Privacy policy
This Privacy Policy informs you about the type, scope, and purpose of the processing of personal data (hereinafter referred to as "data") within our online offering and the related websites, functions, and content, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering"). With regard to the terminology used, such as "personal data" or its "processing", we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Responsible party:
Name/Co.: Hecht & Barsch GmbH
Street No.: Benzstraße 46-50
ZIP code, City, Country: 12277, Berlin, Germany
Commercial register/No.: HRB 175767 B
Managing Directors: Daniel Andriani & Toni Wehn
Phone number: +49 (0)30 41 73 41 80
Email address: info@luredrop.de
☒ Inventory data (e.g., names, addresses).
☒ Contact data (e.g., email, phone numbers).
☒ Content data (e.g., text entries, photographs, videos).
☒ Payment data (e.g., bank details, payment history).
☒ Usage data (e.g., visited websites, interest in content, access times).
☒ Meta/communication data (e.g., device information, IP addresses).
Processing of special categories of data (Art. 9 para. 1 GDPR):
☒ No special categories of data are processed.
Categories of persons affected by the processing:
☒ Customers
☒ Visitors and users of the online offering.
Hereinafter, we refer to the affected persons collectively as "users".
☒ Provision of the online offering, its content, and functions.
☒ Performance of contractual services, service, and customer care.
☒ Response to contact requests and communication with users.
☒ Marketing, advertising, and market research.
Status: 23.05.2018
In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not mentioned in the Privacy Policy, the following applies: The legal basis for obtaining consent is Art. 6 para. 1 lit. a and Art. 7 GDPR; the legal basis for processing for the fulfillment of our services and the execution of contractual measures as well as responding to inquiries is Art. 6 para. 1 lit. b GDPR; the legal basis for processing to fulfill our legal obligations is Art. 6 para. 1 lit. c GDPR; and the legal basis for processing to protect our legitimate interests is Art. 6 para. 1 lit. f GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
We ask you to regularly inform yourself about the content of our Privacy Policy. We will adjust the Privacy Policy as soon as the changes in our data processing make this necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification.
- Security Measures
3.1. In accordance with Art. 32 GDPR, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons; these measures include ensuring the confidentiality, integrity, and availability of data through control of physical access to the data, as well as access, input, transmission, ensuring availability, and separation of the data. Furthermore, we have procedures in place to ensure the exercise of data subject rights, the deletion of data, and responses to data threats. Moreover, we consider the protection of personal data during the development or selection of hardware, software, and procedures, according to the principle of data protection through technology design and through privacy-friendly default settings (Art. 25 GDPR).
3.2. Security measures include, in particular, the encrypted transmission of data between your browser and our server.
4.1. If, in the context of our processing, we disclose data to other persons and companies (processors or third parties), transmit it to them, or otherwise grant them access to the data, this will only be done based on legal permission (e.g., if a transmission of the data to third parties, such as payment service providers, is required to fulfill the contract in accordance with Art. 6 para. 1 lit. b GDPR), if you have consented, a legal obligation provides for this, or based on our legitimate interests (e.g., when using agents, web hosts, etc.).
4.2. If we commission third parties with the processing of data based on a so-called "processing contract", this is done on the basis of Art. 28 GDPR.
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using the services of third parties or disclosing or transferring data to third parties, this only takes place if it is done to fulfill our (pre)contractual obligations, based on your consent, due to a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the special conditions of Art. 44 et seq. GDPR are met. This means that the processing takes place, for example, based on special guarantees, such as the officially recognized determination of a level of data protection corresponding to that of the EU (e.g., for the USA through the "Privacy Shield") or compliance with officially recognized special contractual obligations (so-called "Standard Contractual Clauses").
6.1. You have the right to request confirmation as to whether data concerning you is being processed, and to obtain information about this data as well as further information and a copy of the data in accordance with Art. 15 GDPR.
6.2. You have the right to request the completion of the data concerning you or the correction of incorrect data concerning you in accordance with Art. 16 GDPR.
6.3. In accordance with Art. 17 GDPR, you have the right to request that relevant data be deleted immediately, or alternatively, in accordance with Art. 18 GDPR, to request a restriction of the processing of the data.
6.4. You have the right to receive the data concerning you that you have provided to us in accordance with Art. 20 GDPR and to request its transfer to other controllers.
6.5. You also have the right to file a complaint with the competent supervisory authority in accordance with Art. 77 GDPR.
You have the right to revoke consents granted in accordance with Art. 7 para. 3 GDPR with effect for the future.
You can object to the future processing of data concerning you at any time in accordance with Art. 21 GDPR. The objection may be particularly directed against processing for direct marketing purposes.
We use temporary and permanent cookies, i.e., small files that are stored on users' devices (for an explanation of the term and function, see the last section of this Privacy Policy). Some cookies serve security purposes or are necessary for the operation of our online offering (e.g., for the display of the website) or to store the user’s decision when confirming the cookie banner. In addition, we or our technology partners use cookies for reach measurement and marketing purposes, which users are informed about in the course of this Privacy Policy.
A general objection to the use of cookies for online marketing purposes can be declared for a variety of services, particularly in the case of tracking, via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by disabling them in the settings of the browser. Please note that not all functions of this online offering may be available in that case.
10.1. The data processed by us will be deleted or restricted in their processing in accordance with Articles 17 and 18 GDPR. Unless expressly stated in this Privacy Policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion is not precluded by legal retention obligations. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. That is, the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons.
10.2. Germany: According to legal requirements, the retention takes place in particular for 6 years according to § 257 para. 1 HGB (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, booking documents, etc.) as well as for 10 years according to § 147 para. 1 AO (books, records, management reports, booking documents, commercial and business letters, documents relevant for taxation, etc.).
- Provision of Contractual Services
11.1. We process inventory data (e.g., names and addresses as well as contact data of users) and contract data (e.g., services used, names of contact persons, payment information) to fulfill our contractual obligations and services in accordance with Art. 6 para. 1 lit. b GDPR. The mandatory entries in online forms are required for the conclusion of the contract.
11.2. Users can optionally create a user account, in which they can, in particular, view their orders. In the course of registration, users will be informed of the required mandatory information. The user accounts are not public and cannot be indexed by search engines. If users have terminated their user account, their data will be deleted with regard to the user account, subject to its retention being necessary for commercial or tax reasons in accordance with Art. 6 para. 1 lit. c GDPR. It is the responsibility of the users to back up their data before the end of the contract. We are entitled to irretrievably delete all of the user's data stored during the contract term.
11.3. As part of registration and re-registrations as well as the use of our online services, we store the IP address and the time of the respective user action. The storage takes place based on our legitimate interests, as well as the users' interest in protection against misuse and other unauthorized use. A transfer of this data to third parties does not take place unless it is necessary to pursue our claims or there is a legal obligation to do so in accordance with Art. 6 para. 1 lit. c GDPR.
11.4. We process usage data (e.g., the websites of our online offering visited, interest in our products) and content data (e.g., entries in the contact form or user profile) for advertising purposes in a user profile, to show the user, e.g., product information based on their previously used services.
11.5. The deletion takes place after the expiration of statutory warranty and comparable obligations; the necessity of storing the data is reviewed every three years; in the case of statutory archiving obligations, the deletion takes place after their expiration (end of commercial (6 years) and tax law (10 years) retention obligation); information in the customer account remains until its deletion.
- Contact
12.1. When contacting us (e.g., via contact form, email, telephone, or social media), the user's information is processed for handling the contact request and its processing in accordance with Art. 6 para. 1 lit. b) GDPR.
12.2. The user's information may be stored in a customer relationship management system ("CRM System") or comparable request organization.
12.3. We delete the requests if they are no longer necessary. We review the necessity every two years; we store inquiries from customers who have a customer account permanently and refer to the information about the customer account for deletion. In the case of statutory archiving obligations, the deletion takes place after their expiration (end of commercial (6 years) and tax law (10 years) retention obligation).
However, this is not the case for the support and service provided by Shopware. When Shopware accesses customer IT systems, which may also contain real data from end customers, this is not done with the intent to retrieve personal data from end customers. The purpose of Shopware’s access is to perform technical tests or maintenance tasks to identify potential technical causes of deviations from the desired behavior of the shop software or to configure the shop software technically according to the customer's specifications.
Therefore, Shopware's remote access to customer IT systems does not constitute data processing under Art. 28 GDPR."
12.4. We delete inquiries when they are no longer required. We check their necessity every two years; inquiries from customers who have a customer account are stored permanently, and we refer to the customer account details for deletion. In case of legal archiving obligations, deletion takes place after the expiry (end of commercial (6 years) and tax law (10 years) retention obligations).
13.1. When users leave comments or other contributions, their IP addresses are stored for 7 days based on our legitimate interests in accordance with Art. 6 para. 1 lit. f. GDPR.
13.2. This is done for our security, in case someone leaves illegal content in comments and contributions (insults, prohibited political propaganda, etc.). In such cases, we may be held liable for the comment or contribution and are therefore interested in the identity of the author.
- Data Processing Agreement
We signed the following data processing agreement with our web hoster on 23.5:
"Agreement on Data Processing"
(Version 3.1, dated 10.05.2018)
1 General Provisions
1.1
The contractor processes personal data on behalf of the client based on the main contract concluded between the parties. In accordance with Art. 28 para. 2 GDPR (General Data Protection Regulation), a data processing agreement is required for the processing of personal data on behalf of the client, namely this agreement, which governs the rights and obligations of the parties in connection with data processing.
1.2
This agreement applies to all activities related to the aforementioned main contract, in which employees, representatives, or organs of the contractor or third parties commissioned by the contractor may come into contact with the personal data of the client.
1.3
The processing of personal data by the contractor takes place exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any transfer to a third country requires the prior written consent of the client and may only take place if the special conditions of Art. 44 et seq. GDPR are met. If a subcontractor is to be engaged, these requirements also apply to the subcontractor.
1.4
Further details on the scope, nature, and purpose of data collection, processing, or use are set out in the main contract.
1.5
Types of data: The types of data possible in the digital contract process include master data, address data, communication data (e.g., telephone, email), appointment data, billing data, contract data, bank account data, planning data, customer history, information from credit agencies, sensitive data (e.g., health data, religious affiliation), and others.
1.6
Categories of data subjects: The categories of data subjects possible in the digital contract process include employees, customers/prospective customers, subscribers, sales representatives, pensioners, relatives, suppliers/service providers, contacts, and others.
2 Rights and Obligations of the Contractor
2.1
The contractor and any person under the contractor’s authority who has access to personal data may only collect, process, or use this personal data within the scope of the assignment and the client’s instructions, unless they are legally obliged to process the data.
2.2
The contractor and any person under the contractor’s authority who has access to personal data may only collect, process, or use this personal data within the scope of the assignment and the client’s instructions, unless they are legally obliged to process the data. If a data subject contacts the contractor directly in this regard, the contractor will immediately inform the client of this request.
2.3
The contractor undertakes to comply with all necessary technical and organizational measures (Art. 28 para. 3 sentence 2 lit. c in conjunction with Art. 32 GDPR) and to document these measures and provide them to the client for review. The measures taken must achieve a level of protection appropriate to the risk in terms of confidentiality, integrity, availability, and resilience of systems. This includes taking into account the state of the art, the costs of implementation, the nature, scope, and purposes of the processing, and the varying likelihood and severity of the risks to the rights and freedoms of natural persons. The result must be documented (see Art. 28 para. 3 lit. c, 32 GDPR, in particular in connection with Art. 5 para. 1, para. 2 GDPR). These measures are attached to this agreement as Annex 1. Since technical and legal circumstances are subject to change, the parties are aware that adjustments to the measures may be necessary. Therefore, the contractor will regularly review and, if necessary, adjust the effectiveness of the technical and organizational measures taken. The contractor is permitted to implement alternative adequate measures. The client may request an updated version of the technical and organizational measures taken by the contractor at any time.
2.4
The contractor supports the client in complying with the obligations referred to in Articles 32 to 36 GDPR (security of processing, reporting obligations in the event of data breaches, data protection impact assessments, or prior consultations). The contractor may claim remuneration for these support services, which are not included in the service description.
2.5
The contractor ensures that the employees involved in the processing of the client’s data are bound to confidentiality and have been informed of the relevant data protection regulations before beginning the processing (Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 GDPR).
2.6
The contractor confirms that a company data protection officer has been appointed. His contact details are as follows: RA Daniel Rink, Rink Rechtsanwaltsgesellschaft mbH, Expo Plaza 1, 30539 Hannover.
2.7
The client and the contractor cooperate with the supervisory authority at the request of the authority in the performance of their duties.
2.8
The contractor informs the client immediately if there is any suspicion of data protection violations or other irregularities in the processing of the client’s data. The contractor will also inform the client immediately if a supervisory authority takes action against the contractor, insofar as this concerns this contract. This also applies if a competent authority investigates the processing of personal data in connection with data processing by the contractor as part of an administrative or criminal investigation.
2.9
The contractor regularly checks internal processes and technical and organizational measures to ensure that the processing in its area of responsibility complies with the requirements of applicable data protection law and ensures the protection of the rights of data subjects.
2.10
Copies of data may not be made without the client’s knowledge. Exceptions include backup copies, provided they are necessary to ensure proper data processing, as well as data required for compliance with legal retention obligations.
2.11
Data carriers provided and any copies made thereof remain the property of the client. The contractor ensures that data and data carriers are returned to the client or destroyed in compliance with data protection regulations after the end of the data processing assignment. Proof of deletion must be provided upon request.
2.12
After completion of the agreed work or earlier upon request by the client – no later than the end of the main contract – all documents, processing, and usage results, as well as data sets received in connection with the data processing assignment, must be handed over to the client or destroyed in compliance with data protection regulations. The protocol of the deletion must be provided upon request.
2.13
Documentation that serves as evidence of proper data processing in accordance with the assignment must be retained by the contractor for the respective retention periods, even after the agreed work has been completed. The contractor may hand them over to the client at the end of the agreed work to discharge himself.
3 Rights and Obligations of the Client
3.1
The client has the right at any time to issue additional instructions regarding the nature, scope, and method of data processing to the contractor. The client issues all instructions in writing or by email. The client will immediately confirm verbal instructions in writing or by email. Authorized employees of the client will be communicated in the course of the main contract.
3.2
The contractor will immediately notify the client if the contractor believes that an instruction from the client violates data protection regulations. The contractor is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed by the person responsible at the client’s premises.
3.3
The client must immediately and fully inform the contractor if the client identifies any errors or irregularities in the contractor’s work during the review of the results of the assignment concerning data protection regulations.
3.4
The client is responsible for fulfilling the information obligations arising from the GDPR.
3.5
If the client is obliged under applicable data protection laws to provide information regarding the collection, processing, or use of data to a data subject, the contractor will assist the client in providing this information.
3.6
The client has the right, in consultation with the contractor, to conduct audits or have them carried out by a third party. The client has the right to verify compliance with this agreement within the contractor’s business operations through random inspections, which should usually be announced in advance. The audit rights may not be exercised by third parties, and they are limited by the contractor’s trade or business secrets. The client will document the results of each inspection. The contractor may claim compensation for enabling the client to conduct the audits.
4 Subcontracting Relationships
4.1
The contractor may only engage subcontractors for the activities specified in 1.1 after prior explicit written consent from the client. No subcontracting relationships existed at the time of the contract’s conclusion. The client agrees to the engagement of these specified subcontractors, provided that there is a contractual agreement in accordance with Art. 28 paras. 2-4 GDPR. This only applies to subcontracting relationships that relate to the provision of the main service. Auxiliary services (e.g., telecommunications services, postal/transport services, maintenance, and user services, data carrier disposal) are excluded.
4.2
If subcontractors are engaged by the contractor, the contractor must carefully select the subcontractor and, before engaging the subcontractor, check whether the agreements between the client and the contractor can be fulfilled. In particular, the contractor must ensure, both before and regularly during the contract’s duration, that the subcontractor has implemented the necessary technical and organizational measures to protect personal data and has appointed a company data protection officer if required.
5 Duration and Termination
5.1
The client may terminate this data processing agreement at any time without notice if the contractor commits a serious breach of the provisions of this contract, cannot or will not comply with the client’s instructions, or refuses the client’s right to access in breach of the contract.
5.2
Notwithstanding the above provisions regarding the duration of the contract, the obligation to maintain data secrecy, confidentiality, and agreed retention periods continues beyond the end of the contract.
6 Final Provisions
6.1
If the client’s data held by the contractor is endangered by seizure or confiscation, by insolvency or settlement proceedings, or by other events or measures taken by third parties, the contractor must immediately inform the client of this. The contractor will also immediately inform all parties responsible in this context that the sovereignty and ownership of the data lie exclusively with the client as the controller under the General Data Protection Regulation.
6.2
The right to withhold performance in accordance with § 273 BGB (German Civil Code) is excluded in relation to the processed data and associated data carriers.
6.3
There are no collateral agreements. All collateral agreements must be made in writing. This also applies to the waiver of the requirement for written form."
- Collection of Access Data and Log Files
15.1. We collect data on every access to the server on which this service is located (so-called server log files) based on our legitimate interests under Art. 6 para. 1 lit. f. GDPR. Access data includes the name of the accessed website, file, date and time of access, amount of data transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address, and the requesting provider.
15.2. Log file information is stored for a maximum of seven days for security reasons (e.g., to investigate misuse or fraud) and is then deleted. Data that needs to be retained for evidence purposes is exempt from deletion until the respective incident has been fully resolved.
- Online Presence on Social Media
16.1. We maintain online presences within social networks and platforms based on our legitimate interests under Art. 6 para. 1 lit. f. GDPR to communicate with customers, interested parties, and users who are active there and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and data processing policies of their respective operators apply.
16.2. Unless otherwise specified in our Privacy Policy, we process user data when they communicate with us within social networks and platforms, e.g., post on our online presences or send us messages.
- Cookies & Reach Measurement
17.1. Cookies are pieces of information transmitted from our web server or third-party web servers to users’ web browsers and stored there for later retrieval. Cookies can be small files or other forms of information storage.
17.2. Users are informed about the use of cookies in the context of pseudonymous reach measurement in this Privacy Policy.
17.3. If users do not want cookies to be stored on their computers, they are asked to disable the corresponding option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. Disabling cookies may result in limited functionality of this online offering.
17.4. You can object to the use of cookies for reach measurement and advertising purposes via the deactivation page of the Network Advertising Initiative (http://optout.networkadvertising.org/) and additionally via the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).
- Google Analytics
18.1. We use Google Analytics, a web analytics service provided by Google LLC (“Google”), based on our legitimate interests (i.e., our interest in analyzing, optimizing, and economically operating our online offering under Art. 6 para. 1 lit. f. GDPR). Google uses cookies. The information generated by the cookie about users' use of the online offering is generally transmitted to and stored by Google on servers in the USA.
18.2. Google is certified under the Privacy Shield agreement and thus guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
18.3. Google uses this information on our behalf to evaluate users’ use of our online offering, compile reports on activities within this online offering, and provide us with other services related to the use of this online offering and the internet. Pseudonymous usage profiles of users can be created from the processed data.
18.4. We use Google Analytics to display ads placed by Google and its partners to users who have shown interest in our online offering or who exhibit specific characteristics (e.g., interest in particular topics or products based on the websites visited) that we transmit to Google (so-called "Remarketing" or "Google Analytics Audiences"). With the help of Remarketing Audiences, we want to ensure that our ads correspond to the potential interest of users and are not bothersome.
18.5. We use Google Analytics only with IP anonymization enabled. This means that Google truncates the IP address of users within member states of the European Union or other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there.
18.6. The IP address transmitted by the user’s browser will not be merged with other Google data. Users can prevent the storage of cookies by selecting the appropriate settings in their browser software. Users can also prevent Google from collecting and processing the data generated by the cookie related to their use of the online offering by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
Additionally, it is possible to prevent tracking by clicking on this link:
In this case, an opt-out cookie will be set to prevent future data collection by Google Analytics on this website in your browser. Please note that this opt-out cookie only applies to data collection by Google Analytics on our website in your browser. If you delete the cookie in your browser settings, you will need to reinstall this opt-out cookie.
18.7. For more information on how Google uses data and settings and opt-out options, visit Google’s websites: https://www.google.com/intl/de/policies/privacy/partners ("How Google uses information from sites or apps that use our services"), https://policies.google.com/technologies/ads ("How Google uses cookies for advertising purposes"), https://adssettings.google.com/authenticated ("Control the information Google uses to show you ads").
18.8. Furthermore, personal data will be anonymized or deleted after 50 months.
- Google Remarketing Services
19.1. We use the marketing and remarketing services (collectively referred to as "Google Marketing Services") of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"), based on our legitimate interests (i.e., our interest in analyzing, optimizing, and economically operating our online offering under Art. 6 para. 1 lit. f. GDPR).
19.2. Google is certified under the Privacy Shield agreement and thus guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
19.3. Google Marketing Services allow us to display advertisements for and on our website more specifically so that users are only presented with ads that potentially match their interests. If, for example, a user is shown ads for products in which they have expressed interest on other websites, this is called “remarketing.” For these purposes, Google will execute a code when our website or other websites where Google Marketing Services are active are accessed, and so-called (re)marketing tags (invisible graphics or code, also known as “web beacons”) will be incorporated into the website. Using these tags, a unique cookie, i.e., a small file, will be saved on the user’s device (instead of cookies, similar technologies may also be used). The cookies can be set by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com, or googleadservices.com. This file records which websites the user visits, what content they are interested in, and what offers they clicked on, as well as technical information about the browser and operating system, referring websites, visit time, and other details about the use of the online offering. The user’s IP address is also recorded, although within the scope of Google Analytics, it is noted that the IP address is truncated within member states of the European Union or other contracting states to the Agreement on the European Economic Area and only in exceptional cases transmitted in full to a Google server in the USA and truncated there. The IP address will not be merged with other data from the user within other Google offerings. The information mentioned above may also be combined by Google with such information from other sources. If the user subsequently visits other websites, personalized ads based on their interests may be displayed to them.
19.4. User data is processed pseudonymously in the context of Google Marketing Services. That is, Google does not store and process, for example, the name or email address of the users but processes the relevant data cookie-based within pseudonymous user profiles. From Google's perspective, ads are not managed and displayed for a specific, identifiable person but for the cookie holder, regardless of who this cookie holder is. This does not apply if a user has explicitly allowed Google to process the data without pseudonymization. The information collected about users through Google Marketing Services is transmitted to Google and stored on Google's servers in the USA.
19.5. The Google Marketing Services we use include the online advertising program “Google AdWords.” In the case of Google AdWords, each AdWords customer receives a different “conversion cookie.” Cookies can therefore not be tracked across AdWords customers’ websites. The information obtained using the cookie is used to compile conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers are informed of the total number of users who clicked on their ad and were redirected to a conversion tracking-tagged page. However, they do not receive information that personally identifies users.
19.6. We may use the Google Marketing Service "DoubleClick" to include third-party advertisements. DoubleClick uses cookies to enable Google and its partner websites to serve ads based on users’ visits to this website or other websites on the internet.
19.7. We may use the Google Marketing Service “AdSense” to display third-party advertisements. AdSense uses cookies to enable Google and its partner websites to serve ads based on users’ visits to this website or other websites on the internet.
19.8. We may also use the "Google Optimizer" service. Google Optimizer allows us to track the effects of various changes to a website (e.g., changes to input fields, design, etc.) through so-called "A/B testing". For these test purposes, cookies are placed on users' devices. Only pseudonymous data is processed for these purposes.
19.9. Furthermore, we may use the “Google Tag Manager” to integrate and manage Google analytics and marketing services on our website.
19.10. For more information on how Google uses data for marketing purposes, visit the overview page at: https://policies.google.com/technologies/ads. Google’s Privacy Policy is available at https://policies.google.com/privacy.
19.11. If you wish to opt-out of interest-based advertising through Google Marketing Services, you can use the settings and opt-out options provided by Google: https://adssettings.google.com/authenticated.
- Facebook Custom Audiences and Facebook Marketing Services
20.1. Within our online offering, the "Facebook Pixel" of the social network Facebook, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"), is used based on our legitimate interests in analysis, optimization, and economic operation of our online offering for these purposes.
20.2. Facebook is certified under the Privacy Shield agreement, offering a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
21.3. When a user accesses a function of this online offering that contains such a plugin, their device establishes a direct connection with Facebook's servers. The content of the plugin is transmitted by Facebook directly to the user's device and integrated into the online offering. Usage profiles of the users can be created from the processed data. Therefore, we have no influence on the scope of the data that Facebook collects with the help of this plugin and inform users based on our knowledge.
21.4. By integrating the plugins, Facebook receives information that a user has accessed the corresponding page of the online offering. If the user is logged into Facebook, Facebook can associate the visit with their Facebook account. If users interact with the plugins, for example, by pressing the Like button or leaving a comment, the corresponding information is transmitted directly from their device to Facebook and stored there. If a user is not a member of Facebook, there is still a possibility that Facebook will obtain and store their IP address. According to Facebook, only an anonymized IP address is stored in Germany.
21.5. Users can find more information on the purpose and scope of data collection and the further processing and use of data by Facebook, as well as their rights and settings options to protect their privacy, in Facebook’s privacy policy: https://www.facebook.com/about/privacy/.
21.6. If a user is a Facebook member and does not want Facebook to collect data about them via this online offering and link it to their Facebook member data, they must log out of Facebook and delete their cookies before using our online offering. Further settings and objections to the use of data for advertising purposes can be made in the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. The settings are platform-independent, i.e., they apply to all devices, such as desktop computers or mobile devices.
- Amazon Affiliate Program
22.1. We participate in the Amazon EU affiliate program based on our legitimate interests (i.e., interest in the economic operation of our online offering in accordance with Art. 6 para. 1 lit. f GDPR). This program was designed to provide a medium for websites to earn advertising fees by placing ads and links to Amazon.de. Amazon uses cookies to track the origin of orders. Among other things, Amazon can recognize that you clicked on the affiliate link on this website.
22.2. For more information on how Amazon uses data, please refer to the company's privacy policy: http://www.amazon.de/gp/help/customer/display.html/ref=footer_privacy?ie=UTF8&nodeId=3312401.
- Newsletter
23.1. The following notes inform you about the content of our newsletter, as well as the registration, shipping, and statistical evaluation procedures, and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the described procedures.
23.2. Newsletter content: We only send newsletters, emails, and other electronic notifications with promotional information (hereinafter referred to as "newsletters") with the consent of the recipients or based on a legal permission. If the content of the newsletter is specifically described during the subscription process, it is decisive for the user's consent. Otherwise, our newsletters contain information about our products, offers, promotions, YouTube videos, trade show visits, and blog posts.
23.3. Double opt-in and logging: The subscription to our newsletter is done in a so-called double opt-in procedure. This means you will receive an email after registration asking you to confirm your subscription. This confirmation is necessary so that no one can subscribe with someone else’s email address. The registrations for the newsletter are logged to be able to prove the registration process in accordance with legal requirements. This includes storing the time of registration and confirmation as well as the IP address. Changes to your data stored with the email service provider are also logged.
23.4. Email service provider: The newsletter is sent using "MailChimp," a newsletter distribution platform operated by the US-based Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. You can view the privacy policy of the email service provider here: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield agreement and thereby guarantees compliance with European data protection standards (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).
23.5. According to its own information, the email service provider may also use this data in pseudonymous form, i.e., without assigning it to a user, to optimize or improve its own services, e.g., for technical optimization of the delivery and presentation of the newsletters or for statistical purposes to determine from which countries the recipients come. However, the email service provider does not use the data of our newsletter recipients to write to them themselves or to pass it on to third parties.
23.6. Registration data: To subscribe to the newsletter, it is sufficient to provide your email address. Optionally, we ask you to provide a name for personalized communication in the newsletter.
23.7. Performance measurement - The newsletters contain a so-called "web beacon," i.e., a pixel-sized file that is retrieved from the email service provider's server when the newsletter is opened. During this retrieval, technical information such as information about the browser and your system, as well as your IP address and time of retrieval, are initially collected. This information is used to improve the technical services based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. Statistical evaluations also include determining whether the newsletters are opened, when they are opened, and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our intention nor that of the email service provider to observe individual users. The evaluations serve us rather to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
23.8. The dispatch of the newsletter and performance measurement is based on the recipient’s consent in accordance with Art. 6 para. 1 lit. a, Art. 7 GDPR in conjunction with § 7 para. 2 no. 3 UWG or based on legal permission in accordance with § 7 para. 3 UWG.
23.9. Logging the registration process is based on our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR and serves as proof of consent to receive the newsletter.
23.10. Unsubscribe/Withdrawal - Newsletter recipients can unsubscribe from our newsletter at any time, i.e., revoke their consent. A link to unsubscribe from the newsletter can be found at the end of each newsletter. At the same time, their consent to performance measurement expires. Unfortunately, a separate withdrawal of performance measurement is not possible; in this case, the entire newsletter subscription must be canceled. Upon unsubscribing from the newsletter, personal data will be deleted unless its retention is legally required or justified, in which case processing will be limited to these exceptional purposes. We may store the unsubscribed email addresses for up to three years based on our legitimate interests before we delete them for newsletter distribution purposes, in order to provide evidence of previously given consent. The processing of this data is limited to the purpose of potential defense against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time.
- Integration of Third-Party Services and Content
24.1. Within our online offering, we use content or service offerings from third-party providers based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering in accordance with Art. 6 para. 1 lit. f GDPR) to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as "content"). This always requires that the third-party providers of this content perceive the IP address of the users, as they would not be able to send the content to their browser without the IP address. The IP address is therefore necessary for the display of this content. We endeavor to only use such content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on the user's device and may include technical information about the browser and operating system, referring websites, visit time, and other information about the use of our online offering, as well as being linked to such information from other sources.
24.2. The following provides an overview of third-party providers and their content, along with links to their privacy policies, which provide further information on data processing and, in some cases already mentioned here, opt-out options (so-called "opt-outs"):
- If our customers use third-party payment services (e.g., PayPal or Sofortüberweisung), the terms and privacy policies of the respective third-party providers apply, which are available within the respective websites or transaction applications.
- External fonts from Google LLC, https://www.google.com/fonts (“Google Fonts”). The integration of Google Fonts is carried out by a server call to Google (usually in the USA). Privacy policy: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated.
- Maps from the “Google Maps” service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.
- Videos from the "YouTube" platform provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated.
- Within our online offering, functions of the Google+ service are integrated. These functions are provided by the third-party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If you are logged into your Google+ account, you can link the content of our pages to your Google+ profile by clicking the Google+ button. This allows Google to associate your visit to our pages with your user account. We point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data as well as their use by Google+. Privacy policy: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated.
- Within our online offering, functions of the Instagram service are integrated. These functions are provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. If you are logged into your Instagram account, you can link the content of our pages to your Instagram profile by clicking the Instagram button. This allows Instagram to associate your visit to our pages with your user account. We point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or their use by Instagram. Privacy policy: http://instagram.com/about/legal/privacy/.
- Within our online offering, we use the marketing functions (so-called "LinkedIn Insight Tag") of the LinkedIn network. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. Each time one of our pages containing LinkedIn functions is accessed, a connection is established to LinkedIn's servers. LinkedIn is informed that you visited our website with your IP address. With the help of the LinkedIn Insight Tag, we can analyze the success of our campaigns within LinkedIn or determine target groups for these based on the interaction of users with our online offering. If you are registered with LinkedIn, LinkedIn can associate your interaction with our online offering with your user account. If you click the "Recommend Button" of LinkedIn and are logged into your LinkedIn account, LinkedIn can associate your visit to our website with you and your user account. LinkedIn is certified under the Privacy Shield agreement and thereby guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active). Privacy policy: https://www.linkedin.com/legal/privacy-policy, Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
- We use social plugins of the social network Pinterest, operated by Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA ("Pinterest"). When you access a page containing such a plugin, your browser establishes a direct connection to Pinterest's servers. The plugin transmits log data to Pinterest's server in the USA. This log data may include your IP address, the address of the visited websites that also contain Pinterest functions, the type and settings of your browser, the date and time of the request, your use of Pinterest, and cookies. Privacy policy: https://about.pinterest.com/de/privacy-policy.
- Within our online offering, functions of the service or platform Twitter may be integrated (hereinafter referred to as "Twitter"). Twitter is a service offered by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The functions include displaying our posts within Twitter within our online offering, linking to our profile on Twitter, and interacting with the posts and functions of Twitter, as well as measuring whether users arrive at our online offering through the Twitter ads we place (so-called conversion measurement). Twitter is certified under the Privacy Shield agreement and thereby guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active). Privacy policy: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization.
- We use social plugins of the social network Tumblr, operated by Tumblr, Inc., 35 East 21st Street, 10E, New York, NY 10010, USA ("Tumblr"). When you access a page containing such a plugin, your browser establishes a direct connection to Tumblr's servers. The plugin transmits log data to Tumblr's server in the USA. This log data may include your IP address, the address of the visited websites that also contain Tumblr functions, the type and settings of your browser, the date and time of the request, your use of Tumblr, and cookies. Privacy policy: https://www.tumblr.com/policy/en/privacy.
- We use functions of the XING network. The provider is XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. Each time one of our pages containing XING functions is accessed, a connection is established to XING's servers. As far as we know, no personal data is stored in the process. In particular, no IP addresses are stored or user behavior evaluated. Privacy policy: https://www.xing.com/app/share?op=data_protection.
- Web analysis and optimization using the Hotjar service provided by Hotjar Ltd., Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe. Hotjar allows us to track movements on websites where Hotjar is used (so-called heatmaps). For example, it can show how far users scroll and which buttons users click on how often. Technical data such as the selected language, system, screen resolution, and browser type are also collected. This may create temporary profiles of users while visiting our website. Hotjar also allows us to collect feedback directly from the users of the website. This gives us valuable insights to make our websites faster and more user-friendly. Privacy policy: https://www.hotjar.com/privacy. Opt-Out: https://www.hotjar.com/opt-out.
- External code of the JavaScript framework “jQuery”, provided by the third-party provider jQuery Foundation, https://jquery.org.
- As part of the "YPC-FANS" contest, personal data of contest participants will be collected and stored via the third-party service Google Forms. We point out that we, as the provider of the contest, have no knowledge of the content of the transmitted data or their use by Google. Privacy policy: https://policies.google.com/privacy