Privacy Policy

Last updated: December 1st, 2024

Controller

2nd wind GmbH

Isarwinkel 10

81379 Munich

Authorized representative: Alan Zacher

Email: info@2nd-wind.de

Legal Notice: Imprint

Overview of Processing Activities

The following overview summarizes the types of data processed, their purposes, and the affected persons.

Types of Processed Data

  • Inventory data.
  • Payment data.
  • Location data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication, and procedural data.
  • Log data.

Categories of Affected Persons

  • Service recipients and contractors.
  • Interested parties.
  • Communication partners.
  • Users.
  • Business and contractual partners.
  • Educational and course participants.

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Audience measurement.
  • Tracking.
  • Office and organizational procedures.
  • Target group formation.
  • Organizational and administrative procedures.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Provision of our online offerings and user-friendliness.
  • IT infrastructure.
  • Public relations.
  • Sales promotion.
  • Business processes and economic procedures.

Relevant Legal Bases

Relevant Legal Bases under GDPR: Below is an overview of the GDPR legal bases for processing personal data. Please note that, in addition to GDPR, national data protection regulations in your or our country of residence may apply. Specific legal bases will be provided in the privacy policy when applicable.

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given consent to the processing of their personal data for specific purposes.
  • Contractual obligations (Art. 6 para. 1 sentence 1 lit. b) GDPR) – Processing is necessary for the performance of a contract with the data subject or for pre-contractual measures requested by the data subject.
  • Legal obligations (Art. 6 para. 1 sentence 1 lit. c) GDPR) – Processing is necessary to fulfill a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – Processing is necessary to protect the legitimate interests of the controller or a third party, provided these are not overridden by the interests or rights of the data subject.

National Data Protection Regulations in Germany: In addition to GDPR, Germany has national data protection laws, particularly the Federal Data Protection Act (BDSG). This includes specific provisions on the right to access, deletion, objection, and the processing of special categories of personal data, as well as automated decision-making including profiling. State-specific data protection laws may also apply.

Note on GDPR and Swiss Data Protection Act: These privacy notices apply to both GDPR and the Swiss Data Protection Act (DSG). The terminology of the GDPR is used for broader applicability, but terms from the Swiss DSG retain their legal meaning under Swiss law.

Transfer of Personal Data

In the course of processing personal data, the data may be transmitted or disclosed to other entities, companies, legally independent organizations, or individuals. Recipients may include IT service providers or service/content providers integrated into a website. Contracts or agreements ensuring data protection are established in such cases.

Data transfers within the organization: We may transfer personal data within our organization for administrative purposes or based on legitimate business interests, provided legal permissions or consent from the data subject are in place.

International Data Transfers

Processing data in third countries: If we process data in a third country (outside the EU/EEA) or involve third-party services, it is done in accordance with legal requirements. If the EU recognizes adequate protection levels in a third country (Art. 45 GDPR), transfers are based on this. Transfers otherwise occur with safeguards like standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), explicit consent, or contractual/legal necessity (Art. 49 para. 1 GDPR). Details are provided in the privacy notices for each third-party service.

More information about adequacy decisions and the “Data Privacy Framework” (DPF) for US companies certified by the EU Commission (July 10, 2023) is available at:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.
US-certified companies under the DPF are listed at:
https://www.dataprivacyframework.gov/.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal requirements as soon as the underlying consents are revoked or no further legal basis for processing exists. This applies in cases where the original purpose of processing ceases to exist, or the data is no longer needed. Exceptions to this rule apply when legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax-related reasons, or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons, must be archived accordingly.

Our data protection notices contain additional information on the retention and deletion of data specific to certain processing procedures.

When multiple retention periods or deletion deadlines are specified for a particular piece of data, the longest period always takes precedence.

If a period does not explicitly start on a specific date and is at least one year, it automatically begins at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships where data is stored, the triggering event is the effective date of termination or other termination of the legal relationship.

Data that is no longer needed for its original purpose but is retained due to legal requirements or other reasons is processed exclusively for the reasons that justify its retention.

Further Notes on Processing Procedures, Methods, and Services:

  • Retention and Deletion of Data: The following general retention periods apply under German law:
    • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balances, and the instructions and other organizational documents necessary to understand them, booking receipts, and invoices (§ 147 para. 3 in conjunction with para. 1 no. 1, 4, and 4a AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 and 4, para. 4 HGB).
    • 6 years – Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents relevant for taxation, e.g., timesheets, business calculation sheets, pricing records, payroll documents not classified as booking receipts, and cash register receipts (§ 147 para. 3 in conjunction with para. 1 no. 2, 3, 5 AO, § 257 para. 1 no. 2 and 3, para. 4 HGB).
    • 3 years – Data necessary to account for potential warranty and compensation claims or similar contractual claims and associated inquiries based on past business experiences and usual industry practices are retained for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, particularly those arising from Articles 15 to 21 GDPR:

  • Right to Object: You have the right to object at any time, for reasons related to your particular situation, to the processing of personal data concerning you, which is carried out under Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes; this also applies to profiling to the extent that it is related to such direct marketing.
  • Right to Withdraw Consent: You have the right to withdraw any consent granted at any time.
  • Right of Access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain access to this data as well as further information and a copy of the data in accordance with legal requirements.
  • Right to Rectification: You have the right to demand the completion or rectification of incorrect data concerning you in accordance with legal requirements.
  • Right to Erasure and Restriction of Processing: You have the right to demand the immediate deletion of data concerning you or, alternatively, to request a restriction of processing under the conditions provided by law.
  • Right to Data Portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format or to request its transmission to another controller.
  • Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

Business Services

We process data of our contractual and business partners, such as customers and prospects (hereinafter referred to as “contractual partners”), within the context of contractual and similar legal relationships and associated measures, as well as in terms of communication with the contractual partners (or pre-contractual), for instance, to respond to inquiries.

We use this data to fulfill our contractual obligations. This includes, in particular, the obligation to provide agreed services, any update obligations, and remedies for warranty and other performance issues. Furthermore, we use the data to safeguard our rights and for administrative tasks associated with these obligations, as well as organizational purposes. Additionally, we process the data based on our legitimate interests in proper and economically efficient business management and security measures to protect our contractual partners and our business operations from misuse, threats to their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other auxiliary services, subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Within the limits of applicable law, we disclose the data of contractual partners only to the extent necessary for the aforementioned purposes or to comply with legal obligations. Further forms of processing, such as for marketing purposes, are disclosed to the contractual partners within this privacy policy.

We inform contractual partners of the data required for the aforementioned purposes before or during data collection, e.g., in online forms, through special markings (e.g., colors) or symbols (e.g., asterisks or similar), or in person.

We delete the data after the expiry of statutory warranty and comparable obligations, i.e., typically after four years, unless the data is stored in a customer account, e.g., as long as it must be retained for statutory archiving purposes (usually ten years for tax purposes). Data disclosed to us as part of an order by the contractual partner will be deleted in accordance with the specifications and generally after the end of the order.

  • Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank account details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers). Contract data (e.g., contract subject, duration, customer category).
  • Affected Persons: Service recipients and clients; Prospects; Business and contract partners. Education and training participants.
  • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Communication; Office and organizational procedures; Organizational and administrative processes. Business processes and economic procedures.
  • Retention and Deletion: Deletion according to the information in the section “General Information on Data Storage and Deletion”.
  • Legal Basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Notes on Processing Procedures, Processes, and Services:

  • Agency Services: We process the data of our customers as part of our contractual services, which may include, for example, conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes, handling, server administration, data analysis/consulting services, and training services; Legal Basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Educational and Training Services: We process the data of participants in our educational and training programs (collectively referred to as “trainees”) to provide our training services to them. The type, scope, purpose, and necessity of data processing are determined by the underlying contractual and training relationship. Processing forms include performance evaluation and evaluation of our services as well as those of the instructors. In the course of our activities, we may also process special categories of data, including information about the health of the trainees and data revealing ethnic origin, political opinions, religious or philosophical beliefs. If necessary, we obtain the explicit consent of the trainees for such data and process special categories of data only when required for the provision of training services, health care purposes, social protection, or the protection of the vital interests of the trainees; Legal Basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Craft Services: We process the data of our customers and clients (collectively referred to as “customers”) to enable them to select, acquire, or commission the chosen services or works, as well as related activities, their payment, and delivery or execution. The required information is marked as such in the context of the order, purchase, or similar contract conclusion and includes the data needed for delivery and billing as well as contact information to clarify queries if necessary; Legal Basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Project and Development Services: We process the data of our customers and clients (collectively referred to as “customers”) to enable them to select, acquire, or commission the chosen services or works, as well as related activities, their payment, and provision or execution. The required information is marked as such in the context of the order, purchase, or similar contract conclusion and includes the data needed for service delivery and billing as well as contact information to clarify queries if necessary. If we gain access to information about end customers, employees, or other individuals, we process it in accordance with legal and contractual requirements; Legal Basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Offering Software and Platform Services: We process the data of our users, registered and potential test users (collectively referred to as “users”), to provide our contractual services and based on legitimate interests to ensure the security of our offerings and to further develop them. The required information is marked as such in the context of the order, purchase, or similar contract conclusion and includes the data needed for service delivery and billing as well as contact information to clarify queries if necessary; Legal Basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Technical Services: We process the data of our customers and clients (collectively referred to as “customers”) to enable them to select, acquire, or commission the chosen services or works, as well as related activities, their payment, and provision or execution. The required information is marked as such in the context of the order, purchase, or similar contract conclusion and includes the data needed for service delivery and billing as well as contact information to clarify queries if necessary. If we gain access to information about end customers, employees, or other individuals, we process it in accordance with legal and contractual requirements; Legal Basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Provision of Online Offerings and Web Hosting

We process users’ data to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the contents and functions of our online services to the user’s browser or device.

  • Processed data types: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, types of devices used, and operating systems, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals). Log data (e.g., log files regarding logins or data retrieval or access times).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)). Security measures.
  • Retention and deletion: Deletion according to the information in the section “General Information on Data Storage and Deletion”.
  • Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further notes on processing activities, procedures, and services:

  • Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files”. These server log files may include the address and name of the accessed web pages and files, date and time of access, data volumes transferred, messages about successful retrieval, browser type and version, user’s operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. Server log files may be used for security purposes, e.g., to avoid server overloads (especially in the case of abusive attacks, such as DDoS attacks), and to ensure server utilization and stability; Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained for evidence purposes is excluded from deletion until the respective incident is fully resolved.
  • Mittwald: Services in the field of providing IT infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp, Germany; Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Website: https://www.mittwald.de; Privacy Policy: https://www.mittwald.de/datenschutz. Data Processing Agreement: https://www.mittwald.de/faq/service-informationen/faq/datenschutz-alles-wichtige-zur-dsgvo.

Use of Cookies

The term “cookies” refers to functions that store and read information on users’ devices. Cookies can also serve different purposes, such as ensuring the functionality, security, and comfort of online offerings and analyzing visitor flows. We use cookies in compliance with legal regulations. To this end, we obtain users’ consent in advance where required. Where consent is not necessary, we rely on our legitimate interests. This applies when storing and reading information is essential to explicitly requested content and functionality. This includes storing settings and ensuring the functionality and security of our online offering. Consent can be revoked at any time. We provide clear information about the scope of consent and the cookies used.

Notes on data protection legal bases: Whether we process personal data with the help of cookies depends on consent. If consent exists, it serves as the legal basis. Without consent, we rely on our legitimate interests, as explained in this section and in the context of the respective services and procedures.

Retention period: Regarding retention periods, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g., browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be saved, and preferred content can be displayed directly when a user revisits a website. Similarly, user data collected with the help of cookies may be used for reach measurement. Unless we provide users with explicit information on the type and retention period of cookies (e.g., as part of obtaining consent), they should assume these are permanent and the retention period can be up to two years.

General information on withdrawal and objection (opt-out): Users can withdraw their consent at any time and also object to the processing in accordance with legal requirements, including via their browser’s privacy settings.

  • Processed data types: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Legal Basis: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further Notes on Processing Procedures, Methods, and Services:

  • Processing of Cookie Data Based on Consent: We use a consent management solution to obtain users’ consent for the use of cookies or for the procedures and providers listed as part of the consent management solution. This procedure is used to collect, record, manage, and withdraw consent, particularly in relation to the use of cookies and similar technologies that are employed to store, read, and process information on users’ devices. As part of this procedure, users’ consent for the use of cookies and the associated processing of information, including specific processing and providers mentioned in the consent management process, is obtained. Users also have the option to manage and withdraw their consent. The consent declarations are stored to avoid re-prompting and to provide evidence of consent as required by law. Storage occurs server-side and/or in a cookie (known as an opt-in cookie) or through similar technologies to associate the consent with a specific user or their device. If no specific details are provided about the providers of consent management services, the following general notes apply: The storage duration of the consent is up to two years. A pseudonymous user identifier is created, which is stored along with the time of consent, details about the scope of consent (e.g., relevant categories of cookies and/or service providers), as well as information about the browser, system, and device used; Legal Basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Blogs and Publication Media

We use blogs or similar means of online communication and publication (hereinafter “publication medium”). Readers’ data is only processed to the extent necessary for the presentation of the publication medium and communication between authors and readers or for security reasons. Otherwise, we refer to the information on the processing of visitors to our publication medium as outlined in this privacy policy.

  • Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or visual messages and posts, as well as related information, such as authorship details or time of creation); Usage data (e.g., page views and time spent, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals).
  • Concerned Persons: Users (e.g., website visitors, online service users).
  • Purposes of Processing: Feedback (e.g., collecting feedback via online forms). Provision of our online offering and user-friendliness.
  • Retention and Deletion: Deletion as specified in the section “General Information on Data Storage and Deletion”.
  • Legal Basis: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Contact and Request Management

When contacting us (e.g., via mail, contact form, email, phone, or social media) and in the context of existing user and business relationships, the information of the inquiring persons is processed as necessary to respond to the contact inquiries and any requested measures.

  • Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or visual messages and posts, as well as related information, such as authorship details or time of creation); Usage data (e.g., page views and time spent, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals).
  • Concerned Persons: Communication partners.
  • Purposes of Processing: Communication; Organizational and administrative procedures; Feedback (e.g., collecting feedback via online forms). Provision of our online offering and user-friendliness.
  • Retention and Deletion: Deletion as specified in the section “General Information on Data Storage and Deletion”.
  • Legal Basis: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further Notes on Processing Procedures, Methods, and Services:

  • Contact Form: When contacting us via our contact form, email, or other communication channels, we process the personal data provided to respond to and handle the respective request. This generally includes details such as name, contact information, and any other information shared with us that is necessary for proper processing. We use this data exclusively for the stated purpose of contact and communication; Legal Basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Communication via Messenger

We use messengers for communication purposes and kindly ask you to note the following information regarding the functionality of messengers, encryption, the use of communication metadata, and your options for objection.

You can also contact us through alternative means, e.g., via phone or email. Please use the contact options provided or those specified within our online offering.

In the case of end-to-end encryption of content (i.e., the content of your message and attachments), we point out that communication contents (i.e., the content of messages and attached images) are encrypted end-to-end. This means that the content of the messages is not viewable, not even by the messenger providers themselves. You should always use an updated version of messengers with encryption enabled to ensure the encryption of message content.

We additionally inform our communication partners that while messenger providers cannot view the content, they may be able to determine that and when communication partners interact with us and may process technical information about the communication partners’ devices and, depending on their device settings, location information (so-called metadata).

Notes on Legal Bases: If we ask communication partners for permission before communicating with them via Messenger, the legal basis for processing their data is their consent. Otherwise, if we do not request consent and they contact us, for example, on their own initiative, we use Messenger in relation to our contractual partners and within the scope of contract initiation as a contractual measure, and in the case of other interested parties and communication partners, based on our legitimate interests in fast and efficient communication and meeting the needs of our communication partners for communication via Messenger. Furthermore, we point out that we do not initially transmit the contact details provided to us to the Messengers without your consent.

Revocation, Objection, and Deletion: You can revoke any given consent at any time and request the deletion of your data.

  • Processed Data Types: Contact data (e.g., postal and email addresses or phone numbers). Content data (e.g., textual or visual messages and contributions as well as information related to them, such as authorship details).
  • Affected Individuals: Communication partners.
  • Processing Purposes: Communication.
  • Retention and Deletion: Deletion in accordance with the section “General Information on Data Storage and Deletion.”
  • Legal Bases: Consent (Art. 6(1)(1)(a) GDPR); Contractual fulfillment and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR). Legitimate interests (Art. 6(1)(1)(f) GDPR).

Newsletter and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter referred to as “Newsletter”) exclusively with the consent of the recipients or based on a legal basis. If the contents of the newsletter are specified during the signup process, these contents are decisive for the user’s consent. Usually, providing your email address is sufficient for subscribing to our newsletter. However, to offer you a personalized service, we may request your name for personalized addressing or additional information if necessary for the newsletter’s purpose.

Deletion and Restriction of Processing: Based on our legitimate interests, we may retain unsubscribed email addresses for up to three years before deleting them, in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of potential defense against claims. An individual deletion request is possible at any time, provided the former existence of consent is confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a suppression list (so-called “Blocklist”).

The logging of the registration process is based on our legitimate interests to prove its proper implementation. If we engage a service provider to send emails, this is based on our legitimate interests in an efficient and secure sending system.

Contents:

Information about us, our services, actions, and offers.

  • Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties). Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems, interactions with content and features).
  • Affected Individuals: Communication partners.
  • Processing Purposes: Direct marketing (e.g., via email or postal mail).
  • Legal Bases: Consent (Art. 6(1)(1)(a) GDPR). Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Opt-Out Option: You can unsubscribe from our newsletter at any time, i.e., revoke your consent or object to further receipt. A link to unsubscribe from the newsletter is included at the end of each newsletter, or you can use one of the contact options provided above, preferably email, for this purpose.

Additional Notes on Processing Procedures, Methods, and Services:

  • Measurement of Opening and Click Rates: The newsletters contain a so-called “web beacon,” i.e., a pixel-sized file that is retrieved from our or, if we use a dispatch service provider, their server when the newsletter is opened. During this retrieval, technical information, such as details about the browser and your system, as well as your IP address and the time of retrieval, is collected. This information is used to improve our newsletters based on technical data or target groups and their reading behaviors based on retrieval locations (determined using IP addresses) or access times. This analysis also includes determining whether and when newsletters are opened and which links are clicked. The information is associated with individual newsletter recipients and stored in their profiles until deletion. The evaluations help us understand the reading habits of our users and adapt our content to them or send different content according to the interests of our users. The measurement of opening and click rates and the storage of results in user profiles Legal Bases: Consent (Art. 6(1)(1)(a) GDPR).
  • Mailchimp: Email marketing, marketing process automation, collection, storage, and management of contact data, campaign performance measurement, recipient interaction analysis with content, content personalization; Service Provider: Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA; Legal Bases: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://mailchimp.com; Privacy Policy: https://mailchimp.com/legal/; Data Processing Agreement: https://mailchimp.com/legal/; Third-Country Transfer Basis: Data Privacy Framework (DPF). Additional Information: Special security measures: https://mailchimp.com/de/help/mailchimp-european-data-transfers/.

Advertising Communication via Email, Postal Mail, Fax, or Telephone

We process personal data for the purposes of advertising communication, which can occur through various channels, such as email, telephone, postal mail, or fax, in accordance with legal regulations. The recipients have the right to revoke any consent given or object to promotional communication at any time.

After revocation or objection, we store the data required to prove the previous authorization for contact or sending purposes for up to three years after the end of the year of revocation or objection based on our legitimate interests. The processing of this data is limited to the purpose of possible defense against claims. Additionally, based on the legitimate interest of permanently observing users’ revocation or objection, we store the data necessary to avoid further contact (e.g., depending on the communication channel, email address, phone number, name).

  • Processed Data Types: Inventory data (e.g., full name, home address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers). Content data (e.g., textual or visual messages and posts, and related information such as authorship or creation time).
  • Data Subjects: Communication partners.
  • Purposes of Processing: Direct marketing (e.g., via email or post); Marketing. Sales promotion.
  • Retention and Deletion: Deletion in accordance with the information provided in the “General Information on Data Retention and Deletion” section.
  • Legal Bases: Consent (Art. 6 (1) sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR).

Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as “reach measurement”) is used to evaluate visitor flows on our online offerings and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With reach analysis, we can identify, for example, when our online offerings or their features or content are most frequently used or invite reuse. It also allows us to determine which areas need optimization.

In addition to web analysis, we may also use testing methods to test and optimize different versions of our online offerings or their components.

Unless otherwise stated below, profiles, i.e., data grouped into a usage process, may be created for these purposes, and information may be stored in a browser or a device and then read out. The collected data includes the websites visited and the elements used there, as well as technical information such as the browser used, the computer system, and information about usage times. If users have consented to the collection of their location data with us or the providers of the services we use, the processing of location data is also possible.

Additionally, users’ IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, web analysis, A/B testing, and optimization do not store clear data of users (such as email addresses or names), only pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, only the data stored in their profiles for the purpose of the respective procedures.

Information on Legal Bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is the consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and recipient-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.

  • Processed Data Types: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, persons involved).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Reach measurement (e.g., access statistics, recognition of returning visitors); Profiles with user-related information (creation of user profiles). Provision of our online offering and user-friendliness.
  • Retention and Deletion: Deletion in accordance with the information provided in the “General Information on Data Retention and Deletion” section. Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of up to two years).
  • Security Measures: IP masking (pseudonymization of the IP address).
  • Legal Bases: Consent (Art. 6 (1) sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR).

Further Information on Processing Procedures, Methods, and Services:

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online offerings based on a pseudonymous user identification number. This identification number does not contain any identifiable data, such as names or email addresses. It is used to associate analytical information with a device to recognize which content users accessed during one or multiple usage sessions, which search terms they used, which content they revisited, or how they interacted with our online offerings. Additionally, usage times and durations, user referral sources, and technical aspects of their devices and browsers are stored. The pseudonymous profiles of users are created with information collected from the use of various devices, using cookies where applicable. Google Analytics does not log or store individual IP addresses for EU users. However, it provides coarse geographic location data by deriving the following metadata from IP addresses: city (and its derived latitude and longitude), continent, country, region, subcontinent (and corresponding ID-based counterparts). For EU traffic, IP address data is used exclusively for deriving geolocation data and is then immediately deleted. These data points are not logged, accessible, or used for further purposes. When Google Analytics collects measurement data, all IP requests are handled on EU-based servers before data is sent for processing to Analytics servers. Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6 (1) sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/en/about/analytics/; Security Measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Third-Country Transfer Basis: Data Privacy Framework (DPF); Opt-Out Option: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Ad Personalization Settings: https://myadcenter.google.com/personalizationoff. More Information: https://business.safety.google/adsservices/ (types of processing and processed data).
  • Matomo: Matomo is software used for web analysis and reach measurement purposes. During the use of Matomo, cookies are generated and stored on users’ devices. Data collected from the use of Matomo is processed only by us and not shared with third parties. Cookies are stored for a maximum duration of 13 months: https://matomo.org/faq/general/faq_146/; Legal Basis: Consent (Art. 6 (1) sentence 1 lit. a) GDPR). Data Deletion: Cookies are stored for a maximum period of 13 months.

Online Marketing

We process personal data for online marketing purposes, which may include the promotion of advertising space or the display of advertising and other content (collectively referred to as “content”) based on potential user interests and the measurement of their effectiveness.

For these purposes, user profiles are created and stored in a file (commonly referred to as a “cookie”) or similar procedures are used to store user-related information necessary for the display of the aforementioned content. These can include viewed content, visited websites, used online networks, as well as communication partners and technical details such as the browser used, operating system, usage times, and utilized features. If users have consented to the collection of their location data, this data may also be processed.

Additionally, the IP addresses of users are stored. However, IP masking procedures (i.e., pseudonymization by shortening the IP address) are used to protect users. In general, no clear user data (e.g., email addresses or names) is stored during online marketing procedures, but rather pseudonyms. This means that neither we nor the providers of the online marketing procedures know the actual identity of users, only the data stored in their profiles.

The information stored in the profiles is usually stored in cookies or through similar methods. These cookies can generally also be read and analyzed later on other websites that use the same online marketing procedure, supplemented with additional data, and stored on the online marketing procedure provider’s server.

In exceptional cases, clear data can be assigned to the profiles, primarily when users are members of a social network whose online marketing procedure we use, and the network links the user profiles with the mentioned data. We ask you to note that users may have additional agreements with the providers, e.g., through consent given during registration.

We generally only have access to aggregated information about the success of our advertisements. However, as part of conversion measurements, we can check which of our online marketing methods have led to a conversion, i.e., for example, to a contract conclusion with us. Conversion measurement is used solely to analyze the success of our marketing efforts.

Unless otherwise stated, please assume that the cookies used are stored for a period of two years.

Notes on legal bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is their consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.

Notes on withdrawal and objection:

We refer to the privacy notices of the respective providers and the objection options provided by the providers (so-called “opt-out”). If no explicit opt-out option is specified, you can deactivate cookies in your browser settings. However, this may limit the functionality of our online offering. Therefore, we also recommend the following opt-out options, which are offered collectively for specific regions:

  • Types of processed data: Usage data (e.g., page views and time spent, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purpose of processing: Reach measurement (e.g., access statistics, recognition of returning visitors); tracking (e.g., interest/behavior-based profiling, use of cookies); audience formation; marketing. Profiles with user-related information (creating user profiles).
  • Retention and deletion: Deletion in accordance with the “General information on data retention and deletion” section. Storage of cookies for up to two years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of up to two years).
  • Security measures: IP masking (pseudonymization of IP addresses).

Presences on social networks (Social Media)

We maintain an online presence within social networks and process user data in this context to communicate with active users there or to offer information about us.

We point out that user data may be processed outside the European Union. This may pose risks to users, as it could make the enforcement of users’ rights more difficult.

Furthermore, user data is generally processed within social networks for market research and advertising purposes. For instance, user behavior and resulting interests can be used to create usage profiles. These profiles may, in turn, be used to display advertisements within and outside the networks that are presumably aligned with user interests. As a result, cookies are usually stored on users’ devices, saving their usage behavior and interests. Additionally, data can be stored in usage profiles regardless of the devices users use (especially if they are members of the respective platforms and logged in).

For a detailed description of the respective processing forms and the opt-out options, please refer to the privacy policies and information provided by the operators of the respective networks.

In case of information requests and the assertion of data subject rights, we also point out that these are most effectively asserted with the providers. Only the latter have access to user data and can directly take appropriate measures and provide information. If you still need assistance, you can contact us.

  • Types of processed data: Contact data (e.g., postal and email addresses or phone numbers); content data (e.g., text or image messages and posts as well as related information, such as authorship or creation timestamp). Usage data (e.g., page views and time spent, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purpose of processing: Communication; feedback (e.g., collecting feedback via online forms). Public relations.
  • Retention and deletion: Deletion in accordance with the “General information on data retention and deletion” section.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing procedures, methods, and services:

  • Instagram: Social network, enables sharing of photos and videos, commenting, liking posts, sending messages, and subscribing to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 Para. 1 Sentence 1 lit. f GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).
  • Facebook Pages: Profiles within the Facebook social network – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data from visitors to our Facebook Page (so-called “Fanpage”). This data includes information about the types of content users view or interact with, or the actions they take (see under “Things you and others do and provide” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by users (e.g., IP addresses, operating systems, browser types, language settings, cookie data; see under “Device information” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under “How do we use this information?” Facebook also collects and uses information to provide analytical services, known as “Page Insights,” to page operators to provide them with insights about how people interact with their pages and associated content. We have entered into a special agreement with Facebook (“Information about Page Insights,” https://www.facebook.com/legal/terms/page_controller_addendum), which specifically governs the security measures Facebook must adhere to and in which Facebook agrees to fulfill data subject rights (e.g., users can make requests for information or deletion directly to Facebook). The rights of users (in particular, the rights to access, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further details can be found in the “Information about Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, particularly concerning the transmission of data to the parent company Meta Platforms, Inc. in the USA; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 Para. 1 Sentence 1 lit. f GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).
  • LinkedIn: Social network – We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not further processing) of data from visitors that is used to create “Page Insights” (statistics) for our LinkedIn profiles. This data includes information about the types of content users view or interact with, as well as the actions they take. Additionally, details about the devices used are collected, such as IP addresses, operating systems, browser types, language settings, and cookie data, as well as profile information, such as job functions, country, industry, seniority level, company size, and employment status. Data protection information regarding LinkedIn’s processing of user data can be found in LinkedIn’s Privacy Policy: https://www.linkedin.com/legal/privacy-policy.
    We have entered into a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum,” https://legal.linkedin.com/pages-joint-controller-addendum), which specifically governs the security measures LinkedIn must adhere to and in which LinkedIn agrees to fulfill the rights of data subjects (e.g., users can make requests for information or deletion directly to LinkedIn). The rights of users (in particular, the rights to access, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection and transmission of data to LinkedIn Ireland Unlimited Company, a company based in the EU. The further processing of the data is solely the responsibility of LinkedIn Ireland Unlimited Company, particularly concerning the transmission of data to the parent company LinkedIn Corporation in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 Para. 1 Sentence 1 lit. f GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • X: Social Network; Service Provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; Legal Basis: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://x.com. Privacy Policy: https://x.com/de/privacy.

Plug-ins and Embedded Features and Content

We integrate functional and content elements into our online offering, which are retrieved from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include graphics, videos, or city maps (hereinafter uniformly referred to as “content”).

The integration always requires that the third-party providers of this content process the users’ IP addresses, as they would not be able to send the content to their browsers without the IP address. The IP address is therefore necessary for the display of these contents or functions. We strive to use only content whose respective providers use the IP address solely for delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Through the “pixel tags,” information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on the users’ devices and may include, among other things, technical information about the browser and operating system, referring websites, time of visit, and other details regarding the use of our online offering, as well as being linked to such information from other sources.

Notes on Legal Bases: If we ask users for their consent to the use of third-party providers, the legal basis for the processing of data is the user’s consent. Otherwise, users’ data is processed based on our legitimate interests (i.e., interest in efficient, economic, and recipient-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy.

  • Processed Data Types: Usage data (e.g., page views, time spent, click paths, usage intensity and frequency, device types, and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); inventory data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or visual messages and posts and the related information such as authorship or creation time). Location data (e.g., geographic location of a device or person).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Provision of our online offering and user-friendliness.
  • Retention and Deletion: Deletion according to the information in the section “General Information on Data Storage and Deletion.” Storage of cookies for up to 2 years (unless otherwise specified, cookies and similar storage methods can be stored on users’ devices for up to two years).
  • Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Notes on Processing Procedures, Methods, and Services:

  • Google Fonts (retrieval from Google server): Retrieval of fonts (and symbols) for the purpose of a technically secure, maintenance-free, and efficient use of fonts and symbols with respect to their currentness and loading times, their uniform presentation, and consideration of possible license restrictions. The provider of the fonts is informed of the user’s IP address to make the fonts available in the user’s browser. Additionally, technical data (language settings, screen resolution, operating system, used hardware) are transmitted, which are necessary for providing the fonts based on the used devices and technical environment. This data may be processed on a server of the font provider in the USA – When visiting our online offering, users’ browsers send their HTTP browser requests to the Google Fonts Web API (i.e., a software interface for retrieving the fonts). The Google Fonts Web API provides the users with Cascading Style Sheets (CSS) from Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the user to access the Internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of website visitors, as well as the referrer URL (i.e., the website where the Google font is displayed). IP addresses are neither logged nor stored on Google servers and are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user agent, and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a specific font family is requested. The user agent is needed to adapt the font generated for the respective browser type in the Google Fonts Web API. The user agent is primarily logged for debugging purposes and used to generate aggregated usage statistics to measure the popularity of font families. These aggregated usage statistics are published on the Google Fonts “Analytics” page. Finally, the referrer URL is logged so that the data can be used for production maintenance and an aggregated report on top integrations based on the number of font requests can be generated. According to its own information, Google does not use the information collected by Google Fonts to create user profiles or target advertisements; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://fonts.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: Data Privacy Framework (DPF). Further Information: https://developers.google.com/fonts/faq/privacy?hl=en.
  • Google Maps: We integrate maps from the service “Google Maps” provided by Google. Processed data may include IP addresses and location data of users; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy. Basis for Third-Country Transfers: Data Privacy Framework (DPF).
  • YouTube Videos: Video content; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: Data Privacy Framework (DPF). Opt-Out Option: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Ad Display Settings: https://myadcenter.google.com/personalizationoff.

Changes and Updates

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes to our data processing make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g., consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time and we ask you to check the details before contacting them.
