal basis for data processing is the expressed consent. Otherwise, data processed through cookies will be processed on the basis of our legitimate interests (e.g., in the operational business of our online service and improving its usability) or, if the use of cookies is necessary for fulfilling our contractual obligations, on that basis.
Storage Duration: With regard to the storage duration, the following types of cookies are distinguished:
• Temporary Cookies (Session Cookies): These cookies are deleted once a user exits the online service and closes the device (e.g., browser or mobile application).
• Permanent Cookies: Permanent cookies remain stored even after the device is closed. They may store login status and display preferred content when the user revisits a website. The user data collected via cookies can also be used for reach measurement. Unless we provide explicit information about the type and duration of cookies (e.g., during consent gathering), users should assume that these cookies are permanent and can be stored for up to two years.
General Notes on Withdrawal and Opposition (Opt-out): Users can revoke their consents at any time and object to the processing according to legal requirements, including through their browser’s privacy settings.
Processed Data Types: Meta-, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, involved individuals).
Affected Individuals: Users (e.g., website visitors, online service users).
Legal Bases: Legitimate interests (Art. 6 Para. 1 Sentence 1 lit. f) GDPR); Consent (Art. 6 Para. 1 Sentence 1 lit. a) GDPR).
Further information on processing procedures, services, and systems:
Processing Cookie Data Based on Consent: We use a consent management solution that obtains, records, manages, and allows withdrawal of users’ consent for the use of cookies or other similar technologies. This procedure serves to obtain, log, manage, and withdraw consents, particularly related to the use of cookies and similar technologies for storing, reading, and processing information on users’ devices. Users have the ability to manage and revoke their consents. The consent declarations are stored to avoid repeated queries and to provide proof of consent as required by law.
Legal Basis: Consent (Art. 6 Para. 1 Sentence 1 lit. a) GDPR).
CONTACT AND INQUIRY MANAGEMENT
When contacting us (e.g., by post, contact form, email, phone, or social media) or in the context of existing user and business relationships, the details of the inquiring individuals are processed as necessary to respond to the inquiries and any requested actions.
Processed Data Types: Master data (e.g., full name, address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or visual messages and posts, including information about authorship or creation time); Usage data (e.g., page views, duration, click paths, usage intensity and frequency, device types, operating systems used, interactions with content and functions).
Affected Individuals: Communication partners.
Purposes of Processing: Communication; Organizational and administrative procedures; Feedback (e.g., collecting feedback via online forms); Providing our online services and user-friendliness.
Legal Bases: Legitimate interests (Art. 6 Para. 1 Sentence 1 lit. f) GDPR); Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sentence 1 lit. b) GDPR).
Further information on processing procedures:
Contact Form: When contacting us via contact form, email, or other communication methods, we process the personal data provided to us for responding to and processing the respective inquiry. This typically includes details such as name, contact information, and any other information provided to us necessary for appropriate processing. We use this data exclusively for the specified purpose of communication.
Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sentence 1 lit. b) GDPR); Legitimate interests (Art. 6 Para. 1 Sentence 1 lit. f) GDPR).
CHANGES AND UPDATES
We ask you to regularly review the content of our privacy policy. We will adjust the privacy policy once changes in the data processing we perform make this necessary. We will inform you when changes require your participation (e.g., consent) or otherwise require individual notification.
DEFINITIONS
In this section, you will find an overview of the terms used in this privacy policy. As far as legally defined, the legal definitions apply. The following explanations are primarily for understanding purposes.
Master Data: Master data includes essential information necessary for identifying and managing contract partners, user accounts, profiles, and similar assignments. These data may include personal and demographic information such as names, contact details (addresses, phone numbers, email addresses), birth dates, and specific identifiers (user IDs). Master data forms the basis for any formal interaction between individuals and services, facilities, or systems.
Content Data: Content data includes information generated during the creation, editing, and publication of all types of content. This category of data can include text, images, videos, audio files, and other multimedia content published on various platforms and media.
Contact Data: Contact data refers to essential information that enables communication with individuals or organizations, including phone numbers, postal addresses, email addresses, and communication methods such as social media handles or instant messaging identifiers.
Meta-, Communication, and Procedural Data: Meta-, communication, and procedural data are categories containing information on how data is processed, transmitted, and managed. Metadata includes information about data itself, such as file size, creation date, author, and modification history. Communication data records information exchange between users via various channels (e.g., email, call logs, social media messages), including involved individuals, time stamps, and transmission paths. Procedural data describes processes and workflows within systems or organizations, including transaction logs, audit logs, and activities tracking.
Usage Data: Usage data refers to information about how users interact with digital products, services, or platforms. This data includes various details about how users use applications, preferred features, time spent on pages, and navigation paths.
Personal Data: “Personal data” means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, especially through assignment to an identifier such as a name, identification number, location data, online identifier (e.g., cookie), or specific features related to physical, physiological, genetic, mental, economic, cultural, or social identity.
Log Data: Log data refers to information about events or activities recorded in a system or network. These data typically include timestamps, IP addresses, user actions, error messages, and other details about the use or operation of a system.
Controller: The “controller” is the natural or legal person, authority, agency, or other entity that alone or jointly with others determines the purposes and means of processing personal data.
Processing: “Processing” refers to any operation or series of operations performed on personal data, whether or not by automated means. This includes actions such as collecting, evaluating, storing, transmitting, or deleting data.
Generated using the free privacy policy generator from Dr. Thomas Schwenke.