Privacy Policy
Introduction and overview
We have prepared this privacy policy (version 03.02.2025) to explain to you, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (data for short) we as the controller – and the processors (e.g. providers) commissioned by us – process, will process in the future and what lawful options you have. The terms used are to be understood as gender-neutral.
In short, we provide you with comprehensive information about the data we process about you.
Data protection declarations usually sound very technical and use legal jargon. This privacy policy, on the other hand, is intended to describe the most important things to you as simply and transparently as possible. Where it is conducive to transparency, technical terms are explained in a reader-friendly way, links to further information are provided and graphics are used. We thus inform you in clear and simple language that we only process personal data as part of our business activities if there is a corresponding legal basis. This is certainly not possible by providing explanations that are as concise, unclear and legal-technical as possible, as is often standard on the Internet when it comes to data protection. We hope you find the following explanations interesting and informative, and perhaps there are one or two pieces of information that you did not yet know.
If you still have questions, we would like to ask you to contact the responsible body named below or in the legal notice, to follow the links provided and to look at further information on third-party websites. Our contact details can of course also be found in the legal notice.
Area of application
This privacy policy applies to all personal data processed by us in the company and in all companies affiliated with us from Germany and to all personal data processed by companies commissioned by us (processors). By personal data, we mean information within the meaning of Art. 4 No. 1 GDPR, such as a person’s name, email address and postal address. The processing of personal data ensures that we can offer and invoice our services and products, whether online or offline. The scope of this privacy policy includes:
- all online presences (websites, online shops) that we operate
- social media presence and e-mail communication
- mobile apps for smartphones and other devices
x1F may also share, sell or transfer your information to third parties in connection with any merger, acquisition, reorganisation, financing, sale of assets, bankruptcy or insolvency involving x1F or any part of our assets, services or business, or when contemplated (including as part of the due diligence process). Information such as customer name and email address, user content and other user information related to the Service may be among the items sold or otherwise transferred in such a transaction. You will be notified by email when such a transaction occurs and informed of any material changes to the way we treat your information in accordance with this Policy.
In short: The privacy policy applies to all areas in which personal data is processed in the company in a structured manner via the channels mentioned. If we enter into legal relationships with you outside of these channels, we will inform you separately if necessary.
Legal basis
In the following privacy policy, we provide you with transparent information on the legal principles and regulations, i.e. the legal basis of the General Data Protection Regulation, which enable us to process personal data.
As far as EU law is concerned, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can of course read this EU General Data Protection Regulation online at EUR-Lex, the gateway to EU law, at https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=celex%3A32016R0679.
We only process your data if at least one of the following conditions applies:
- Consent (Article 6 para. 1 lit. a GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of the data you have entered in a contact form.
- Contract (Article 6 para. 1 lit. b GDPR): In order to fulfil a contract or pre-contractual obligations with you, we process your data. For example, if we conclude a purchase contract with you, we require personal information in advance.
- Legal obligation (Article 6 para. 1 lit. c GDPR): If we are subject to a legal obligation, we process your data. For example, we are legally obliged to keep invoices for accounting purposes. These usually contain personal data.
- Legitimate interests (Article 6 para. 1 lit. f GDPR): In the case of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data. For example, we need to process certain data in order to operate our website securely and efficiently. This processing is therefore a legitimate interest.
Other conditions, such as the performance of tasks in the public interest, the exercise of official authority and the protection of vital interests, do not generally arise for us. If such a legal basis is relevant, it will be indicated at the appropriate point.
In addition to the EU regulation, national laws also apply:
- In Austria, this is the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act), or DSG for short.
- In Germany, the Federal Data Protection Act (BDSG) applies.
If other regional or national laws apply, we will inform you of this in the following sections.
Contact details of the person responsible
If you have any questions about data protection or the processing of personal data, please find below the contact details of the controller in accordance with Article 4 para. 7 of the EU General Data Protection Regulation (GDPR):
x1F GmbH
Borselstraße 20
22765 Hamburg
Authorised to represent: Volker, Franz, Sven Geilich and Thomas Steiner
E-mail: experience@x1f.one
Phone: +49 40 819 9442 – 0
Imprint: https://www.x1f.one/en/legal-notice/
Contact details of the data protection officer
Below you will find the contact details of the data protection officer:
x1F Data Protection Officer
Sebastian Raguse
Nymphenburger Straße 1, 80335 Munich, Germany
E-mail: datenschutz@x1f.one
Phone: +49 162 2913464
Storage duration
It is a general criterion for us that we only store personal data for as long as is absolutely necessary for the provision of our services and products. This means that we delete personal data as soon as the reason for the data processing no longer exists. In some cases, we are legally obliged to store certain data even after the original purpose has ceased to exist, for example for accounting purposes.
If you request the deletion of your data or revoke your consent to data processing, the data will be deleted as quickly as possible, provided there is no obligation to store it.
We will inform you below about the specific duration of the respective data processing if we have further information on this.
Rights under the General Data Protection Regulation
In accordance with Articles 13, 14 GDPR, we inform you of the following rights to which you are entitled in order to ensure fair and transparent processing of data:
- According to Article 15 GDPR, you have a right to information about whether we process your data. If this is the case, you have the right to receive a copy of the data and the following information:
  - the purpose for which we carry out the processing;
  - the categories, i.e. the types of data that are processed;
  - who receives this data and, if the data is transferred to third countries, how security can be guaranteed;
  - how long the data will be stored;
  - the existence of the right to rectification, erasure or restriction of processing and the right to object to processing;
  - that you can lodge a complaint with a supervisory authority (links to these authorities can be found below);
  - the origin of the data if we have not collected it from you;
  - whether profiling is carried out, i.e. whether data is automatically analysed in order to create a personal profile of you.
- According to Article 16 GDPR, you have a right to rectification of data, which means that we must correct data if you find errors.
- According to Article 17 GDPR, you have the right to erasure (“right to be forgotten”), which specifically means that you may request the erasure of your data.
- According to Article 18 GDPR, you have the right to restriction of processing, which means that we may only store the data but not use it any further.
- According to Article 20 GDPR, you have the right to data portability, which means that we will provide you with your data in a commonly used format upon request.
- According to Article 21 GDPR, you have the right to object, which will result in a change in the processing after enforcement.
  - If the processing of your data is based on Article 6 para. 1 lit. e GDPR (public interest, exercise of official authority) or Article 6 para. 1 lit. f GDPR (legitimate interest), you can object to the processing. We will then check as quickly as possible whether we can legally honour this objection.
  - If data is used for direct marketing purposes, you can object to this type of data processing at any time. We may then no longer use your data for direct marketing.
  - If data is used for profiling purposes, you can object to this type of data processing at any time. We may then no longer use your data for profiling.
- Under Article 22 GDPR, you may have the right not to be subject to a decision based solely on automated processing (e.g. profiling).
- According to Article 77 GDPR, you have the right to lodge a complaint. This means that you can lodge a complaint with the data protection authority at any time if you believe that the processing of personal data violates the GDPR.
In short: You have rights – do not hesitate to contact the responsible office listed above!
If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, you can lodge a complaint with the supervisory authority. For Austria, this is the data protection authority, whose website can be found at https://www.dsb.gv.at/. In Germany, there is a data protection officer for each federal state. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The following local data protection authority is responsible for our company:
Hamburg Data Protection Authority
State Commissioner for Data Protection: Thomas Fuchs
Address: Ludwig-Erhard-Str. 22, 7th floor, 20459 Hamburg
Telephone number: 040/428 54-40 40
E-mail address: mailbox@datenschutz.hamburg.de
Website: https://datenschutz-hamburg.de
Categories of recipients
Initially, only our employees receive knowledge of your personal data. In addition, we share your personal data with other recipients who provide services for us in connection with our website, insofar as this is permitted or required by law. We limit the disclosure of your personal data to what is necessary. In some cases, our service providers receive your personal data as processors and are then strictly bound by our instructions when handling your personal data. In some cases, the recipients act independently with your data that we transmit to them.
The categories of recipients of your personal data are listed below:
- affiliated companies within the x1F group of companies, insofar as they act as processors for us and provide IT services, for example, or insofar as this is necessary for the provision of our services,
- call centre to receive and process your enquiries and complaints,
- service providers (e.g. agencies) who support us in the implementation of advertising measures (e.g. sending personalised newsletters), promotion, etc.,
- IT service provider for the administration and hosting of our systems,
- public bodies and institutions, insofar as we are legally obliged to do so.
Data transfer to third countries
We only transfer data to, or process data in, countries outside the scope of the GDPR (third countries) if you consent to this processing or other legal authorisation exists. This applies in particular if the processing is required by law or necessary for the fulfilment of a contractual relationship and in any case only insofar as this is generally permitted. In most cases, your consent is the most important reason for us to process data in third countries. The processing of personal data in third countries such as the USA, where many software manufacturers offer services and have their server locations, may mean that personal data is processed and stored in unexpected ways.
We expressly point out that, in the opinion of the European Court of Justice, an adequate level of protection for data transfers to the USA currently only exists if a US company that processes personal data of EU citizens in the USA is an active participant in the EU-US Data Privacy Framework. You can find more information on this at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
Data processing by US services that are not active participants in the EU-US Data Privacy Framework may result in data not being processed and stored in anonymised form. Furthermore, US government authorities may be able to access individual data. In addition, data collected may be linked to data from other services of the same provider if you have a corresponding user account. Where possible, we endeavour to use server locations within the EU if this is offered.
We will inform you in more detail about data transfer to third countries, if applicable, in the appropriate sections of this privacy policy.
Security of data processing
We have implemented both technical and organisational measures to protect personal data. Where possible, we encrypt or pseudonymise personal data. In this way, we make it as difficult as possible for third parties to infer personal information from our data.
Art. 25 GDPR speaks here of “data protection by design and by default” and thus means that both software (e.g. forms) and hardware (e.g. access to the server room) should always be designed with security in mind and appropriate measures should be taken. If necessary, we will go into more detail on specific measures below.
TLS encryption with https
TLS, encryption and https sound very technical – and they are. We use HTTPS (Hypertext Transfer Protocol Secure) to transmit data on the Internet in a tap-proof manner.
This means that the complete transmission of all data from your browser to our web server is secured – nobody can “eavesdrop”.
We have thus introduced an additional layer of security and fulfil data protection by design (Article 25 para. 1 GDPR). By using TLS (Transport Layer Security), an encryption protocol for secure data transmission on the Internet, we can ensure the protection of confidential data.
You can recognise the use of this data transmission security by the small lock symbol at the top left of the browser, to the left of the Internet address (e.g. examplepage.com) and the use of the https scheme (instead of http) as part of our Internet address.
If you would like to know more about encryption, we recommend a Google search for “Hypertext Transfer Protocol Secure wiki” to obtain good links to further information.
Communication
Data subjects: Anyone who communicates with us by phone, email or online form
Processed data: e.g. telephone number, name, email address, form data entered. You can find more details on this in the respective contact type used
Purpose: Processing communication with customers, business partners, etc.
Storage period: Duration of the business case and the statutory provisions
Legal bases: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. b GDPR (contract), Art. 6 para. 1 lit. f GDPR (legitimate interests)
If you contact us and communicate with us by telephone, e-mail or online form, personal data may be processed.
The data is processed for the handling and processing of your enquiry and the associated business transaction. The data will be stored for as long as required by law.
Persons concerned
All those who seek contact with us via the communication channels provided by us are affected by the aforementioned processes.
Telephone
When you call us, the call data is stored pseudonymised on the respective end device and with the telecommunications provider used. In addition, data such as your name and telephone number may subsequently be sent by e-mail and stored for the purpose of responding to your enquiry. The data is deleted as soon as the business transaction has been completed and legal requirements permit.
E-mail
If you communicate with us by e-mail, data may be stored on the respective end device (computer, laptop, smartphone, etc.) and data may be stored on the e-mail server. The data is deleted as soon as the business transaction has been completed and legal requirements permit.
Online forms
If you communicate with us using an online form, data is stored on our web server and may be forwarded to one of our e-mail addresses. The data will be deleted as soon as the business transaction has been completed and legal requirements permit.
Legal bases
The processing of the data is based on the following legal bases:
- Art. 6 para. 1 lit. a GDPR (consent): You give us your consent to store your data and to use it for purposes relating to the business transaction;
- Art. 6 para. 1 lit. b GDPR (contract): It is necessary for the fulfilment of a contract with you or a processor, such as the telephone provider, or we need to process the data for pre-contractual activities, such as the preparation of an offer;
- Art. 6 para. 1 lit. f GDPR (legitimate interests): We want to handle customer enquiries and business communication in a professional manner. This requires certain technical facilities such as email programmes, exchange servers and mobile network operators in order to operate communication efficiently.
Cookies
Affected parties: Visitors to the website
Purpose: depending on the cookie. More details can be found below or from the manufacturer of the software that sets the cookie.
Processed data: Depending on the cookie used. You can find more details on this below or from the manufacturer of the software that sets the cookie.
Storage duration: depends on the cookie, can vary from hours to years
Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)
What are cookies?
Our website uses HTTP cookies to store user-specific data.
Below we explain what cookies are and why they are used so that you can better understand the following privacy policy.
Whenever you surf the internet, you use a browser. Well-known browsers include Chrome, Safari, Firefox, Internet Explorer and Microsoft Edge. Most websites store small text files in your browser. These files are called cookies.
One thing cannot be denied: Cookies are really useful little helpers. Almost all websites use cookies. More precisely, they are HTTP cookies, as there are also other cookies for other areas of application. HTTP cookies are small files that are stored on your computer by our website. These cookie files are automatically stored in the cookie folder, the “brain” of your browser, so to speak. A cookie consists of a name and a value. When defining a cookie, one or more attributes must also be specified.
Cookies store certain user data about you, such as language or personal page settings. When you visit our site again, your browser transmits the “user-related” information back to our site. Thanks to cookies, our website knows who you are and offers you the settings you are used to. In some browsers, each cookie has its own file; in others, such as Firefox, all cookies are stored in a single file.
There are both first-party cookies and third-party cookies. First-party cookies are created directly by our website, third-party cookies are created by partner websites (e.g. Google Analytics). Each cookie must be evaluated individually, as each cookie stores different data. The expiry time of a cookie also varies from a few minutes to a few years. Cookies are not software programmes and do not contain viruses, Trojans or other “malware”. Cookies also cannot access information on your PC.
Cookie data can look like this, for example:
Name: _ga
Value: GA1.2.1326744211.152312942536-9
Purpose: Differentiation of website visitors
Expiry date: after 2 years
A browser should be able to support these minimum sizes:
- At least 4096 bytes per cookie
- At least 50 cookies per domain
- At least 3000 cookies in total
What types of cookies are there?
The question of which cookies we use in particular depends on the services used and is clarified in the following sections of the privacy policy. At this point, we would like to briefly explain the different types of HTTP cookies.
A distinction can be made between 4 types of cookies:
Essential cookies
These cookies are necessary to ensure basic website functions. For example, these cookies are needed when a user places a product in the shopping basket, then continues surfing on other pages and only goes to the checkout later. These cookies ensure that the shopping basket is not deleted even if the user closes their browser window.
Purposeful cookies
These cookies collect information about user behaviour and whether the user receives any error messages. These cookies are also used to measure the loading time and the behaviour of the website with different browsers.
Targeted cookies
These cookies ensure better user-friendliness. For example, entered locations, font sizes or form data are saved.
Advertising cookies
These cookies are also known as targeting cookies. They are used to deliver customised advertising to the user. This can be very practical, but also very annoying.
When you visit a website for the first time, you are usually asked which of these cookie types you would like to allow. And of course this decision is also stored in a cookie.
If you would like to know more about cookies and are not afraid of technical documentation, we recommend https://datatracker.ietf.org/doc/html/rfc6265, the Request for Comments of the Internet Engineering Task Force (IETF) called “HTTP State Management Mechanism”.
Purpose of processing via cookies
The purpose ultimately depends on the cookie in question. You can find more details on this below or from the manufacturer of the software that sets the cookie.
What data is processed?
Cookies are little helpers for many different tasks. Unfortunately, it is not possible to generalise which data is stored in cookies, but we will inform you about the processed or stored data in the following privacy policy.
Storage duration of cookies
The storage period depends on the cookie in question and is specified below. Some cookies are deleted after less than an hour, others can remain stored on a computer for several years.
You can also influence the storage period yourself. You can delete all cookies manually at any time via your browser (see also “Right to object” below). Furthermore, cookies that are based on consent will be deleted at the latest after you withdraw your consent, whereby the legality of the storage until then remains unaffected.
Right to object – how can I delete cookies?
You decide how and whether you want to use cookies. Regardless of which service or website the cookies originate from, you always have the option of deleting, deactivating or only partially allowing cookies. For example, you can block third-party cookies but allow all other cookies.
If you want to find out which cookies have been stored in your browser, or want to change or delete cookie settings, you can do so in your browser settings:
Chrome: Delete, activate and cookies in Chrome
Safari: Managing cookies and website data with
Firefox: Delete cookies to remove data that websites stored on your computer
Internet Explorer: Deleting and managing
Microsoft Edge: Deleting and managing
If you generally do not want to have cookies, you can set up your browser so that it always informs you when a cookie is to be set. You can then decide for each individual cookie whether or not to allow it. The procedure differs depending on the browser. It is best to search for the instructions in Google using the search term “Delete cookies Chrome” or “Deactivate cookies Chrome” in the case of a Chrome browser.
Legal basis
The so-called “Cookie Directive” has been in place since 2009. It states that the storage of cookies requires your consent (Article 6 para. 1 lit. a GDPR). However, the EU countries still differ widely in how they have responded to this directive. In Austria, this directive was implemented in Section 165 (3) of the Telecommunications Act (2021). In Germany, the Cookie Directive has not been implemented as national law. Instead, this directive was largely implemented in Section 15 (3) of the Telemedia Act (TMG), which has been replaced by the Digital Services Act (DDG) since May 2024.
For strictly necessary cookies, even if no consent has been given, there are legitimate interests (Article 6 para. 1 lit. f GDPR), which in most cases are of an economic nature. We want to provide visitors to the website with a pleasant user experience and certain cookies are often absolutely necessary for this.
If cookies that are not absolutely necessary are used, this will only take place with your consent. The legal basis in this respect is Art. 6 para. 1 lit. a GDPR.
In the following sections, you will be informed in more detail about the use of cookies if the software used utilises cookies.
Use of Google Analytics
We use the functions of the web analysis service Google Analytics. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics uses so-called “cookies”. These are text files that are stored on your computer and enable your use of the website to be analysed. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there.
Google Analytics cookies are stored on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising.
IP anonymisation
We have activated the IP anonymisation function on this website. This means that your IP address will be truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to analyse your use of the website, to compile reports on website activity and to provide the website operator with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
Browser plugin
You may refuse the use of cookies by selecting the appropriate settings in your browser; however, please note that if you do this you may not be able to use the full functionality of this website. You can also prevent Google from collecting and processing the data generated by the cookie and relating to your use of the website (including your IP address) by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
Objection to data collection
You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set to prevent your data from being collected on future visits to this website: Deactivate Google Analytics.
You can find more information on how Google Analytics handles user data in Google’s privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.
Order data processing
We have concluded a contract with Google for commissioned data processing and fully implement the strict requirements of the German data protection authorities when using Google Analytics.
Demographic characteristics in Google Analytics
This website uses the “demographic characteristics” function of Google Analytics. This allows reports to be created that contain statements about the age, gender and interests of site visitors. This data comes from interest-based advertising from Google and visitor data from third-party providers. This data cannot be assigned to a specific person. You can deactivate this function at any time via the ad settings in your Google account or generally prohibit the collection of your data by Google Analytics as described in the section “Objection to data collection”.
Use of Google Ads
We use Google Ads. Google Ads is an online advertising programme of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Ads enables us to display adverts in the Google search engine or on third-party websites when the user enters certain search terms in Google (keyword targeting). Furthermore, targeted adverts can be displayed based on the user data available at Google (e.g. location data and interests) (target group targeting). As the website operator, we can evaluate this data quantitatively by analysing, for example, which search terms led to the display of our advertisements and how many advertisements led to corresponding clicks.
The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://policies.google.com/privacy/frameworks and https://business.safety.google/controllerterms/.
The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780.
Use of Gstatic
We use the Gstatic service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, e-mail: support-deutschland@google.com, website: https://www.google.com/. Personal data is also transferred to the USA. With regard to the transfer of personal data to the USA, there is an adequacy decision on the EU-US Data Privacy Framework of the EU Commission within the meaning of Art. 45 GDPR (hereinafter: DPF – https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en). The operator of the service is certified under the DPF, so that the usual level of protection of the GDPR applies to the transfer.
The legal basis for the processing of personal data is your consent in accordance with Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, which you have given on our website.
Gstatic is a background service used by Google to retrieve static content in order to reduce bandwidth usage and load required catalogue files in advance. In particular, the service loads background data for Google Fonts and Google Maps.
As part of order processing, personal data may also be transferred to the servers of Google LLC, 1600 Amphitheatre Parkway, 94043 Mountain View, United States. You can access the provider’s certification under the EU-US Data Privacy Framework at https://www.dataprivacyframework.gov/list.
You can withdraw your consent at any time. You can find more information on revoking your consent either in the consent itself or at the end of this privacy policy.
Further information on the handling of the transferred data can be found in the provider’s privacy policy at https://policies.google.com/privacy.
The provider also offers an opt-out option at https://support.google.com/My-Ad-Center-Help/answer/12155451?hl=de.
Use of Google Fonts
We use Google Fonts on our website. These are the “Google fonts” of Google Inc. For the European area, the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services.
You do not need to log in or enter a password to use Google fonts. Furthermore, no cookies are stored in your browser. The files (CSS, fonts) are requested via the Google domains fonts.googleapis.com and fonts.gstatic.com. According to Google, requests for CSS and fonts are completely separate from all other Google services. If you have a Google account, you do not need to worry that your Google account data will be transmitted to Google while using Google Fonts. Google records the use of CSS (Cascading Style Sheets) and the fonts used and stores this data securely. We will take a closer look at exactly how the data is stored.
Google Fonts (formerly Google Web Fonts) is a directory of over 800 fonts that Google makes available to its users free of charge.
Many of these fonts are published under the SIL Open Font Licence, while others have been published under the Apache licence. Both are free software licences.
With Google Fonts, we can use fonts on our own website without having to upload them to our own server. Google Fonts is an important component in keeping the quality of our website high. All Google fonts are automatically optimised for the web and this saves data volume and is a great advantage, especially for use on mobile devices. When you visit our site, the low file size ensures a fast loading time. Furthermore, Google Fonts are secure web fonts. Different image synthesis systems (rendering) in different browsers, operating systems and mobile devices can lead to errors. Such errors can sometimes visually distort texts or entire websites. Thanks to the fast Content Delivery Network (CDN), there are no cross-platform problems with Google Fonts.
Google Fonts supports all major browsers (Google Chrome, Mozilla Firefox, Apple Safari, Opera) and works reliably on most modern mobile operating systems, including Android 2.2+ and iOS 4.2+ (iPhone, iPad, iPod). We therefore use Google Fonts so that we can present our entire online service as beautifully and uniformly as possible.
When you visit our website, the fonts are reloaded via a Google server. Through this external call, data is transmitted to the Google server. In this way, Google also recognises that you or your IP address is visiting our website. The Google Fonts API was developed to reduce the use, storage and collection of end user data to what is necessary for the proper provision of fonts. Incidentally, API stands for “Application Programming Interface” and serves, among other things, as a data transmitter in the software sector.
Google Fonts stores CSS and font requests securely at Google and is therefore protected. Google can use the collected usage figures to determine how well the individual fonts are received. Google publishes the results on internal analysis pages, such as Google Analytics. Google also uses data from its own web crawlers to determine which websites use Google fonts. This data is published in the BigQuery database of Google Fonts. Entrepreneurs and developers use the Google web service BigQuery to analyse and move large amounts of data.
However, it should be noted that every Google Font request also automatically transmits information such as language settings, IP address, browser version, browser screen resolution and browser name to the Google servers. It is not clear whether this data is also stored or whether it is clearly communicated by Google.
Google stores requests for CSS assets for one day on its servers, which are mainly located outside the EU. This allows us to use the fonts with the help of a Google stylesheet. A stylesheet is a format template that can be used to quickly and easily change the design or font of a website, for example.
The font files are stored by Google for one year. Google’s aim is to fundamentally improve the loading time of websites.
When millions of websites link to the same fonts, they are cached after the first visit and immediately reappear on all other websites visited later. Sometimes Google updates font files to reduce file size, increase language coverage and improve design.
The data that Google stores for one day or one year cannot simply be deleted. The data is automatically transmitted to Google when the page is accessed. To delete this data prematurely, you must contact Google support at https://support.google.com/?hl=en&tid=331738741868. In this case, you can only prevent data storage if you do not visit our website. Unlike other web fonts, Google allows us unrestricted access to all fonts. This means we have unlimited access to a sea of fonts and can therefore optimise our website. You can find out more about Google Fonts and other questions at https://developers.google.com/fonts/faq?tid=331738741868. Although Google addresses data protection issues there, it does not provide any really detailed information about data storage. It is relatively difficult to obtain really precise information from Google about stored data.
If you have consented to the use of Google Fonts, the legal basis for the corresponding data processing is this consent. According to Art. 6 para. 1 lit. a GDPR (consent), this consent constitutes the legal basis for the processing of personal data, as may occur when Google Fonts is used.
We also have a legitimate interest in using Google Font to optimise our online service. The legal basis for this is Art. 6 para. 1 lit. f GDPR. Nevertheless, we only use Google Font if you have given your consent.
Google also processes your data in the USA, among other places. Google is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from EU citizens to the USA. You can find more information on this at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.
Google also uses so-called standard contractual clauses (= Art. 46 (2) and (3) GDPR). Standard Contractual Clauses (SCCs) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through the EU-US Data Privacy Framework and the standard contractual clauses, Google undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission.
The decision and the corresponding standard contractual clauses can be found here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de
The Google Ads data processing conditions (Google Ads Data Processing Terms), which refer to the standard contractual clauses, can be found at https://business.safety.google/intl/de/adsprocessorterms/.
You can also find out which data is generally collected by Google and what this data is used for at https://www.google.com/intl/de/policies/privacy/.
Use of WPML
We use WPML from OnTheGoSystems Limited, 22/F 3 Lockhart Road, Wanchai, Hong Kong (hereinafter referred to as: WPML). WPML is a multilingual plugin for WordPress. We use WPML to display our website in different languages. When you visit our website, WPML stores a cookie on your end device to save the language setting you have selected. This allows personal data to be stored and analysed, in particular the user’s activity (in particular which pages have been visited and which elements have been clicked on) as well as device and browser information (in particular the IP address and operating system).
Further information on the collection and storage of data by WPML can be found here:
https://wpml.org/documentation/privacy-policy-and-gdpr-compliance
The use of WPML enables us to display our website in multiple languages.
The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in addressing visitors to our website in their native language.
WPML stores cookies on your end device. Information on the storage duration of cookies can be found at: https://wpml.org/documentation/privacy-policy-and-gdpr-compliance
You can prevent the collection and processing of your personal data by WPML by preventing the storage of third-party cookies on your computer, using the “Do Not Track” function of a supporting browser, deactivating the execution of script code in your browser or installing a script blocker such as NoScript (www.noscript.net) or Ghostery (www.ghostery.com) in your browser.
Further information on objection and removal options in relation to WPML can be found at
https://wpml.org/documentation/privacy-policy-and-gdpr-compliance
Use of WP Statistics
We use the analytics plugin WP Statistics on our website. This plugin was developed by Veronalabs (5460 W Main St, Verona, NY 13478, United States), an American software company. This plugin provides us with simple statistics on how you as a user use our website. In this privacy policy, we go into more detail about the analysis tool and show you which data is stored where and for how long.
What is WP Statistics?
This plugin is an analytics software that has been specially developed for websites that use the WordPress content management system. WordPress helps us to easily edit our website even without programming knowledge. WP Statistics can collect data about how long you spend on our website, which subpages you visit, how many visitors there are on the website or which website you came to us from. No cookies are set by WP Statistics and you cannot be identified as a person by the data collected.
Why do we use WP Statistics?
With the help of WP Statistics, we obtain simple statistics that help us to make our website even more interesting and better for you. Our website and the content, products and/or services offered on it should fulfil your requirements and wishes as well as possible. In order to achieve this goal, we naturally also need to find out where we should make improvements and changes. The statistics we receive help us to get one step closer to this goal.
What data is stored by WP Statistics?
WP Statistics does not use cookies and the data collected is only used to generate anonymised statistics about the use of our website. WP Statistics also anonymises your IP address. You as a person cannot be identified.
WP Statistics collects visitor data (so-called Visitors’ Data) when your web browser connects to our web server. This data is stored in our database on our server. This includes, for example:
- the address (URL) of the website accessed
- Browser and browser version
- the operating system used
- the address (URL) of the previously visited page (referrer URL)
- the host name and IP address of the device from which access is made
- Date and time
- Country/city information
- Number of visitors coming from a search engine
- Duration of the website visit
- Clicks on the website
The data will not be passed on or sold.
How long and where is the data stored?
All data is stored locally on our web server. The data is stored on our web server until it is no longer required for the above-mentioned purposes.
How can I delete my data or prevent data storage?
You have the right to information, correction or deletion and restriction of the processing of your personal data at any time. You can also withdraw your consent to the processing of data at any time.
We have now provided you with the most important information on data processing by WP Analytics. As the plugin does not use cookies and the data for statistical analysis is stored locally on the web server, your data is handled very carefully here. If you want to find out more about WP Analytics, you should take a look at the company’s privacy policy at https://wp-statistics.com/privacy-and-policy/.
Webhosting Introduction
Webhosting
Affected parties: Visitors to the website
Purpose: professional hosting of the website and securing its operation
Processed data: IP address, time of website visit, browser used and other data. You can find more details on this below or from the web hosting provider used.
Storage period: depends on the respective provider, but usually 2 weeks
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interests)
What is web hosting?
When you visit websites these days, certain information – including personal data – is automatically generated and stored, including on this website. This data should be processed as sparingly as possible and only with justification. By website, by the way, we mean the entirety of all web pages on a domain, i.e. everything from the start page (homepage) to the very last subpage (like this one). By domain we mean, for example, example.de or example.com.
If you want to view a website on a computer, tablet or smartphone, you use a programme called a web browser. You probably know a few web browsers by name: Google Chrome, Microsoft Edge, Mozilla Firefox and Apple Safari. We call them browsers or web browsers for short.
In order to display the website, the browser must connect to another computer where the website code is stored: the web server. Operating a web server is a complicated and time-consuming task, which is why this is usually done by professional providers. These providers offer web hosting and thus ensure reliable and error-free storage of website data. A lot of technical terms, but please stay tuned, it will get even better!
When the browser on your computer (desktop, laptop, tablet or smartphone) connects and during data transfer to and from the web server, personal data may be processed. On the one hand, your computer stores data; on the other hand, the web server must also store data for a certain period of time to ensure proper operation.
Why do we process personal data?
The purposes of data processing are:
- Professional website hosting and operational security
- to maintain operational and IT security
- Anonymous evaluation of access behaviour to improve our offer and, if necessary, for criminal prosecution or prosecution of claims
What data is processed?
Even while you are currently visiting our website, our web server, i.e. the computer on which this website is stored, usually automatically saves data such as
- the complete Internet address (URL) of the website accessed
- Browser and browser version (e.g. Chrome 87)
- the operating system used (e.g. Windows 10)
- the address (URL) of the previously visited page (referrer URL) (e.g. https://www.beispielquellsite.de/vondabinichgekommen/)
- the host name and IP address of the device from which access is made (e.g. COMPUTERNAME and 194.23.43.121)
- Date and time
in files, the so-called web server log files.
How long is data stored?
As a rule, the above-mentioned data is stored for a fortnight and then automatically deleted. We do not pass this data on, but we cannot rule out the possibility of this data being viewed by the authorities in the event of unlawful behaviour.
In short: Your visit is logged by our provider (company that runs our website on special computers (servers)), but we do not pass on your data without your consent!
Legal basis
The lawfulness of the processing of personal data in the context of web hosting results from Art. 6 para. 1 lit. f GDPR (protection of legitimate interests), because the use of professional hosting with a provider is necessary in order to present the company securely and user-friendly on the Internet and to be able to pursue attacks and claims from this if necessary.
As a rule, there is a contract between us and the hosting provider for order processing in accordance with Art. 28 para. 3 lit. f GDPR, which ensures compliance with data protection and guarantees data security.
We host the content of our website with the following provider:
Mittwald
The provider is Mittwald CM Service GmbH & Co KG, Königsberger Straße 4-6, 32339 Espelkamp (hereinafter referred to as Mittwald).
Details can be found in Mittwald’s privacy policy: https://www.mittwald.de/datenschutz.
The use of Mittwald is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in displaying our website as reliably as possible. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user’s terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time.
Order processing
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract prescribed by data protection law, which guarantees that it processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.
Web Analytics Introduction
Web Analytics Privacy Policy
Data subject: Visitors to the website
Purpose: Evaluation of visitor information to optimise the website.
Processed data: Access statistics containing data such as access locations, device data, access duration and time, navigation behaviour, click behaviour and IP addresses. You can find more details on this in the web analytics tool used.
Storage duration: depending on the web analytics tool used
Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)
What is web analytics?
We use software on our website to evaluate the behaviour of website visitors, known as web analytics or web analysis for short. This involves collecting data that the respective analytics tool provider (also known as a tracking tool) stores, manages and processes. The data is used to create analyses of user behaviour on our website and made available to us as the website operator. In addition, most tools offer various test options. For example, we can test which offers or content are best received by our visitors. To do this, we show you two different offers for a limited period of time. After the test (known as an A/B test), we know which product or content our website visitors find more interesting. For such test procedures, as well as for other analytics procedures, user profiles can also be created and the data stored in cookies.
Why do we use web analytics?
With our website, we have a clear goal in mind: we want to deliver the best web offering on the market for our industry. In order to achieve this goal, we want to offer the best and most interesting services on the one hand and ensure that you feel completely at ease on our website on the other. With the help of web analysis tools, we can take a closer look at the behaviour of our website visitors and then improve our website accordingly for you and for us. For example, we can recognise the average age of our visitors, where they come from, when our website is visited the most or which content or products are particularly popular. All this information helps us to optimise the website and thus adapt it to your needs, interests and wishes.
What data is processed?
Exactly which data is stored depends, of course, on the analysis tools used. However, the content you view on our website, which buttons or links you click on, when you access a page, which browser you use, which device (PC, tablet, smartphone, etc.) you use to visit the website or which computer system you use are generally stored, for example. If you have agreed that location data may also be collected, this may also be processed by the web analysis tool provider.
Your IP address is also stored. According to the General Data Protection Regulation (GDPR), IP addresses are personal data. However, your IP address is usually stored pseudonymised (i.e. in an unrecognisable and shortened form). For the purposes of testing, web analysis and web optimisation, no direct data such as your name, age, address or email address is stored. All this data, if collected, is stored in pseudonymised form. This means that you cannot be identified as a person.
How long the respective data is stored always depends on the provider. Some cookies only store data for a few minutes or until you leave the website, while other cookies can store data for several years.
Duration of data processing
We will inform you about the duration of data processing below if we have further information on this. In general, we only process personal data for as long as is absolutely necessary for the provision of our services and products. If required by law, for example in the case of accounting, this storage period may also be exceeded.
Right of objection
You also have the right and the option to withdraw your consent to the use of cookies or third-party providers at any time. This works either via our cookie management tool or via other opt-out functions. For example, you can also prevent data collection by cookies by managing, deactivating or deleting cookies in your browser.
Legal basis
The use of web analytics requires your consent, which we have obtained with our cookie pop-up. According to Art. 6 para. 1 lit. a GDPR (consent), this consent constitutes the legal basis for the processing of personal data, as may occur when it is collected by web analytics tools.
In addition to consent, we have a legitimate interest in analysing the behaviour of website visitors in order to improve our website technically and economically. With the help of web analytics, we recognise errors on the website, can identify attacks and improve efficiency. The legal basis for this is Art. 6 para. 1 lit. f GDPR (legitimate interests). Nevertheless, we only use the tools if you have given your consent.
As web analytics tools use cookies, we recommend that you also read our general privacy policy on cookies. To find out exactly which of your data is stored and processed, you should read the privacy policies of the respective tools.
Information on special web analytics tools, if available, can be found in the following sections.
Google Tag Manager privacy policy
We use the Google Tag Manager from Google Inc (1600 Amphitheatre Parkway Mountain View, CA 94043, USA) for our website. This Tag Manager is one of many helpful marketing products from Google. Google Tag Manager allows us to centrally integrate and manage sections of code from various tracking tools that we use on our website.
In this privacy policy, we would like to explain in more detail what Google Tag Manager does, why we use it and how data is processed.
What is the Google Tag Manager?
Google Tag Manager is an organisational tool that allows us to integrate and manage website tags centrally and via a user interface. Tags are small sections of code that record (track) your activities on our website, for example. For this purpose, JavaScript code sections are inserted into the source code of our website. The tags often originate from internal Google products such as Google Ads or Google Analytics, but tags from other companies can also be integrated and managed via the Manager. Such tags perform different tasks. They can collect browser data, feed marketing tools with data, integrate buttons, set cookies and also track users across multiple websites.
Why do we use Google Tag Manager for our website?
As the saying goes: organisation is half the battle! And of course this also applies to the maintenance of our website. In order to make our website as good as possible for you and all people who are interested in our products and services, we need various tracking tools such as Google Analytics. The data collected by these tools shows us what you are most interested in, where we can improve our services and which people we should show our offers to. And for this tracking to work, we have to integrate the corresponding JavaScript codes into our website. In principle, we could integrate each code section of the individual tracking tools separately into our source code. However, this takes a relatively long time and it is easy to lose track. That’s why we use the Google Tag Manager. We can simply integrate the necessary scripts and manage them from one place. The Google Tag Manager also offers an easy-to-use user interface and no programming knowledge is required. This is how we manage to keep order in our tag jungle.
What data is stored by Google Tag Manager?
The Tag Manager itself is a domain that does not set any cookies or store any data. It acts as a mere “manager” of the implemented tags. The data is recorded by the individual tags of the various web analysis tools. The data is channelled through the Google Tag Manager to the individual tracking tools and is not saved.
However, the situation is completely different with the integrated tags of the various web analysis tools, such as Google Analytics. Depending on the analysis tool, various data about your web behaviour is usually collected, stored and processed with the help of cookies. Please read our data protection texts for the individual analysis and tracking tools that we use on our website.
In the account settings of the Tag Manager, we have allowed Google to receive anonymised data from us. However, this only concerns the use and utilisation of our Tag Manager and not your data that is stored via the code sections. We allow Google and others to receive selected data in anonymised form. We therefore consent to the anonymous sharing of our website data. Despite extensive research, we were unable to find out exactly which summarised and anonymous data is forwarded. In any case, Google deletes all information that could identify our website. Google summarises the data with hundreds of other anonymous website data and creates user trends as part of benchmarking measures. Benchmarking involves comparing our own results with those of our competitors. Processes can be optimised on the basis of the information collected.
How long and where is the data stored?
When Google stores data, this data is stored on Google’s own servers. The servers are located all over the world. Most of them are located in America. You can find out exactly where the Google servers are located at https://www.google.com/about/datacenters/inside/locations/?hl=de.
You can find out how long the individual tracking tools store your data in our individual data protection texts for the individual tools.
How can I delete my data or prevent data storage?
The Google Tag Manager itself does not set cookies, but manages tags from various tracking websites. In our data protection texts on the individual tracking tools, you will find detailed information on how you can delete or manage your data.
Google is also certified in accordance with the Data Privacy Framework. You can find proof of this in the US Department of Commerce’s list of voluntarily certified US companies. If you would like to find out more about Google Tag Manager, we recommend the FAQs at https://www.google.com/intl/de/tagmanager/faq.html.
Email marketing Introduction
Email marketing
Data subjects: Newsletter subscribers
Purpose: Direct marketing by email, notification of system-relevant events
Processed data: Data entered during registration, but at least the email address. More details can be found in the email marketing tool used.
Storage period: Duration of the existence of the subscription
Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)
What is email marketing?
In order to keep you up to date, we also use the option of e-mail marketing. If you have consented to receiving our emails or newsletters, your data will also be processed and stored. Email marketing is a sub-area of online marketing. It involves sending news or general information about a company, products or services by e-mail to a specific group of people who are interested in them.
If you want to take part in our e-mail marketing (usually by newsletter), you normally just need to register with your e-mail address. To do this, you fill in an online form and send it off. However, we may also ask you to provide your title and name so that we can write to you personally.
Basically, the registration for newsletters works with the help of the so-called “double opt-in procedure”. After you have registered for our newsletter on our website, you will receive an e-mail confirming your newsletter registration. This ensures that the e-mail address belongs to you and that no-one has registered with a third-party e-mail address. We or a notification tool used by us logs each individual registration. This is necessary so that we can prove that the registration process is legally correct. As a rule, the time of registration, the time of registration confirmation and your IP address are saved. In addition, it is also logged when you make changes to your stored data.
Why do we use email marketing?
We naturally want to stay in contact with you and always provide you with the most important news about our company. To do this, we use email marketing – often simply referred to as “newsletters” – as an essential part of our online marketing. If you agree to this or if it is permitted by law, we will send you newsletters, system emails or other notifications by email. When we use the term “newsletter” in the following text, we mainly mean e-mails sent regularly. Of course, we do not want to bother you in any way with our newsletters. That is why we always endeavour to offer only relevant and interesting content. For example, you can find out more about our company, our services or products. As we are also constantly improving our offers, you will always find out via our newsletter when there is news or when we are offering special, lucrative promotions. If we commission a service provider who offers a professional dispatch tool for our email marketing, we do so in order to be able to offer you fast and secure newsletters. The purpose of our email marketing is basically to inform you about new offers and also to achieve our business objectives.
What data is processed?
If you become a subscriber to our newsletter via our website, you confirm your membership of an e-mail list by e-mail. In addition to your IP address and e-mail address, your title, name, address and telephone number may also be stored. However, only if you consent to this data storage. The data marked as such is necessary so that you can participate in the service offered. Providing this information is voluntary, but if you do not provide it, you will not be able to use the service. In addition, information about your device or your favourite content on our website may also be stored. You can find out more about the storage of data when you visit a website in the “Automatic data storage” section. We record your declaration of consent so that we can always prove that it complies with our laws.
Duration of data processing
If you unsubscribe your e-mail address from our e-mail/newsletter distribution list, we may store your address for up to three years on the basis of our legitimate interests so that we can still prove that you gave your consent at the time. We may only process this data if we have to defend ourselves against any claims.
However, if you confirm that you have given us your consent to the newsletter registration, you can submit an individual cancellation request at any time. If you permanently revoke your consent, we reserve the right to store your e-mail address in a blacklist. As long as you have voluntarily subscribed to our newsletter, we will of course retain your e-mail address.
Right of objection
You have the option of cancelling your newsletter subscription at any time. All you have to do is revoke your consent to the newsletter subscription. This usually only takes a few seconds or one or two clicks. You will usually find a link to cancel your newsletter subscription right at the end of every email. If you cannot find the link in the newsletter, please contact us by e-mail and we will cancel your newsletter subscription immediately.
Legal basis
Our newsletter is sent on the basis of your consent (Article 6(1)(a) GDPR). This means that we may only send you a newsletter if you have actively subscribed to it beforehand. We may also send you advertising messages if you have become our customer and have not objected to the use of your email address for direct advertising.
Information on specific email marketing services and how they process personal data, if available, can be found in the following sections.
rapidmail privacy policy
What is rapidmail?
Data subjects: Newsletter subscribers
Purpose: Direct marketing by email, notification of relevant events
Processed data: Data entered during registration, but at least the email address.
Storage period: Duration of the subscription
Legal bases: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)
We use rapidmail on our website, a service for our email marketing. The service provider is the German company rapidmail GmbH, Augustinerplatz 2, 79098 Freiburg, Germany.
The company was founded in Freiburg in 2008 by Sven Kummer to enable simple newsletter marketing for companies. A few years later, the company released the first rapidmail plugins to enable online shops to handle the email process and data transfer more efficiently. Especially after the GDPR came into force in 2018, the company placed particular emphasis on data protection in order to offer a 100% GDPR-compliant product. In 2019, rapidmail broke the 100,000 customer mark, opened another office in Berlin and gained another Managing Director, Steffen Müllers. By 2021, rapidmail had over 200,000 customers and was part of the Positive Group. Also in 2021, Keyed became a data protection partner to ensure that the rapidmail software remains GDPR-compliant with every new legal change.
Why do we use rapidmail on our website?
Basically, we use a newsletter service to keep in touch with you. We want to tell you what’s new with us or what attractive offers we currently have in our programme. We always look for the simplest and best solutions for our marketing measures. Rapidmail offers user-friendly and GDPR-compliant software that fits our requirements perfectly. That’s why we opted for rapidmail’s service. Although the software is very easy to use, it offers a large number of helpful features. For example, we can design our newsletters in our corporate design, manage our contacts easily and the system can also be integrated into shop systems via the newsletter plugins.
The email marketing service also offers us helpful analysis options. This means that when we send out a newsletter, we find out, for example, whether and when the newsletter was opened by you. The software also recognises and records whether and on which link you click in the newsletter. This information helps us enormously to adapt and optimise our service to your wishes and concerns. After all, we naturally want to offer you the best possible service.
What data is processed by rapidmail?
If you become a subscriber to our newsletter via our website, you confirm your membership of a rapidmail email list by email. So that rapidmail can also prove that you have registered with the “list provider”, the date and time of registration and your IP address are stored.
With the help of rapidmail, we can always keep you up to date with first-hand information about what is going on in our company. However, you should be aware that when you register for the newsletter, all the data you enter (such as your e-mail address or your first name and surname) will be stored and managed by rapidmail. This also involves personal data. During the registration process, you also consent to us sending you the newsletter and reference is also made to this privacy policy. Furthermore, data such as click behaviour in the newsletter may also be processed. This information is used to send you emails and to enable certain other rapidmail functions (such as analysing the newsletter). The data will not be passed on to third parties unless there is a legal obligation to do so.
How long and where is the data stored?
Your data will be deleted from our servers and those of rapidmail when you have cancelled your subscription to the newsletter or when you have unsubscribed from the newsletter. There are of course exceptions, especially if legal obligations require the data to be stored for longer.
rapidmail uses a German data centre with the highest security standards for data storage. This means that your data is in safe hands and is stored exclusively on servers in Germany and is not passed on to third parties.
Right of objection
You have the option of cancelling your newsletter subscription at any time. All you have to do is revoke your consent to the newsletter subscription. This normally only takes a few seconds or one or two clicks. You will usually find a link to cancel your newsletter subscription at the end of every email. If you really cannot find the link in the newsletter, please contact us by email and we will cancel your newsletter subscription immediately. After cancellation, the personal data will be deleted from our server and from the rapidmail servers. You have a right to free information about your stored data and, if necessary, a right to cancellation, blocking or correction.
Legal basis
If you have consented to rapidmail being used, the legal basis for the corresponding data processing is this consent. According to Art. 6 para. 1 lit. a GDPR (consent), this consent constitutes the legal basis for the processing of personal data, as may occur when rapidmail collects it. We also have a legitimate interest in using rapidmail to optimise our online service and to design attractive and informative newsletters for you. The legal basis for this is Art. 6 para. 1 lit. f GDPR (legitimate interests). If consent is not required, the newsletter is sent on the basis of the legitimate interest in direct marketing (Art. 6 para. 1 lit. f GDPR), provided this is legally permitted. We record your registration process so that we can always prove that it complies with our laws.
You can find out more about the data processed through the use of rapidmail in the privacy policy at https://www.rapidmail.at/datenschutz.
Order processing contract (AVV) Rapidmail
We have concluded a data processing agreement (DPA) with Rapidmail in accordance with Article 28 of the General Data Protection Regulation (GDPR). This contract is required by law because Rapidmail processes personal data on our behalf. It clarifies that Rapidmail may only process data that it receives from us in accordance with our instructions and must comply with the GDPR.
Audio & Video Introduction
Audio & Video Privacy Policy Summary
Data subject: Visitors to the website
Purpose: Optimisation of our service performance
Processed data: Data such as contact details, user behaviour data, information about your device and your IP address may be stored.
You can find more details on this below in the corresponding data protection texts.
Storage duration: Data is generally stored for as long as it is necessary for the purpose of the service
Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)
What are audio and video elements?
We have integrated audio and video elements on our website so that you can watch videos or listen to music/podcasts directly via our website. The content is provided by service providers. All content is therefore also obtained from the corresponding servers of the providers.
These are integrated functional elements from platforms such as YouTube, Vimeo or Spotify. The use of these portals is usually free of charge, but paid content can also be published. With the help of these integrated elements, you can listen to or watch the respective content via our website.
If you use audio or video elements on our website, your personal data may also be transmitted to the service providers, processed and stored.
Why do we use audio & video elements on our website?
Of course we want to provide you with the best offer on our website. And we realise that content is no longer conveyed merely in text and static images. Instead of simply giving you a link to a video, we offer you audio and video formats directly on our website that are entertaining or informative and ideally even both. This expands our service and makes it easier for you to access interesting content. We therefore offer video and/or audio content in addition to our texts and images.
What data is stored by audio & video elements?
When you access a page on our website that has an embedded video, for example, your server connects to the server of the service provider. Your data is also transferred to the third-party provider and stored there. Some data is collected and stored regardless of whether you have an account with the third-party provider or not. This usually includes your IP address, browser type, operating system and other general information about your end device. In addition, most providers also collect information about your web activity. This includes, for example, session duration, bounce rate, which button you clicked on or which website you used to access the service. All this information is usually stored via cookies or pixel tags (also known as web beacons). Pseudonymised data is usually stored in cookies in your browser. You can always find out exactly which data is stored and processed in the privacy policy of the respective provider.
Duration of data processing
You can find out exactly how long the data is stored on the servers of the third-party providers either below in the data protection text of the respective tool or in the provider’s privacy policy. In principle, personal data is only ever processed for as long as is absolutely necessary for the provision of our services or products. This generally also applies to third-party providers. In most cases, you can assume that certain data will be stored on the servers of third-party providers for several years. Data can be stored for different lengths of time, especially in cookies. Some cookies are deleted as soon as you leave the website, while others may be stored in your browser for several years.
Right of objection
You also have the right and the option to withdraw your consent to the use of cookies or third-party providers at any time. This works either via our cookie management tool or via other opt-out functions. For example, you can also prevent data collection by cookies by managing, deactivating or deleting cookies in your browser. The legality of the processing remains unaffected until the cancellation.
As the integrated audio and video functions on our website usually also use cookies, you should also read our general privacy policy on cookies. You can find out more about the handling and storage of your data in the privacy policies of the respective third-party providers.
Legal basis
If you have consented to your data being processed and stored by integrated audio and video elements, this consent is the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). In principle, your data will also be stored and processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and good communication with you or other customers and business partners. Nevertheless, we only use the integrated audio and video elements if you have given your consent.
YouTube privacy policy
YouTube privacy policy summary
Data subject: Visitors to the website
What is YouTube?
We have integrated YouTube videos on our website. This allows us to present interesting videos directly on our site. YouTube is a video portal that has been a subsidiary of Google since 2006. The video portal is operated by YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When you access a page on our website that has an embedded YouTube video, your browser automatically connects to the YouTube or Google servers. Various data will be transmitted (depending on the settings). Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all data processing in Europe.
In the following, we would like to explain to you in more detail what data is processed, why we have integrated YouTube videos and how you can manage or delete your data.
On YouTube, users can watch, rate, comment on and upload videos for free. Over the last few years, YouTube has become one of the most important social media channels worldwide. To enable us to display videos on our website, YouTube provides a code snippet that we have integrated into our site.
Why do we use YouTube videos on our website?
YouTube is the video platform with the most visitors and the best content. We endeavour to offer you the best possible user experience on our website. And of course, interesting videos are a must. With the help of our embedded videos, we provide you with further helpful content in addition to our texts and images. The embedded videos also make our website easier to find on the Google search engine. Even if we place adverts via Google Ads, Google can – thanks to the data collected – only show these adverts to people who are interested in our offers.
What data is stored by YouTube?
As soon as you visit one of our pages that has a YouTube video embedded, YouTube sets at least one cookie that stores your IP address and our URL. If you are logged into your YouTube account, YouTube can usually assign your interactions on our website to your profile using cookies. This includes data such as session duration, bounce rate, approximate location, technical information such as browser type, screen resolution or your internet provider. Other data may include contact details, any ratings, the sharing of content via social media or adding to your favourites on YouTube.
If you are not logged into a Google account or a YouTube account, Google stores data with a unique identifier that is linked to your device, browser or app. For example, your preferred language setting is retained. But a lot of interaction data cannot be saved because fewer cookies are set.
In the following list, we show cookies that were set in the browser in a test. On the one hand, we show cookies that are set without a logged-in YouTube account. On the other hand, we show cookies that are set with a logged-in account. The list cannot claim to be exhaustive because the user data always depends on the interactions on YouTube.
Name: YSC
Value: b9-CV6ojI5Y312943489-1
Purpose: This cookie registers a unique ID to store statistics of the video viewed.
Expiry date: after the end of the session
Name: PREF
Value: f1=50000000
Purpose: This cookie also registers your unique ID. Google receives statistics on how you use YouTube videos on our website via PREF.
Expiry date: after 8 months
Name: GPS
Value: 1
Purpose: This cookie registers your unique ID on mobile devices to track the GPS location.
Expiry date: after 30 minutes
Name: VISITOR_INFO1_LIVE
Value: 95Chz8bagyU
Purpose: This cookie attempts to estimate the user’s bandwidth on our websites (with integrated YouTube video).
Expiry date: after 8 months
Other cookies that are set when you are logged in to your YouTube account:
Name: APISID
Value: zILlvClZSkqGsSwI/AU1aZI6HY7312943489-
Purpose: This cookie is used to create a profile of your interests. The data is used for personalised advertisements.
Expiry date: after 2 years
Name: CONSENT
Value: YES+AT.de+20150628-20-0
Purpose: The cookie stores the status of a user’s consent to the use of various Google services. CONSENT is also used for security purposes to check users and protect user data from unauthorised attacks.
Expiry date: after 19 years
Name: HSID
Value: AcRwpgUik9Dveht0I
Purpose: This cookie is used to create a profile of your interests. This data helps to display personalised advertising.
Expiry date: after 2 years
Name: LOGIN_INFO
Value: AFmmF2swRQIhALl6aL…
Purpose: Information about your login data is stored in this cookie.
Expiry date: after 2 years
Name: SAPISID
Value: 7oaPxoG-pZsJuuF5/AnUdDUIsJ9iJz2vdM
Purpose: This cookie works by uniquely identifying your browser and device. It is used to create a profile of your interests.
Expiry date: after 2 years
Name: SID
Value: oQfNKjAsI312943489-
Purpose: This cookie stores your Google Account ID and your last login time in digitally signed and encrypted form.
Expiry date: after 2 years
Name: SIDCC
Value: AN0-TYuqub2JOcDTyL
Purpose: This cookie stores information about how you use the website and what adverts you may have seen before visiting our site.
Expiry date: after 3 months
How long and where is the data stored?
The data that YouTube receives from you and processes is stored on Google servers. Most of these servers are located in America. At https://www.google.com/about/datacenters/locations/?hl=de you can see exactly where the Google data centres are located. Your data is distributed across the servers. This means that the data can be accessed more quickly and is better protected against manipulation.
Google stores the data collected for different lengths of time. You can delete some data at any time, others are automatically deleted after a limited time and others are stored by Google for a longer period of time. Some data (such as elements from “My activity”, photos or documents, products) that are stored in your Google account remain stored until you delete them. Even if you are not signed in to a Google Account, you can delete some data that is linked to your device, browser or app.
How can I delete my data or prevent data storage?
In principle, you can delete data in your Google account manually. With the automatic deletion function for location and activity data introduced in 2019, information is stored for either 3 or 18 months, depending on your decision, and then deleted.
Regardless of whether you have a Google account or not, you can configure your browser so that cookies are deleted or deactivated by Google. Depending on which browser you use, this works in different ways. In the “Cookies” section, you will find the relevant links to the instructions for the most popular browsers.
If you generally do not want to have cookies, you can set up your browser so that it always informs you when a cookie is to be set. This allows you to decide for each individual cookie whether you want to allow it or not.
Legal basis
If you have consented to your data being processed and stored by integrated YouTube elements, this consent is the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). In principle, your data is also stored and processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and good communication with you or other customers and business partners. Nevertheless, we only use the integrated YouTube elements if you have given your consent. YouTube also sets cookies in your browser to store data. We therefore recommend that you read our data protection text on cookies carefully and consult the privacy policy or cookie guidelines of the respective service provider.
YouTube also processes your data in the USA, among other places. YouTube and Google are active participants in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from EU citizens to the USA. You can find more information on this at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.
Google also uses so-called standard contractual clauses (= Art. 46 para. 2 and para. 3 GDPR). Standard Contractual Clauses (SCCs) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through the EU-US Data Privacy Framework and the standard contractual clauses, Google undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de
The Google Ads Data Processing Terms, which refer to the standard contractual clauses, can be found at https://business.safety.google/intl/de/adsprocessorterms/.
As YouTube is a subsidiary of Google, there is a joint privacy policy. If you would like to find out more about how your data is handled, we recommend that you read the privacy policy at https://policies.google.com/privacy?hl=de.
Social media Introduction
Social media privacy policy
Data subjects: Visitors to the website
Purpose: Presentation and optimisation of our services, contact with visitors, interested parties, etc., advertising
Processed data: Data such as telephone numbers, email addresses, contact details, user behaviour data, information about your device and your IP address.
You can find more details on this in the respective social media tool used.
Storage duration: depending on the social media platforms used
Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)
What is social media?
In addition to our website, we are also active on various social media platforms. User data may be processed so that we can target users who are interested in us via the social networks. In addition, elements of a social media platform may also be embedded directly in our website. This is the case, for example, if you click on a social button on our website and are forwarded directly to our social media presence. Social media refers to websites and apps through which registered members can produce content, share content openly or in specific groups and network with other members.
Why do we use social media?
For years, social media platforms have been the place where people communicate and socialise online. With our social media presence, we can bring our products and services closer to interested parties. The social media elements integrated on our website help you to switch to our social media content quickly and without complications.
The data that is stored and processed through your use of a social media channel is primarily used to carry out web analyses. The aim of these analyses is to be able to develop more precise and personalised marketing and advertising strategies. Depending on your behaviour on a social media platform, the analysed data can be used to draw conclusions about your interests and create user profiles. This also enables the platforms to present you with customised advertisements. Cookies are usually set in your browser for this purpose, which store data on your user behaviour.
As a rule, we assume that we remain responsible under data protection law, even if we use the services of a social media platform. However, the European Court of Justice has ruled that in certain cases the operator of the social media platform may be jointly responsible with us within the meaning of Art. 26 GDPR. If this is the case, we will point this out separately and work on the basis of an agreement to this effect. The essence of the agreement is then reproduced below for the platform concerned.
Please note that when using the social media platforms or our built-in elements, your data may also be processed outside the European Union, as many social media channels, such as Facebook or Twitter, are American companies. As a result, you may not be able to claim or enforce your rights in relation to your personal data as easily.
What data is processed?
Exactly which data is stored and processed depends on the respective provider of the social media platform. However, it usually involves data such as telephone numbers, email addresses, data that you enter in a contact form, user data such as which buttons you click, who you like or follow, when you visited which pages, information about your device and your IP address. Most of this data is stored in cookies. Data can be linked to your profile, especially if you have a profile on the social media channel you are visiting and are logged in.
All data that is collected via a social media platform is also stored on the provider’s servers. This means that only the providers have access to the data and can provide you with the appropriate information or make changes.
If you want to know exactly what data is stored and processed by the social media providers and how you can object to the data processing, you should carefully read the respective company’s privacy policy. We also recommend that you contact the provider directly if you have any questions about data storage and data processing or wish to assert corresponding rights.
Duration of data processing
We will inform you about the duration of data processing below if we have further information on this. For example, the social media platform Facebook stores data until it is no longer required for its own purposes. However, customer data that is compared with our own user data is deleted within two days. In general, we only process personal data for as long as is absolutely necessary for the provision of our services and products. If required by law, for example in the case of accounting, this storage period may be exceeded.
Right of objection
You also have the right and the option to withdraw your consent to the use of cookies or third-party providers such as embedded social media elements at any time. This works either via our cookie management tool or via other opt-out functions. For example, you can also prevent data collection by cookies by managing, deactivating or deleting cookies in your browser.
As social media tools may use cookies, we also recommend that you read our general privacy policy on cookies. To find out exactly which of your data is stored and processed, you should read the privacy policies of the respective tools.
Legal basis
If you have consented to your data being processed and stored by integrated social media elements, this consent is the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). In principle, your data will also be stored and processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and good communication with you or other customers and business partners if you have given your consent. Nevertheless, we only use the tools if you have given your consent. Most social media platforms also set cookies in your browser to store data. We therefore recommend that you read our data protection text on cookies carefully and consult the privacy policy or cookie guidelines of the respective service provider.
Information on specific social media platforms – if available – can be found in the following sections.
What is LinkedIn?
We use social plug-ins from the social media network LinkedIn, operated by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA, on our website. These social plug-ins may be feeds, content sharing or links to our LinkedIn page. The social plug-ins are clearly labelled with the well-known LinkedIn logo and allow you, for example, to share interesting content directly via our website. For the European Economic Area and Switzerland, LinkedIn Ireland Unlimited Company, Wilton Place, Dublin, is responsible for data processing.
When such plug-ins are embedded, data may be sent to LinkedIn, stored and processed there. In this privacy policy, we want to inform you what data is involved, how the network uses this data and how you can manage or prevent data storage.
LinkedIn is the largest social network for business contacts. Unlike Facebook, for example, the company focuses exclusively on building business contacts. Companies can use the platform to present services and products and establish business relationships. Many people also use LinkedIn to search for jobs or to find suitable employees for their own company. In Germany alone, the network has over 11 million members. In Austria, there are about 1.3 million.
Why do we use LinkedIn on our website?
We know how busy you are. You can’t follow all social media channels individually. Even if, as in our case, it would be worthwhile. Because we regularly post interesting news or reports that are worth sharing. That’s why we have created the option on our website to share interesting content directly on LinkedIn or to link directly to our LinkedIn page. We regard integrated social plug-ins as an extended service on our website. The data that LinkedIn collects also helps us to show possible advertising measures only to people who are interested in our offer.
What data is stored by LinkedIn?
LinkedIn does not store any personal data just by integrating social plug-ins. LinkedIn calls this data, which is generated by plug-ins, passive impressions. However, if you click on a social plug-in, for example to share our content, the platform stores personal data as so-called ‘active impressions’. And this is regardless of whether you have a LinkedIn account or not. If you are logged in, the data collected will be assigned to your account.
Your browser will establish a direct connection to the LinkedIn servers when you interact with our plug-ins. This is how the company logs various usage data. In addition to your IP address, this may include, for example, login data, device information or information about your internet or mobile service provider. If you access LinkedIn services via your smartphone, your location may also be determined (after you have given permission). LinkedIn can also share this data in ‘hashed’ form with third-party advertisers. Hashing means that a data set is converted into a character string. This allows the data to be encrypted in such a way that individuals can no longer be identified.
Most of the data about your user behaviour is stored in cookies. These are small text files that are usually placed in your browser. LinkedIn may also use web beacons, pixel tags, display tags and other device identifiers.
Various tests also show which cookies are set when a user interacts with a social plug-in. The data found cannot claim to be complete and serve only as an example. The following cookies were set without being logged in to LinkedIn:
Name: bcookie
Value: =2&34aab2aa-2ae1-4d2a-8baf-c2e2d7235c16312047458-
Purpose: This cookie is a so-called ‘browser ID cookie’ and therefore stores your identification number (ID).
Expiry date: after 2 years
Name: lang
Value: v=2&lang=de-de
Purpose: This cookie stores your default or preferred language.
Expiry date: after end of session
Name: lidc
Value: 1818367:t=1571904767:s=AQF6KNnJ0G312047458…
Purpose: This cookie is used for routing. Routing records the ways in which you came to LinkedIn and how you navigate through the website.
Expiry date: after 24 hours
Name: rtc
Value: kt0lrv3NF3x3t6xvDgGrZGDKkX
Purpose: No further information could be obtained about this cookie.
Expiry date: after 2 minutes
Name: JSESSIONID
Value: ajax:3120474582900777718326218137
Purpose: This is a session cookie that LinkedIn uses to maintain anonymous user sessions through the server.
Expiry date: after session end
Name: bscookie
Value: ‘v=1&201910230812…
Purpose: This cookie is a security cookie. LinkedIn describes it as a secure browser ID cookie.
Expiry date: after 2 years
Name: fid
Value: AQHj7Ii23ZBcqAAAA…
Purpose: No further information could be found about this cookie.
Expiry date: after 7 days
Note: LinkedIn also works with third-party providers. That’s why we also recognised the two Google Analytics cookies _ga and _gat during our test.
How long and where is the data stored?
In principle, LinkedIn stores your personal data for as long as the company considers it necessary to provide its services. However, LinkedIn deletes your personal data when you delete your account. In some exceptional cases, LinkedIn may retain some data in aggregated and anonymised form even after you have deleted your account. As soon as you delete your account, other people will no longer be able to see your data within a day. LinkedIn generally deletes the data within 30 days. However, LinkedIn retains data if it is legally required to do so. Data that can no longer be assigned to a specific person remains stored even after the account has been closed. The data is stored on various servers in America and presumably also in Europe.
How can I delete my data or prevent it from being stored?
You have the right to access and delete your personal data at any time. You can manage, change and delete your data in your LinkedIn account. You can also request a copy of your personal data from LinkedIn.
To access the account data in your LinkedIn profile:
Click on your profile icon in LinkedIn and select the ‘Settings and Privacy’ section. Now click on ‘Privacy’ and then on ‘Change’ in the ‘How LinkedIn uses your data’ section. In just a short time, you will be able to download selected data about your web activity and account history.
You can also prevent LinkedIn from processing data in your browser. As mentioned above, LinkedIn stores most data using cookies that are set in your browser. You can manage, disable or delete these cookies. How you manage them depends on which browser you use. You will find links to instructions for the most popular browsers under the ‘Cookies’ section.
You can also set up your browser so that you are always informed when a cookie is about to be placed. This means that you can always decide individually whether you want to allow the cookie or not.
Legal basis
If you have consented to the processing and storage of your data by integrated social media elements, this consent is the legal basis for the data processing (Art. 6 para. 1 lit. a GDPR). In principle, your data is also stored and processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in communicating quickly and effectively with you or other customers and business partners. However, we only use the integrated social media elements if you have given your consent. Most social media platforms also set cookies in your browser to store data. Therefore, we recommend that you read our data protection text about cookies carefully and view the data protection declaration or cookie guidelines of the respective service provider.
LinkedIn also processes your data in the United States, among other places. We would like to point out that, in the opinion of the European Court of Justice, there is currently no adequate level of protection for data transfers to the United States. This may be associated with various risks for the lawfulness and security of data processing.
As a basis for data processing by recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or for data transfer to such recipients, LinkedIn uses so-called standard contractual clauses (= Art. 46 para. 2 and 3 GDPR). Standard Contractual Clauses (SCC) are templates provided by the EU Commission to ensure that your data also meets European data protection standards when it is transferred to and stored in third countries (such as the USA). These clauses oblige LinkedIn to comply with the European data protection level when processing your relevant data, even if the data is stored, processed and managed in the United States. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here, among other places: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de
More information about the standard contractual clauses for LinkedIn can be found at https://de.linkedin.com/legal/l/dpa or https://www.linkedin.com/legal/l/eu-sccs.
We have tried to provide you with the most important information about data processing by LinkedIn. You can find out more about data processing by the social media network LinkedIn at https://www.linkedin.com/legal/privacy-policy.
Cookie Consent Management Platform Introduction
Cookie Consent Management Platform
Data subjects: Website visitors
Purpose: To obtain and manage consent for certain cookies and therefore the use of certain tools
Processed data: Data for managing the cookie settings set, such as IP address, time of consent, type of consent, individual consents. You can find more details on this in the respective tool used.
Storage period: Depends on the tool used; you must be prepared for periods of several years
Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)
What is a Cookie Consent Management Platform?
We use Consent Management Platform (CMP) software on our website to make it easier for us and you to handle scripts and cookies correctly and securely. The software automatically creates a cookie pop-up, scans and checks all scripts and cookies, provides you with the cookie consent required under data protection law and helps us and you to keep track of all cookies. Most cookie consent management tools identify and categorise all existing cookies. As a website visitor, you then decide for yourself whether and which scripts and cookies you allow or disallow.
Why do we use a cookie management tool?
Our aim is to offer you the best possible transparency in the area of data protection. We are also legally obliged to do so. We want to provide you with as much information as possible about all tools and all cookies that can store and process your data. It is also your right to decide for yourself which cookies you accept and which you do not. In order to grant you this right, we first need to know exactly which cookies have ended up on our website in the first place. Thanks to a cookie management tool that regularly scans the website for all existing cookies, we know about all cookies and can provide you with GDPR-compliant information about them. You can then accept or reject cookies via the consent system.
What data is processed?
As part of our cookie management tool, you can manage each individual cookie yourself and have complete control over the storage and processing of your data. The declaration of your consent is stored so that we do not have to ask you every time you visit our website and we can also prove your consent if required by law. This is stored either in an opt-in cookie or on a server. The storage period of your cookie consent varies depending on the provider of the cookie management tool. In most cases, this data (e.g. pseudonymised user ID, time of consent, details of cookie categories or tools, browser, device information) is stored for up to two years.
Duration of data processing
We will inform you about the duration of data processing below if we have further information on this. In general, we only process personal data for as long as is absolutely necessary for the provision of our services and products. Data stored in cookies is stored for different lengths of time. Some cookies are deleted as soon as you leave the website, while others may be stored in your browser for several years. The exact duration of data processing depends on the tool used, but in most cases you should be prepared for a storage period of several years. You can usually find precise information about the duration of data processing in the respective data protection declarations of the individual providers.
Right of objection
You also have the right and the option to withdraw your consent to the use of cookies at any time. This works either via our cookie management tool or via other opt-out functions. For example, you can also prevent data collection by cookies by managing, deactivating or deleting cookies in your browser.
Information on special cookie management tools, if available, can be found in the following sections.
Legal basis
If you consent to cookies, your personal data will be processed and stored via these cookies. If we are authorised to use cookies on the basis of your consent (Article 6 para. 1 lit. a GDPR), this consent is also the legal basis for the use of cookies and the processing of your data. Cookie consent management platform software is used to manage your consent to cookies and to enable you to give your consent. The use of this software enables us to operate the website in an efficient and legally compliant manner, which constitutes a legitimate interest (Article 6 para. 1 lit. f GDPR).
Cookiebot
We use the consent management service Cookiebot, from Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark (Usercentrics). This enables us to obtain and manage the consent of website users for data processing. The processing is necessary to fulfil a legal obligation (Art. 7 para. 1 GDPR) to which we are subject (Art. 6 para. 1 lit. c GDPR). The following data is processed with the help of cookies:
- Your IP address (the last three digits are set to ‘0’)
- Date and time of consent
- Browser information
- URL from which the consent was sent
- An anonymous, random and encrypted key
- Your consent status as end user, as proof of consent
The key and consent status are stored in the browser for 12 months using the “CookieConsent” cookie. This means that your cookie preference is retained for subsequent page requests. With the help of the key, your consent can be verified and tracked.
If you activate the “bulk consent” service feature to enable consent for multiple websites through a single end-user consent, the service will additionally store a separate, random, unique ID with your consent. If all of the following criteria are met, this key is stored in the third-party cookie “CookieConsentBulkTicket” in your browser in encrypted form:
- You activate the collective consent function in the service configuration.
- You allow third-party cookies via browser settings.
- You have deactivated “Do not track” via the browser settings.
- You accept all or at least certain types of cookies when you give your consent.
The functionality of the website is not guaranteed without the processing.
Usercentrics is the recipient of your personal data and acts as a processor for us.
The processing takes place in the European Union. Further information on objection and removal options vis-à-vis Usercentrics can be found at: https://www.cookiebot.com/de/privacy-policy/
Your personal data will be deleted continuously after 12 months or immediately after cancellation of the contract between us and Usercentrics.
Please refer to our general information on deleting and deactivating cookies above.
Cloud services
Cloud Services Privacy Policy
Data subjects: We as website operator and you as website visitor
Purpose: Security and data storage
Processed data: Data such as your IP address, name or technical data such as browser version
You can find more details on this below and in the individual data protection texts or in the privacy policies of the providers
Storage period: Most of the data is stored until it is no longer needed to fulfil the service
Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)
What are cloud services?
Cloud services provide us as website operators with storage space and computing power via the internet. Data can be transferred to an external system, processed and stored via the internet. This data is managed by the corresponding cloud provider. Depending on requirements, an individual person or even a company can choose the amount of storage space or computing power. Cloud storage is accessed via an API or storage protocols. API stands for Application Programming Interface and refers to a programming interface that connects software and hardware components.
Why do we use cloud services?
We use cloud services for several reasons. A cloud service offers us the opportunity to store our data securely. We also have access to the data from different locations and devices, giving us more flexibility and making our work processes easier. Cloud storage also saves us costs because we don’t have to set up and manage our own infrastructure for data storage and data security. By centralising our data in the cloud, we can also expand our fields of application and manage our information much better.
As website operators and companies, we primarily use cloud services for our own purposes. For example, we use the services to manage our calendar, to store documents or other important information in the cloud. However, your personal data may also be stored in the process. This is the case, for example, if you provide us with your contact details (such as your name and email address) and we store our customer data with a cloud provider. Consequently, data that we process from you may also be stored and processed on external servers. If we offer certain forms or content from cloud services on our website, cookies may also be set for web analyses and advertising purposes. Furthermore, such cookies remember your settings (such as the language used) so that you will find your familiar web environment the next time you visit our website.
What data is processed by cloud services?
Much of the data we store in the cloud has no personal reference, but some data is considered personal data as defined by the GDPR. This often involves customer data such as name, address, IP address or telephone number or technical device information. Videos, images and audio files can also be stored in the cloud. Exactly how the data is collected and stored depends on the respective service. We try to use only services that handle the data in a very trustworthy and professional manner. In principle, the services, such as Amazon Drive, have access to the stored files in order to be able to offer their own service accordingly. However, the services require authorisations for this, such as the right to copy files for security reasons. This data is processed and managed within the scope of the services and in compliance with the applicable laws. This also includes the GDPR for US providers (via the standard contractual clauses). In some cases, these cloud services also work with third-party providers who may process data under instruction and in accordance with the data protection guidelines and other security measures. At this point, we would like to emphasise once again that all known cloud services (such as Amazon Drive, Google Drive or Microsoft OneDrive) obtain the right to access stored content in order to offer and optimise their own services accordingly.
Duration of data processing
We will inform you about the duration of data processing below if we have further information on this. In general, cloud services store data until you or we revoke the data storage or delete the data. In general, personal data is only stored for as long as is absolutely necessary for the provision of the services. However, it may take several months to permanently delete data from the cloud. This is the case because the data is usually not stored on just one server, but is distributed across various servers.
Right of objection
You also have the right and the option to revoke your consent to data storage in a cloud at any time. If cookies are used, you also have a right of cancellation here. This works either via our cookie management tool or via other opt-out functions. For example, you can also prevent data collection by cookies by managing, deactivating or deleting cookies in your browser. We also recommend our general privacy policy on cookies. To find out exactly what data of yours is stored and processed, you should read the privacy policies of the respective cloud providers.
Legal basis
We use cloud services mainly on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR) in a good security and storage system.
Certain processing operations, in particular the use of cookies and the use of storage functions, require your consent. If you have consented to your data being processed and stored by cloud services, this consent is the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). Most of the services we use set cookies in your browser to store data. We therefore recommend that you read our data protection text on cookies carefully and view the privacy policy or cookie policy of the respective service provider.
Information on special tools – if available – can be found in the following sections.
Video conferencing & streaming Introduction
Video conferencing & streaming privacy policy
Data subjects: Users who use our video conferencing or streaming tool
Purpose: Communication and presentation of content
Processed data: Access statistics containing data such as name, address, contact details, email address, telephone number or your IP address. You can find more details on this in the respective video conferencing or streaming tool used.
Storage duration: depends on the video conferencing or streaming tool used
Legal bases: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests), Art. 6 para. 1 lit. b GDPR (contract)
What are video conferencing & streaming?
We use software programmes that enable us to hold video conferences, online meetings, webinars, display sharing and/or streaming. During a video conference or streaming, information is transmitted simultaneously via sound and moving images. With the help of such video conferencing or streaming tools, we can communicate with customers, business partners, clients and even employees quickly and easily via the Internet. When selecting a service provider, we naturally pay attention to the specified legal framework conditions.
In principle, third-party providers can process data as soon as you interact with the software programme. Third-party providers of video conferencing and streaming solutions use your data and metadata for various purposes. For example, the data helps to make the tool more secure and to improve the service. In most cases, the data may also be used for the third-party provider’s own marketing purposes.
Why do we use video conferencing & streaming on our website?
We want to communicate quickly, easily and securely with you, our customers and business partners digitally. This works best with video conferencing solutions that are very easy to use. Most tools also work directly via your browser and after just a few clicks you are right in the middle of a video meeting. The tools also offer helpful additional features such as a chat and screen sharing function or the option to share content between meeting participants.
What data is processed?
If you take part in our video conference or streaming, your data will also be processed and stored on the servers of the respective service provider.
Exactly which data is stored depends on the solutions used. Each provider stores and processes a different amount of data. As a rule, however, most providers store your name, address, contact details such as your email address or telephone number and your IP address. Information about the device you are using, usage data such as which websites you visit, when you visit a website or which buttons you click on may also be stored. Data that is shared within the video conference (photos, videos, texts) may also be stored.
Duration of data processing
We will inform you about the duration of data processing below in connection with the service used, if we have further information on this. In general, we only process personal data for as long as is absolutely necessary for the provision of our services and products. It may be that the provider stores your data according to its own specifications, over which we then have no influence.
Right of objection
You always have the right to information, correction and deletion of your personal data. If you have any questions, you can also contact the person responsible for the video conferencing or streaming tool used at any time. Contact details can be found either in our specific privacy policy or on the website of the relevant provider.
You can delete, deactivate or manage cookies that providers use for their functions in your browser. Depending on which browser you use, this works in different ways. Please note, however, that not all functions may then work as usual.
Legal basis
If you have consented to your data being processed and stored by the video or streaming solution, this consent is the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). In addition, we can also offer a video conference as part of our services if this has been contractually agreed with you in advance (Art. 6 para. 1 lit. b GDPR). In principle, your data will also be stored and processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and good communication with you or other customers and business partners, but only if you have at least given your consent. Most video and streaming solutions also set cookies in your browser to store data. We therefore recommend that you read our data protection text on cookies carefully and consult the privacy policy or cookie guidelines of the respective service provider.
Information on special video conferencing and streaming solutions, if available, can be found in the following sections.
Microsoft Teams Privacy Policy
We use Microsoft Teams on our website, a service for online meetings and video conferencing. The service provider is the American company Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.
Microsoft also processes your data in the USA, among other places. Microsoft is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from EU citizens to the USA. You can find more information on this at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.
Microsoft also uses so-called standard contractual clauses (= Art. 46 para. 2 and para. 3 GDPR). Standard Contractual Clauses (SCCs) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through the EU-US Data Privacy Framework and the standard contractual clauses, Microsoft undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here: https:
You can find more information on the standard contractual clauses at Microsoft at
You can find out more about the data that is processed through the use of Microsoft in the privacy policy at https://privacy.microsoft.com/de-de/privacystatement.
TeamViewer privacy policy
We use TeamViewer, a service for web conferencing and remote maintenance, on our website. The service provider is the German company TeamViewer Germany GmbH, Bahnhofsplatz 2, 73033 Göppingen, Germany.
You can find out more about the data that is processed through the use of TeamViewer in the privacy policy at https://www.teamviewer.com/de/datenschutzinformation/.
YouTube privacy policy
We use the YouTube.com platform to post our own videos and make them publicly accessible. YouTube is used for public relations work and in the interest of an appealing presentation of LMU’s online services in accordance with Art. 6 para. 1 lit. e GDPR.
YouTube is a service provided by a third party not affiliated with us, namely YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA; YouTube is a subsidiary of Google Inc.
In general, we are not responsible for the content of linked websites. However, in the event that you follow a link to YouTube, we would like to point out that YouTube stores the data of its users (e.g. personal information, IP address) in accordance with its own data usage guidelines and uses it for business purposes. Further information on this and on data protection at YouTube can be found in their privacy policy at
https://policies.google.com/privacy?hl=de&gl=de
https://www.datenschutz.org/youtube/
https://support.google.com/youtube/answer/171780?hl=de
We only integrate YouTube on our website in extended data protection mode. YouTube provides this mode and thus ensures that no cookies are initially set and used. As soon as you start playing an embedded video by clicking on it, YouTube, in extended data protection mode, only stores cookies on your device that do not contain any personally identifiable data, unless you are currently logged in to a Google service. This may also lead to a connection being established with the Google “DoubleClick Network” (formerly Internet Advertising Network), under which online marketing solutions are offered. These cookies can be prevented by appropriate browser settings and extensions. YouTube uses cookies to collect information about visitors to its website, to collect statistics, to prevent fraud and to improve user-friendliness. When you start the video, this may trigger further data processing operations. We have no influence on this. YouTube is responsible for its own data processing.
Recruiting Tools Introduction
Recruiting Tools Privacy Policy
Data subjects: Users who complete an application process online or use a recruiting tool
Purpose: Processing of an application procedure
Processed data: Data such as name, address, contact details, email address or your telephone number. You can find more details on this in the respective recruiting tool used.
Storage period: if the application is successful, until the end of the employment relationship. Otherwise, the data will be deleted after the application process.
Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. b GDPR (contract), Art. 9 para. 2 lit. a GDPR (processing of special categories)
What are recruiting tools?
Various companies offer software programmes that can make the application process much easier. Most systems offer filter options to search through databases of potential candidates. This enables us to quickly and efficiently find employees who are a good fit for our company. Both online forms and recruiting tools are used to transfer, store and manage your personal data. In this general text, we refer not only to recruiting tools but also to the traditional application process by e-mail or online form. You can find more detailed information on the recruiting tools in the data protection declarations of the respective providers.
Why do we use recruiting tools?
We use software programs and platforms that specialise in application management to search for suitable applicants and administer all application documents, taking into account all legal guidelines. Recruiting tools generally make the application process easier by taking over many administrative tasks and optimising processes in the application procedure. In some cases, this enables us to find suitable employees for our company more quickly.
Please refer to the respective job advertisements for details of the conditions of the recruitment process.
What data is processed?
If you apply to us, you must of course also provide us with information about yourself so that we can assess your application accordingly. Exactly what information you provide us with depends on the job advertisement or the information required in the online form.
As a rule, this involves data such as your name, address, date of birth and proof of your qualifications required for the job. During the application process, however, not only the usual personal data, such as name or address, may be transmitted, but also information about your health or ethnic origin may be requested so that we and you can exercise the rights relating to labour law, social security and social protection and at the same time comply with the corresponding obligations. This data is called special category data.
The data or your application will be sent to us in encrypted form via the online form. Alternatively, you can also send us your application by e-mail. If you choose this option, the data will be transmitted in encrypted form, but will not be stored in encrypted form on the server where it is sent and received.
Duration of data processing
If your application is successful, we may process the data you provide for the purposes of an employment relationship. If the application does not meet your expectations, we will delete the data received. This data will also be deleted if you withdraw your application. If you agree to be included in our applicant pool, we will store your data collected in this context until you leave the applicant pool. The same rules apply to withdrawal as to the cancellation of your consent.
Right of objection
You also always have the right and the option to withdraw your consent. The data will be deleted after 6 months at the latest so that we can answer any questions about your application and fulfil our obligation to provide evidence. We archive invoices for possible reimbursement of travel expenses due to tax law requirements.
Legal basis
If we include you in our application pool, this is done on the basis of your consent (Art. 6 para. 1 lit. a GDPR). We would like to point out that your consent to our application pool is voluntary, has no influence on the application process and you have the option of withdrawing your consent at any time.
In the case of the protection of vital interests, data processing is carried out in accordance with Art. 9 para. 2 lit. c GDPR. For the purposes of health care, occupational medicine, medical diagnosis, health or social care or treatment or for the management of health or social care systems and services, the processing of personal data is carried out in accordance with Art. 9 para. 2 lit. h GDPR. If you voluntarily provide data of special categories, the processing is carried out on the basis of Art. 9 para. 2 lit. a GDPR.
Information on the special recruiting tools – if available – can be found in the following sections.
Use of d.vinci (applicant management)
We use the applicant management software “d.vinci” on our website. The technical provision is carried out by the company “d.vinci HR-Systems GmbH” based in Hamburg (https://www.dvinci.de/). The software is used by our company primarily for the following purposes:
- Publication and processing of job adverts
- Acceptance and administration of applications
The corresponding widget (“job widget”) is integrated on the page https://www.muehlberger-gruppe.de/de/karriere/. By clicking on one of the job adverts published on our website, you will be redirected to an external applicant portal. The applicant portal and technical infrastructure are the responsibility of d.vinci HR-Systems GmbH. All content relating to applications (job adverts) is provided by our company.
The processing of all data in accordance with Art. 4 para. 2 GDPR, which was transmitted to us as part of an application, takes place exclusively in direct connection with the procedure and is in accordance with § 26 BDSG. All data is only accessible to the responsible persons in our company directly involved in the application process and is treated in strict confidence.
The following types of data are particularly affected by these provisions:
- Contact details
- Cover letter / CVs
- Certificates / references
- Applicant profiles
- Further applicant data / application documents (e.g. photographs)
- Information in optional form fields
As part of our activities in the area of applicant management, the company d.vinci HR-Systems GmbH acts as a processor in accordance with Art. 28 GDPR. The basis for the processing of this data is an order processing contract between us and d.vinci HR-Systems GmbH.
Your personal data will only be stored in direct connection with your application. Data will not be processed for other purposes outside of the application process.
Your data will be stored for 6 months after the end of the application process. It will then be automatically deleted or anonymised for statistical purposes so that it is no longer possible to draw conclusions about your person. This applies in the event that the application does not result in an employment relationship. If you have consented to further storage of your data, it will be stored in our internal applicant pool. In this case, the data will be deleted after two years.
If legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR (e.g. legal disputes) or other legal obligations prevent deletion, this will be delayed until the respective facts have been clarified.
All data that you transmit to us as part of the application process will be transmitted via an encrypted connection and stored in a data centre within Germany or the EU for the duration of the process. The data centre is the responsibility of our processor d.vinci HR-Systems GmbH.
Further information on how the service provider d.vinci HR-Systems GmbH ensures the protection of data and information can be found via the following link:
Customer Relationship Management Introduction
Customer Relationship Management Privacy Policy
Data subjects: Customers and interested parties
Purpose: Management of sales and communication channels
Processed data: Name, address, contact details, email address or your telephone number. More details can be found in the CRM tool used.
Storage period: up to 6 years after the end of the business relationship
Legal bases: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. b GDPR (contract), Art. 6 para. 1 lit. f GDPR (legitimate interest)
Customer Relationship Management
The x1F Group uses the customer relationship management system Salesforce Sales Cloud (hereinafter referred to as the “CRM system”). x1F GmbH has concluded the necessary agreements with the provider of the CRM system and acts as a service provider to the individual companies of the x1F Group for the provision and use of the services offered to these companies with the CRM system.
The CRM system is standardised for all companies of the x1F Group in order to ensure group-wide data processing in compliance with data protection law within the meaning of Art. 4 para. 2 GDPR. Within the CRM system, only personal data is collected, processed and used in accordance with the principles described below and the requirements of the GDPR and the applicable national data protection law. For the avoidance of doubt, please note that your data may be processed and used by all companies in the x1F Group if you have given your consent to this. Furthermore, for the sake of standardisation, reference is only made to the GDPR for the legal bases mentioned here.
With this data protection notice, we are informing you about the type, scope and purpose of the collection, processing and use of your personal data.
General information on data processing
We collect, process and use your personal data only for the purpose of providing a group-wide CRM system and for the group-wide management of our business partner contacts (customers, business partners and interested parties).
Various personal data is processed in our CRM system. “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”). Personal data, such as your name and email address, is only collected if you provide it to us voluntarily or if you have consented to its collection.
Our CRM system is not intended for persons under the age of 16. We ask that persons under the age of 16 do not provide us with any personal data within the CRM system. If we learn that we have collected personal data from persons under the age of 16, we will take steps to delete the data as quickly as possible.
If you have any questions about data protection in relation to our CRM system, please contact us using the contact details provided in this data protection notice.
Data processing in detail – CRM system Salesforce Sales Cloud (Salesforce)
Description and scope of data processing
We currently work with the cloud-based CRM solution “Salesforce Sales Cloud” from the provider Salesforce.com Germany GmbH, Erika-Mann-Straße 31-37, 80636 Munich (hereinafter referred to as “Salesforce”) for the technical provision and hosting of our group-wide CRM system. The order processing agreement required under data protection law was concluded with the provider Salesforce on the basis of the currently valid standard contractual clauses. In addition, Salesforce Inc. is certified in accordance with the Data Privacy Framework. Proof of this can be found in the US Department of Commerce’s list of voluntarily certified US companies. Salesforce also has so-called Binding Corporate Rules (BCR), i.e. binding internal company regulations that legitimise internal data transfers to third countries outside the EU/EEA. Details can be found here: https://www.salesforce.com/de/blog/2020/07/die-binding-corporate-rules-von-salesforce-erfuellen-hoechste-da.html.
For more information on Salesforce, please visit https://www.salesforce.com/de/.
As a Salesforce licensee, x1F GmbH acts as a service provider for the companies of the x1F Group in order to be able to offer the technical solution of the CRM system to these companies. On our behalf, all personal data is stored or processed on a certified server of our service provider Salesforce exclusively within the EU / EEA.
The CRM system enables us to manage existing and potential customers and interested parties for the purpose of organising our sales and communication channels with B2B contacts. Our CRM system provides us with semi-automated support in analysing our processes and organising our B2B contacts:
- Our CRM system serves as a group-wide central platform for maintaining our customer and supplier master data. The CRM system regularly transfers the master data in encrypted form via secure interfaces to other IT systems of the x1F Group (e.g. ERP system) in order to keep the databases in the systems synchronised. However, only the data requested by the receiving system is transferred.
- Potential sales opportunities and all sales projects with detailed information (e.g. expected order volume, incoming order data, probability of success, etc.) are recorded, processed and tracked by our sales managers in our CRM system.
- In addition, our CRM system is used to record and manage contacts with potential purchasing interest, i.e. prospective customers for products and services of the x1F Group companies are recorded, qualified, distributed to our account management and tracked using our CRM system.
- Information on our B2B contacts is stored centrally in our CRM system and linked to other information (e.g. contacts, opportunities). In addition, contacts and activities (e.g. sending offers, discussions with the respective contact, etc.) are stored.
We process the following categories of personal data in our CRM system:
- Salutation, first name, middle name and surname, title,
- Contact details (e-mail address, telephone number, language),
- Professional data (company, position, department, address, website, company size, company turnover, industry, product category, product application),
- Campaign data (campaign name, type, lead status, date of survey),
- Contract data (existing contracts and contracts under negotiation),
- Communication data (e-mail communication, visit reports and other interactions with us),
- Data on purchased goods or services (order and delivery history, credit management),
- Customer type (prospective customer, existing customer, new customer).
The aforementioned data is collected exclusively directly from you via the following channels: our websites, online campaigns, contact forms offered, at trade fairs and via direct telephone, messenger or e-mail contact with us and is stored, analysed, assigned to the responsible sales manager of a company of the x1F Group and used to contact you for the purposes mentioned above.
In our communication and in our online campaigns / contact forms, we will not ask you to provide us with so-called particularly sensitive personal data. However, if you voluntarily provide us with such information, we will understand this as consent to processing for the purpose of conducting the customer relationship and that you authorise us to store this information in our CRM system. In principle, however, we do not store and process information about particularly sensitive data, as the technical design of our CRM system does not provide for this. This data is only processed in exceptional cases.
Access to our CRM system takes place within the framework of the existing authorisation concept following separate registration and authorisation checks. Currently, the data in the CRM system can only be read and processed by authorised employees and account managers of the respective Group company across the Group. The limited number of authorised users of the x1F Group companies have access to your personal data to the extent necessary to process your data in the CRM system in accordance with the above-mentioned purposes or to answer your contact enquiries. Authorisations are granted according to the need-to-know principle. All access to the CRM system and the data it contains is always logged. Your data will not be passed on to third parties outside the x1F Group.
We would like to point out at this point that some recipients or companies of the x1F Group are located in third countries (including Serbia, USA and Australia). Safeguarding takes place via internal group agreements including standard contractual clauses to ensure an appropriate level of data protection.
Legal basis for data processing
The use of our group-wide CRM system is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in targeted and efficient administration and communication with our customers, business partners and interested parties in x1F Group products and services.
The collection of your personal data via contact forms, at trade fairs, via online campaigns or through direct contact is regularly based on your consent (Art. 6 para. 1 lit. a GDPR).
If the contact by our customers or interested parties is aimed at the conclusion of a contract for the purchase of products or services of the x1F Group, the legal basis for the processing is Art. 6 para. 1 lit. b GDPR.
Purpose of the data processing
We process your personal data in our CRM system to respond to your contact enquiries, to maintain our customer and prospective customer relationships (CRM), to manage our business relationships and for marketing and sales purposes. Our group-wide CRM system is designed to improve marketing and sales results. The CRM system provides the companies of the x1F Group with a platform that supports the employees and account managers of the companies of the x1F Group, who are authorised via an established authorisation concept, in the sale, service, marketing and maintenance of our customer and prospective customer relationships.
Duration of storage / deletion of your data
The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. For the personal data collected for the above-mentioned purposes and processed in our CRM system, this is the case if the respective addressee has objected to the processing. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. Blocking of further data processing or erasure of the data also takes place if a legally prescribed storage period expires, unless there is a need for further storage of the data for fulfilment of a contract.
We have implemented a Group-wide deletion concept to ensure a system-based procedure for the deletion of personal data in the CRM system:
- The persons responsible for contacts and account managers regularly check whether our contacts are still current contacts. If no retention periods require storage, your data will be completely deleted by us.
- The maximum storage limit is currently six years of inactivity. If a contact stored in the CRM system has not shown any interactions for six years or no changes have been made to the associated data record, the contact is deleted by the system.
We would also like to point out that you can request the deletion of your data in our CRM system at any time via the contact details. We will then delete your data immediately, provided that there are no statutory retention periods preventing deletion.
Explanation of terms used
We always endeavour to write our privacy policy as clearly and comprehensibly as possible. However, this is not always easy, especially when it comes to technical and legal topics. It often makes sense to use legal terms (such as personal data) or certain technical terms (such as cookies, IP address). However, we do not want to use these without explanation. Below you will find an alphabetical list of important terms used, which we may not have sufficiently addressed in the previous privacy policy. If these terms have been taken from the GDPR and are definitions, we will also quote the GDPR texts here and add our own explanations if necessary.
- Supervisory authority
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
‘supervisory authority’ means an independent public authority established by a Member State in accordance with Article 51
Explanation: “Supervisory authorities” are always independent state institutions that are also authorised to issue instructions in certain cases. They serve to carry out so-called state supervision and are located in ministries, special departments or other authorities. For data protection in Austria, there is an Austrian data protection authority; for Germany, there is a separate data protection authority for each federal state.
- Processor
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Explanation: As a company and website owner, we are responsible for all data that we process from you. In addition to controllers, there may also be so-called processors. This includes any company or person that processes personal data on our behalf. In addition to service providers such as tax consultants, processors can therefore also be hosting or cloud providers, payment or newsletter providers or large companies such as Google or Microsoft.
- Supervisory authority concerned
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“supervisory authority concerned” means a supervisory authority that is concerned by the processing of personal data because:
- the controller or processor is established in the territory of the Member State of that supervisory authority
- this processing has or may have a significant impact on data subjects residing in the Member State of that supervisory authority
- a complaint has been submitted to this supervisory authority
Explanation: In Germany, each federal state has its own supervisory authority for data protection. So if your company headquarters (main branch) is in Germany, the respective supervisory authority of the federal state is generally your point of contact. In Austria, there is only one supervisory authority for data protection for the entire country.
- File system
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“file system” means any structured collection of personal data that is accessible according to specific criteria, regardless of whether this collection is managed centrally, decentrally or according to functional or geographical aspects
Explanation: Any organised storage of data on a data carrier of a computer is referred to as a “file system”. For example, if we store your name and email address on a server for our newsletter, then this data is stored in a so-called “file system”. The most important tasks of a “file system” include quickly searching for and finding specific data and, of course, the secure storage of data.
- Service of the information society
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
‘information society service’ means a service as defined in point (1)(b) of Article 1 of Directive (EU) 2015/1535 of the European Parliament and of the Council
Explanation: Basically, the term “information society” refers to a society that is based on information and communication technologies. As a website visitor in particular, you are familiar with various types of online services and most online services are categorised as “information society services”. A classic example of this is an online transaction, such as the purchase of goods over the Internet.
- Third party
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
Explanation: The GDPR basically only explains what a “third party” is not. In practice, a “third party” is anyone who also has an interest in the personal data but is not one of the above-mentioned persons, authorities or organisations. For example, a parent company can act as a “third party”. In this case, the subsidiary group is the controller and the parent group is the “third party”. However, this does not mean that the parent company is automatically authorised to view, collect or store the personal data of the subsidiary company.
- Restriction of processing
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“Restriction of processing” means the marking of stored personal data with the aim of restricting its future processing
Explanation: One of your rights is that you can request processors to restrict your personal data for further processing operations at any time. For this purpose, specific personal data such as your name, your date of birth or your address will be marked in such a way that further processing is no longer possible. For example, you could restrict processing to the effect that your data may no longer be used for personalised advertising.
- Consent
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by another unambiguous affirmative act, signifies agreement to the processing of personal data relating to him or her
Explanation: As a rule, such consent is given via a cookie consent tool on websites. You are probably familiar with this. Whenever you visit a website for the first time, you are usually asked via a banner whether you agree or consent to data processing. In most cases, you can also make individual settings and thus decide for yourself which data processing you allow and which you do not. If you do not give your consent, your personal data may not be processed. In principle, consent can of course also be given in writing, i.e. not via a tool.
- Recipient
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular enquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing
Explanation: Every person and every company that receives personal data is considered a recipient. This means that we and our processors are also so-called recipients. Only authorities that have an investigation mandate are not considered recipients.
- Health data
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“health data” means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, and from which information about their health status is derived
Explanation: Health data therefore includes all stored information relating to your own health. This is often data that is also recorded in a patient file. This includes, for example, which medication you use, X-ray images, your entire medical history or, as a rule, your immunisation status.
- Cross-border processing
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“cross-border processing” means either:
a) processing of personal data carried out in the context of the activities of establishments of a controller or processor in the Union in more than one Member State, where the controller or processor is established in more than one Member State, or
b) processing of personal data carried out in the context of the activities of a single establishment of a controller or processor in the Union, but which produces or is likely to produce significant effects on data subjects in more than one Member State
Explanation: If, for example, a company or other organisation has branches in Spain and Croatia and personal data is processed in connection with the activities of the branches, this constitutes “cross-border processing” of personal data. Even if the data is only processed in one country (as in this example in Spain), but the effects for the data subject are also recognisable in another country, this is also referred to as “cross-border processing”.
- Head office
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“Head office” means:
- in the case of a controller with establishments in more than one Member State, the place of its head office in the Union, unless the decisions as to the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and that establishment is authorised to have those decisions implemented, in which case the establishment taking such decisions shall be considered to be the main establishment
- in the case of a processor with establishments in more than one Member State, the place of its head office in the Union or, where the processor does not have a head office in the Union, the place of establishment of the processor in the Union where the processing activities in the context of the activities of an establishment of a processor are principally carried out, insofar as the processor is subject to specific obligations under this Regulation
Explanation: Although Google, for example, is an American company that also processes data in the USA, its European headquarters are located in Ireland (Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland). Google Ireland Limited is therefore legally an independent company and is responsible for all Google products offered in the European Economic Area. In contrast to a head office, there are also branch offices, but these do not function as legally independent branches and are therefore to be distinguished from subsidiaries. A principal place of business is therefore always the place where a company (trading company) has its centre of operations.
- International organisation
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
‘international organisation’ means an international organisation and its subordinate bodies or any other body established by, or on the basis of, an agreement concluded between two or more countries
Explanation: The best-known examples of international organisations are probably the European Union or the United Nations. The GDPR distinguishes between third countries and international organisations in connection with data transfer. Within the EU, the transfer of personal data is not a problem because all EU countries are bound by the provisions of the GDPR. On the other hand, data transfers with third countries or international organisations are subject to certain conditions.
- Relevant and well-founded objection
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation or whether intended action against the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data in the Union
Explanation: If certain measures that we take as controllers or our processors do not comply with the GDPR, you can raise a so-called “relevant and reasoned objection”. In doing so, you must explain the scope of the risks in relation to your fundamental rights and freedoms and possibly the free movement of your personal data in the EU.
- Personal data
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Explanation: Personal data is therefore all data that can identify you as a person. This is usually data such as
- Name
- Address
- E-mail address
- Postal address
- Telephone number
- Date of birth
- Identification numbers such as national insurance number, tax identification number, identity card number or matriculation number
- Bank data such as account number, credit information, account balances and much more.
According to the European Court of Justice (ECJ), your IP address is also considered personal data. IT experts can use your IP address to determine at least the approximate location of your device and subsequently identify you as the owner of the connection. Therefore, the storage of an IP address also requires a legal basis within the meaning of the GDPR. There are also so-called “special categories” of personal data, which are also particularly worthy of protection. These include
- racial and ethnic origin
- political opinions
- religious or ideological convictions
- trade union membership
- genetic data such as data taken from blood or saliva samples
- biometric data (i.e. information on mental, physical or behavioural characteristics that can identify a person)
- health data
- data on sexual orientation or sexual life
- Profiling
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
Explanation: Profiling involves collecting various pieces of information about a person in order to find out more about them. In the web sector, profiling is often used for advertising purposes or for credit checks. Web and advertising analysis programs collect data about your behaviour and interests on a website, for example. This results in a special user profile that can be used to target advertising to a specific target group.
- The company
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“company” means a natural and legal person that carries out an economic activity, regardless of its legal form, including partnerships or associations that regularly carry out an economic activity
Explanation: For example, we are a company and also carry out an economic activity via our website by offering and selling services and/or products. The formal characteristic of every company is its legal entity, such as a GmbH or AG.
- Group of companies
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“group of companies” means a group consisting of a controlling company and the companies dependent on it
Explanation: We speak of a “group of companies” when several companies combine and are legally and financially linked to each other, but there is still a central, overarching company. For example, Instagram, WhatsApp, Oculus VR or Facebook are largely independent companies, but are all subject to the parent company Meta Platforms, Inc.
- Person responsible
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
Explanation: In our case, we are responsible for the processing of your personal data and are therefore the “controller”. If we pass on collected data to other service providers for processing, they are “processors”. An “order processing contract (AVV)” must be signed for this.
- Processing
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Note: When we refer to processing in our privacy policy, we mean any kind of data processing. As mentioned above in the original GDPR declaration, this includes not only the collection but also the storage and processing of data.
- Binding internal data protection regulations
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
‘binding corporate rules’ means measures for the protection of personal data which a controller or processor established in the territory of a Member State undertakes to implement with regard to transfers or a set of transfers of personal data to a controller or processor within the same group of undertakings or the same group of undertakings engaged in a joint economic activity in one or more third countries
Explanation: You may have heard or read the term “Binding Corporate Rules” before. After all, this is the term that usually appears when it comes to binding internal data protection regulations. Especially for companies (such as Google) that process data in third countries, it is advisable to have such an internal regulation, through which a company commits itself, so to speak, to comply with data protection regulations. This regulation governs the handling of personal data that is transferred to and processed in third countries.
- Violation of the protection of personal data
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
“personal data breach” means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidental or unlawful
Explanation: For example, a “personal data breach” can occur in the event of a data leak, i.e. a technical problem or a cyberattack. If the breach results in a risk to the rights and freedoms of natural persons, the controller must immediately report the incident to the competent supervisory authority. In addition, the data subjects must also be informed if the breach poses a high risk to the rights and freedoms of natural persons.
Legal information
x1F constantly checks and updates the information on its website. Nevertheless, it cannot assume any liability or guarantee for the topicality, correctness and completeness of the information provided.
The same applies to all other websites referred to via links. x1F is not responsible for the content of websites accessed via such links. Furthermore, x1F reserves the right to make changes or additions to the information provided.
Closing words
Congratulations! If you are reading this, you have really “fought” your way through our entire privacy policy, or at least scrolled this far. As you can see from the scope of our privacy policy, we do not take the protection of your personal data lightly.
It is important to us to inform you about the processing of personal data to the best of our knowledge and belief. However, we don’t just want to tell you what data is processed, but also explain the reasons for using various software programmes. As a rule, privacy policies sound very technical and legal. However, as most of you are not web developers or lawyers, we wanted to take a different approach and explain the facts in simple and clear language. Of course, this is not always possible due to the subject matter. The most important terms are therefore explained in more detail at the end of the privacy policy.
If you have any questions about data protection on our website, please do not hesitate to contact us or the responsible organisation. We wish you a pleasant time and hope to welcome you back to our website soon.
All texts are protected by copyright.
Source: Privacy Policy created with the Privacy Policy Generator for Germany by AdSimple.