free shipping from a purchase value of 49 euros in germany.

Privacy Policy

Preamble

With the following Privacy Policy, we would like to inform you about the types of personal data (hereinafter also referred to as “data”) we process, the purposes for which we process it, and the scope of such processing. This Privacy Policy applies to all processing of personal data carried out by us, both in connection with the provision of our services and, in particular, on our websites, in mobile applications, and on external online platforms, such as our social media profiles (hereinafter collectively referred to as the “Online Offering”).
The terms used are not gender-specific.

Last Update: 14. November 2023

Table of contents

Preamble

  • Controller
  • Overview of processing operations
  • Relevant legal bases
  • Security Precautions
  • Erasure of data
  • Rights of Data Subjects
  • Use of Cookies
  • Business services
  • Payment Procedure
  • Provision of online services and web hosting
  • Registration, Login and User Account
  • Contact and Inquiry Management
  • Newsletter and Electronic Communications
  • Commercial communication by E-Mail, Postal Mail, Fax or Telephone
  • Online Marketing
  • Profiles in Social Networks (Social Media)
  • Plugins and embedded functions and content


Controller

Johanna Tänzer / TNZR Clothing
Longericher Straße 175
50739 Cologne, Germany
Email address:
info@tnzr-clothing.de
Legal Notice:
https://www.tnzr-clothing.de/impressum/

Overview of processing operations

The following table summarises the types of data processed, the purposes for which they are processed and the concerned data subjects.

Categories of Processed Data

  • Inventory data.
  • Payment information.
  • Contact Information.
  • Table of Contents.
  • Contract details.
  • Usage data.
  • Meta data, communication data, and procedural data.
  • Event details (Facebook).

Categories of Data Subjects

  • Customers.
  • Prospective buyers.
  • Communication partners.
  • Users.
  • Business and contractual partners.

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Contact Requests and Communication.
  • Safety measures.
  • Direct marketing.
  • Reach measurement.
  • Tracking.
  • Office and organizational procedures.
  • Conversion tracking.
  • Target Audience Identification.
  • Managing and responding to inquiries.
  • Feedback.
  • Marketing.
  • Profiles containing user-specific information.
  • Provision of our online services and user-friendliness.
  • Information Technology Infrastructure.

Relevant legal bases

Relevant legal bases according to the GDPR:** In the following, you will find an overview of the legal basis of the GDPR on which we base the processing of personal data. Please note that in addition to the provisions of the GDPR, national data protection provisions of your or our country of residence or domicile may apply. If, in addition, more specific legal bases are applicable in individual cases, we will inform you of these in the data protection declaration.

  • Consent (Art. 6(1), first sentence, subparagraph (a) of the GDPR) – The data subject has given consent to the processing of personal data concerning him or her for a specific purpose or for several specific purposes.
  • Performance of a contract and pre-contractual inquiries (Art. 6(1), first sentence, subparagraph (b) of the GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject’s request.
  • Legal obligation (Art. 6(1), first sentence, subparagraph (c) of the GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate Interests (Art. 6(1), first sentence, subparagraph (f) of the GDPR) – Processing is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data take precedence.

National data protection regulations in Germany:** In addition to the data protection regulations of the GDPR, national regulations apply to data protection in Germany. This includes in particular the Law on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). In particular, the BDSG contains special provisions on the right to access, the right to erase, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated individual decision-making, including profiling. Furthermore, data protection laws of the individual federal states may apply.

Applicable Legal Bases Under the Swiss Data Protection Act: If you are located in Switzerland, we process your data in accordance with the Federal Act on Data Protection (the “Swiss DPA” for short). This also applies if our processing of your data otherwise affects you in Switzerland and you are affected by such processing. Unlike the GDPR, for example, the Swiss Data Protection Act does not generally require that a legal basis for the processing of personal data be specified. We process personal data only if the processing is lawful, carried out in good faith, and proportionate (Art. 6, paras. 1 and 2 of the Swiss Data Protection Act). Furthermore, we collect personal data only for specific purposes that are identifiable to the data subject and process it only in a manner consistent with those purposes (Art. 6(3) of the Swiss DSG).

Note on the Applicability of the GDPR and the Swiss Data Protection Act (DSG): This privacy policy serves to provide information in accordance with both the Swiss Federal Act on Data Protection (Swiss DSG) and the General Data Protection Regulation (GDPR). For this reason, please note that, due to their broader geographical scope and clarity, the terms used in the GDPR are employed here. In particular, instead of the terms “processing” of “personal data,” “overriding interest,” and “personal data requiring special protection,” we use the terms “processing” of “personal data,” as well as “legitimate interest” and “special categories of data,” as used in the GDPR. However, the legal meaning of these terms continues to be determined in accordance with the Swiss Data Protection Act (DSG) within the scope of its application.

Security Precautions

We implement technical and organizational measures appropriate to the circumstances and the purposes of the processing, as well as to the varying likelihoods and severity of threats to the rights and freedoms of natural persons, in accordance with legal requirements and taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihoods and severity of threats to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input of, and disclosure of the data, ensuring its availability, and maintaining data segregation. Furthermore, we have established procedures that ensure the exercise of data subjects’ rights, the erasure of data, and responses to data breaches. Furthermore, we take the protection of personal data into account from the very beginning of the development and selection of hardware, software, and procedures, in accordance with the principle of data protection by design and through privacy-friendly default settings.
TLS/SSL Encryption (https): To protect user data transmitted via our online services, we use TLS/SSL encryption. Secure Sockets Layer (SSL) is the standard technology for securing Internet connections by encrypting the data transmitted between a website or app and a browser (or between two servers). Transport Layer Security (TLS) is an updated and more secure version of SSL. Hyper Text Transfer Protocol Secure (HTTPS) appears in the URL when a website is secured by an SSL/TLS certificate.

Erasure of data

The data processed by us will be erased in accordance with the statutory provisions as soon as their processing is revoked or other permissions no longer apply (e.g. if the purpose of processing this data no longer applies or they are not required for the purpose). If the data is not deleted because they are required for other and legally permissible purposes, their processing is limited to these purposes. This means that the data will be restricted and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or for which storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person. In the context of our information on data processing, we may provide users with further information on the deletion and retention of data that is specific to the respective processing operation.

Rights of Data Subjects

  • Rights of Data Subjects Under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 through 21 of the GDPR:• Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out pursuant to Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions. If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for such marketing purposes; this also applies to profiling to the extent that it is related to such direct marketing.
  • Right to Withdraw Consent: You have the right to withdraw your consent at any time.
  • Right of Access: You have the right to request confirmation as to whether your personal data is being processed, as well as access to that data, additional information, and a copy of the data in accordance with legal requirements.
  • Right to Rectification: In accordance with legal requirements, you have the right to request that data concerning you be completed or that inaccurate data concerning you be corrected.
  • Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be erased without delay or, alternatively, to request a restriction on the processing of such data in accordance with legal requirements.
  • Right to Data Portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, in accordance with legal requirements, or to request that it be transferred to another data controller.
  • Complaint to a Supervisory Authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority—in particular, a supervisory authority in the Member State where you habitually reside— the supervisory authority of your place of work or the location of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.
    Rights of Data Subjects Under the Swiss Data Protection Act (DSG):
    As a data subject, you are entitled to the following rights in accordance with the provisions of the Swiss Data Protection Act (DSG):
  • Right of Access: You have the right to request confirmation as to whether personal data concerning you is being processed, and to receive the information necessary to enable you to exercise your rights under this law and to ensure transparent data processing.
  • Right to Data Disclosure or Portability: You have the right to request that we provide you with the personal data you have provided to us in a commonly used electronic format.
  • Right to Rectification: You have the right to request the rectification of any inaccurate personal data concerning you.
  • Right to Object, Erasure, and Destruction: You have the right to object to the processing of your data and to request that your personal data be erased or destroyed.

Use of Cookies

  • Cookies are small text files or other storage mechanisms that store information on end devices and retrieve information from them. For example, to store a user’s login status in an account, the contents of a shopping cart in an online store, the content accessed, or the features used on a website. Cookies can also be used for various purposes, such as ensuring the functionality, security, and convenience of online services, as well as analyzing visitor traffic.
    Information on Consent: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users unless such consent is not required by law. In particular, consent is not required if the storage and retrieval of information—including cookies—are strictly necessary to provide users with a telemedia service (i.e., our online service) that they have expressly requested. Strictly necessary cookies generally include cookies with functions that serve to display and ensure the operability of the online service, load balancing, security, the storage of user preferences and selections, or similar purposes related to the provision of the main and secondary functions of the online service requested by users. Revocable consent is clearly communicated to users and includes information regarding the specific use of cookies. Information on legal bases under data protection law: The legal basis under data protection law on which we process users’ personal data using cookies depends on whether we ask users for their consent. If users consent, the legal basis for processing their data is their expressed consent. Otherwise, the data processed using cookies is processed on the basis of our legitimate interests (e.g., the business operation of our online service and improving its usability) or, if this occurs in the context of fulfilling our contractual obligations, when the use of cookies is necessary to fulfill our contractual obligations. We explain the purposes for which we process cookies in this Privacy Policy or as part of our consent and processing procedures. Retention period: With regard to the retention period, we distinguish between the following types of cookies:
  • Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes their device (e.g., browser or mobile app).
  • Persistent cookies: Persistent cookies remain stored even after the device is turned off. This allows, for example, the user’s login status to be saved or preferred content to be displayed immediately when the user visits a website again. Similarly, user data collected via cookies may be used to measure website reach. Unless we provide users with explicit information regarding the type and storage duration of cookies (e.g., when obtaining consent), users should assume that cookies are persistent and may be stored for up to two years.
    General Information on Withdrawal and Objection (so-called “Opt-Out”): Users may withdraw the consent they have provided at any time and object to processing in accordance with legal requirements. To do so, users may, among other things, restrict the use of cookies in their browser settings (although this may also limit the functionality of our online service). An objection to the use of cookies for online marketing purposes can also be submitted via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
  • Legal Basis: Legitimate interests (Art. 6(1), first sentence, subparagraph (f) of the GDPR). Consent (Art. 6(1), first sentence, subparagraph (a) of the GDPR).
    Further information on processing methods, procedures and services used:
  • Processing of Cookie Data Based on Consent: We use a cookie consent management process through which users can grant, manage, and revoke their consent to the use of cookies, as well as to the processing activities and providers specified within the cookie consent management process. The declaration of consent is stored so that users do not have to be asked for consent again and so that we can provide proof of consent in accordance with legal requirements. Storage may occur on the server and/or in a cookie (a so-called opt-in cookie, or using comparable technologies) to enable the consent to be associated with a user or their device. Subject to specific information provided by cookie management service providers, the following applies: Consent may be stored for up to two years. In this process, a pseudonymous user identifier is generated and stored along with the time of consent, details regarding the scope of consent (e.g., which categories of cookies and/or service providers), as well as the browser, operating system, and device used; Legal basis: Consent (Art. 6(1)(a) GDPR).
  • BorlabsCookie: Cookie consent management; Service provider: Processed on servers and/or computers under the provider’s own data protection responsibility; Website: https://de.borlabs.io/borlabs-cookie/. Additional information: An individual user ID, language, types of consent, and the time the consent was given are stored on the server and in a cookie on the user’s device.

Business services

We process data from our contractual and business partners, such as customers and prospective customers (collectively referred to as “contractual partners”) in the context of contractual and similar legal relationships, as well as related measures, and in the context of communication with contractual partners (or on a pre-contractual basis), e.g., to respond to inquiries.

We process this data in order to fulfill our contractual obligations. These include, in particular, the obligations to provide the agreed services, any update obligations and remedies in the event of warranty and other service disruptions. In addition, we process the data to protect our rights and for the purpose of administrative tasks associated with these obligations and company organization. Furthermore, we process the data on the basis of our legitimate interests in proper and economical business management as well as security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g. for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we only disclose the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about further forms of processing, e.g. for marketing purposes, within the scope of this privacy policy.

We inform our contractual partners of which data is required for the aforementioned purposes either before or during the data collection process—for example, in online forms, through special markings (e.g., colors) or symbols (e.g., asterisks or similar), or in person.
We delete the data after the expiration of statutory warranty obligations and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal archiving purposes.

The statutory retention period for documents relevant under tax law, as well as for ledgers, inventories, opening balance sheets, annual financial statements, the work instructions necessary for understanding these documents, and other organizational documents and accounting vouchers is ten years; for received business and commercial correspondence and copies of sent business and commercial correspondence, it is six years. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, opening balance sheet, annual financial statements, or management report was prepared, the commercial or business letter was received or sent, or the accounting voucher was created, or the record was made, or the other documents were created.

If we use third-party providers or platforms to provide our services, the terms and conditions and privacy policies of the respective third-party providers or platforms shall apply in the relationship between the users and the providers.

  • Types of data processed: Customer information (e.g., names, addresses); payment information (e.g., bank account information, invoices, payment history); contact data (e.g., email, phone numbers); contract data (e.g., subject matter of the contract, term, customer category); Usage data (e.g., websites visited, interest in content, access times); meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Data subjects: Customers; prospective customers; business and contractual partners.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; contact requests and communication; office and organizational procedures; management and response to inquiries.
  • Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1), first sentence, lit. b) of the GDPR); Legal obligation (Art. 6(1), first sentence, lit. c) of the GDPR). Legitimate interests (Art. 6(1), first sentence, subparagraph (f) of the GDPR).
    Further information on processing methods, procedures and services used:
  • Customer Account: Customers can create an account within our online service (e.g., customer or user account, referred to as “customer account” for short). If registration of a customer account is required, customers will be notified of this as well as of the information required for registration. Customer accounts are not public and cannot be indexed by search engines. As part of the registration process, as well as subsequent logins and use of the customer account, we store customers’ IP addresses along with the times of access in order to verify registration and prevent any misuse of the customer account. If the customer account is terminated, the data associated with the account will be deleted after the termination date, unless it is retained for purposes other than those related to the customer account or must be retained for legal reasons (e.g., internal storage of customer data, order processes, or invoices). It is the customers’ responsibility to back up their data upon termination of the customer account; legal basis: performance of a contract and pre-contractual inquiries (Art. 6(1), sentence 1, lit. b) GDPR).
  • Watchlist/Wish List: Customers can create a product/wish list. In this case, the products are stored for the purpose of fulfilling our contractual obligations until the account is deleted, unless the customer removes the product list entries or we expressly inform the customer of different retention periods; Legal Basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
  • Shop and E-Commerce: We process our customers’ data to enable them to select, purchase, or order the products, goods, and related services of their choice, as well as to facilitate payment and delivery or fulfillment. If necessary to fulfill an order, we engage service providers—in particular postal, freight, and shipping companies—to carry out the delivery or fulfillment for our customers. We use the services of banks and payment service providers to process payments. The required information is identified as such during the ordering process or a comparable purchase process and includes the details necessary for delivery, provision, and billing, as well as contact information to facilitate any necessary communication; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1), sentence 1, lit. b) GDPR).

Payment Procedure

In the context of contractual and other legal relationships, in accordance with legal obligations, or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and, for this purpose, engage not only banks and credit institutions but also other service providers (collectively, “payment service providers”).

The data processed by the payment service providers includes inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as the contract, total and recipient-related information. The information is required to carry out the transactions. However, the data entered is only processed by the payment service providers and stored with them. I.e. we do not receive any account or credit card related information, but only information with confirmation or negative information of the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit agencies. The purpose of this transmission is to check identity and creditworthiness. Please refer to the terms and conditions and data protection information of the payment service providers.

The terms and conditions and data protection information of the respective payment service providers apply to the payment transactions and can be accessed within the respective websites or transaction applications. We also refer to these for further information and the assertion of revocation, information and other data subject rights.

  • Types of data processed: Master data (e.g., names, addresses); payment data (e.g., bank account information, invoices, payment history); contract data (e.g., subject matter of the contract, term, customer category); Usage data (e.g., websites visited, interest in content, access times); meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status); Contact data (e.g., email, phone numbers).
  • Affected individuals: Customers. Prospective customers.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations.
  • Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1), first sentence, subparagraph (b) of the GDPR).
    Further information on processing methods, procedures and services used:
  • Apple Pay: Payment services (technical integration of online payment methods); Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://www.apple.com/de/apple-pay/. Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.
  • PayPal: Payment services (technical integration of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1), first sentence, lit. b) GDPR); Website: https://www.paypal.com/de. Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

Provision of online services and web hosting

We process user data in order to be able to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the content and functions of our online services to the user’s browser or terminal device.

  • Types of data processed: Usage data (e.g., websites visited, interest in content, access times); meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status); Content data (e.g., entries in online forms).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online services and user-friendliness; IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)). Security measures.
  • Legal basis: Legitimate interests (Art. 6(1), first sentence, subparagraph (f) of the GDPR).
    Further information on processing methods, procedures and services used:
  • Provision of Online Services on Our Own/Dedicated Server Hardware: To provide our online services, we use server hardware that we operate, as well as the associated storage space, computing capacity, and software; Legal basis: Legitimate interests (Art. 6(1), first sentence, lit. f) of the GDPR).
  • Collection of Access Data and Log Files: Access to our online service is logged in the form of so-called “server log files.” Server log files may include the address and name of the web pages and files accessed, the date and time of the request, the amount of data transferred, a notification of a successful request, the browser type and version, the user’s operating system, the referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. The server log files may be used, on the one hand, for security purposes—for example, to prevent server overload (particularly in the event of malicious attacks, known as DDoS attacks)—and, on the other hand, to ensure server capacity and stability; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Data deletion: Log file information is stored for a maximum of 30 days and is then deleted or anonymized. Data that must be retained for evidentiary purposes is exempt from deletion until the respective incident has been fully resolved.
  • Email Sending and Hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, we process the addresses of the recipients and senders, as well as other information related to email transmission (e.g., the providers involved) and the content of the respective emails. The aforementioned data may also be processed for the purpose of detecting spam. Please note that emails are generally not sent in encrypted form over the Internet. Although emails are typically encrypted during transmission, they are not encrypted on the servers from which they are sent and received (unless a so-called end-to-end encryption method is used). We therefore cannot assume any responsibility for the transmission of emails between the sender and our server; Legal basis: Legitimate interests (Art. 6(1), sentence 1, lit. f) GDPR).

Registration, Login and User Account

Users can create a user account. Within the scope of registration, the required mandatory information is communicated to the users and processed for the purposes of providing the user account on the basis of contractual fulfilment of obligations. The processed data includes in particular the login information (name, password and an e-mail address).
Within the scope of using our registration and login functions as well as the use of the user account, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests, as well as the user’s protection against misuse and other unauthorized use. This data will not be passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.

Users may be informed by e-mail of information relevant to their user account, such as technical changes.

  • Types of data processed: Master data (e.g., names, addresses); contact information (e.g., email addresses, phone numbers); content data (e.g., entries in online forms); meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Providing contractual services and fulfilling contractual obligations; security measures; managing and responding to inquiries; providing our online services and ensuring user-friendliness.
  • Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1), first sentence, subparagraph (b) of the GDPR). Legitimate interests (Art. 6(1), first sentence, subparagraph (f) of the GDPR).
    Further information on processing methods, procedures and services used:
  • Registration with Pseudonyms: Users may use pseudonyms as usernames instead of their real names; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1), first sentence, lit. b) of the GDPR).
  • User profiles are not public: User profiles are not visible to the public and cannot be accessed.

Contact and Inquiry Management

When contacting us (e.g. via mail, contact form, e-mail, telephone or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.

  • Types of data processed: Contact information (e.g., email, phone numbers); content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content, access times); meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Affected individuals: Communication partners.
  • Purposes of processing: Contact requests and communication; managing and responding to inquiries; feedback (e.g., collecting feedback via an online form); providing our online services and ensuring user-friendliness.
  • Legal basis: Legitimate interests (Art. 6(1), first sentence, subparagraph (f) of the GDPR). Performance of a contract and pre-contractual inquiries (Art. 6(1), first sentence, subparagraph (b) of the GDPR).
    Further information on processing methods, procedures and services used:
  • Contact Form: When users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context to handle the matter raised; Legal Basis: Performance of a contract and pre-contractual inquiries (Art. 6(1), first sentence, lit. b) of the GDPR), Legitimate Interests (Art. 6(1), first sentence, lit. f) of the GDPR).

Newsletter and Electronic Communications

We send newsletters, emails, and other electronic notifications (hereinafter “newsletters”) only with the recipients’ consent or when permitted by law. If the content of a newsletter is specifically described during the sign-up process, that description is decisive for the user’s consent. In addition, our newsletters contain information about our services and our company.
To subscribe to our newsletters, it is generally sufficient to provide your email address. However, we may ask you to provide a name—so we can address you personally in the newsletter—or additional information, if such information is necessary for the purposes of the newsletter.

Double opt-in procedure: The registration to our newsletter takes place in general in a so-called Double-Opt-In procedure. This means that you will receive an e-mail after registration asking you to confirm your registration. This confirmation is necessary so that no one can register with external e-mail addresses. The registrations for the newsletter are logged in order to be able to prove the registration process according to the legal requirements. This includes storing the login and confirmation times as well as the IP address. Likewise the changes of your data stored with the dispatch service provider are logged.
Deletion and Restriction of Processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, in order to be able to prove that consent was previously given. The processing of this data is limited to the purpose of potentially defending against claims. An individual request for erasure may be made at any time, provided that the prior existence of consent is confirmed at the same time. In the event of obligations to permanently honor objections, we reserve the right to store the email address solely for this purpose in a blocklist.

The registration process is logged based on our legitimate interests for the purpose of verifying that it was carried out properly. To the extent that we engage a service provider to send emails, this is done based on our legitimate interests in an efficient and secure email delivery system.
Contents:

Information about us, our services, promotions and offers.

  • Types of data processed: Personal information (e.g., names, addresses); contact information (e.g., email addresses, phone numbers); metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Affected individuals: Communication partners.
  • Purposes of processing: Direct marketing (e.g., via email or mail).
  • Legal Basis: Consent (Article 6 (1) (a) GDPR).
  • Opt-Out Option: You can unsubscribe from our newsletter at any time, i.e., revoke your consent or opt out of receiving future issues. You will find a link to unsubscribe from the newsletter at the end of each newsletter, or you can use one of the contact options listed above—preferably email—to do so.

Commercial communication by E-Mail, Postal Mail, Fax or Telephone

We process personal data for the purposes of promotional communication, which may be carried out via various channels, such as e-mail, telephone, post or fax, in accordance with the legal requirements. The recipients have the right to withdraw their consent at any time or to object to the advertising communication at any time.

After revocation or objection, we store the data required to prove the past authorization to contact or send up to three years from the end of the year of revocation or objection on the basis of our legitimate interests. The processing of this data is limited to the purpose of a possible defense against claims. Based on the legitimate interest to permanently observe the revocation, respectively objection of the users, we further store the data necessary to avoid a renewed contact (e.g. depending on the communication channel, the e-mail address, telephone number, name).

  • Types of data processed: Master data (e.g., names, addresses); contact information (e.g., email addresses, phone numbers).
  • Affected individuals: Communication partners.
  • Purposes of processing: Direct marketing (e.g., via email or mail)
  • Legal basis: Consent (Art. 6(1), first sentence, subparagraph (a) of the GDPR). Legitimate interests (Art. 6(1), first sentence, subparagraph (f) of the GDPR).

Web Analysis, Monitoring and Optimization

Web analytics (also known as “audience measurement”) is used to analyze visitor traffic to our online platform and may include pseudonymized data on visitor behavior, interests, or demographic information, such as age or gender. With the help of reach analysis, we can, for example, determine at what times our online platform, its features, or its content are used most frequently, or encourage repeat visits. We can also identify which areas require optimization.

In addition to web analysis, we can also use test procedures, e.g. to test and optimize different versions of our online services or their components.

Unless otherwise stated below, profiles, that is data summarized for a usage process or user, may be created for these purposes and stored in a browser or terminal device (so-called “cookies”) or similar processes may be used for the same purpose. The information collected includes, in particular, websites visited and elements used there as well as technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data or profiles to us or to the providers of the services we use, these may also be processed, depending on the provider.

The IP addresses of the users are also stored. However, we use any existing IP masking procedure (i.e. pseudonymisation by shortening the IP address) to protect the user. In general, within the framework of web analysis, A/B testing and optimisation, no user data (such as e-mail addresses or names) is stored, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective processes.

  • Processed data types: Usage data (e.g. websites visited, interest in content, access times). Meta, communication and process data (e.g. IP addresses, time information, identification numbers, consent status).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of Processing: Web Analytics (e.g. access statistics, recognition of returning visitors). Profiles with user-related information (Creating user profiles).
  • Security measures: IP Masking (Pseudonymization of the IP address).
  • Legal Basis: Consent (Article 6 (1) (a) GDPR).

Further information on processing methods, procedures and services used:

  • Matomo: Matomo is software that is used for the purposes of web analysis and reach measurement. As part of the use of Matomo, cookies are generated and stored on the user’s terminal device. User data collected through the use of Matomo is processed only by us and is not shared with third parties. The cookies are stored for a maximum period of 13 months: https://matomo.org/faq/general/faq_146/; Legal Basis: Consent (Article 6 (1) (a) GDPR). Retention period: The cookies have a maximum storage period of 13 months.
  • Use of Cloudflare Turnstile: This website uses Cloudflare Turnstile in its forms. Cloudflare Turnstile is a CAPTCHA-free bot protection service provided by Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA). Turnstile analyzes user behavior (e.g., browser data, mouse movements, device information) in the background to distinguish automated access from human users—without displaying a traditional CAPTCHA. In doing so, data is transferred to Cloudflare servers, which may also be located outside the EU/EEA. Data processing is based on Art. 6(1)(f) of the GDPR (legitimate interest in security and the protection of our forms against misuse). Cloudflare is certified under the EU-U.S. Data Privacy Framework, which ensures an adequate level of protection. For more information on data protection at Cloudflare, please visit: https://www.cloudflare.com/privacypolicy/.

Online Marketing

We process personal data for online marketing purposes, which may include, in particular, the marketing of advertising space or the display of advertising and other content (collectively referred to as “content”) based on users’ potential interests, as well as the measurement of their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (known as a “cookie”), or similar methods are used to store user information relevant to the display of the aforementioned content. This information may include, for example, content viewed, websites visited, online networks used, as well as communication partners and technical details such as the browser and computer system used, along with information on usage times and functions used. If users have consented to the collection of their location data, this data may also be processed.

The IP addresses of the users are also stored. However, we use provided IP masking procedures (i.e. pseudonymisation by shortening the IP address) to ensure the protection of the user’s by using a pseudonym. In general, within the framework of the online marketing process, no clear user data (such as e-mail addresses or names) is secured, but pseudonyms. This means that we, as well as the providers of online marketing procedures, do not know the actual identity of the users, but only the information stored in their profiles.

The information in the profiles is usually stored in the cookies or similar memorizing procedures. These cookies can later, generally also on other websites that use the same online marketing technology, be read and analyzed for purposes of content display, as well as supplemented with other data and stored on the server of the online marketing technology provider.

Exceptionally, clear data can be assigned to the profiles. This is the case, for example, if the users are members of a social network whose online marketing technology we use and the network links the profiles of the users in the aforementioned data. Please note that users may enter into additional agreements with the social network providers or other service providers, e.g. by consenting as part of a registration process.

As a matter of principle, we only gain access to summarised information about the performance of our advertisements. However, within the framework of so-called conversion measurement, we can check which of our online marketing processes have led to a so-called conversion, i.e. to the conclusion of a contract with us. The conversion measurement is used alone for the performance analysis of our marketing activities.

Unless otherwise stated, we kindly ask you to consider that cookies used will be stored for a period of two years.

  • Types of Data Processed: Usage data (e.g., websites visited, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status); Event data (Facebook) (“Event data” refers to data that may be transmitted by us to Facebook—for example, via Facebook Pixel (through apps or other means)—and that relates to individuals or their actions; This data includes, for example, information about website visits, interactions with content, features, app installations, product purchases, etc.; the event data is processed for the purpose of creating target groups for content and advertising information (Custom Audiences); Event data does not include the actual content (such as comments posted), login information, or contact information (i.e., no names, email addresses, or phone numbers). Event data is deleted by Facebook after a maximum of two years; the target audiences created from this data are deleted when our Facebook account is deleted.
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Audience measurement (e.g., traffic statistics, identification of returning visitors); tracking (e.g., interest-based/behavioral profiling, use of cookies); Marketing; profiles containing user-related information (creation of user profiles); conversion tracking (measuring the effectiveness of marketing measures); audience targeting. Provision of our online services and user-friendliness.
  • Security measures: IP Masking (Pseudonymization of the IP address).
  • Legal Basis: Legitimate interests (Art. 6(1), first sentence, subparagraph (f) of the GDPR). Consent (Art. 6(1), first sentence, subparagraph (a) of the GDPR).
  • Option to Opt Out: Please refer to the privacy policies of the respective providers and the opt-out options specified by them. If no explicit opt-out option has been provided, you have the option of disabling cookies in your browser settings. However, this may limit certain features of our online service. We therefore also recommend the following opt-out options, which are summarized and organized by category:
  • a) Europe: https://www.youronlinechoices.eu.
    b) Canada: https://www.youradchoices.ca/choices.
    c) USA: https://www.aboutads.info/choices.
    d) Cross-regional: https://optout.aboutads.info.Weitere Information on processing activities, procedures, and services: Facebook Ads: Placement of ads within the Facebook platform and analysis of ad performance; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Basis for transfers to third countries: EU-US Data Privacy Framework (DPF); Option to Object (Opt-Out): We refer to the privacy and advertising settings in users’ profiles on the Facebook platform, as well as to Facebook’s consent procedures and contact options for exercising the right to access and other data subject rights as outlined in Facebook’s Privacy Policy; Further Information: User event data—i.e., behavioral and interest data—is processed for the purposes of targeted advertising and audience targeting based on the Joint Controller Agreement (“Addendum for Controllers,” https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, particularly with regard to the transfer of data to the parent company, Meta Platforms, Inc., in the United States (based on the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Instagram Ads: Placing ads on the Instagram platform and analyzing ad performance; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy; Basis for third-country transfer: EU-US Data Privacy Framework (DPF); Right to object (opt-out): We refer to the privacy and advertising settings in users’ profiles on the Instagram platform, as well as to Instagram’s consent procedures and contact options for exercising the right to access and other data subject rights as outlined in Instagram’s Privacy Policy; Additional Information: User event data—i.e., behavioral and interest data—is processed for the purposes of targeted advertising and audience targeting based on the joint controller agreement (“Addendum for Controllers,” https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, particularly with regard to the transfer of data to the parent company, Meta Platforms, Inc., in the United States (based on the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).

Profiles in Social Networks (Social Media)

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

Please note that this may involve the processing of user data outside the European Union. This may pose risks to users, as it could, for example, make it more difficult to enforce their rights.
Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, usage profiles may be created based on users’ behavior and the resulting interests. These user profiles can in turn be used, for example, to display advertisements both within and outside the networks that are presumed to correspond to users’ interests. For these purposes, cookies are typically stored on users’ computers, in which their usage behavior and interests are recorded. Furthermore, data may also be stored in the usage profiles regardless of the devices used by users (particularly if users are members of the respective platforms and are logged in to them).

For a detailed description of the respective processing operations and the opt-out options, please refer to the respective data protection declarations and information provided by the providers of the respective networks.

Also in the case of requests for information and the exercise of rights of data subjects, we point out that these can be most effectively pursued with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. If you still need help, please do not hesitate to contact us.

  • Types of data processed: Contact information (e.g., email, phone numbers); content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content, access times); meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Contact requests and communication; feedback (e.g., collecting feedback via an online form). Marketing.
  • Legal basis: Legitimate interests (Art. 6(1), first sentence, subparagraph (f) of the GDPR).
    Further information on processing methods, procedures and services used:
  • Instagram: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1), first sentence, lit. f) of the GDPR); Website: https://www.instagram.com. Privacy Policy: https://instagram.com/about/legal/privacy.

Plugins and embedded functions and content

We incorporate functional and content elements into our online offering that are sourced from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos, or city maps (hereinafter collectively referred to as “content”).

This integration always requires that the third-party providers of this content process users’ IP addresses, since they would not be able to send the content to users’ browsers without the IP address. The IP address is therefore necessary for displaying this content or these features. We strive to use only content whose respective providers use the IP address solely for the purpose of delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. These “pixel tags” allow information—such as visitor traffic on the pages of this website—to be analyzed.

The pseudonymous information may also be stored in cookies on users’ devices and may include, among other things, technical information about the browser and operating system, referring websites, the time of the visit, and other details regarding the use of our online service, as well as be linked to such information from other sources.

  1. Processed data types: Usage data (e.g. websites visited, interest in content, access times). Meta, communication and process data (e.g. IP addresses, time information, identification numbers, consent status).
  2. Data subjects: Users (e.g. website visitors, users of online services).
  3. Purposes of processing: Providing our online services and ensuring user-friendliness; marketing. Profiles containing user-related information (creation of user profiles).
  4. Legal basis: Legitimate interests (Art. 6(1), first sentence, subparagraph (f) of the GDPR).
    Further information on processing methods, procedures and services used:
  5. Google Fonts (Retrieved from Google’s server): Retrieval of fonts (and icons) for the purpose of ensuring technically secure, maintenance-free, and efficient use of fonts and icons in terms of up-to-date content and loading times, their consistent display, and compliance with any applicable licensing restrictions. The font provider is provided with the user’s IP address so that the fonts can be made available in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) is transmitted, which is necessary for the delivery of the fonts depending on the devices used and the technical environment. This data may be processed on a server belonging to the font provider in the United States—When users visit our website, their browsers send HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) from Google Fonts and, subsequently, the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the Internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the User-Agent, which describes the browser and operating system versions of the website visitors, as well as the referrer URL (i.e., the webpage on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers, and they are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user-agent, and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families that the user wishes to load. This data is logged so that Google can determine how often a specific font family is requested. With the Google Fonts Web API, the user-agent must match the font generated for the respective browser type. The user-agent is primarily logged for debugging purposes and used to generate aggregated usage statistics that measure the popularity of font families. These aggregated usage statistics are published on the “Analytics” page of Google Fonts. Finally, the referrer URL is logged so that the data can be used for production maintenance and to generate an aggregated report on the top integrations based on the number of font requests. According to Google, it does not use any of the information collected by Google Fonts to create profiles of end users or to serve targeted ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://fonts.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis for transfers to third countries: EU-U.S. Data Privacy Framework (DPF). Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
  • Instagram Plugins and Content: Instagram Plugins and Content – This may include, for example, content such as images, videos, or text, as well as buttons that allow users to share content from this online service within Instagram. – We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt, as part of a transfer (but not the further processing), of “event data” which Facebook collects via Instagram features (e.g., content embedding features) executed on our online service or receives as part of a transfer for the following purposes:
    a) Displaying content and advertising information that matches users’ presumed interests;
    b) Delivery of commercial and transaction-related messages (e.g., contacting users via Facebook Messenger);
    c) Improving ad delivery and personalizing features and content (e.g., improving the ability to identify which content or advertising information is likely to match users’ interests). We have entered into a special agreement with Facebook (“Addendum for Controllers,” https://www.facebook.com/legal/controller_addendum), which specifically outlines the security measures Facebook must adhere to (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to uphold the rights of data subjects (i.e., users can, for example, submit requests for information or deletion directly to Facebook).

Note: When Facebook provides us with metrics, analyses, and reports (which are aggregated—i.e., do not contain information about individual users and are anonymous to us), this processing does not take place under joint controllership but rather on the basis of a data processing agreement (“Data Processing Terms” https://www.facebook.com/legal/terms/dataprocessing) , the “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the U.S., on the basis of standard contractual clauses (“Facebook-EU Data Transfer Addendum,” https://www.facebook.com/legal/EU_data_transfer_addendum).

Users’ rights (in particular the right to access, erasure, objection, and to lodge a complaint with the competent supervisory authority) are not restricted by the agreements with Facebook; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1), first sentence, lit. f) of the GDPR);

Website: https://www.instagram.com. Privacy Policy: https://instagram.com/about/legal/privacy.